On Functional Decomposition of Multivariate Polynomials with Differentiation and Homogenization
In this paper, we give a theoretical analysis of the algorithms for computing functional decompositions of multivariate polynomials based on differentiation and homogenization, proposed by Ye, Dai, Lam (1999) and Faugere, Perret (2006, 2008, 2009). We show that a degree-proper functional decomposition for a set of randomly decomposable quartic homogeneous polynomials can be computed using the algorithm with high probability. This solves a conjecture proposed by Ye, Dai, and Lam (1999). We also propose a conjecture that the decomposition of a set of polynomials can be computed from that of its homogenization with high probability. Finally, we prove that the right decomposition factors of a set of polynomials can be computed from its right decomposition factor space. Combining these results, we prove that the algorithm can compute a degree-proper decomposition for a set of randomly decomposable quartic polynomials with probability one when the base field is of characteristic zero, and with probability close to one when the base field is a finite field of sufficiently large size, under the assumption that the conjecture is correct.
Decomposition attack on SASASASAS
We demonstrate the first attacks on SPN ciphers with 6, 7, 8, and 9 secret layers. In particular, we show a decomposition attack on the SASASASAS scheme when the S-box size M and the block length N satisfy the condition M^2 < N (for example, an 8-bit S-box and a 128-bit block).
QUAD: Overview and Recent Developments
We give an outline of the specification and provable security features of the QUAD stream cipher proposed at Eurocrypt 2006. The cipher relies on the iteration of a multivariate system of quadratic equations over a finite field, typically GF(2) or a small extension. In the binary case, the security of the keystream generation can be related, in the concrete security model, to the conjectured intractability of the MQ problem of solving a random system of m equations in n unknowns. We show that this security reduction can be extended to incorporate the key and IV setup and provide a security argument covering the whole stream cipher. We also briefly address software and hardware performance issues and show that if one is willing to pseudorandomly generate the systems of quadratic polynomials underlying the cipher, this leads to surprisingly inexpensive hardware implementations of QUAD.
Key-Recovery Attack on the ASASA Cryptosystem with Expanding S-boxes
We present a cryptanalysis of the ASASA public key cipher introduced at Asiacrypt 2014. This scheme alternates three layers of affine transformations A with two layers of quadratic substitutions S. We show that the partial derivatives of the public key polynomials contain information about the intermediate layer. This enables us to present a very simple distinguisher between an ASASA public key and random polynomials. We then expand upon the ideas of the distinguisher to achieve a full secret key recovery. This method uses only linear algebra and has a complexity dominated by the cost of computing the kernels of small matrices with entries in
On semigroups of multivariate transformations constructed in terms of time dependent linguistic graphs and solutions of Post Quantum Multivariate Cryptography.
Time-dependent linguistic graphs over an abelian group H are introduced. In this case such a bipartite graph with point set can be used for the generation of an Eulerian transformation of , i.e. an endomorphism of sending each variable to a monomial term. Subsemigroups of such endomorphisms, together with their special homomorphic images, are used as platforms for cryptographic protocols of noncommutative cryptography.
The security of these protocols is evaluated via the complexity of the hard problem of decomposing an Eulerian transformation into a product of known generators of the semigroup. Nowadays this problem is an intractable one in the post-quantum setting.
The symbiotic combination of such protocols with special graph-based stream ciphers working on a plaintext space of kind where for an arbitrarily chosen parameter is proposed.
This way we obtain a cryptosystem with an encryption/decryption procedure of complexity
Decomposing the ASASA Block Cipher Construction
We consider the problem of recovering the internal specification of a general SP-network consisting of three linear layers (A) interleaved with two S-box layers (S) (denoted ASASA for short), given only black-box access to the scheme. The decomposition of such general ASASA schemes was first considered at ASIACRYPT 2014 by Biryukov et al., who used the alleged difficulty of this problem to propose several concrete block cipher designs as candidates for white-box cryptography.
In this paper, we present several attacks on general ASASA schemes that significantly outperform the analysis of Biryukov et al. As a result, we are able to break all the proposed concrete ASASA constructions with practical complexity. For example, we can decompose an ASASA structure that was supposed to provide -bit security in roughly steps, and break the scheme that supposedly provides -bit security in about time. Whenever possible, our findings are backed up with experimental verification.
On desynchronised El Gamal algorithm
Families of stable cyclic groups of nonlinear polynomial transformations of affine spaces over a general commutative ring of increasing with order can be used in key exchange protocols and in the El Gamal multivariate cryptosystems related to them. We suggest using the high degree of noncommutativity of the affine Cremona group and modifying the multivariate El Gamal algorithm via the use of conjugations for two polynomials of kind and given by the key holder (Alice), or giving them as elements of different transformation groups. We present key exchange protocols based on the twisted discrete logarithm problem, which uses the noncommutativity of a semigroup. Recent results on the existence of families of stable transformations of prescribed degree and density and of exponential order over finite fields can be used to implement schemes such as the above with feasible computational complexity. We introduce an example of a newly implemented quadratic multivariate cryptosystem based on the above-mentioned ideas.
Mass-surveillance without the State: Strongly Undetectable Algorithm-Substitution Attacks
We present new algorithm-substitution attacks (ASAs) on symmetric encryption that improve over prior ones in two ways. First, while prior attacks only broke a sub-class of randomized schemes having a property called coin injectivity, our attacks break ALL randomized schemes. Second, while prior attacks are stateful, ours are stateless, achieving a notion of strong undetectability that we formalize. Together, this shows that ASAs are an even more dangerous and powerful mass surveillance method than previously thought. Our work serves to increase awareness of what is possible with ASAs and to spur the search for deterrents and countermeasures.