4 research outputs found

    Quantum LLL with an Application to Mersenne Number Cryptosystems

    In this work we analyze the impact of translating the well-known LLL algorithm for lattice reduction into the quantum setting. We present the first (to the best of our knowledge) quantum circuit representation of a lattice reduction algorithm, in the form of explicit quantum circuits implementing the textbook LLL algorithm. Our analysis identifies a set of challenges arising from constructing reversible lattice reduction, as well as solutions to these challenges. We give a detailed resource estimate with the Toffoli gate count and the number of logical qubits as complexity metrics. As an application, we attack Mersenne number cryptosystems by Groverizing an attack due to Beunardeau et al. that uses LLL as a subprocedure. While Grover's quantum algorithm promises a quadratic speedup over exhaustive search given access to an oracle that distinguishes solutions from non-solutions, we show that in our case realizing the oracle comes at the cost of a large number of qubits. When an adversary translates the attack by Beunardeau et al. into the quantum setting, the overhead of the quantum LLL circuit may be as large as 2^{52} qubits for the textbook implementation and 2^{33} for a floating-point variant.

    Notes on Lattice-Based Cryptography

    Public-key cryptography relies on the assumption that some computational problems are hard to solve. In 1994, Peter Shor showed that the two most used computational problems, namely the Discrete Logarithm Problem and the Integer Factoring Problem, are no longer hard to solve when using a quantum computer. Since then, researchers have worked on finding new computational problems that are resistant to quantum attacks to replace these two. Lattice-based cryptography is the research field that employs cryptographic primitives involving hard problems defined on lattices, such as the Shortest Vector Problem and the Closest Vector Problem. The NTRU cryptosystem, published in 1998, was one of the first to be introduced in this field. The Learning With Error (LWE) problem was introduced in 2005 by Regev, and it is now considered one of the most promising computational problems to be employed on a large scale in the near future. Studying its hardness and finding new and faster algorithms that solve it became a leading research topic in cryptology. This thesis includes the following contributions to the field:
    - A non-trivial reduction of the Mersenne Low Hamming Combination Search Problem, the underlying problem of an NTRU-like cryptosystem, to Integer Linear Programming (ILP). In particular, we find a family of weak keys.
    - A concrete security analysis of Integer-RLWE, a hard computational problem variant of LWE introduced by Gu Chunsheng. We formalize a meet-in-the-middle attack and a lattice-based attack for this case, and we exploit a weakness of the parameter choice given by Gu to build an improved lattice-based attack.
    - An improvement of the Blum-Kalai-Wasserman algorithm for solving LWE. In particular, we introduce a new reduction step and a new guessing procedure to the algorithm. These allowed us to develop two implementations of the algorithm that are able to solve relatively large LWE instances. While the first one efficiently uses only RAM and is fully parallelizable, the second one exploits a combination of RAM and disk storage to overcome the memory limitations imposed by RAM.
    - We fill a gap in pairing-based cryptography by providing concrete formulas to compute hash-maps to G2, the second group in the pairing domain, for the Barreto-Lynn-Scott family of pairing-friendly elliptic curves.
    Doctoral thesis

    Construction of Modifications and Cryptanalysis of Post-Quantum Primitives of the AJPS Family

    This qualification thesis runs to 135 pages and contains 45 figures, 3 tables and 60 sources. In recent years, post-quantum cryptography has been developing rapidly. Its aim is to develop cryptographic primitives that would be resistant to attacks using both quantum and classical computers. In 2017, the National Institute of Standards and Technology (NIST) launched a competition for post-quantum asymmetric cryptographic primitives, which is still ongoing. One of the participants of the first round of the competition is the Mersenne-756839 key encapsulation mechanism, which is based on the AJPS cryptosystem. The purpose of the research is to investigate the peculiarities of information transformation in cryptographic primitives of the AJPS family, and to modify them in order to increase the security level. The object of the research is the processes of information transformation in post-quantum cryptographic security systems. The subject of the research is the models of post-quantum cryptographic primitives of the AJPS family. The work presents recommendations for the key generation algorithms of the AJPS-1 and AJPS-2 cryptosystems and constructs a substitution attack on the AJPS-2 cryptosystem. New properties of arithmetic modulo a Mersenne number, a generalized Mersenne number and a Crandall number are proved. A modification of the AJPS-1 cryptosystem by changing the metric is constructed, as well as modifications of AJPS-1 and AJPS-2 by changing the class of numbers used in the cryptosystems as the modulus. A comparative analysis of all the constructed modifications and of the AJPS-1 and AJPS-2 cryptosystems is carried out.

    Attacks on the AJPS Mersenne-based cryptosystem

    Aggarwal, Joux, Prakash and Santha recently introduced a new potentially quantum-safe public-key cryptosystem, and suggested that a brute-force attack is essentially optimal against it. They consider but then dismiss both Meet-in-the-Middle attacks and LLL-based attacks. Very soon after their paper appeared, Beunardeau et al. proposed a practical LLL-based technique that seemed to significantly reduce the security of the AJPS system. In this paper we do two things. First, we show that a Meet-in-the-Middle attack can also be made to work against the AJPS system, using locality-sensitive hashing to overcome the difficulty that Aggarwal et al. saw for such attacks. We also present a quantum version of this attack. Second, we give a more precise analysis of the attack of Beunardeau et al., confirming and refining their results.