10 research outputs found

    Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL reduction

    Get PDF
    Post-quantum cryptography now plays a central role in cryptography. Many candidates for post-quantum cryptosystems (PQC) have already been proposed, but they require public keys of large size. Constructing PQC with small public keys is strongly desired. In [Oku15], Okumura proposed a public key cryptosystem based on the difficulty of solving Diophantine equations of degree increasing type (DEC for short). DEC was proposed as an analogue of the Algebraic Surface Cryptosystem (ASC) [AGM09], and was expected to avoid the analogues of all attacks against ASC (and the previous versions of ASC). Moreover, DEC was expected to be a candidate for PQC and to achieve high security with small public keys, e.g., about 1,200 bits for 128-bit security. In this paper, we propose a polynomial-time attack against DEC. We show that the security of DEC depends on the difficulty of finding special (relatively) short vectors in some lattices obtained from a public key and a ciphertext. The most important target vector in our attack is not necessarily a shortest vector in a lattice of low rank; only some of its entries are relatively small. In our attack, the LLL algorithm with respect to well-known norms such as the $p$-norms ($1 \leq p \leq \infty$) does not seem to work well for finding such vectors. The most technical point of our method is to heuristically find a special norm, which we call a weighted norm, such that the most important target vector becomes a (nearly) shortest vector in a lattice of low rank. We call the LLL algorithm with respect to a weighted norm the "weighted LLL algorithm" in this paper. Our experimental results on a standard PC with Magma suggest that our attack via the weighted LLL algorithm can break the one-wayness of DEC for 128-bit security proposed in [Oku15] with sufficiently high probability.
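    As an added illustration of the idea behind the abstract (this is not code from the paper and not the DEC attack itself), the script below implements textbook LLL over exact rationals together with the coordinate-scaling trick that realises a weighted norm: reducing with respect to ||W x||_2 for W = diag(w_1, ..., w_n) is the same as multiplying coordinate i by w_i, running ordinary LLL, and dividing back. The toy lattice, its "target" and "decoy" vectors, the unimodular mix that hides them, and the weights are all constructed here by hand (the paper finds its weights heuristically from the public key and ciphertext). They are chosen so that plain LLL returns the Euclidean-shortest decoy, while the weighted run returns the target vector whose first three entries are small and whose last two are large.

```python
from fractions import Fraction


def dot(a, b):
    """Exact inner product of two vectors (ints or Fractions)."""
    return sum(x * y for x, y in zip(a, b))


def gram_schmidt(b):
    """Gram-Schmidt orthogonalisation of the rows of b; returns (b*, mu)."""
    n = len(b)
    bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = [Fraction(x) for x in b[i]]
        for j in range(i):
            mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
            v = [vi - mu[i][j] * sj for vi, sj in zip(v, bstar[j])]
        bstar.append(v)
    return bstar, mu


def lll(basis, delta=Fraction(99, 100)):
    """Textbook LLL in the Euclidean norm over exact rationals (rows = basis vectors).
    Gram-Schmidt data is recomputed after every change; fine for small toy lattices."""
    b = [[Fraction(x) for x in row] for row in basis]
    n = len(b)
    bstar, mu = gram_schmidt(b)
    k = 1
    while k < n:
        # size-reduce b_k against b_{k-1}, ..., b_0
        for j in range(k - 1, -1, -1):
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                bstar, mu = gram_schmidt(b)
        # Lovasz condition
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt(b)
            k = max(k - 1, 1)
    return [[int(x) for x in row] for row in b]


def weighted_lll(basis, weights, delta=Fraction(99, 100)):
    """LLL with respect to the weighted norm ||W x||_2, W = diag(weights):
    scale every coordinate, reduce in the Euclidean norm, scale back.
    Reduced vectors are integer combinations of the scaled rows, so coordinate i
    of each of them is a multiple of weights[i] and the division is exact."""
    scaled = [[x * w for x, w in zip(row, weights)] for row in basis]
    out = []
    for row in lll(scaled, delta):
        assert all(x % w == 0 for x, w in zip(row, weights))
        out.append([x // w for x, w in zip(row, weights)])
    return out


def canonical(v):
    """Fix the sign so the first non-zero entry is positive (v and -v are the same target)."""
    for x in v:
        if x:
            return v if x > 0 else [-y for y in v]
    return v


# Constructed toy instance (assumed for this illustration, not taken from the paper).
# TARGET is small in the first three coordinates but large in the last two;
# DECOY lies in the same lattice and is much shorter in the Euclidean norm.
TARGET = [1, -2, 1, 3000, -4000]
DECOY = [40, -30, 50, 0, 0]


def _comb(a, u, c, v):
    return [a * x + c * y for x, y in zip(u, v)]


# What an attacker would be given: a unimodular mix of the two ([[1, 3], [2, 7]] has det 1).
PUBLIC_BASIS = [_comb(1, TARGET, 3, DECOY), _comb(2, TARGET, 7, DECOY)]

# Weights favouring smallness of the first three coordinates by a factor of 1000.
# The paper derives its weights heuristically; these are chosen by hand.
WEIGHTS = [1000, 1000, 1000, 1, 1]


def shortest_plain(basis=PUBLIC_BASIS):
    """First vector of an ordinary LLL-reduced basis (Euclidean norm)."""
    return canonical(lll(basis)[0])


def shortest_weighted(basis=PUBLIC_BASIS, weights=WEIGHTS):
    """First vector of the weighted-LLL-reduced basis."""
    return canonical(weighted_lll(basis, weights)[0])


if __name__ == "__main__":
    print("public basis:             ", PUBLIC_BASIS)
    print("plain LLL first vector:   ", shortest_plain())     # the decoy
    print("weighted LLL first vector:", shortest_weighted())  # the target
```

    On this instance plain LLL hands back the decoy (40, -30, 50, 0, 0), because that really is the shortest lattice vector in the Euclidean norm, and only weighting the first three coordinates makes the target (1, -2, 1, 3000, -4000) the shortest vector in the norm LLL optimises for. The real difficulty in the attack, which this toy does not reproduce, is choosing the weights without knowing the target.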

    Improving post-quantum cryptography through cryptanalysis

    Get PDF
    Large quantum computers pose a threat to our public-key cryptographic infrastructure. The possible responses are: Do nothing; accept the fact that quantum computers might be used to break widely deployed protocols. Mitigate the threat by switching entirely to symmetric-key protocols. Mitigate the threat by switching to different public-key protocols. Each user of public-key cryptography will make one of these choices, and we should not expect consensus. Some users will do nothing---perhaps because they view the threat as being too remote. And some users will find that they never needed public-key cryptography in the first place. The work that I present here is for people who need public-key cryptography and want to switch to new protocols. Each of the three articles raises the security estimate of a cryptosystem by showing that some attack is less effective than was previously believed. Each article thereby reduces the cost of using a protocol by letting the user choose smaller (or more efficient) parameters at a fixed level of security. In Part 1, I present joint work with Samuel Jaques in which we revise security estimates for the Supersingular Isogeny Key Exchange (SIKE) protocol. We show that known quantum claw-finding algorithms do not outperform classical claw-finding algorithms. This allows us to recommend 434-bit primes for use in SIKE at the same security level that 503-bit primes had previously been recommended. In Part 2, I present joint work with Martin Albrecht, Vlad Gheorghiu, and Eamonn Postlethwaite that examines the impact of quantum search on sieving algorithms for the shortest vector problem. Cryptographers commonly assume that the cost of solving the shortest vector problem in dimension $d$ is $2^{(0.265\ldots + o(1))d}$ quantumly and $2^{(0.292\ldots + o(1))d}$ classically. These are upper bounds based on a near neighbor search algorithm due to Becker--Ducas--Gama--Laarhoven. Naively, one might think that $d$ must be at least $483$ ($\approx 128/0.265$) to avoid attacks that cost fewer than $2^{128}$ operations. Our analysis accounts for terms in the $o(1)$ that were previously ignored. In a realistic model of quantum computation, we find that applying the Becker--Ducas--Gama--Laarhoven algorithm in dimension $d > 376$ will cost more than $2^{128}$ operations. We also find reason to believe that the classical algorithm will outperform the quantum algorithm in dimensions $d < 288$. In Part 3, I present solo work on a variant of post-quantum RSA. The original pqRSA proposal by Bernstein--Heninger--Lou--Valenta uses terabyte keys of the form $n = p_1 p_2 p_3 p_4 \cdots p_i \cdots p_{2^{31}}$ where each $p_i$ is a $4096$-bit prime. My variant uses terabyte keys of the form $n = p_1^2 p_2^3 p_3^5 p_4^7 \cdots p_i^{\pi_i} \cdots p_{20044}^{225287}$ where each $p_i$ is a $4096$-bit prime and $\pi_i$ is the $i$-th prime. Prime generation is the most expensive part of post-quantum RSA in practice, so the smaller number of prime factors in my proposal gives a large speedup in key generation. The repeated factors help an attacker identify an element of small order, and thereby allow the attacker to use a small-order variant of Shor's algorithm. I analyze small-order attacks and discuss the cost of the classical pre-computation that they require.

    International Symposium on Mathematics, Quantum Theory, and Cryptography

    Get PDF
    This open access book presents selected papers from the International Symposium on Mathematics, Quantum Theory, and Cryptography (MQC), which was held on September 25-27, 2019 in Fukuoka, Japan. The international symposium MQC addresses the mathematics and quantum theory underlying secure modeling of post-quantum cryptography, including, e.g., the mathematical study of light-matter interaction models as well as quantum computing. The security of the most widely used RSA cryptosystem is based on the difficulty of factoring large integers. However, in 1994 Shor proposed a quantum polynomial-time algorithm for factoring integers, and the RSA cryptosystem is no longer secure in the quantum computing model. This vulnerability has prompted research into post-quantum cryptography using alternative mathematical problems that remain secure in the era of quantum computers. In this regard, the National Institute of Standards and Technology (NIST) began to standardize post-quantum cryptography in 2016. This book is suitable for postgraduate students in mathematics and computer science, as well as for experts in industry working on post-quantum cryptography.

    Topics in basis reduction and integer programming

    Get PDF
    A basis reduction algorithm computes a reduced basis of a lattice consisting of short and nearly orthogonal vectors. The best known basis reduction method is due to Lenstra, Lenstra and Lovász (LLL): their algorithm has been extensively used in cryptography, experimental mathematics and integer programming. Lenstra used the LLL basis reduction algorithm to show that the integer programming problem can be solved in polynomial time when the number of variables is fixed. In this thesis, we study some topics in basis reduction and integer programming. We make the following contributions. We unify the fundamental inequalities in an LLL reduced basis, which express the shortness and near orthogonality of the basis. We analyze two recent integer programming reformulation techniques which also rely on basis reduction. The reformulation methods are easy to describe. They are also successful in practice in solving several classes of hard integer programs. First, we analyze the reformulation techniques on bounded knapsack problems. The only analyses so far are for knapsack problems with a constraint vector having a certain decomposable structure. Here we do not assume any a priori structure on the constraint vector. We then analyze the reformulation techniques on bounded integer programs. We show that if the coefficients of the constraint matrix are drawn from a sufficiently large interval, then branch and bound creates at most one node at each level if applied to the reformulated instances. On the practical side, we give some numerical values as to how large the numbers should be to make sure that for 90 and 99 percent of the reformulated instances, the number of subproblems that need to be enumerated by branch and bound is at most one at each level. These values turned out to be surprisingly small when the problem size is moderate. We also analyze the solvability of the "majority" of low-density subset sum problems using the method of branch and bound when the coefficients are chosen from a large interval.

    College of Arts and Sciences

    Full text link
    Cornell University Courses of Study Vol. 96 2004/200
