12 research outputs found

    Improved Cryptanalysis of the AJPS Mersenne Based Cryptosystem

    At Crypto 2018, Aggarwal, Joux, Prakash and Santha (AJPS) described a new public-key encryption scheme based on Mersenne numbers. Shortly after the publication of the cryptosystem, Beunardeau et al. described an attack with complexity O(2^(2h)). In this paper, we describe an improved attack with complexity O(2^(1.75h)).

    The Modification of the Quantum-Resistant AJPS-1 Cryptographic Primitive

    In recent years, quantum-resistant cryptography has been steadily developing, due in particular to the post-quantum cryptosystems competition of the National Institute of Standards and Technology (NIST), which has been ongoing since 2017. One of the participants in the first round of the competition is the AJPS cryptosystem. In this work, we propose a modification of the AJPS cryptosystem for bit-by-bit encryption by changing the class of numbers used as the modulus in the cryptosystem. This modification increases the variability of the cryptosystem parameters.

    Integer Reconstruction Public-Key Encryption

    In [AJPS17], Aggarwal, Joux, Prakash and Santha described an elegant public-key cryptosystem (AJPS-1) mimicking NTRU over the integers. This algorithm relies on the properties of Mersenne primes instead of polynomial rings. A later ePrint [BCGN17] by Beunardeau et al. revised AJPS-1’s initial security estimates. While lower than initially thought, the best known attack on AJPS-1 still seems to leave the defender with an exponential advantage over the attacker [dBDJdW17]. However, this smaller exponential advantage implies enlarging AJPS-1’s parameters. This, plus the fact that AJPS-1 encodes only a single plaintext bit per ciphertext, made AJPS-1 impractical. In a recent update, Aggarwal et al. overcame this limitation by extending AJPS-1’s bandwidth. This variant (AJPS-ECC) modifies the definition of the public key and relies on error-correcting codes. This paper presents a different high-bandwidth construction. In contrast to AJPS-ECC, we do not modify the public key, avoid using error-correcting codes and use backtracking to decrypt. The new algorithm is orthogonal to AJPS-ECC, as both mechanisms may be used concurrently in the same ciphertext and cumulate their bandwidth improvements. Alternatively, we can increase AJPS-ECC’s information rate by a factor of 26 for the parameters recommended in [AJPS17]. The obtained bandwidth improvement, and the fact that encryption and decryption are reasonably efficient, make our scheme an interesting post-quantum candidate.

    Quantum Attacks on Mersenne Number Cryptosystems

    Mersenne number based cryptography was introduced by Aggarwal et al. as a potential post-quantum cryptosystem in 2017. Shortly after the publication, Beunardeau et al. proposed a lattice-based attack significantly reducing the security margins. During the NIST post-quantum project, Aggarwal et al. and Szepieniec introduced a new form of Mersenne number based cryptosystems which remain secure in the presence of the lattice reduction attack. These cryptoschemes make use of error-correcting codes and have a low but non-zero probability of failure during the decoding phase. In the event of a decoding failure, information about the secret key may be leaked and may allow for new attacks. In the first part of this work, we analyze the Mersenne number cryptosystem and NIST submission Ramstake and identify approaches to exploit the information leaked by decoding failures. We describe different attacks on a weakened variant of Ramstake. Furthermore, we pair the decoding failures with a timing attack on the code from the submission package. Both our attacks significantly reduce the security margins compared to the best known generic attack. However, our results on the weakened variant do not seem to carry over to the unweakened cryptosystem. It remains an open question whether the information flow from decoding failures can be exploited to break Ramstake. In the second part of this work, we analyze the Groverization of the lattice reduction attack by Beunardeau et al. The incorporation of the classical search problem into a quantum framework promises a quadratic speedup, potentially reducing the security margin by half. We give an explicit description of the quantum circuits resulting from the translation of the classical attack. This description contains, to the best of our knowledge, the first in-depth description and analysis of a quantum variant of the LLL algorithm. We show that the Groverized attack requires a large (but polynomial) overhead of quantum memory.

    Construction of Modifications and Cryptanalysis of Post-Quantum Primitives of the AJPS Family

    The qualification thesis comprises 135 pages and contains 45 figures, 3 tables and 60 sources. In recent years, quantum-resistant cryptography has been steadily developing. Its aim is to develop cryptographic primitives that would be resistant to attacks using both quantum and classical computers. In 2017, the National Institute of Standards and Technology (NIST) launched a competition for quantum-resistant asymmetric cryptographic primitives, which is ongoing. One of the participants in the first round of the competition is the Mersenne-756839 key encapsulation mechanism, which is based on the AJPS cryptosystem. The purpose of the research is to investigate the peculiarities of information transformation in cryptographic primitives of the AJPS family, and to modify them in order to increase the security level. The object of the research is the processes of information transformation in quantum-resistant cryptographic security systems. The subject of the research is the models of quantum-resistant cryptographic primitives of the AJPS family. The thesis presents recommendations for the key generation algorithms of the AJPS-1 and AJPS-2 cryptosystems and constructs a substitution attack on the AJPS-2 cryptosystem. New properties of arithmetic modulo a Mersenne number, a generalized Mersenne number and a Crandall number are proved. A modification of the AJPS-1 cryptosystem by changing the metric is constructed, as well as modifications of AJPS-1 and AJPS-2 by changing the class of numbers used as the modulus in the cryptosystems. A comparative analysis of all the constructed modifications and of the AJPS-1 and AJPS-2 cryptosystems is performed.

    Notes on Lattice-Based Cryptography

    Public-key cryptography relies on the assumption that some computational problems are hard to solve. In 1994, Peter Shor showed that the two most used computational problems, namely the Discrete Logarithm Problem and the Integer Factoring Problem, are no longer hard to solve when using a quantum computer. Since then, researchers have worked on finding new computational problems that are resistant to quantum attacks to replace these two. Lattice-based cryptography is the research field that employs cryptographic primitives involving hard problems defined on lattices, such as the Shortest Vector Problem and the Closest Vector Problem. The NTRU cryptosystem, published in 1998, was one of the first to be introduced in this field. The Learning With Errors (LWE) problem was introduced in 2005 by Regev, and it is now considered one of the most promising computational problems to be employed on a large scale in the near future. Studying its hardness and finding new and faster algorithms that solve it became a leading research topic in cryptology. This thesis includes the following contributions to the field:
    - A non-trivial reduction of the Mersenne Low Hamming Combination Search Problem, the underlying problem of an NTRU-like cryptosystem, to Integer Linear Programming (ILP). In particular, we find a family of weak keys.
    - A concrete security analysis of Integer-RLWE, a hard computational problem variant of LWE introduced by Gu Chunsheng. We formalize a meet-in-the-middle attack and a lattice-based attack for this case, and we exploit a weakness of the parameter choice given by Gu to build an improved lattice-based attack.
    - An improvement of the Blum-Kalai-Wasserman algorithm to solve LWE. In particular, we introduce a new reduction step and a new guessing procedure to the algorithm. These allowed us to develop two implementations of the algorithm that are able to solve relatively large LWE instances. While the first one efficiently uses only RAM and is fully parallelizable, the second one exploits a combination of RAM and disk storage to overcome the memory limitations imposed by the RAM.
    - We fill a gap in pairing-based cryptography by providing concrete formulas to compute hash maps to G2, the second group in the pairing domain, for the Barreto-Lynn-Scott family of pairing-friendly elliptic curves.
    Doctoral thesis

    Post-Quantum Provably-Secure Authentication and MAC from Mersenne Primes

    This paper presents a novel yet efficient secret-key authentication protocol and MAC with a post-quantum security promise, whose security is reduced to the conjectured quantum-safe hardness of the Mersenne Low Hamming Combination (MERS) assumption recently introduced by Aggarwal, Joux, Prakash, and Santha (CRYPTO 2018). Our protocols are well suited to weak devices such as smart cards and RFID tags.

    SoK: On the Security of Cryptographic Problems from Linear Algebra

    There are two main aims to this paper. Firstly, we survey the relevant existing attack strategies known to apply to the most commonly used lattice-based cryptographic problems as well as to a number of their variants. In particular, we consider attacks against problems in the style of LWE, SIS and NTRU defined over rings of the form Z[X]/(f(X), g(X)), where classically g(X) = q is an integer modulus. We also include attacks on variants which use only large integer arithmetic, corresponding to the degree one case g(X) = X - c. Secondly, for each of these approaches we investigate whether they can be generalised to the case of a polynomial modulus g(X) having degree larger than one, thus addressing the security of the generalised cryptographic problems from linear algebra introduced by Bootland et al. We find that some attacks readily generalise to a wide range of parameters while others require very specific conditions to be met in order to work.

    Key Encapsulation from Noisy Key Agreement in the Quantum Random Oracle Model

    A multitude of post-quantum key encapsulation mechanisms (KEMs) and public key encryption (PKE) schemes implicitly rely on a protocol by which Alice and Bob exchange public messages and converge on secret values that are identical up to some small noise. By our count, 24 out of 49 KEM or PKE submissions to the NIST Post-Quantum Cryptography Standardization project follow this strategy. Yet the notion of a noisy key agreement (NKA) protocol lacks a formal definition as a primitive in its own right. We provide such a formalization by defining the syntax and security of an NKA protocol. This formalization brings out four generic problems, called A and B State Recovery, Noisy Key Search and Noisy Key Distinguishing, whose solutions must be hard in the quantum computing model. Informally speaking, these can be viewed as noisy, quantum-resistant counterparts of the problems arising from classical Diffie-Hellman type protocols. We show that many existing proposals contain an NKA component that fits our formalization, and we reveal the induced concrete hardness assumptions. The question arises whether considering NKA as an independent primitive can help provide modular designs with improved efficiency and/or proofs. As the second contribution of this paper, we answer this question positively by presenting a generic transform from a secure NKA protocol to an IND-CCA secure KEM in the quantum random oracle model, with a security bound tightly related to the NKD problem. This transformation is essentially the same as that of the NIST candidate Ramstake. While establishing the security of Ramstake was our initial objective, the collection of tools that came about as a result of this journey is of independent interest.
