Improved Cryptanalysis of the AJPS Mersenne Based Cryptosystem
At Crypto 2018, Aggarwal, Joux, Prakash and Santha (AJPS) described a new public-key encryption scheme based on Mersenne numbers. Shortly after the publication of the cryptosystem, Beunardeau et al. described an attack with complexity O(2^(2h)). In this paper, we describe an improved attack with complexity O(2^(1.75h)).
The Modification of the Quantum-Resistant AJPS-1 Cryptographic Primitive
In recent years, quantum-resistant cryptography has been steadily developing, due in particular to the post-quantum cryptosystems competition of the National Institute of Standards and Technology (NIST), which has been ongoing since 2017. One of the participants in the first round of the competition is the AJPS cryptosystem. In this work, we propose a modification of the AJPS cryptosystem for bit-by-bit encryption by changing the class of numbers used as the modulus. This modification increases the variability of the cryptosystem parameters.
Integer Reconstruction Public-Key Encryption
In [AJPS17], Aggarwal, Joux, Prakash and Santha described an elegant public-key cryptosystem (AJPS-1) mimicking NTRU over the integers. This algorithm relies on the properties of Mersenne primes instead of polynomial rings. A later ePrint [BCGN17] by Beunardeau et al. revised AJPS-1's initial security estimates. While lower than initially thought, the best known attack on AJPS-1 still seems to leave the defender with an exponential advantage over the attacker [dBDJdW17]. However, this lower exponential advantage implies enlarging AJPS-1's parameters. This, plus the fact that AJPS-1 encodes only a single plaintext bit per ciphertext, made AJPS-1 impractical. In a recent update, Aggarwal et al. overcame this limitation by extending AJPS-1's bandwidth. This variant (AJPS-ECC) modifies the definition of the public key and relies on error-correcting codes.
This paper presents a different high-bandwidth construction. As opposed to AJPS-ECC, we do not modify the public key, avoid using error-correcting codes and use backtracking to decrypt. The new algorithm is orthogonal to AJPS-ECC, as both mechanisms may be used concurrently in the same ciphertext and cumulate their bandwidth improvement effects. Alternatively, we can increase AJPS-ECC's information rate by a factor of 26 for the parameters recommended in [AJPS17].
The obtained bandwidth improvement and the fact that encryption and decryption are reasonably efficient make our scheme an interesting post-quantum candidate.
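The AJPS-1 scheme that the abstract above builds on (NTRU-like, over the integers modulo a Mersenne prime, one plaintext bit per ciphertext) is small enough to write out in full. The Python below is an added illustration, not code from [AJPS17] or from this paper. It assumes toy parameters n = 127 and h = 5 (chosen so the demo runs in milliseconds; the NIST submission Mersenne-756839 mentioned elsewhere on this page uses n = 756839) and therefore offers no security. Function and variable names are mine.

```python
"""Toy AJPS-1: bit-by-bit public-key encryption modulo a Mersenne prime.

Illustrative code (not the authors' implementation).  Correctness rests on
three facts about n-bit arithmetic modulo p = 2^n - 1, for canonical
representatives in [0, p-1]:
  ham(x + y mod p) <= ham(x) + ham(y)
  ham(x * y mod p) <= ham(x) * ham(y)
  ham(-x  mod p)   == n - ham(x)       for x != 0  (p - x is the complement)
"""
import secrets
from typing import Optional, Tuple

# Toy parameters (assumption): 2^127 - 1 is a Mersenne prime, and h = 5
# satisfies the AJPS-1 correctness condition 4*h^2 < n.
N = 127
P = (1 << N) - 1
H = 5


def ham(x: int) -> int:
    """Hamming weight of the canonical representative x in [0, p-1]."""
    return bin(x).count("1")


def params_ok(n: int, h: int) -> bool:
    """Decryption is unambiguous only if the acceptance intervals
    [0, 2h^2] (bit 0) and [n - 2h^2, n] (bit 1) are disjoint: 4h^2 < n."""
    return 4 * h * h < n


def rand_low_weight(n: int, h: int) -> int:
    """Uniform n-bit string with exactly h one-bits, as an integer < p."""
    positions = set()
    while len(positions) < h:
        positions.add(secrets.randbelow(n))
    return sum(1 << i for i in positions)


def keygen(n: int = N, h: int = H) -> Tuple[int, int]:
    """Secret g and public pk = f * g^-1 mod p, with f and g of weight h."""
    p = (1 << n) - 1
    f = rand_low_weight(n, h)
    g = rand_low_weight(n, h)
    pk = (f * pow(g, -1, p)) % p  # p is prime, so every nonzero g is invertible
    return pk, g


def encrypt(pk: int, bit: int, n: int = N, h: int = H) -> int:
    """One bit per n-bit ciphertext: c = (-1)^bit * (a*pk + b) mod p."""
    p = (1 << n) - 1
    a = rand_low_weight(n, h)
    b = rand_low_weight(n, h)
    c = (a * pk + b) % p
    return c if bit == 0 else (p - c) % p  # negation complements all n bits


def decrypt(g: int, c: int, n: int = N, h: int = H) -> Optional[int]:
    """c*g = (-1)^bit * (a*f + b*g) mod p; read the bit off its weight.

    a*f + b*g has weight at most h^2 + h^2 = 2h^2, so bit 0 lands in
    [0, 2h^2] and bit 1 (its complement) in [n - 2h^2, n].
    """
    p = (1 << n) - 1
    d = ham((c * g) % p)
    if d <= 2 * h * h:
        return 0
    if d >= n - 2 * h * h:
        return 1
    return None  # unreachable when params_ok(n, h)


def roundtrip(trials: int = 100) -> bool:
    """Encrypt and decrypt random bits under a fresh key; True if all match."""
    pk, g = keygen()
    for _ in range(trials):
        bit = secrets.randbelow(2)
        if decrypt(g, encrypt(pk, bit)) != bit:
            return False
    return True


if __name__ == "__main__":
    print("4h^2 < n:", params_ok(N, H))
    print("100 random bits round-trip:", roundtrip(100))
```

Two things the code makes concrete. First, the "single plaintext bit per ciphertext" cost the abstract complains about is visible in `encrypt`: every ciphertext is a full n-bit integer modulo p, so the information rate is 1/n. Second, the decryption test is purely a Hamming-weight threshold on c*g, which is why the secret is g alone and why the three weight inequalities in the module docstring (the properties of arithmetic modulo a Mersenne number that the thesis abstract further down generalizes) are the whole correctness argument; the check `params_ok` is the condition that keeps the two thresholds from overlapping.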
Quantum Attacks on Mersenne Number Cryptosystems
Mersenne number based cryptography was introduced by Aggarwal et al. as a potential post-quantum cryptosystem in 2017. Shortly after the publication, Beunardeau et al. proposed a lattice-based attack significantly reducing the security margins. During the NIST post-quantum project, Aggarwal et al. and Szepieniec introduced a new form of Mersenne number based cryptosystem which remains secure in the presence of the lattice reduction attack. These schemes make use of error-correcting codes and have a low but non-zero probability of failure during the decoding phase. In the event of a decoding failure, information about the secret key may be leaked, which may allow for new attacks.
In the first part of this work, we analyze the Mersenne number cryptosystem and the NIST submission Ramstake and identify approaches to exploit the information leaked by decoding failures. We describe different attacks on a weakened variant of Ramstake. Furthermore, we pair the decoding failures with a timing attack on the code from the submission package. Both our attacks significantly reduce the security margins compared to the best known generic attack. However, our results on the weakened variant do not seem to carry over to the unweakened cryptosystem. It remains an open question whether the information flow from decoding failures can be exploited to break Ramstake.
In the second part of this work, we analyze the Groverization of the lattice reduction attack by Beunardeau et al. The incorporation of a classical search problem into a quantum framework promises a quadratic speedup, potentially reducing the security margin by half. We give an explicit description of the quantum circuits resulting from the translation of the classical attack. This description contains, to the best of our knowledge, the first in-depth description and analysis of a quantum variant of the LLL algorithm. We show that the Groverized attack requires a large (but polynomial) overhead of quantum memory.
Construction of Modifications and Cryptanalysis of Post-Quantum Primitives of the AJPS Family
The qualification work of 135 pages contains 45 figures, 3 tables and 60 sources.
In recent years, quantum-resistant cryptography has been steadily developing. Its aim is to develop cryptographic primitives that would be resistant to attacks using both quantum and classical computers. In 2017, the National Institute of Standards and Technology (NIST) launched a competition for quantum-resistant asymmetric cryptographic primitives, which is still ongoing. One of the participants in the first round of the competition is the Mersenne-756839 key encapsulation mechanism, which is based on the AJPS cryptosystem.
The purpose of the research is to investigate the peculiarities of the transformation of information in cryptographic primitives of the AJPS family, and their modification in order to increase the security level. The object of the research is the processes of transformation of information in quantum-resistant cryptographic security systems. The subject of the research is the models of quantum-resistant cryptographic primitives of the AJPS family. The work gives recommendations for the key generation algorithms of the AJPS-1 and AJPS-2 cryptosystems and constructs a substitution attack on the AJPS-2 cryptosystem. New properties of arithmetic modulo a Mersenne number, a generalized Mersenne number and a Crandall number are proved. A modification of the AJPS-1 cryptosystem by changing the metric, and modifications of AJPS-1 and AJPS-2 by changing the class of numbers used as the modulus, are constructed. A comparative analysis of all the constructed modifications and of the AJPS-1 and AJPS-2 cryptosystems is carried out.
Notes on Lattice-Based Cryptography
Public-key Cryptography relies on the assumption that some computational problems are hard to solve. In 1994, Peter Shor showed that the two most used computational problems, namely the Discrete Logarithm Problem and the Integer Factoring Problem, are not hard to solve anymore when using a quantum computer. Since then, researchers have worked on finding new computational problems that are resistant to quantum attacks to replace these two. Lattice-based Cryptography is the research field that employs cryptographic primitives involving hard problems defined on lattices, such as the Shortest Vector Problem and the Closest Vector Problem. The NTRU cryptosystem, published in 1998, was one of the first to be introduced in this field. The Learning With Errors (LWE) problem was introduced in 2005 by Regev, and it is now considered one of the most promising computational problems to be employed on a large scale in the near future. Studying its hardness and finding new and faster algorithms that solve it became a leading research topic in Cryptology.
This thesis includes the following contributions to the field:
- A non-trivial reduction of the Mersenne Low Hamming Combination Search Problem, the underlying problem of an NTRU-like cryptosystem, to Integer Linear Programming (ILP). In particular, we find a family of weak keys.
- A concrete security analysis of the Integer-RLWE, a hard computational problem variant of LWE introduced by Gu Chunsheng. We formalize a meet-in-the-middle attack and a lattice-based attack for this case, and we exploit a weakness of the parameters choice given by Gu to build an improved lattice-based attack.
- An improvement of the Blum-Kalai-Wasserman algorithm to solve LWE. In particular, we introduce a new reduction step and a new guessing procedure to the algorithm. These allowed us to develop two implementations of the algorithm that are able to solve relatively large LWE instances. While the first one efficiently uses only RAM memory and is fully parallelizable, the second one exploits a combination of RAM and disk storage to overcome the memory limitations given by the RAM.
- We fill a gap in Pairing-based Cryptography by providing concrete formulas to compute hash maps to G2, the second group in the pairing domain, for the Barreto-Lynn-Scott family of pairing-friendly elliptic curves.
Doctoral thesis
Post-Quantum Provably-Secure Authentication and MAC from Mersenne Primes
This paper presents a novel yet efficient secret-key authentication protocol and MAC that offer a post-quantum security promise: their security is reduced to the conjectured quantum-safe hardness of the Mersenne Low Hamming Combination (MERS) assumption recently introduced by Aggarwal, Joux, Prakash, and Santha (CRYPTO 2018). Our protocols are well suited to weak devices such as smart cards and RFID tags.
SoK: On the Security of Cryptographic Problems from Linear Algebra
There are two main aims to this paper. Firstly, we survey the relevant existing attack strategies known to apply to the most commonly used lattice-based cryptographic problems as well as to a number of their variants. In particular, we consider attacks against problems in the style of LWE, SIS and NTRU defined over rings of the form , where classically is an integer modulus. We also include attacks on variants which use only large integer arithmetic, corresponding to the degree one case . Secondly, for each of these approaches we investigate whether they can be generalised to the case of a polynomial modulus having degree larger than one, thus addressing the security of the generalised cryptographic problems from linear algebra introduced by Bootland et al. We find that some attacks readily generalise to a wide range of parameters, while others require very specific conditions to be met in order to work.
Key Encapsulation from Noisy Key Agreement in the Quantum Random Oracle Model
A multitude of post-quantum key encapsulation mechanisms (KEMs) and public key encryption (PKE) schemes implicitly rely on a protocol by which Alice and Bob exchange public messages and converge on secret values that are identical up to some small noise. By our count, 24 out of 49 KEM or PKE submissions to the NIST Post-Quantum Cryptography Standardization project follow this strategy. Yet the notion of a noisy key agreement (NKA) protocol lacks a formal definition as a primitive in its own right. We provide such a formalization by defining the syntax and security for an NKA protocol. This formalization brings out four generic problems, called A and B State Recovery, Noisy Key Search and Noisy Key Distinguishing, whose solutions must be hard in the quantum computing model. Informally speaking, these can be viewed as noisy, quantum-resistant counterparts of the problems arising from classical Diffie-Hellman type protocols. We show that many existing proposals contain an NKA component that fits our formalization and we reveal the induced concrete hardness assumptions. The question arises whether considering NKA as an independent primitive can help provide modular designs with improved efficiency and/or proofs. As the second contribution of this paper, we answer this question positively by presenting a generic transform from a secure NKA protocol to an IND-CCA secure KEM in the quantum random oracle model, with a security bound tightly related to the NKD problem. This transformation is essentially the same as that of the NIST candidate Ramstake. While establishing the security of Ramstake was our initial objective, the collection of tools that came about as a result of this journey is of independent interest.