Baby-Step Giant-Step Algorithms for the Symmetric Group
We study discrete logarithms in the setting of group actions. Suppose that
is a group that acts on a set . When , a solution
to can be thought of as a kind of logarithm. In this paper, we study
the case where , and develop analogs to the Shanks baby-step /
giant-step procedure for ordinary discrete logarithms. Specifically, we compute
two sets such that every permutation of can be
written as a product of elements and . Our
deterministic procedure is optimal up to constant factors, in the sense that
and can be computed in optimal asymptotic complexity, and and
are a small constant from in size. We also analyze randomized
"collision" algorithms for the same problem
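Shanks' baby-step / giant-step for ordinary discrete logarithms, the procedure the paper takes as its starting point, written against a cyclic group action so that one routine serves both the modular-arithmetic case and a single permutation acting on tuples. This is an added example and not the paper's construction for all of the symmetric group; the permutation encoding (a tuple of images), the 7-element permutation and the modulus 101 are assumptions made for illustration.

```python
import math


def bsgs_action(act, x, y, order):
    """Return k in [0, order) with act(k, x) == y, or None if no such k.

    act(k, x) must compute g^k . x for a fixed generator g of a cyclic group
    of the given order acting on a set; negative k means the inverse of g.
    Baby steps tabulate g^j . x for 0 <= j < m; giant steps walk
    g^(-i*m) . y for 0 <= i < m.  A hit g^j . x == g^(-i*m) . y means
    y = g^(i*m + j) . x.  Time and memory are both O(sqrt(order)).
    """
    m = math.isqrt(order) + 1
    baby = {}
    for j in range(m):
        baby.setdefault(act(j, x), j)      # keep the smallest j on repeats
    for i in range(m):
        gamma = act(-i * m, y)
        if gamma in baby:
            return (i * m + baby[gamma]) % order
    return None


# Instance 1 (assumed parameters): the classical logarithm g^k = h (mod p),
# seen as the cyclic group <g> acting on Z_p^* by multiplication.
def dlog_mod_p(g, h, p, order):
    return bsgs_action(lambda k, v: pow(g, k, p) * v % p, 1, h % p, order)


# Instance 2 (assumed encoding): a permutation sigma, given as a tuple with
# sigma[i] the image of i, acts on tuples by t -> (t[sigma[0]], t[sigma[1]], ...).
def perm_mul(a, b):
    """a o b: apply b first, then a."""
    return tuple(a[i] for i in b)


def perm_inv(a):
    inv = [0] * len(a)
    for i, ai in enumerate(a):
        inv[ai] = i
    return tuple(inv)


def perm_pow(a, k):
    """Square-and-multiply; negative k uses the inverse permutation."""
    result = tuple(range(len(a)))
    base = a if k >= 0 else perm_inv(a)
    k = abs(k)
    while k:
        if k & 1:
            result = perm_mul(base, result)
        base = perm_mul(base, base)
        k >>= 1
    return result


def perm_order(a):
    """Order of a permutation: lcm of its cycle lengths."""
    seen = [False] * len(a)
    order = 1
    for i in range(len(a)):
        if seen[i]:
            continue
        length, j = 0, i
        while not seen[j]:
            seen[j] = True
            j = a[j]
            length += 1
        order = order * length // math.gcd(order, length)
    return order


def perm_dlog(sigma, x, y):
    """Return k with sigma^k . x == y for tuples x and y, or None."""
    act = lambda k, t: tuple(t[i] for i in perm_pow(sigma, k))
    return bsgs_action(act, x, y, perm_order(sigma))


if __name__ == "__main__":
    print(dlog_mod_p(2, pow(2, 73, 101), 101, 100))        # 73
    sigma = (1, 2, 3, 4, 0, 6, 5)                          # a 5-cycle and a 2-cycle
    x = tuple(range(7))
    y = tuple(x[i] for i in perm_pow(sigma, 7))
    print(perm_dlog(sigma, x, y))                          # 7
```

The baby table holds about sqrt(order) entries, so time and memory are both square-root in the group order; the paper's question is what the analogous two sets look like when the group is all of the symmetric group rather than one cyclic subgroup of it.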
ECC2K-130 on NVIDIA GPUs
A major cryptanalytic computation is currently underway on multiple platforms, including standard CPUs, FPGAs, PlayStations and Graphics Processing Units (GPUs), to break the Certicom ECC2K-130 challenge. This challenge is to compute an elliptic-curve discrete logarithm on a Koblitz curve over . Optimizations have reduced the cost of the computation to approximately 2^77 bit operations in 2^61 iterations. GPUs are not designed for fast binary-field arithmetic; they are designed for highly vectorizable floating-point computations that fit into very small amounts of static RAM. This paper explains how to optimize the ECC2K-130 computation for this unusual platform. The resulting GPU software performs more than 63 million iterations per second, including 320 million multiplications per second, on a $500 NVIDIA GTX 295 graphics card. The same techniques for finite-field arithmetic and elliptic-curve arithmetic can be reused in implementations of larger systems that are secure against similar attacks, making GPUs an interesting option as coprocessors when a busy Internet server has many elliptic-curve operations to perform in parallel
Quantum attacks on Bitcoin, and how to protect against them
The key cryptographic protocols used to secure the internet and financial
transactions of today are all susceptible to attack by the development of a
sufficiently large quantum computer. One particular area at risk is
cryptocurrencies, a market currently worth over 150 billion USD. We investigate
the risk of Bitcoin, and other cryptocurrencies, to attacks by quantum
computers. We find that the proof-of-work used by Bitcoin is relatively
resistant to substantial speedup by quantum computers in the next 10 years,
mainly because specialized ASIC miners are extremely fast compared to the
estimated clock speed of near-term quantum computers. On the other hand, the
elliptic curve signature scheme used by Bitcoin is much more at risk, and could
be completely broken by a quantum computer as early as 2027, by the most
optimistic estimates. We analyze an alternative proof-of-work called Momentum,
based on finding collisions in a hash function, that is even more resistant to
speedup by a quantum computer. We also review the available post-quantum
signature schemes to see which one would best meet the security and efficiency
requirements of blockchain applications.
Comment: 21 pages, 6 figures. For a rough update on the progress of quantum
devices and prognostications on time from now to break digital signatures,
see https://www.quantumcryptopocalypse.com/quantum-moores-law
An algebraic hash function based on SL2
Cryptographic hash functions are fundamental building blocks of many computer security systems and protocols, primarily being used to ensure data integrity. Recent attacks against modern hash functions have questioned the suitability of standard hash function construction principles. In this paper we consider a hash function construction based on multiplication in the group of 2 x 2 matrices over a finite field, proposed by Zemor and Tillich [48, 42, 43]. We also look at how the algebraic properties of hash functions following this design can be exploited in attacks. Finally, we consider variations to the approach of Zemor and Tillich that offer some resistance to those attacks
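The Zémor–Tillich construction the abstract refers to, as an added example (not code from the paper): each message bit selects one of two fixed matrices A0, A1 in SL2(GF(2^n)) and the digest is their ordered product. The field GF(2^127) with modulus x^127 + x + 1 is an assumption made here to keep the arithmetic short; the original proposal has its own choice of n and irreducible polynomial. The last function makes the algebraic property that attacks build on explicit: hashing is a monoid homomorphism from bit strings into the group, so H(m1 || m2) = H(m1) · H(m2).

```python
N = 127
POLY = (1 << N) | 0b11          # x^127 + x + 1, irreducible over GF(2) (assumed field)


def gf_mul(a, b):
    """Carry-less multiply of two GF(2^N) elements, reducing modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:              # degree reached N: fold back with the modulus
            a ^= POLY
    return r


def mat_mul(P, Q):
    """Product of 2x2 matrices over GF(2^N); addition is XOR."""
    (a, b), (c, d) = P
    (e, f), (g, h) = Q
    return ((gf_mul(a, e) ^ gf_mul(b, g), gf_mul(a, f) ^ gf_mul(b, h)),
            (gf_mul(c, e) ^ gf_mul(d, g), gf_mul(c, f) ^ gf_mul(d, h)))


def det(P):
    (a, b), (c, d) = P
    return gf_mul(a, d) ^ gf_mul(b, c)


X, ONE = 0b10, 0b1                  # the field elements x and 1
A0 = ((X, ONE), (ONE, 0))           # chosen by a message bit 0; det = 1
A1 = ((X, X ^ ONE), (ONE, ONE))     # chosen by a message bit 1; det = 1
IDENTITY = ((ONE, 0), (0, ONE))


def message_bits(msg):
    """Most-significant bit of each byte first."""
    for byte in msg:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def zt_hash(msg):
    """Digest = ordered product of A0/A1 over the message bits, in SL2(GF(2^N))."""
    h = IDENTITY
    for bit in message_bits(msg):
        h = mat_mul(h, A1 if bit else A0)
    return h


def concat_hash(h_left, h_right):
    """H(m1 || m2) computed from H(m1) and H(m2) alone: the homomorphism."""
    return mat_mul(h_left, h_right)


if __name__ == "__main__":
    h = zt_hash(b"Zemor-Tillich")
    print(det(h) == ONE)                                                 # True
    print(zt_hash(b"ab" + b"cd") == concat_hash(zt_hash(b"ab"), zt_hash(b"cd")))  # True
```

Two consequences follow directly from the homomorphism and are the kind of algebraic property the abstract refers to: any collision H(m) = H(m') extends to H(s || m || t) = H(s || m' || t) for arbitrary s and t, and a single message hashing to the identity matrix yields collisions with every message. A further structural fact visible in the code is that for messages shorter than N bits no reduction by POLY ever happens, so the top-left entry of the digest has degree exactly equal to the message length.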
Estimating the cost of generic quantum pre-image attacks on SHA-2 and SHA-3
We investigate the cost of Grover's quantum search algorithm when used in the
context of pre-image attacks on the SHA-2 and SHA-3 families of hash functions.
Our cost model assumes that the attack is run on a surface code based
fault-tolerant quantum computer. Our estimates rely on a time-area metric that
costs the number of logical qubits times the depth of the circuit in units of
surface code cycles. As a surface code cycle involves a significant classical
processing stage, our cost estimates allow for crude, but direct, comparisons
of classical and quantum algorithms.
We exhibit a circuit for a pre-image attack on SHA-256 that is approximately
surface code cycles deep and requires approximately
logical qubits. This yields an overall cost of
logical-qubit-cycles. Likewise we exhibit a SHA3-256 circuit that is
approximately surface code cycles deep and requires approximately
logical qubits for a total cost of, again,
logical-qubit-cycles. Both attacks require on the order of queries in
a quantum black-box model, hence our results suggest that executing these
attacks may be as much as billion times more expensive than one would
expect from the simple query analysis.
Comment: Same as the published version to appear in Selected Areas in
Cryptography (SAC) 2016. Comments are welcome
Time-Memory Trade-offs for Parallel Collision Search Algorithms
Parallel versions of collision search algorithms require a significant amount of memory to store a proportion of the points computed by the pseudo-random walks. Implementations available in the literature use a hash table to store these points and allow fast memory access. We provide theoretical evidence that memory is an important factor in determining the runtime of this method. We propose to replace the traditional hash table by a simple structure, inspired by radix trees, which saves space and provides fast look-up and insertion. In the case of many-collision search algorithms, our variant has a constant-factor improved runtime. We give benchmarks that show the linear parallel performance of the attack on elliptic curves discrete logarithms and improved running times for meet-in-the-middle applications
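The iteration that both the ECC2K-130 computation above and this paper's parallel collision search are built on, as an added example taken from neither paper: van Oorschot–Wiener style random walks with a deterministic r-adding step, distinguished points as the only stored state, and a collision between two walks solving the logarithm. The group here is the prime-order subgroup of Z_p^* for a small safe prime found at run time, standing in for the Koblitz curve group (point addition would replace modular multiplication); dist_bits = 4, r = 16, the secret exponent and the RNG seed are assumptions for illustration, and the Python dict marks the place where this paper's radix-tree structure would go.

```python
import math
import random


def is_prime(n):
    """Trial division; adequate for the ~2^25 moduli this example uses."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for d in range(3, math.isqrt(n) + 1, 2):
        if n % d == 0:
            return False
    return True


def find_safe_prime(start):
    """Smallest prime q >= start with p = 2q + 1 also prime; returns (p, q)."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


def pcs_dlog(p, q, g, h, dist_bits=4, r=16, seed=1, max_iters=2_000_000):
    """Solve g^x = h (mod p) in the order-q subgroup by parallel collision search.

    Every walk starts at a random g^a h^b and follows the same r-adding map
    y -> y * M[y mod r], so two walks that ever meet stay merged and reach
    the same distinguished point (low dist_bits of y all zero).  Only
    distinguished points are stored; a second arrival with a different
    (a, b) gives g^a h^b = g^a0 h^b0, hence x = (a0 - a) / (b - b0) mod q.
    Returns (x, iterations, stored_points).
    """
    rng = random.Random(seed)
    steps = [(rng.randrange(q), rng.randrange(q)) for _ in range(r)]
    mult = [pow(g, a, p) * pow(h, b, p) % p for a, b in steps]
    mask = (1 << dist_bits) - 1
    store = {}                     # distinguished point -> (a, b)
    iterations = 0
    walk_cap = 20 << dist_bits     # abandon a walk trapped in a DP-free cycle
    while iterations < max_iters:
        a, b = rng.randrange(q), rng.randrange(q)     # fresh walk ("thread")
        y = pow(g, a, p) * pow(h, b, p) % p
        for _ in range(walk_cap):
            iterations += 1
            if y & mask == 0:                          # distinguished point
                if y in store:
                    a0, b0 = store[y]
                    if (b - b0) % q:                   # genuinely different walks
                        x = (a0 - a) * pow(b - b0, -1, q) % q
                        return x, iterations, len(store)
                else:
                    store[y] = (a, b)
                break                                  # this walk is finished
            i = y % r
            y = y * mult[i] % p
            a = (a + steps[i][0]) % q
            b = (b + steps[i][1]) % q
    raise RuntimeError("iteration budget exhausted")


def demo(secret=1_234_567, seed=1):
    """Constructed instance: safe prime just above 2^24, generator 4 (a square,
    so it generates the order-q subgroup), secret exponent assumed."""
    p, q = find_safe_prime(1 << 24)
    g = 4
    h = pow(g, secret, p)
    x, iters, stored = pcs_dlog(p, q, g, h, seed=seed)
    return x, iters, stored, q


if __name__ == "__main__":
    x, iters, stored, q = demo()
    print(x, iters, stored, q)   # recovered exponent, work done, table size, group order
```

Memory is one stored point per about 2^dist_bits iterations, so dist_bits trades table size against the extra steps a walk takes after it has merged with another before the merge is detected; demo() returns the recovered exponent together with the iteration and storage counts so that trade-off can be measured directly, and the store lookup on every distinguished point is the access pattern this paper's structure is designed to speed up.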
Quantum Search for Scaled Hash Function Preimages
We present the implementation of Grover's algorithm in a quantum simulator to
perform a quantum search for preimages of two scaled hash functions, whose
design only uses modular addition, word rotation, and bitwise exclusive or. Our
implementation provides the means to assess with precision the scaling of the
number of gates and depth of a full-fledged quantum circuit designed to find
the preimages of a given hash digest. The detailed construction of the quantum
oracle shows that the presence of AND gates, OR gates, shifts of bits and the
reuse of the initial state along the computation, require extra quantum
resources as compared with other hash functions based on modular additions, XOR
gates and rotations. We also track the entanglement entropy present in the
quantum register at every step along the computation, showing that it becomes
maximal at the inner core of the first action of the quantum oracle, which
implies that no classical simulation based on Tensor Networks would be of
relevance. Finally, we show that strategies that suggest a shortcut based on
sampling the quantum register after a few steps of Grover's algorithm can only
provide some marginal practical advantage in terms of error mitigation.
Comment: 24 pages, 14 figures
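A state-vector simulation of Grover's search for a preimage of a toy ARX hash, serving both this abstract and the SHA-2/SHA-3 cost estimate above. It is an added example, not code from either paper; the 16-bit to 8-bit hash, its constants and its round count are constructed here for illustration. The simulator evaluates the oracle classically once per basis state rather than building the reversible circuit the papers cost, so it shows the query count and success probability, not gate counts or depth.

```python
import math

WORD = 8
MASK = (1 << WORD) - 1


def rotl(v, s):
    return ((v << s) | (v >> (WORD - s))) & MASK


def toy_arx_hash(m, rounds=4):
    """Constructed 16-bit -> 8-bit toy using only modular add, rotate and xor.
    Every round is a bijection on the (a, b) pair, so each 8-bit output has
    exactly 2^8 preimages among the 2^16 inputs."""
    a, b = m & MASK, (m >> WORD) & MASK
    for i in range(rounds):
        a = (a + b) & MASK
        b = rotl(b, 3) ^ a
        a = rotl(a, 5) ^ (0x9E + i)
        b = (b + 0x37) & MASK
    return a ^ b


def grover_preimage(h, target, n_bits):
    """Simulate Grover search for x with h(x) == target over n_bits-bit inputs.

    The state is a vector of 2^n real amplitudes.  The oracle flips the sign
    of every basis state whose hash equals target (a circuit would compute h
    in superposition; here h is evaluated once per basis state and cached);
    the diffusion step reflects all amplitudes about their mean.
    Returns (most likely x, P[measuring a preimage], iterations, #preimages).
    """
    n = 1 << n_bits
    marked = [x for x in range(n) if h(x) == target]
    if not marked:
        raise ValueError("target has no preimage")
    m = len(marked)
    k = int(math.pi / 4 * math.sqrt(n / m))       # optimal iteration count
    amp = [1.0 / math.sqrt(n)] * n                  # uniform superposition
    for _ in range(k):
        for x in marked:                            # oracle: phase flip
            amp[x] = -amp[x]
        mean = sum(amp) / n                         # diffusion: 2|s><s| - I
        amp = [2.0 * mean - a for a in amp]
    probs = [a * a for a in amp]
    p_hit = sum(probs[x] for x in marked)
    best = max(range(n), key=probs.__getitem__)
    return best, p_hit, k, m


if __name__ == "__main__":
    target = toy_arx_hash(0x1234)                   # constructed challenge digest
    best, p_hit, k, m = grover_preimage(toy_arx_hash, target, 16)
    print(hex(best), toy_arx_hash(best) == target, round(p_hit, 5), k, m)
```

With N = 2^16 inputs and M = 2^8 preimages the optimal count is floor(pi/4 · sqrt(N/M)) = 12 oracle calls, against about N/M = 256 expected classical trials: that square-root gap is what the simple query analysis counts. The cost estimate above is about what one such oracle call costs once it is a fault-tolerant SHA-256 circuit measured in logical-qubit-cycles, which is where the multiplicative factor that abstract reports comes from; the entanglement-entropy observation in this abstract concerns the same oracle, which the toy simulation above evaluates classically and so cannot exhibit.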