15 research outputs found
Finding Significant Fourier Coefficients: Clarifications, Simplifications, Applications and Limitations
Ideas from Fourier analysis have been used in cryptography for the last three
decades. Akavia, Goldwasser and Safra unified some of these ideas to give a
complete algorithm that finds significant Fourier coefficients of functions on
any finite abelian group. Their algorithm stimulated a lot of interest in the
cryptography community, especially in the context of `bit security'. This
manuscript attempts to be a friendly and comprehensive guide to the tools and
results in this field. The intended readership is cryptographers who have heard
about these tools and seek an understanding of their mechanics and their
usefulness and limitations. A compact overview of the algorithm is presented
with emphasis on the ideas behind it. We show how these ideas can be extended
to a `modulus-switching' variant of the algorithm. We survey some applications
of this algorithm, and explain that several results should be taken in the
right context. In particular, we point out that some of the most important bit
security problems are still open. Our original contributions include: a
discussion of the limitations on the usefulness of these tools; an answer to an
open question about the modular inversion hidden number problem
Modular Inversion Hidden Number Problem- A Lattice Approach
The Modular Inversion Hidden Number Problem (MIHNP) was introduced by
Boneh, Halevi and Howgrave-Graham in Asiacrypt 2001 (BHHâ01). They provided
two heuristics - in Method I, two-third of the output bits are required to solve the
problem, whereas the more efficient heuristic (Method II) requires only one-third of
the bits of the output. After more than a decade, here Sarkar in [28] identified that
the claim in Method II is actually not correct and a detailed calculation justified that
this method too requires two-third of the bits of the output, contrary to the claim in
BHHâ01. He reconstructed the lattice and give a bound which heuristically solve with
half of the output bits. Although J.Xu et al in [29] solved it with only one-third of the
output bits asymptotically but that technique is difficult to understand and implement.
Here we essentially use similar idea of [28] but in a clever way such that it is a better
bound although we solve the problem heuristically with only half of the output bits in
asymptotic sense. This is lot easier to understand and implement.
Also experimental results support the claim corresponding to our heuristics. In the last
section we actually talk about a variant of this which seems to be hard to solve under
lattice attack
Solving a Class of Modular Polynomial Equations and its Relation to Modular Inversion Hidden Number Problem and Inversive Congruential Generator
In this paper we revisit the modular inversion hidden number problem (MIHNP) and the inversive congruential generator (ICG) and consider how to attack them more efficiently. We consider systems of modular polynomial equations of the form a_{ij}+b_{ij}x_i+c_{ij}x_j+x_ix_j=0 (mod p) and show the relation between solving such equations and attacking MIHNP and ICG. We present three heuristic strategies using Coppersmith\u27s lattice-based root-finding technique for solving the above modular equations.
In the first strategy, we use the polynomial number of samples and get the same asymptotic bound on attacking ICG proposed in PKC 2012, which is the best result so far. However, exponential number of samples is required in the work of PKC 2012. In the second strategy, a part of polynomials chosen for the involved lattice are linear combinations of some polynomials and this enables us to achieve a larger upper bound for the desired root. Corresponding to the analysis of MIHNP we give an explicit lattice construction of the second attack method proposed by Boneh, Halevi and Howgrave-Graham in Asiacrypt 2001.
We provide better bound than that in the work of PKC 2012 for attacking ICG. Moreover, we propose the third strategy in order to give a further improvement in the involved lattice construction in the sense of requiring fewer samples
Lattice Attacks on Pairing-Based Signatures
International audiencePractical implementations of cryptosystems often suffer from critical information leakage through side-channels (such as their power consumption or their electromagnetic emanations). For public-key cryptography on embedded systems, the core operation is usually group exponentiation â or scalar multiplication on elliptic curves â which is a sequence of group operations derived from the private-key that may reveal secret bits to an attacker (on an unprotected implementation).We present lattice-based polynomial-time (heuristic) algorithms that recover the signerâs secret in popular pairing-based signatures when used to sign several messages under the assumption that blocks of consecutive bits of the corresponding exponents are known by the attacker. Our techniques relies upon Coppersmith method and apply to all signatures in the so-called exponent-inversion framework in the standard security model (i.e. Boneh-Boyen and Gentry signatures) as well as in the random oracle model (i.e. Sakai-Kasahara signatures)
On the Bit Security of Elliptic Curve Diffie--Hellman
This paper gives the first bit security result for the elliptic curve Diffie--Hellman key exchange protocol for elliptic curves defined over prime fields. About of the most significant bits of the -coordinate of the Diffie--Hellman key are as hard to compute as the entire key. A similar result can be derived for the lower bits. The paper also generalizes and improves the result for elliptic curves over extension fields, that shows that computing one component (in the ground field) of the Diffie--Hellman key is as hard to compute as the entire key
Hardness of Computing Individual Bits for One-way Functions on Elliptic Curves
We prove that if one can predict any of the bits of the input to an elliptic curve based one-way function over a finite field, then we can invert the function. In particular, our result implies that if one can predict any of the bits of the input to a classical pairing-based one-way function with non-negligible advantage over a random guess then one can efficiently invert this function and thus, solve the Fixed Argument Pairing Inversion problem (FAPI-1/FAPI-2). The latter has implications on the security of various pairing-based schemes such as the identity-based encryption scheme of BonehâFranklin, Hessâ identity-based signature scheme, as well as Jouxâs three-party one-round key agreement protocol. Moreover, if one can solve FAPI-1 and FAPI-2 in polynomial time then one can solve the Computational Diffie--Hellman problem (CDH) in polynomial time. Our result implies that all the bits of the functions defined above are hard-to-compute assuming these functions are one-way. The argument is based on a list-decoding technique via discrete Fourier transforms due to Akavia--GoldwasserâSafra as well as an idea due to BonehâShparlinski
On the Provable Security of an Efficient RSA-Based Pseudorandom Generator
Pseudorandom Generators (PRGs) based on the RSA inversion
(one-wayness) problem have been extensively studied in the
literature over the last 25 years. These generators have the
attractive feature of provable pseudorandomness security assuming
the hardness of the RSA inversion problem. However, despite
extensive study, the most efficient provably secure RSA-based
generators output asymptotically only at most bits per
multiply modulo an RSA modulus of bitlength , and hence are too
slow to be used in many practical applications.
To bring theory closer to practice, we present a simple
modification to the proof of security by Fischlin and Schnorr of
an RSA-based PRG, which shows that one can obtain an RSA-based PRG
which outputs bits per multiply and has provable
pseudorandomness security assuming the hardness of a well-studied
variant of the RSA inversion problem, where a constant fraction of
the plaintext bits are given. Our result gives a positive answer to an open question posed by Gennaro (J. of Cryptology, 2005) regarding finding a PRG beating the rate bits per multiply at the cost of a reasonable assumption on RSA inversion
The Modular Inversion Hidden Number Problem
We study a class of problems called Modular Inverse Hidden Number Problems (MIHNPs). The basic problem in this class is the following: Given many pairs x i ; msbk ( + x i ) mod p for random x i 2 Zp the problem is to find 2 Zp (here msbk (x) refers to the k most significant bits of x). We describe an algorithm for this problem when k > (log 2 p)=3 and conjecture that the problem is hard whenever k < (log 2 p)=3. We show that assuming hardness of some variants of this MIHNP problem leads to very efficient algebraic PRNGs and MACs