
    Quadratic compact knapsack public-key cryptosystem

    Knapsack-type cryptosystems were among the first public-key cryptographic schemes to be invented. Their NP-complete nature and the high speed of encryption/decryption made them very attractive. However, these cryptosystems were shown to be vulnerable to low-density subset-sum attacks or to some key-recovery attacks. In this paper, additive knapsack-type public-key cryptography is reconsidered. We propose a knapsack-type public-key cryptosystem by introducing an easy quadratic compact knapsack problem. The system uses the Chinese remainder theorem to disguise the easy knapsack sequence. The encryption function of the system is nonlinear in the message vector. Under the relinearization attack model, the system enjoys a high density. We show that the knapsack cryptosystem is secure against low-density subset-sum attacks by observing that the underlying compact knapsack problem has exponentially many solutions. It is shown that the proposed cryptosystem is also secure against some brute-force attacks and some known key-recovery attacks, including the simultaneous Diophantine approximation attack and the orthogonal lattice attack.

    An Attack on a Fully Homomorphic Encryption Scheme

    In this paper we present an attack on a fully homomorphic encryption scheme from PKC 2010. We construct a modified secret key, a modified decryption algorithm and a subset of the ciphertext space. When the ciphertext is from the subset, we can correctly decrypt it with our modified secret key and modified decryption algorithm. We also discuss when our modified decryption algorithm is efficient, and when the subset is not negligible.

    The Lower Bounds on the Second Order Nonlinearity of Cubic Boolean Functions

    It is a difficult task to compute the $r$-th order nonlinearity of a given function with algebraic degree strictly greater than $r>1$. Even the lower bounds on the second order nonlinearity are known only for a few particular functions. We investigate the lower bounds on the second order nonlinearity of cubic Boolean functions $F_u(x)=Tr(\sum_{l=1}^{m}\mu_{l}x^{d_{l}})$, where $u_{l} \in F_{2^n}^{*}$, $d_{l}=2^{i_{l}}+2^{j_{l}}+1$, $i_{l}$ and $j_{l}$ are positive integers, $n>i_{l}>j_{l}$. Especially, for a class of Boolean functions $G_u(x)=Tr(\sum_{l=1}^{m}\mu_{l}x^{d_{l}})$, we deduce a tighter lower bound on the second order nonlinearity of the functions, where $u_{l} \in F_{2^n}^{*}$, $d_{l}=2^{i_{l}\gamma}+2^{j_{l}\gamma}+1$, $i_{l}>j_{l}$ and $\gamma\neq 1$ is a positive integer such that $\gcd(n,\gamma)=1$. The lower bounds on the second order nonlinearity of cubic monomial Boolean functions, represented by $f_\mu(x)=Tr(\mu x^{2^i+2^j+1})$, $\mu\in F_{2^n}^*$, $i$ and $j$ are positive integers such that $i>j$, have recently (2009) been obtained by Gode and Gangopadhyay. Our results have the following advantages over those of Gode and Gangopadhyay. We first extend the results from monomial Boolean functions to Boolean functions with more trace terms. We further generalize and improve the results to a wider range of $n$. Also, our bounds are better than those of Gode and Gangopadhyay for monomial functions $f_\mu(x)$.

    Faster Bootstrapping of FHE over the integers with large prime message space

    Bootstrapping of FHE over the integers with a large message space is an open problem: it requires evaluating the double modulo reduction $(c \bmod p) \bmod Q$ homomorphically for large $Q$. In this paper, we express this double modulo reduction circuit as an arithmetic circuit of degree at most $\theta^2 \log^2\theta/2$, with $O(\theta \log^2\theta)$ multiplication gates, where $\theta=\frac{\lambda}{\log\lambda}$ and $\lambda$ is the security parameter. The complexity of the decryption circuit is independent of the message space size $Q$ under the constraint $Q>\theta\log^2\theta/2$.

    Hard Fault Analysis of Trivium

    Fault analysis is a powerful attack on stream ciphers. Up to now, the major idea of fault analysis has been to simplify the cipher system by injecting some soft faults; we call it soft fault analysis. As a hardware-oriented stream cipher, Trivium is weak under soft fault analysis. In this paper we consider another type of fault analysis of stream ciphers, which is to simplify the cipher system by injecting some hard faults; we call it hard fault analysis. We present the following results about such attacks on Trivium. In Case 1, with probability not smaller than 0.2396, the attacker can obtain 69 bits of the 80-bit key. In Case 2, with probability not smaller than 0.2291, the attacker can obtain all of the 80-bit key. In Case 3, with probability not smaller than 0.2291, the attacker can partially solve the key. In Case 4, with non-negligible probability, the attacker can obtain a simplified cipher, with a smaller number of state bits and a slower non-linearization procedure. In Case 5, with non-negligible probability, the attacker can obtain another simplified cipher. Besides, these 5 cases can be checked by observing the key-stream.

    Floating Fault analysis of Trivium under Weaker Assumptions

    Trivium is a hardware-oriented stream cipher, and one of the ciphers finally chosen by the eSTREAM project. Michal Hojsik and Bohuslav Rudolf presented an effective attack on Trivium, named floating fault analysis, at INDOCRYPT 2008. Their attack makes use of fault injection and fault floating. In this paper, we present an improvement of this attack. Our attack is under the following weaker and more practical assumptions: the fault injection can be made into the state at a random time; the positions of the fault bits are in a random one of the 3 NFSRs, and within a random area of 8 neighboring bits. We present a checking method by which either the injection time and fault positions can be determined, or the state differential at a known time can be determined. Either of these two determinations is enough for the floating attack. After the determination, the attacker can on average obtain 67.167 additional linear equations from 82 original quadratic equations, and obtain 66 additional quadratic equations from 66 original cubic equations.

    Analysis on Aigis-Enc: asymmetrical and symmetrical

    Aigis-Enc is an encryption algorithm based on asymmetrical LWE. In this algorithm, a compression process is applied during both key generation and encryption (which is equivalent to adding some LWR noise). Encapsulation is then realized by the FO transformation. It is well known that the FO transformation is not considered when discussing CPA security. On the other hand, since the security reduction of LWR is hard to carry out, it is not considered when discussing the CPA security of Aigis-Enc. But compression must be taken into consideration when we discuss the decryption failure probability. In other words, when we discuss the CPA security of Aigis-Enc, the compression and the FO transformation are ignored; but when the decryption failure probability is discussed, compression is taken into consideration while the FO transformation remains ignored. According to the assumptions above, the Aigis-Enc designers claim that the CPA security of Aigis-Enc is approximately equal to that of the symmetrical LWE scheme of the same scale, and that the decryption failure probability of Aigis-Enc is far below that of the symmetrical LWE scheme of the same scale. In this paper, we make a thorough comparison between Aigis-Enc (with the recommended parameters) and the symmetrical LWE encryption scheme of the same scale. Our conclusion is as follows. (1) The comparison on CPA security. The former's is 160.898, and the latter's is 161.836. (2) The comparison on computation complexity. In the key generation phase, the ratio of the former to the latter in the number of samples drawn from the distribution $\left[\begin{array}{cc} 0 & 1 \\ \frac{1}{2} & \frac{1}{2} \end{array}\right]$ is 5:4; in the encryption phase, that ratio is 19:14. The other computations remain the same. (3) The comparison on decryption failure probability. The former's is $2^{-128.699}$, the latter's is $2^{-67.0582}$. The comparison seems to be dramatic. But in fact, we can slightly increase the traffic to keep the failure probability unchanged, in other words, compress less to keep the decryption failure probability unchanged. Specifically, we change the parameters $(d_1,d_2,d_3)$ from $(9,9,4)$ to $(10,10,4)$, which means that a large part of the public key remains the same, while the small part of the public key changes from 9 bits per entry to 10 bits; a large part of the ciphertext changes from 9 bits per entry to 10 bits, while the small part of the ciphertext remains the same. Thus, the communication traffic increases by less than $\frac{1}{9}$, while the decryption failure probability is lower than $2^{-128.699}$. We generalize the attacks presented by the designers of Aigis-Enc, including primal attacks and dual attacks. In more detail, our attacks are more extensive, simpler, and clearer. With them, we obtain the optimal attacks and "the optimal-optimal attack" on Aigis-Enc and the symmetrical LWE scheme of the same scale.

    Meet-in-the-Middle Attack on 8 Rounds of the AES Block Cipher under 192 Key Bits

    The AES block cipher has a 128-bit block length and a user key of 128, 192 or 256 bits; it was released by NIST for data encryption in the USA and became an ISO international standard in 2005. In 2008, Demirci and Selçuk gave a meet-in-the-middle attack on 7-round AES under 192 key bits. In 2009, Demirci et al. (incorrectly) described a new meet-in-the-middle attack on 7-round AES under 192 key bits. Subsequently, Dunkelman et al. described an attack on 8-round AES under 192 key bits by taking advantage of several advanced techniques, including one about the key schedule. In this paper, we show that by exploiting a simple observation on the key schedule, a meet-in-the-middle attack on 8-round AES under 192 key bits can be obtained from Demirci and Selçuk's and Demirci et al.'s work; and a more efficient attack can be obtained when taking into account Dunkelman et al.'s observation on the key schedule. In the single-key attack scenario, attacking 8 rounds is the best currently known cryptanalytic result for AES in terms of the number of attacked rounds, and our attack has a dramatically smaller data complexity than the currently known attacks on 8-round AES under 192 key bits.

    Efficient Construction for Full Black-Box Accountable Authority Identity-Based Encryption

    Accountable authority identity-based encryption (A-IBE), an attractive way to guarantee user privacy, enables a malicious private key generator (PKG) to be traced if it generates and re-distributes a user private key. In particular, an A-IBE scheme achieves full black-box security if it can further trace a decoder box and is secure against a malicious PKG who can access the user's decryption results. In PKC'11, Sahai and Seyalioglu presented a generic construction for full black-box A-IBE from a primitive called dummy identity-based encryption, which is a hybrid between IBE and attribute-based encryption (ABE). However, due to the complexity of ABE, their construction is inefficient, and the size of private keys and ciphertexts in their instantiation is linear in the length of the user identity. In this paper, we present a new efficient generic construction for full black-box A-IBE from a new primitive called token-based identity-based encryption (TB-IBE), without using ABE. We first formalize the definition and security model for TB-IBE. Subsequently, we show that a TB-IBE scheme satisfying some properties can be converted to a full black-box A-IBE scheme, which is as efficient as the underlying TB-IBE scheme in terms of computational complexity and parameter sizes. Finally, we give an instantiation with O(1) computational complexity and constant-size master key pair, private keys, and ciphertexts.