How to improve information set decoding exploiting that 1+1 = 0 mod 2
1 How to improve information set decoding exploiting that 1+1 = 0 mod 2. Anja Becker, Postdoc at EPFL. Seminar CCA, January 11, 2013, Paris
2 Representation Find unique solution to hard problem in cryptography Apply new algorithmic technique
3 Setting. Problems in cryptography in focus: the syndrome decoding problem in a random binary code, and the knapsack problem. Difficulty for random codes and knapsacks: NP-hard, and hard on average. Generic algorithms: we designed exponential algorithms $O(2^{\alpha n})$ with $\alpha < 1$. Goal: reduce $\alpha$.
4 Part I Subset sum problem over the integers Part II Distance decoding problem for binary linear codes
5 Subset sum problem (knapsack problem). Given n integers $a_i$ and a target integer value S, find {0,1}-values $\varepsilon_i$ with $\sum_{i=1}^{n} a_i \varepsilon_i = S$. NP-hard [Karp 72]. Density: $D = n/\log_2(a_{\max})$. Random knapsack: $a_i \leftarrow U[1, 2^{n/D}]$ and $\varepsilon \leftarrow U\{0,1\}^n$, with $n \approx \log_2(a_{\max})$; few solutions of weight n/2.
6 History. In the past, encryption cryptosystems were proposed: Merkle-Hellman (78), Chor-Rivest (84), ... Attacks exploit the disguised structure of the knapsack, or reduce the problem to the search for a short vector: solvable for density < 0.94 via a lattice oracle [LO 85, ..., CJLOSS 92], with the solution found in polynomial time for reasonable parameters. $n > \log_2(a_{\max})$: non-unique solution. Most difficult case: density $\approx 1$ leads to exponential complexity.
7 Standard approach. Split the sum: $\sum_{i=1}^{n/2} a_i \varepsilon_i = S - \sum_{i=n/2+1}^{n} a_i \varepsilon_i$. 1. Create two lists of length $\ell = 2^{n/2}$: $L_1 = \{(x, \sum_{i=1}^{n/2} a_i x_i)\}$ and $L_2 = \{(y, S - \sum_{i=n/2+1}^{n} a_i y_i)\}$ with $x_i, y_i \in \{0,1\}$. 2. Search for a collision between elements of $L_1$ and $L_2$. A hash-join costs $|L_1| + |L_2|$. Time and memory: $O(n\,2^{n/2})$.
8 Observations. Solves all instances. The solution is found as the concatenation $x \| y = \varepsilon$. Complexity is dominated by the size of the lists and the cost of the join. Shamir-Schroeppel 81: can split into 4 lists and keep the same time $\tilde O(2^{n/2})$ but reduce memory to $\tilde O(2^{n/4})$. Wagner 02: solves the 4-list problem in time $\tilde O(2^{n/3})$ for many solutions and large lists. $\tilde O(\cdot)$ neglects polynomial factors in n.
9 Transform problem to search of one-out-of-many...
10 Representation. Write $\varepsilon = x + y$ where $\mathrm{len}(x) = \mathrm{len}(y) = \mathrm{len}(\varepsilon) = n$ and $\mathrm{wt}(x) = \mathrm{wt}(y) = n/4$. There are $N = \binom{n/2}{n/4} = \tilde O(2^{n/2})$ representations.
11-13 Algorithm. 1. Create $L_1 = \{(x, \sum_{i=1}^{n} a_i x_i) : x \text{ of weight } n/4\}$. 2. Create $L_2 = \{(y, S - \sum_{i=1}^{n} a_i y_i) : y \text{ of weight } n/4\}$. 3. Search for a collision over the integers and check the weight: $\sum_{i=1}^{n} a_i (x_i + y_i) = S$ and $\mathrm{wt}(x + y) = \mathrm{wt}(\varepsilon)$. Here $|L| = \binom{n}{n/4} = 2^{H(1/4)\,n}$ and the solution is found N times. Add a modular constraint: $\sum_{i=1}^{n} a_i x_i + \sum_{i=1}^{n} a_i y_i \equiv S \pmod M$. For $N \geq M$ representations, fix a random R and require $R \equiv a \cdot x \pmod M$ and $S - R \equiv a \cdot y \pmod M$, i.e. $L_1 = \{(x, \sum_{i=1}^{n} a_i x_i) : x \text{ of weight } n/4,\ \sum_{i=1}^{n} a_i x_i \equiv R \pmod M\}$ and $L_2 = \{(y, S - \sum_{i=1}^{n} a_i y_i) : y \text{ of weight } n/4,\ \sum_{i=1}^{n} a_i y_i \equiv S - R \pmod M\}$. Then $|L_i| = \binom{n}{n/4}/M$ with $N \geq M$.
14 Dominating cost. 1. Shorter lists: $E(|L|) = \#x / N$. 2. Collisions: $E(C) = |L|^2 / (2^n / N) = (\#x)^2 / (N\,2^n)$. 3. Cost to create the lists: apply the technique recursively.
15-16 Subknapsacks. $a \cdot (x^{(1)} + x^{(2)} + x^{(3)} + x^{(4)}) = S$; $a \cdot (x^{(1)} + x^{(2)}) \equiv_{M_1} R$ and $a \cdot (x^{(3)} + x^{(4)}) \equiv_{M_1} S - R$; $a \cdot x^{(1)} \equiv_{M_2} R_1$, $a \cdot x^{(2)} \equiv_{M_2} R - R_1$, $a \cdot x^{(3)} \equiv_{M_2} R_2$, $a \cdot x^{(4)} \equiv_{M_2} S - R - R_2$. Join to match the modular constraint, then check the weight. Solves random instances in time $\tilde O(2^{0.337n})$ and memory $\tilde O(2^{0.311n})$ [Howgrave-Graham, Joux 10].
17-18 Increase the number of representations. Write the solution $\varepsilon = x + y$: write a 1 in $\varepsilon$ as (1, 0) or (0, 1) in (x, y); write a 0 in $\varepsilon$ as (0, 0) or (-1, 1) or (1, -1). $N = \binom{n/2}{n/4}\binom{n/2}{c,\,c,\,n/2 - 2c}$. Choose c to find the minimal running time. Recurse.
19 Algorithms for the hard knapsack problem: algorithms that find the solution $\varepsilon \in \{0,1\}^n$ for a given hard subset sum (time, memory). Best known algorithm for all instances, Shamir-Schroeppel 1979/1981: $\tilde O(2^{n/2})$, $\tilde O(2^{n/4})$. For random instances, Howgrave-Graham, Joux 2010: $\tilde O(2^{0.337n})$, $\tilde O(2^{0.311n})$. For random instances, B., Coron, Joux 2011: $\tilde O(2^{\ldots n})$, $\tilde O(2^{\ldots n})$. $\tilde O(\cdot)$ neglects linear/logarithmic factors.
20 Time-Memory [plot of time against memory comparing dissection, representation, Shamir-Schroeppel and cycle-finding; axes Time and Memory]. Representation technique: $M \cdot T = 2^{\ldots n}$. Dinur, Dunkelman, Keller, Shamir 12: reduce $M \cdot T$ down to $2^{\ldots n}$.
22 Application to linear codes Decoding Problem
23 Vectorial subset sum. Given a random matrix H and a random target vector s over $\mathbb{F}_2$, find a vector e of weight $\omega$ with $He = [a_1\ a_2\ \cdots\ a_n]\,e = s$.
24 Binary linear codes. Defined by a parity check matrix $H_0 \in \mathbb{F}_2^{(n-k) \times n}$; length n and dimension k. Codeword $c \in \mathbb{F}_2^n$: $H_0 c = 0$. Shortest codeword: minimal distance d. Used in McEliece/Niederreiter encryption (78, 86), the CFS signature (CFS 01, F 10), special signatures (DV 09, MCGL 11), zero-knowledge identification schemes (S 77, MGS 11) and hash functions (AF 05).
25-26 Underlying computational problem. Bounded distance decoding problem: given a linear code C, a random vector $y \in \mathbb{F}_2^n$ and an integer $\omega$, find a vector e of weight $\omega$ with $y + e \in C$. Weight $\omega \le d/2$ gives unique decoding [figure: y = c + e lies within the decoding radius of the codeword c]. Syndrome s: $Hy = H(c + e) = He = s$. Computational syndrome decoding problem: given H, s and an integer $\omega$, find a vector e of weight $\omega$ such that $He = s$. Equivalent problems [LDW 94]; NP-hard for binary linear codes [Berlekamp et al. 78].
27 Information Set Decoding (ISD). The most efficient method for a random code: Lee-Brickell 88, ..., Finiasz, Sendrier 09. $He = U H_0 P e = s$ with $\begin{bmatrix} A' & 0 \\ A'' & I \end{bmatrix}\begin{bmatrix} e' \\ e'' \end{bmatrix} = \begin{bmatrix} A' e' \\ A'' e' + e'' \end{bmatrix} = \begin{bmatrix} s_{up} \\ s_{low} \end{bmatrix}$, where $e'$ has length $k + l$ and weight p and $e''$ has length $n - k - l$ and weight $\omega - p$. Given $e'$, compute $e'' = A'' e' + s_{low}$.
28 Probability. With $e'$ of length $k + l$ and weight p and $e''$ of length $n - k - l$ and weight $\omega - p$, the probability of the right weight structure is $P = \binom{k+l}{p}\binom{n-k-l}{\omega-p} / \binom{n}{\omega}$. p and l are optimization parameters.
29 Information Set Decoding. Repeat: 1. Obtain the systematic form by a random permutation and Gaussian elimination. 2. Search $e'$ of weight p with $A' e' = s_{up}$. 3. Compute the candidate $e'' = A'' e' + s_{low}$ and check that its weight is $\omega - p$. 4. Apply the inverse of the initial transformations to solve the original problem.
31 Classical algorithm. Find $e'$ such that $A' e' = s$. Split the columns, $A' = [A'_1 \mid A'_2]$, and $e' = e'_1 \| e'_2$ with $\mathrm{wt}(e'_1) = \mathrm{wt}(e'_2) = p/2$. 1. Compute all column sums $\{A'_1 e'_1\}$ and $\{s + A'_2 e'_2\}$ of p/2 columns. 2. Search for collisions $A'_1 e'_1 = s + A'_2 e'_2$.
32 Observation. $e'$ is found in a unique way as $e'_1 \| e'_2$: Stern, Barg 89; Canteaut-Chabanne, Canteaut-Chabaud 94, 98; ...; BLP 08; ball-collision (10). Ameliorations in different phases of ISD. What about the representation idea?
33 Method based on representations. Construct $e'$ as $e'_1 + e'_2$, with $e'$ of length $k + l$ and weight p, $e''$ of length $n - k - l$ and weight $\omega - p$, and $\mathrm{wt}(e'_1) = \mathrm{wt}(e'_2) = p/2 + c$. c = 0: Finiasz, Sendrier 09; May, Meurer, Thomae 11; Johansson, Loendahl 11. c > 0: B., Joux, May, Meurer (11), the analogue of the 0, 1, -1 integer case.
34 Representation. $\mathrm{wt}(e'_i) = p/2 + c$ and $\mathrm{wt}(e'_1 + e'_2) = p$: $N = \binom{p}{p/2}\binom{m-p}{c}$ representations (m = k + l the length of $e'$). Constraint: $A' e'_1 = s + A' e'_2$. Some representations share the same value on some bits: $t = [A' e'_1]_r = [s + A' e'_2]_r$ for a random $t \in \mathbb{F}_2^r$. We expect $N / 2^r$ representations for almost every t; choose $2^r \approx N$. Algorithm: expect to find one $(e'_1, e'_2)$ among all collisions between $\{e'_1 : [A' e'_1]_r = t\}$ and $\{e'_2 : [s + A' e'_2]_r = t\}$; verify $\mathrm{wt}(e'_1 + e'_2) = p$.
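An added example (not the talk's or the paper's code) of the ISD loop of slide 29 with the representation step of slides 33-34 in the c = 0 case: on a constructed small random binary code with a planted weight-ω error, each iteration permutes the columns, reduces H to the [A' 0; A'' I] shape, builds the two lists of weight-p/2 vectors that agree with a random r-bit target t, joins them on the full A'e', discards overlapping supports (wt(e') < p), and completes e'' = A''e' + s_low; all function names are assumed.

```python
import random
from itertools import combinations

def mat_vec(H, e):
    """H e over F_2 (H as a list of 0/1 rows) as a list of bits."""
    return [sum(h & x for h, x in zip(row, e)) & 1 for row in H]

def systematic_form(H, s, k, l):
    """Row operations U bringing the last n-k-l columns of H to [0; I], i.e. the
    slide's shape [A' 0; A'' I]; the syndrome is transformed alongside (U s).
    Returns (H', s') or None when this column order admits no such pivoting."""
    r, n = len(H), len(H[0])
    M = [row[:] + [b] for row, b in zip(H, s)]          # augment with the syndrome
    for j in range(r - l):
        col, piv = k + l + j, l + j
        pr = next((i for i in range(piv, r) if M[i][col]), None)
        if pr is None:
            return None
        M[piv], M[pr] = M[pr], M[piv]
        for i in range(r):
            if i != piv and M[i][col]:
                M[i] = [x ^ y for x, y in zip(M[i], M[piv])]
    return [row[:n] for row in M], [row[n] for row in M]

def pack(bits):
    """Bit list -> int with bit i at position i."""
    return sum(b << i for i, b in enumerate(bits))

def isd_representations(H, s, omega, k, l, p, rbits, seed=0, max_iter=20000):
    """ISD with e' = e'_1 + e'_2, wt(e'_1) = wt(e'_2) = p/2 (the c = 0 case).
    Both halves range over all k+l positions; a random r-bit target t on A'e'_1
    keeps about N/2^r of the N = binom(p, p/2) representations of e'.
    Returns (e, iterations) with H e = s and wt(e) = omega, or (None, max_iter)."""
    rng = random.Random(seed)
    r, n = len(H), len(H[0])
    mask = (1 << rbits) - 1
    for it in range(1, max_iter + 1):
        perm = list(range(n)); rng.shuffle(perm)        # random column permutation P
        red = systematic_form([[row[j] for j in perm] for row in H], s, k, l)
        if red is None:
            continue
        Hs, ss = red
        # columns of A' (top l rows) and A'' (bottom n-k-l rows), packed as ints
        up = [pack([Hs[i][j] for i in range(l)]) for j in range(k + l)]
        low = [pack([Hs[i][j] for i in range(l, r)]) for j in range(k + l)]
        s_up, s_low = pack(ss[:l]), pack(ss[l:])
        t = rng.randrange(1 << rbits)
        L1 = {}                                          # {e'_1 : [A'e'_1]_r = t}, keyed by A'e'_1
        for supp in combinations(range(k + l), p // 2):
            v = 0
            for j in supp:
                v ^= up[j]
            if v & mask == t:
                L1.setdefault(v, []).append(supp)
        for supp2 in combinations(range(k + l), p // 2):  # {e'_2 : [s_up + A'e'_2]_r = t}
            v = s_up
            for j in supp2:
                v ^= up[j]
            if v & mask != t:
                continue
            for supp1 in L1.get(v, ()):                  # collision: A'e'_1 = s_up + A'e'_2
                if set(supp1) & set(supp2):              # overlapping supports: wt(e') < p
                    continue
                e_low = s_low                            # e'' = A''e' + s_low
                for j in supp1 + supp2:
                    e_low ^= low[j]
                if bin(e_low).count("1") != omega - p:   # weight check on e''
                    continue
                e_perm = [0] * n
                for j in supp1 + supp2:
                    e_perm[j] = 1
                for i in range(r - l):
                    e_perm[k + l + i] = (e_low >> i) & 1
                e = [0] * n
                for pos, j in enumerate(perm):           # undo the permutation P
                    e[j] = e_perm[pos]
                return e, it
    return None, max_iter

def code_instance(n, k, omega, seed):
    """Constructed random (n-k) x n parity-check matrix with a planted error of weight omega."""
    rng = random.Random(seed)
    H = [[rng.randrange(2) for _ in range(n)] for _ in range(n - k)]
    e = [0] * n
    for j in rng.sample(range(n), omega):
        e[j] = 1
    return H, mat_vec(H, e), e
```

For a [32, 16] code with ω = 4, l = 4, p = 2 and r = 1, the solution has N = 2 representations, of which about N/2 survive the target t in each iteration, so a valid e is returned after a handful of permutations.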
35 Asymptotic time complexity. Decoding problem for a code C = [n, k, d]; R := k/n, D := d/n. Gilbert-Varshamov bound: $R \approx 1 - H(D)$. W := $\omega/n$. Half-distance decoding: W = D/2; full-distance decoding: W = D. The complexity can be expressed in terms of n and R: time $T(n, R) = 2^{T(R)\,n + o(n)}$.
36 Asymptotic time complexity. Time $T(n, R) = 2^{T(R)\,n + o(n)}$. [plot of T(R) against R := k/n for half-distance decoding; curves FS-Stern, Repres. MMT and Leon] Almost the same worst-case information rate.
37 Asymptotic worst case in time. [table of memory and time exponents for Stern, Ball, MMT and Now; numeric entries lost in the transcription] Half-distance decoding (W = D/2): memory and time for Stern, Ball, MMT, Now; 8% time. Full-distance decoding (W = D): memory and time for Stern, Ball, MMT, Now; memory limited.
38 Comments and summary. Algorithmic tweaks: memory can be reduced by choosing a slightly larger modulus and repeating; efficient join routine. Probabilistic algorithm for random instances: for a small fraction of instances and a proportion of targets the algorithm will not succeed; the choice of targets influences the outcome. Large lists, many collisions; small number of repetitions.
39 Experiments. Optimal parameters are very small for feasible n. Knapsack (n = 80): number of 1s at the first level $c_1 = 2$, $c_2 = 1$, $c_3 = \ldots$; ... random knapsacks; 3 minutes per repetition; 5.47 repetitions on average (Intel Xeon X5560 at 2.80 GHz). Codes: $[n, k, \omega, p, l] = [1024, 524, 50, 8, 46]$, $(c_1, r_1) = (2, 23)$, $(c_2, r_2) = (1, 13)$; 1000 instances; 50% solved instances per repetition. Increasing the restriction to $r_2 = 14$ halves time, memory and success. The expected size of the lists and the number of collisions are as expected. No special cases.
40 Bibliography. Anja Becker, Jean-Sébastien Coron, Antoine Joux. Improved Generic Algorithms for Hard Knapsacks. Eurocrypt 2011. eprint.iacr.org/2011/474. Anja Becker, Antoine Joux, Alexander May, Alexander Meurer. Decoding Random Binary Linear Codes in $2^{n/20}$: How 1+1=0 Improves Information Set Decoding. Eurocrypt 2012. eprint.iacr.org/2012/026
41 Perspectives Possible generalization to other groups Allowing arbitrary coefficients Apply to other problems 37
42 Thank you
More informationSome Security Comparisons of GOST R and ECDSA Signature Schemes
Some Security Comparisons of GOST R 34.10-2012 and ECDSA Signature Schemes Trieu Quang Phong Nguyen Quoc Toan Institute of Cryptography Science and Technology Gover. Info. Security Committee, Viet Nam
More informationComputational Complexity
Computational Complexity Algorithm performance and difficulty of problems So far we have seen problems admitting fast algorithms flow problems, shortest path, spanning tree... and other problems for which
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More informationMcBits: fast constant-time code-based cryptography. (to appear at CHES 2013)
McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit
More informationA Provably Secure Group Signature Scheme from Code-Based Assumptions
A Provably Secure Group Signature Scheme from Code-Based Assumptions Martianus Frederic Ezerman, Hyung Tae Lee, San Ling, Khoa Nguyen, Huaxiong Wang NTU, Singapore ASIACRYPT 15-01/12/15 Group Signatures
More informationMDPC-McEliece: New McEliece Variants from Moderate Density Parity-Check Codes
MDPC-McEliece: New McEliece Variants from Moderate Density Parity-Check Codes Rafael Misoczki, Jean-Pierre Tillich, Nicolas Sendrier, Paulo S. L. M. Barreto To cite this version: Rafael Misoczki, Jean-Pierre
More informationErrors, Eavesdroppers, and Enormous Matrices
Errors, Eavesdroppers, and Enormous Matrices Jessalyn Bolkema September 1, 2016 University of Nebraska - Lincoln Keep it secret, keep it safe Public Key Cryptography The idea: We want a one-way lock so,
More informationMasking the GLP Lattice-Based Signature Scheme at any Order
Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software Institute) Sonia Belaïd (CryptoExperts) Thomas Espitau (UPMC) Pierre-Alain Fouque (Univ. Rennes I and IUF) Benjamin
More informationCryptanalysis of the Original McEliece Cryptosystem
Cryptanalysis of the Original McEliece Cryptosystem Anne Canteaut and Nicolas Sendrier INRIA - projet CODES BP 105 78153 Le Chesnay, France Abstract. The class of public-ey cryptosystems based on error-correcting
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationOvertaking VEST. 45, avenue des États-Unis, Versailles Cedex, France 3 DCSSI Crypto Lab
Overtaking VEST Antoine Joux 1,2 and Jean-René Reinhard 3 1 DGA 2 Université de Versailles St-Quentin-en-Yvelines, PRISM 45, avenue des États-Unis, 78035 Versailles Cedex, France antoine.joux@m4x.org 3
More informationGurgen Khachatrian Martun Karapetyan
34 International Journal Information Theories and Applications, Vol. 23, Number 1, (c) 2016 On a public key encryption algorithm based on Permutation Polynomials and performance analyses Gurgen Khachatrian
More informationA new security notion for asymmetric encryption Draft #12
A new security notion for asymmetric encryption Draft #12 Muhammad Rezal Kamel Ariffin 1,2 1 Al-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, 2 Department of Mathematics,
More informationA Fuzzy Sketch with Trapdoor
A Fuzzy Sketch with Trapdoor Julien Bringer 1, Hervé Chabanne 1, Quoc Dung Do 2 1 SAGEM Défense Sécurité, 2 Ecole Polytechnique, ENST Paris. Abstract In 1999, Juels and Wattenberg introduce an effective
More information