Improved Cryptanalysis of HFEv- via Projection
|
|
- Leo Long
- 5 years ago
- Views:
Transcription
1 Improved Cryptanalysis of HFEv- via Projection Jintai Ding, Ray Perlner, Albrecht Petzoldt, Daniel Smith-Tone PQ Crypto 2018 Fort Lauderdale, Florida 04/10/2018 A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25
2 Outline 1 Multivariate Cryptography 2 The HFEv- Signature Scheme 3 Notations and Previous Work 4 Our three new Attacks against HFEv- 5 Conclusion A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25
3 Multivariate Cryptography p (1) (x 1,..., x n ) = p (2) (x 1,..., x n ) = p (m) (x 1,..., x n ) = n n i=1 j=i n n i=1 j=i n n i=1 j=i p (1) ij x i x j + p (2) ij x i x j + p (m) ij x i x j +. n i=1 n i=1 n i=1 p (1) i x i + p (1) 0 p (2) i x i + p (2) 0 p (m) i x i + p (m) 0 The security of multivariate schemes is based on the Problem MQ: Given m multivariate quadratic polynomials p (1) (x),..., p (m) (x), find a vector x = ( x 1,..., x n ) such that p (1) ( x) =... = p (m) ( x) = 0. A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25
4 Construction Decryption / Signature Generation w F m T x F m F y F n U z F n P Encryption / Signature Verification Easily invertible quadratic map F : F n F m Two invertible linear maps T : F m F m and U : F n F n Public key: P = T F U supposed to look like a random system Private key: T, F, U allows to invert the public key A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25
5 Big Field Signature Schemes w F n T 1 x F n F 1 y F n U 1 z F n Signature Generation X E F 1 Y E Φ Φ 1 P Signature Verification A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25
6 HFEv - Key Generation BigField + Minus Equations + Vinegar Variation central map F : F v E E, F(X) = q i +q j D 0 i j q i D α ij X qi +q j + F = Φ 1 F Φ quadratic i=0 β i (v 1,..., v v ) X qi + γ(v 1,..., v v ) linear maps T : F n F n a and U : F n+v F n+v of maximal rank public key: P = T F U : F n+v F n a private key: T, F, U A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25
7 Signature Generation Given: message (hash value) w F n a 1 Compute x = T 1 (w) F n and X = Φ(x) E 2 Choose random values for the vinegar variables v 1,..., v v Solve F v1,...,v v (Y ) = X over E via Berlekamps algorithm 3 Compute y = Φ 1 (Y ) F n and z = U 1 (y v 1... v v ) Signature: z F n+v. A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25
8 Signature Verification Given: signature z F n+v, message (hash value) w F n a Compute w = P(z) F n a Accept the signature z w = w. A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25
9 Direct Attack ( ) 2 ( ) n a n a Complexity direct = 3 2 d reg Experiments: HFEv- systems can be solved faster than random systems Reason: low degree of regularity d reg { (q 1) (r+a+v 1) q even and r + a odd, (q 1) (r+a+v) otherwise. with r = log q (D 1) + 1. Experiments: d reg r+a+v+7 3 for HFEv- systems over GF(2)., A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25
10 Q-Rank Definition Let E be a degree n extension of the field F q. The Q-rank of a quadratic map F(x) on F n q is the rank of the quadratic form φ F φ 1 in E[X 0,..., X n 1 ] via the identification X i = X qi. F: n quadratic polynomials f (1),... f (n) in F q [x o,..., x n 1 ] Interpolation F : n 1 n 1 i=0 j=i α ji X qi X qj in E[X] X i =X qi ˆF : n 1 n 1 i=0 j=i α ij X i X j in E[X 0,..., X n 1 ] ˆF : (X 0,..., X n 1 ) M (X 0,... X n 1 ) T Q-rank(F) = Rank(M) Q-Rank is invariant under invertible affine transformations F F T, but not under isomorphisms F S F T A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25
11 Q-Rank (2) Definition Let E be a degree d < n extension field of F q. The min-q-rank of a quadratic map F : F n q F m q over E is min-q-rank(f) = min S max {Q-rank (S F T )}, T where S : F d q F m q and T : F n q F d q are nonzero linear transformations. The min-q-rank of a multivariate quadratic system is invariant under isomorphisms of polynomials. A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25
12 The KS-attack on HFE Idea: Use the low min-q-rank of the central map F to recover an equivalent private key Lift public map P to the extension field E (polynomial interpolation) Solve a MinRank Problem to find linear map N with N P of low rank Later Improvement (Minors Modelling): N can be found by computing a Gröbner basis over F (and computing the variety over E) (( ) ω ) n + r + 1 Complexity MinRank = O r with 2 < ω 3. A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25
13 The algebra A E: degree n extension field of F, θ: primitive element of E φ : F n E, φ(x 0,..., x n 1 ) = n 1 i=0 x iα i isomorphism Φ : E A, Φ(a) = (a, a q,..., a qn 1 ) A E n We can pass between elements (x 0,..., x n 1 ) F n and (X, X q,..., X qn 1 ) A by right multiplication with M n and M 1 n, where θ θ q... θ qn 1 M n = θ 2 θ 2q... θ 2qn 1.. θ n 1 θ (n 1)q... θ (n 1)qn 1 A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25
14 The algebra A (cont.) To cover the vinegar variables v 1,..., v v, we define ( ) Mn 0 M n = n v 0 v n I v lifting a vector (x 0,..., x n 1, v 1,..., v v ) F n to an element of A F v. A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25
15 MinRank then Projection We find (P 1,..., P n )T 1 M n = (U M n F 0 M n T U T,..., U M n F (n 1) M n T U T ), where U, T and P i are the matrix representations of the affine transformations U and T and the public polynomials P i, and F i is the i-th Frobenius power of F over A F v. We find that F 0 has the form Rank(F 0 ) = r + a + v A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25
16 MinRank then Projection (2) 1 Apply a MinRank attack on the matrices P i (with target rank r + a + v) equivalent output transformation T matrix L representing the low Q-rank quadratic form L = U MnF 0 M n T U T. 2 Find the vinegar subspace of L. project L to the orthogonal complement of a codimension 1 subspace of ker(l). Denote the result by ˆL. Apply a further codimension one projection π to ˆL. If there is a nontrivial intersection between ker(π) and the vinegar subspace, the rank of ˆL will drop. ( ) 2 ( ) Comp MP = O n + r + v n a + (r + a + v + 1) 3 q r+a+1. r + a + v 2 A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25
17 Project then MinRank 1 Apply a projection π, projecting the plaintext space to a codimension k subspace 2 Apply the MinRank attack If there is a nontrivial intersection between ker(π) and the vinegar subspace, we can find a quadratic form of degree less then r + a + v. ( ) 2 ( ) Comp PM = O q c(r+a+ n a) ( c+1 2 ) n + r + v c n a. r + a + v c 2 A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25
18 The Distinguisher Observation 1: Two HFEv- public keys P 1 and P 2 with same values for n, D and a but different values v 1 and v 2 Fix variables to get determined systems and solve the systems with F 4 The step degrees of the F 4 algorithm will be different This also holds when guessing (not too many) additional variables (hybrid approach) A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25
19 The Distinguisher (2) Observation 2: HFEv-(n, D, a, v) public key P Define V = span(t n+1,..., T n+v ) Append l V to the system P and apply F 4 The so obtained system P behaves exactly like an public key. HFEv (n 1, D, a, v 1) A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25
20 The Distinguisher (3) Consider an HFEv-(n, D, a, v) public key P Add the field equations {xi 2 x i = 0} to P Add randomly chosen linear equations l 1,..., l k to P Solve the system with F 4 By looking at the F 4 step degrees, we can distinguish the two cases 1) span(l 1,..., l k ) V = and 2) span(l 1,..., l k ) V. A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25
21 The Attack Having found l 1,..., l k such that span(l 1,..., l k ) V = { l}, we can recover the private HFEv- key as follows 1 Recover the exact form of l = k i=1 λ i l i Remove l1 from the system. If the distinguisher still works, the coefficient λ 1 is zero. Otherwise, λ 1 = 1. Continue this step to find all the coefficients λ i 2 Add l to the HFEv- system and run the distinguisher again to find another linear equation ˆl V. After having recovered v of these linear equations the system will behave like an HFE- system. 3 Apply any attack against HFE- (e.g [VS, PQCrypto2017]) to complete the attack. A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25
22 Complexity of the Distinguisher Complexity of the Distinguisher (finding l V) depends on number of distinguisher runs Pr(l V) = 2 n Pr(span(l 1,..., l k ) V ) = 1 (1 2 n ) 2 k cost of a single run (= 1 run of F 4 ) ( ) 2 ( ) Comp F4 = O n + v k n + v k 2 d reg 2 k n A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25
23 Complexity of the Distinguisher Comp Distinguisher; classical = O 2 n k Comp Distinguisher; quantum = O 2 (n k)/2 ( ) 2 ( ) n + v k n + v k 2 d reg ( ) 2 ( ) n + v k n + v k. 2 The cost of the remaining steps (finding the exact form of l and removing the other Vinegar variables from the system, breaking the remaining HFEsystem) is much smaller. d reg A strategy to estimate k and d reg for concrete HFEv- systems can be found in our paper. A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25
24 Conclusion We presented three new attacks against HFEv- using the idea of projection MinRank then Projection Projection then MinRank Distinguishing based attack Better performance than existing attacks against some HFEv- systems (see example in the paper) Less memory consumption than all known attacks (for all parameter sets) New insights in the security of HFEv- Restrictions for the parameter choice of HFEv- based schemes A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25
25 The End Thank you for your attention Questions? A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto / 25
Improved Cryptanalysis of HFEv- via Projection
Improved Cryptanalysis of HFEv- via Projection Jintai Ding 1, Ray Perlner 2, Albrecht Petzoldt 2, and Daniel Smith-Tone 2,3 1 Department of Mathematical Sciences, University of Cincinnati, Cincinnati,
More informationOn the Complexity of the Hybrid Approach on HFEv-
On the Complexity of the Hybrid Approach on HFEv- Albrecht Petzoldt National Institute of Standards and Technology, Gaithersburg, Maryland, USA albrecht.petzoldt@gmail.com Abstract. The HFEv- signature
More informationHFERP - A New Multivariate Encryption Scheme
- A New Multivariate Encryption Scheme Yasuhiko Ikematsu (Kyushu University) Ray Perlner (NIST) Daniel Smith-Tone (NIST, University of Louisville) Tsuyoshi Takagi (Kyushi University) Jeremy Vates (University
More informationMultivariate Quadratic Public-Key Cryptography Part 1: Basics
Multivariate Quadratic Public-Key Cryptography Part 1: Basics Bo-Yin Yang Academia Sinica PQCrypto Executive Summer School 2017 Eindhoven, the Netherlands Friday, 23.06.2017 B.-Y. Yang (Academia Sinica)
More informationMultivariate Public Key Cryptography
Winter School, PQC 2016, Fukuoka Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Feb. 22 2016 Outline Outline What is a MPKC? Multivariate Public Key Cryptosystems - Cryptosystems,
More informationA Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems
A Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems Ray Perlner 1 Daniel Smith-Tone 1,2 1 National Institute of Standards and Technology 2 University of Louisville 7th
More informationOn the Security and Key Generation of the ZHFE Encryption Scheme
On the Security and Key Generation of the ZHFE Encryption Scheme Wenbin Zhang and Chik How Tan Temasek Laboratories National University of Singapore tslzw@nus.edu.sg and tsltch@nus.edu.sg Abstract. At
More informationInoculating Multivariate Schemes Against Differential Attacks
Inoculating Multivariate Schemes Against Differential Attacks Jintai Ding and Jason E. Gower Department of Mathematical Sciences University of Cincinnati Cincinnati, OH 45221-0025 USA Email: ding@math.uc.edu,
More informationNew candidates for multivariate trapdoor functions
New candidates for multivariate trapdoor functions Jaiberth Porras 1, John B. Baena 1, Jintai Ding 2,B 1 Universidad Nacional de Colombia, Medellín, Colombia 2 University of Cincinnati, Cincinnati, OH,
More informationSimple Matrix Scheme for Encryption (ABC)
Simple Matrix Scheme for Encryption (ABC) Adama Diene, Chengdong Tao, Jintai Ding April 26, 2013 dama Diene, Chengdong Tao, Jintai Ding ()Simple Matrix Scheme for Encryption (ABC) April 26, 2013 1 / 31
More informationMI-T-HFE, a New Multivariate Signature Scheme
MI-T-HFE, a New Multivariate Signature Scheme Wenbin Zhang and Chik How Tan Temasek Laboratories National University of Singapore tslzw@nus.edu.sg and tsltch@nus.edu.sg Abstract. In this paper, we propose
More informationThe Shortest Signatures Ever
The Shortest Signatures Ever Mohamed Saied Emam Mohamed 1, Albrecht Petzoldt 2 1 Technische Universität Darmstadt, Germany 2 Kyushu University, Fukuoka, Japan mohamed@cdc.informatik.tu-darmstadt.de, petzoldt@imi.kyushu-u.ac.jp
More informationOil-Vinegar signature cryptosystems
Oil-Vinegar signature cryptosystems Jintai Ding University of Cincinnati Workshop on multivariate public key cryptosystems, 2006 Taiwan Information Security Center The National Taiwan University of Science
More informationMultivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar?
Multivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar? Christian Eder, Jean-Charles Faugère and Ludovic Perret Seminar on Fundamental Algorithms, University
More informationRank Analysis of Cubic Multivariate Cryptosystems
Rank Analysis of Cubic Multivariate Cryptosystems John Baena 1 Daniel Cabarcas 1 Daniel Escudero 2 Karan Khathuria 3 Javier Verbel 1 April 10, 2018 1 Universidad Nacional de Colombia, Colombia 2 Aarhus
More informationA Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems
A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems Jean-Charles Faugère, Danilo Gligoroski, Ludovic Perret, Simona Samardjiska, Enrico Thomae PKC 2015, March 30 - April 1, Maryland, USA 2 Summary
More informationCryptanalysis of Simple Matrix Scheme for Encryption
Cryptanalysis of Simple Matrix Scheme for Encryption Chunsheng Gu School of Computer Engineering, Jiangsu University of Technology, Changzhou, 213001, China {chunsheng_gu}@163.com Abstract. Recently, Tao
More informationNew Directions in Multivariate Public Key Cryptography
New Directions in Shuhong Gao Joint with Ray Heindl Clemson University The 4th International Workshop on Finite Fields and Applications Beijing University, May 28-30, 2010. 1 Public Key Cryptography in
More informationHidden Field Equations
Security of Hidden Field Equations (HFE) 1 The security of Hidden Field Equations ( H F E ) Nicolas T. Courtois INRIA, Paris 6 and Toulon University courtois@minrank.org Permanent HFE web page : hfe.minrank.org
More informationCryptanalysis of the TTM Cryptosystem
Cryptanalysis of the TTM Cryptosystem Louis Goubin and Nicolas T Courtois SchlumbergerSema - CP8 36-38 rue de la Princesse BP45 78430 Louveciennes Cedex France LouisGoubin@bullnet,courtois@minrankorg Abstract
More informationDifferential Security of the HF Ev Signiture Primitive
Differential Security of the HF Ev Signiture Primitive Ryann Cartor 1 Ryan Gipson 1 Daniel Smith-Tone 1,2 Jeremy Vates 1 1 University of Louisville 2 National Institute of Standards and Technology 25th
More informationAn Asymptotically Optimal Structural Attack on the ABC Multivariate Encryption Scheme
An Asymptotically Optimal Structural Attack on the ABC Multivariate Encryption Scheme Dustin Moody 1, Ray Perlner 1, and Daniel Smith-Tone 1,2 1 National Institute of Standards and Technology, Gaithersburg,
More informationAnalysis of Hidden Field Equations Cryptosystem over Odd-Characteristic Fields
Nonlinear Phenomena in Complex Systems, vol. 17, no. 3 (2014), pp. 278-283 Analysis of Hidden Field Equations Cryptosystem over Odd-Characteristic Fields N. G. Kuzmina and E. B. Makhovenko Saint-Petersburg
More informationAlgebraic Cryptanalysis of MQQ Public Key Cryptosystem by MutantXL
Algebraic Cryptanalysis of MQQ Public Key Cryptosystem by MutantXL Mohamed Saied Emam Mohamed 1, Jintai Ding 2, and Johannes Buchmann 1 1 TU Darmstadt, FB Informatik Hochschulstrasse 10, 64289 Darmstadt,
More informationLinearity Measures for MQ Cryptography
Linearity Measures for MQ Cryptography Simona Samardjiska 1,2 and Danilo Gligoroski 1 Department of Telematics, NTNU, Trondheim, Norway, 1 FCSE, UKIM, Skopje, Macedonia. 2 simonas@item.ntno.no,simona.samardjiska@finki.ukim.mk,
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationEfficient variant of Rainbow using sparse secret keys
Takanori Yasuda 1, Tsuyoshi Takagi 2, and Kouichi Sakurai 1,3 1 Institute of Systems, Information Technologies and Nanotechnologies, Fukuoka, Japan 2 Institute of Mathematics for Industry, Kyushu University,
More informationDifferential Cryptanalysis for Multivariate Schemes
Differential Cryptanalysis for Multivariate Schemes Jacques Stern Joint work with P. A. Fouque and L. Granboulan École normale supérieure Differential Cryptanalysis for Multivariate Schemes p.1/23 MI Cryptosystem
More informationRGB, a Mixed Multivariate Signature Scheme
Advance Access publication on 7 August 2015 RGB, a Mixed Multivariate Signature Scheme Wuqiang Shen and Shaohua Tang c The British Computer Society 2015. All rights reserved. For Permissions, please email:
More informationMutantXL: Solving Multivariate Polynomial Equations for Cryptanalysis
MutantXL: Solving Multivariate Polynomial Equations for Cryptanalysis Johannes Buchmann 1, Jintai Ding 2, Mohamed Saied Emam Mohamed 1, and Wael Said Abd Elmageed Mohamed 1 1 TU Darmstadt, FB Informatik
More informationTOT, a Fast Multivariate Public Key Cryptosystem with Basic Secure Trapdoor
TOT, a Fast Multivariate Public Key Cryptosystem with Basic Secure Trapdoor Wuqiang Shen and Shaohua Tang School of Computer Science & Engineering, South China University of Technology, Guangzhou 510006,
More informationHybrid Approach : a Tool for Multivariate Cryptography
Hybrid Approach : a Tool for Multivariate Cryptography Luk Bettale, Jean-Charles Faugère and Ludovic Perret INRIA, Centre Paris-Rocquencourt, SALSA Project UPMC, Univ. Paris 06, LIP6 CNRS, UMR 7606, LIP6
More informationKey Recovery on Hidden Monomial Multivariate Schemes
Key Recovery on Hidden Monomial Multivariate Schemes Pierre-Alain Fouque 1, Gilles Macario-Rat 2, and Jacques Stern 1 1 École normale supérieure, 45 rue d Ulm, 75005 Paris, France {Pierre-Alain.Fouque,
More informationLittle Dragon Two: An efficient Multivariate Public Key Cryptosystem
Little Dragon Two: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India October
More informationA Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems
A Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems Ray Perlner 1 and Daniel Smith-Tone 1,2 1 National Institute of Standards and Technology, Gaithersburg, Maryland,
More informationGröbner Bases Techniques in Post-Quantum Cryptography
Gröbner Bases Techniques in Post-Quantum Cryptography Ludovic Perret Sorbonne Universités, UPMC Univ Paris 06, INRIA Paris LIP6, PolSyS Project, Paris, France Post-Quantum Cryptography Winter School, Fukuoka,
More informationGröbner Bases in Public-Key Cryptography
Gröbner Bases in Public-Key Cryptography Ludovic Perret SPIRAL/SALSA LIP6, Université Paris 6 INRIA ludovic.perret@lip6.fr ECRYPT PhD SUMMER SCHOOL Emerging Topics in Cryptographic Design and Cryptanalysis
More informationTaxonomy of Public Key Schemes based on the problem of Multivariate Quadratic equations
Taxonomy of Public Key Schemes based on the problem of Multivariate Quadratic equations Christopher Wolf, and Bart Preneel {Christopher.Wolf, Bart.Preneel}@esat.kuleuven.ac.be chris@christopher-wolf.de
More informationCryptanalysis of the HFE Public Key Cryptosystem by Relinearization
Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization Aviad Kipnis 1 and Adi Shamir 2 1 NDS Technologies, Israel 2 Computer Science Dept., The Weizmann Institute, Israel Abstract. The RSA
More informationSmall Public Keys and Fast Verification for Multivariate Quadratic Public Key Systems
Small Public Keys and Fast Verification for Multivariate Quadratic Public Key Systems Albrecht Petzoldt 1, Enrico Thomae, Stanislav Bulygin 3, and Christopher Wolf 4 1,3 Technische Universität Darmstadt
More informationLattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.
Lattices A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices have many uses in cryptography. They may be used to define cryptosystems and to break other ciphers.
More informationA brief survey of post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago
A brief survey of post-quantum cryptography D. J. Bernstein University of Illinois at Chicago Once the enormous energy boost that quantum computers are expected to provide hits the street, most encryption
More informationCryptanalysis of the Oil & Vinegar Signature Scheme
Cryptanalysis of the Oil & Vinegar Signature Scheme Aviad Kipnis 1 and Adi Shamir 2 1 NDS Technologies, Israel 2 Dept. of Applied Math, Weizmann Institute, Israel Abstract. Several multivariate algebraic
More informationIntroduction to Quantum Safe Cryptography. ENISA September 2018
Introduction to Quantum Safe Cryptography ENISA September 2018 Introduction This talk will introduce the mathematical background of the most popular PQC primitives Code-based Lattice-based Multivariate
More informationNotes on Alekhnovich s cryptosystems
Notes on Alekhnovich s cryptosystems Gilles Zémor November 2016 Decisional Decoding Hypothesis with parameter t. Let 0 < R 1 < R 2 < 1. There is no polynomial-time decoding algorithm A such that: Given
More information10 Concrete candidates for public key crypto
10 Concrete candidates for public key crypto In the previous lecture we talked about public key cryptography and saw the Diffie Hellman system and the DSA signature scheme. In this lecture, we will see
More informationLinear Algebra. Workbook
Linear Algebra Workbook Paul Yiu Department of Mathematics Florida Atlantic University Last Update: November 21 Student: Fall 2011 Checklist Name: A B C D E F F G H I J 1 2 3 4 5 6 7 8 9 10 xxx xxx xxx
More informationPublic key cryptography using Permutation P-Polynomials over Finite Fields
Public key cryptography using Permutation P-Polynomials over Finite Fields Rajesh P Singh 1 B. K. Sarma 2 A. Saikia 3 Department of Mathematics Indian Institute of Technology Guwahati Guwahati 781039,
More informationQuantum-resistant cryptography
Quantum-resistant cryptography Background: In quantum computers, states are represented as vectors in a Hilbert space. Quantum gates act on the space and allow us to manipulate quantum states with combination
More informationAlgebraic Aspects of Symmetric-key Cryptography
Algebraic Aspects of Symmetric-key Cryptography Carlos Cid (carlos.cid@rhul.ac.uk) Information Security Group Royal Holloway, University of London 04.May.2007 ECRYPT Summer School 1 Algebraic Techniques
More informationDevelopments in multivariate post quantum cryptography.
University of Louisville ThinkIR: The University of Louisville's Institutional Repository Electronic Theses and Dissertations 8-2018 Developments in multivariate post quantum cryptography. Jeremy Robert
More informationPoly Dragon: An efficient Multivariate Public Key Cryptosystem
Poly Dragon: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India May 19, 2010
More informationCHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux
CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S Ant nine J aux (g) CRC Press Taylor 8* Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor &
More informationSide-channel analysis in code-based cryptography
1 Side-channel analysis in code-based cryptography Tania RICHMOND IMATH Laboratory University of Toulon SoSySec Seminar Rennes, April 5, 2017 Outline McEliece cryptosystem Timing Attack Power consumption
More informationMXL2 : Solving Polynomial Equations over GF(2) Using an Improved Mutant Strategy
MXL2 : Solving Polynomial Equations over GF(2) Using an Improved Mutant Strategy Mohamed Saied Emam Mohamed 1, Wael Said Abd Elmageed Mohamed 1, Jintai Ding 2, and Johannes Buchmann 1 1 TU Darmstadt, FB
More informationFPGA-based Niederreiter Cryptosystem using Binary Goppa Codes
FPGA-based Niederreiter Cryptosystem using Binary Goppa Codes Wen Wang 1, Jakub Szefer 1, and Ruben Niederhagen 2 1. Yale University, USA 2. Fraunhofer Institute SIT, Germany April 9, 2018 PQCrypto 2018
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationCode-based Cryptography
a Hands-On Introduction Daniel Loebenberger Ηράκλειο, September 27, 2018 Post-Quantum Cryptography Various flavours: Lattice-based cryptography Hash-based cryptography Code-based
More informationMcEliece type Cryptosystem based on Gabidulin Codes
McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Zürich ALCOMA, March 19, 2015 joint work with Kyle Marshall Outline Traditional McEliece Crypto System 1 Traditional
More informationMultivariate Public Key Cryptography
Multivariate Public Key Cryptography Jintai Ding 1 and Bo-Yin Yang 2 1 University of Cincinnati and Technische Universität Darmstadt. 2 Academia Sinica and Taiwan InfoSecurity Center, Taipei, Taiwan. Summary.
More informationRSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer
RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis Daniel Genkin, Adi Shamir, Eran Tromer Mathematical Attacks Input Crypto Algorithm Key Output Goal: recover the key given access to the inputs
More informationRésolution de systèmes polynomiaux structurés et applications en Cryptologie
Résolution de systèmes polynomiaux structurés et applications en Cryptologie Pierre-Jean Spaenlehauer University of Western Ontario Ontario Research Center for Computer Algebra Magali Bardet, Jean-Charles
More informationHidden Pair of Bijection Signature Scheme
Hidden Pair of Bijection Signature Scheme Masahito Gotaishi and Shigeo Tsujii Research and Development Initiative, Chuo University, 1-13-27 Kasuga, Tokyo, Japan, 112-8551 gotaishi@tamaccchuo-uacjp http://wwwchuo-uacjp/chuo-u/rdi/index
More informationStructural Cryptanalysis of SASAS
tructural Cryptanalysis of AA Alex Biryukov and Adi hamir Computer cience department The Weizmann Institute Rehovot 76100, Israel. Abstract. In this paper we consider the security of block ciphers which
More informationLecture 15 & 16: Trapdoor Permutations, RSA, Signatures
CS 7810 Graduate Cryptography October 30, 2017 Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures Lecturer: Daniel Wichs Scribe: Willy Quach & Giorgos Zirdelis 1 Topic Covered. Trapdoor Permutations.
More informationIntroduction to Arithmetic Geometry Fall 2013 Lecture #17 11/05/2013
18.782 Introduction to Arithmetic Geometry Fall 2013 Lecture #17 11/05/2013 Throughout this lecture k denotes an algebraically closed field. 17.1 Tangent spaces and hypersurfaces For any polynomial f k[x
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationEtude d hypothèses algorithmiques et attaques de primitives cryptographiques
Etude d hypothèses algorithmiques et attaques de primitives cryptographiques Charles Bouillaguet École normale supérieure Paris, France Ph.D. Defense September 26, 2011 Introduction Modes of Operation
More informationNotes for Lecture 15
COS 533: Advanced Cryptography Lecture 15 (November 8, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Kevin Liu Notes for Lecture 15 1 Lattices A lattice looks something like the following.
More informationDivision Property: a New Attack Against Block Ciphers
Division Property: a New Attack Against Block Ciphers Christina Boura (joint on-going work with Anne Canteaut) Séminaire du groupe Algèbre et Géometrie, LMV November 24, 2015 1 / 50 Symmetric-key encryption
More informationMathematical Foundations of Public-Key Cryptography
Mathematical Foundations of Public-Key Cryptography Adam C. Champion and Dong Xuan CSE 4471: Information Security Material based on (Stallings, 2006) and (Paar and Pelzl, 2010) Outline Review: Basic Mathematical
More informationPublic Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.
Public Key Cryptography All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other. The thing that is common among all of them is that each
More informationFrom 5-pass MQ-based identification to MQ-based signatures
From 5-pass MQ-based identification to MQ-based signatures Andreas Hülsing, Joost Rijneveld, Simona Samardjiska, and Peter Schwabe 30 June 2016 1 / 31 Our take on PQ-Crypto Prepare for actual use Reliable
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationImpossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128
Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com
More informationCryptanalysis of the Tractable Rational Map Cryptosystem
Cryptanalysis of the Tractable Rational Map Cryptosystem Antoine Joux 1, Sébastien Kunz-Jacques 2, Frédéric Muller 2, and Pierre-Michel Ricordel 2 1 SPOTI Antoine.Joux@m4x.org 2 DCSSI Crypto Lab 51, Boulevard
More informationHow Fast can be Algebraic Attacks on Block Ciphers?
How Fast can be Algebraic Attacks on Block Ciphers? Nicolas T. Courtois Axalto mart Cards, 36-38 rue de la Princesse BP 45, 78430 Louveciennes Cedex, France http://www.nicolascourtois.net courtois@minrank.org
More informationEssential Algebraic Structure Within the AES
Essential Algebraic Structure Within the AES Sean Murphy and Matthew J.B. Robshaw Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20 0EX, U.K. s.murphy@rhul.ac.uk m.robshaw@rhul.ac.uk
More informationOn multivariate signature-only public key cryptosystems
On multivariate signature-only public key cryptosystems Nicolas T. Courtois 1,2 courtois@minrank.org http://www.minrank.org 1 Systèmes Information Signal (SIS), Université de Toulon et du Var BP 132, F-83957
More informationBackground: Lattices and the Learning-with-Errors problem
Background: Lattices and the Learning-with-Errors problem China Summer School on Lattices and Cryptography, June 2014 Starting Point: Linear Equations Easy to solve a linear system of equations A s = b
More informationHigh-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven
High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers
More informationPublic key cryptosystem MST 3 : cryptanalysis and realization
Public key cryptosystem MST 3 : cryptanalysis and realization Pavol Svaba Tran van Trung Institut für Experimentelle Mathematik Universität Duisburg-Essen Ellernstrasse 29 45326 Essen, Germany {svaba,trung}@iem.uni-due.de
More informationOpen problems related to algebraic attacks on stream ciphers
Open problems related to algebraic attacks on stream ciphers Anne Canteaut INRIA - projet CODES B.P. 105 78153 Le Chesnay cedex - France e-mail: Anne.Canteaut@inria.fr Abstract The recently developed algebraic
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Fun with Public-Key Tonight we ll Introduce some basic tools of public-key crypto Combine the tools to create more powerful tools Lay the ground work for substantial
More informationKey Recovery on Hidden Monomial Multivariate Schemes
Key Recovery on Hidden Monomial Multivariate Schemes Pierre-Alain Fouque 1, Gilles Macario-Rat 2, and Jacques Stern 1 1 École normale supérieure, 45 rue d Ulm, 75005 Paris, France {Pierre-Alain.Fouque,
More informationLecture 7: CPA Security, MACs, OWFs
CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size
More informationOn the Security of HFE, HFEv- and Quartz
On the Security of HFE, HFEv- and Quartz Nicolas T. Courtois 1, Magnus Daum 2,andPatrickFelke 2 1 CP8 Crypto Lab, SchlumbergerSema 36-38 rue de la Princesse, BP 45, 78430Louveciennes Cedex, France courtois@minrank.org
More informationMultiplicative complexity in block cipher design and analysis
Multiplicative complexity in block cipher design and analysis Pavol Zajac Institute of Computer Science and Mathematics Slovak University of Technology pavol.zajac@stuba.sk Fewer Multiplications in Cryptography
More informationA Brief Retrospective Look at the Cayley-Purser Public-key Cryptosystem, 19 Years Later
A Brief Retrospective Look at the Cayley-Purser Public-key Cryptosystem, 19 Years Later Douglas R. Stinson David R. Cheriton School of Computer Science University of Waterloo 49th Southeastern Conference
More informationDiophantine equations via weighted LLL algorithm
Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL algorithm Momonari Kudo Graduate School of Mathematics, Kyushu University, JAPAN Kyushu University Number Theory
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Public-key crypto ECC RSA DSA Secret-key crypto AES SHA2 SHA1... Combination of both
More informationDifferential Algorithms for the Isomorphism of Polynomials Problem
Differential Algorithms for the Isomorphism of Polynomials Problem Abstract. In this paper, we investigate the difficulty of the Isomorphism of Polynomials (IP) Problem as well as one of its variant IP1S.
More informationQuadratic Equations from APN Power Functions
IEICE TRANS. FUNDAMENTALS, VOL.E89 A, NO.1 JANUARY 2006 1 PAPER Special Section on Cryptography and Information Security Quadratic Equations from APN Power Functions Jung Hee CHEON, Member and Dong Hoon
More informationAnalysis of Modern Stream Ciphers
Analysis of Modern Stream Ciphers Josef Pieprzyk Centre for Advanced Computing Algorithms and Cryptography, Macquarie University, Australia CANS - Singapore - December 2007 estream Outline 1. estream Project
More informationAn Algebraic Framework for Cipher Embeddings
An Algebraic Framework for Cipher Embeddings C. Cid 1, S. Murphy 1, and M.J.B. Robshaw 2 1 Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20 0EX, U.K. 2 France Télécom
More informationIsomorphism of Polynomials : New Results
Isomorphism of Polynomials : New Results Charles Bouillaguet, Jean-Charles Faugère 2,3, Pierre-Alain Fouque and Ludovic Perret 3,2 Ecole Normale Supérieure {charles.bouillaguet, pierre-alain.fouque}@ens.fr
More informationIdeals over a Non-Commutative Ring and their Application in Cryptology
Ideals over a Non-Commutative Ring and their Application in Cryptology E. M. Gabidulin, A. V. Paramonov and 0. V. Tretjakov Moscow Institute of Physics and Technology 141700 Dolgoprudnii Moscow Region,
More informationMiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity
MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity. Arnab Roy 1 (joint work with Martin Albrecht 2, Lorenzo Grassi 3, Christian Rechberger 1,3 and Tyge Tiessen
More information