Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL reduction
Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL reduction

Shinya Okumura (Institute of Systems, Information Technologies and Nanotechnologies)

Joint work with Jintai Ding (Department of Mathematics, University of Cincinnati), Momonari Kudo (Graduate School of Mathematics, Kyushu University), Tsuyoshi Takagi (Institute of Mathematics for Industry, Kyushu University) and Chengdong Tao (South China University of Technology).
Outline
1. Introduction
2. Brief review of DEC
3. Our attack against DEC
4. Weighted LLL reduction
5. Experimental results on our attack
6. Conclusion
1. Introduction

Aim: cryptanalysis of a candidate post-quantum cryptosystem based on Diophantine equations [1] (DEC).

Why is post-quantum cryptography (PQC) important now?
1. The public-key cryptosystems in wide use today will be broken by quantum computers [2].
2. Resistance to quantum computers.
3. Long-term security and small devices.

NSA and NIST have announced their plans for transitioning to PQC (cf. PQCrypto 2016).

[1] S. Okumura, A public key cryptosystem based on diophantine equations of degree increasing type, Pacific Journal of Mathematics for Industry, Vol. 7 (4), Springer, (2015).
[2] P. W. Shor, Algorithms for Quantum Computation: Discrete Logarithms and Factoring, In: Proc. of SFCS '94, IEEE Computer Society, Washington, DC, USA, (1994).
Some projects on PQC have started:
- PQC for long-term security.
- JST CREST CryptoMath.

Desired properties for practical PQC:
1. Based on an NP-hard problem.
2. Efficient implementation and high performance (efficient encryption/decryption and small key sizes).

The Algebraic Surface Cryptosystem (ASC) [2]:
- A candidate for PQC.
- Small key sizes (about 500 bits for the recommended parameters).
- The one-wayness of ASC is broken [3].

[2] K. Akiyama, Y. Goto, H. Miyake, An Algebraic Surface Cryptosystem, In: Proc. of PKC '09, LNCS, Vol. 5443, Springer, (2009).
[3] J.-C. Faugère, P.-J. Spaenlehauer, Algebraic Cryptanalysis of the PKC'2009 Algebraic Surface Cryptosystem, In: Proc. of PKC '10, LNCS, Vol. 6056, Springer, (2010).
ASC: based on the Diophantine problem over $\mathbb{F}_p[t]$.

DEC:
I. Based on the Diophantine problem over $\mathbb{Z}$; an analogue of ASC.
II. A candidate for PQC.
III. Expected to resist all known attacks against ASC.
IV. Small public-key size (1,200 bits for 128-bit security), about 4 times smaller than NTRU's public-key size [4].

Diophantine problem over $\mathbb{Z}$
Given: $f(x_1, \dots, x_n) \in \mathbb{Z}[x_1, \dots, x_n]$.
Find: $a_1, \dots, a_n \in \mathbb{Z}$ such that $f(a_1, \dots, a_n) = 0$, if such integers exist. ($f(x_1, \dots, x_n) = 0$ is called a Diophantine equation.)
The solvability of $f = 0$ cannot be tested in general [5] (see II and IV above).

[4] Report on post-quantum cryptography, NISTIR 8105 (draft).
[5] M. Davis, Y. Matijasevic, J. Robinson, Hilbert's tenth problem, Diophantine equations: positive aspects of a negative solution, Mathematical Developments Arising from Hilbert Problems, pp. 323-378, American Mathematical Society, Providence, RI, (1976).
Our attack

Breaking DEC reduces to finding some relatively short lattice vectors.

Most important vector:
- It is not a shortest vector of the lattice, although the lattice has low rank (rank 3); so the usual LLL algorithm does not find it.
- The bit lengths of its entries are unbalanced but known; so we use the LLL algorithm with respect to a weighted norm, called weighted LLL in our work.

Remark
- The weighted LLL has been applied to attack (EC)DSA [6].
- The above two situations also occurred in [6].
- The weighted LLL is useful for finding vectors with the above two properties.

[6] J.-C. Faugère, C. Goyet, G. Renault, Attacking (EC)DSA Given Only an Implicit Hint, In: Proc. of SAC 2012, LNCS, Vol. 7707, Springer, (2013).
2. Brief review of DEC

Key generation
- Secret key: $(a_1, \dots, a_n) \in \mathbb{Z}^n$.
- Public key: $X \in \mathbb{Z}[x_1, \dots, x_n]$ such that $X(a_1, \dots, a_n) = 0$.

Encryption
- $m \in \mathbb{Z}[x_1, \dots, x_n]$: plaintext.
- $N \in \mathbb{Z}_{>0}$: random and large.
- $\tilde m \in \mathbb{Z}[x_1, \dots, x_n]$: twisted plaintext (the twist is the idea for avoiding known attacks).
- $f, s_j, r_j \in \mathbb{Z}[x_1, \dots, x_n]$: random.
- $d, e \in \mathbb{Z}_{>0}$.
- Ciphertext: $F_1 = m + s_1 f + r_1 X$, $F_2 = m + s_2 f + r_2 X$, $F_3 = m + s_3 f + r_3 X$.

Some necessary conditions are omitted.
Important remarks
(1) The bit length of each coefficient of $X$ and of the $s_j$ is known.
(2) The coefficients of $X$ and of the $s_j$ are much smaller than those of the other polynomials.
3. Our attack against DEC

Ciphertext of DEC: $F_i = m + s_i f + r_i X$ ($i = 1, 2, 3$), where $X$ is the public key.
Goal: find $m$.

Step 1: Find $s_i' := s_i - s_{i+1}$ ($i = 1, 2$).
Step 2: Find $f$ satisfying
$F_1' := F_1 - F_2 = s_1' f + r_1' X$, $F_2' := F_2 - F_3 = s_2' f + r_2' X$, where $r_i' := r_i - r_{i+1}$.
Step 3: Find the correct $s_1$ and $m$.

The weighted LLL is applied in Step 1. We focus on Step 1 in this talk.
More details of Step 1

Write $r_i' := r_i - r_{i+1}$ and $g := s_2' r_1' - s_1' r_2'$. Then
$s_2' F_1' - s_1' F_2' = g X$,
where $F_1'$, $F_2'$ and $X$ are known and the coefficients of $s_1'$, $s_2'$ and $g$ are unknown (variables). Comparing coefficients gives a linear system $xA = 0$, and we consider the lattice
$L := \mathrm{Ker}(A) = \{u \in \mathbb{Z}^m : uA = 0\} \ni (\mathbf{s}_1', \mathbf{s}_2', \mathbf{g})$,
where $\mathbf{s}_1'$, $\mathbf{s}_2'$ and $\mathbf{g}$ are the vectors of coefficients of $s_1'$, $s_2'$ and $g$.

Key point
1. The vectors $\mathbf{s}_1'$ and $\mathbf{s}_2'$ are not shortest in a lattice of low rank.
2. The bit length of each entry of $\mathbf{s}_1'$ and $\mathbf{s}_2'$ is almost known.
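The algebra behind Step 1 can be checked on a toy instance. The following is an added example, not code from the talk: univariate integer polynomials (coefficient lists, constant term first) stand in for DEC's multivariate ones, and every polynomial, including the "public key" X, is constructed for the illustration and has no relation to DEC's real parameters. It verifies that the differences $F_i' = F_i - F_{i+1}$ eliminate the plaintext, that $s_2' F_1' - s_1' F_2' = gX$ eliminates $f$, and that the coefficient vector of $(s_1', s_2', g)$ lies in the kernel lattice $\{u : uA = 0\}$ of the matrix $A$ built from the known $F_1'$, $F_2'$, $X$.

```python
"""Step 1 algebra of the attack, as an added example (not code from the talk).

Univariate polynomials over Z, stored as coefficient lists with the constant
term first, stand in for the multivariate ones of DEC. Every polynomial below
is constructed for this illustration and has nothing to do with DEC's real
parameters. Checked here: (i) F_i' := F_i - F_{i+1} = s_i' f + r_i' X, so the
plaintext cancels; (ii) s_2' F_1' - s_1' F_2' = g X with g = s_2' r_1' - s_1' r_2',
so f cancels too; (iii) the coefficient vector of (s_1', s_2', g) lies in the
integer kernel {u : uA = 0} of the matrix A built from the known F_1', F_2', X.
"""

def padd(p, q):
    n = max(len(p), len(q))
    p, q = p + [0] * (n - len(p)), q + [0] * (n - len(q))
    return [a + b for a, b in zip(p, q)]

def psub(p, q):
    return padd(p, [-a for a in q])

def pmul(p, q):
    r = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            r[i + j] += a * b
    return r

def is_zero(p):
    return all(c == 0 for c in p)

# Constructed toy instance: public X, random f, small s_i, large r_i, plaintext m.
X = [7, -3, 1]
f = [911, -457, 233]
m = [12345, -6789, 4242]
s = [[2, 1], [-1, 3], [4, -2]]                       # small coefficients
r = [[5001, -3003], [2777, 1999], [-4111, 3502]]     # large coefficients

def encrypt(m, X, f, s, r):
    """F_i = m + s_i f + r_i X for i = 1, 2, 3 (the ciphertext shape from the talk)."""
    return [padd(m, padd(pmul(si, f), pmul(ri, X))) for si, ri in zip(s, r)]

def differences(polys):
    """p_i' := p_i - p_{i+1} for i = 1, 2."""
    return [psub(polys[i], polys[i + 1]) for i in range(2)]

def step1_identities(F, X, f, s, r):
    Fd, sd, rd = differences(F), differences(s), differences(r)
    # (i) the plaintext cancels in the differences
    ok_f = all(is_zero(psub(Fd[i], padd(pmul(sd[i], f), pmul(rd[i], X)))) for i in range(2))
    # (ii) f cancels in s_2' F_1' - s_1' F_2'
    g = psub(pmul(sd[1], rd[0]), pmul(sd[0], rd[1]))
    lhs = psub(pmul(sd[1], Fd[0]), pmul(sd[0], Fd[1]))
    ok_g = is_zero(psub(lhs, pmul(g, X)))
    return ok_f, ok_g, sd, g

def build_system(Fd, X, deg_s, deg_g):
    """Matrix A of the linear system xA = 0 from s_2' F_1' - s_1' F_2' - g X = 0.
    Rows: unknown coefficients of s_1', s_2', g (in that order); columns: powers of x."""
    ncols = max(deg_s + len(Fd[0]), deg_s + len(Fd[1]), deg_g + len(X))
    def shifted(poly, shift, sign):
        row = [0] * ncols
        for k, c in enumerate(poly):
            row[shift + k] = sign * c
        return row
    A = [shifted(Fd[1], j, -1) for j in range(deg_s + 1)]   # s_1' multiplies -F_2'
    A += [shifted(Fd[0], j, +1) for j in range(deg_s + 1)]  # s_2' multiplies +F_1'
    A += [shifted(X, j, -1) for j in range(deg_g + 1)]      # g multiplies -X
    return A

def vec_mat(u, A):
    return [sum(ui * row[k] for ui, row in zip(u, A)) for k in range(len(A[0]))]

def pad(p, n):
    return p + [0] * (n - len(p))

def demo():
    F = encrypt(m, X, f, s, r)
    ok_f, ok_g, sd, g = step1_identities(F, X, f, s, r)
    deg_s = max(len(si) for si in s) - 1                 # degree bound the attacker knows
    deg_g = deg_s + max(len(ri) for ri in r) - 1
    A = build_system(differences(F), X, deg_s, deg_g)
    u = pad(sd[0], deg_s + 1) + pad(sd[1], deg_s + 1) + pad(g, deg_g + 1)
    in_kernel = is_zero(vec_mat(u, A))                   # (iii) target lies in Ker(A)
    return ok_f, ok_g, in_kernel, u, A

if __name__ == "__main__":
    ok_f, ok_g, in_kernel, u, A = demo()
    print("F_i' = s_i' f + r_i' X:", ok_f)
    print("s_2' F_1' - s_1' F_2' = g X:", ok_g)
    print("target vector in Ker(A):", in_kernel, "| ambient dimension", len(u))
```

Only the known polynomials enter A, so an attacker can build the same matrix from the ciphertext and public key alone; the secret-dependent vector $(s_1', s_2', g)$ is then one of the lattice points of $\mathrm{Ker}(A)$, which is what Step 1 searches for with lattice reduction.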
4. Weighted LLL reduction

The usual norms used in LLL reduction are the $p$-norms: for $(a_1, \dots, a_n) \in \mathbb{R}^n$,
$\|(a_1, \dots, a_n)\|_p = \left(|a_1|^p + \dots + |a_n|^p\right)^{1/p}$ for $1 \le p < \infty$, and
$\|(a_1, \dots, a_n)\|_\infty = \max_i |a_i|$.

Definition. Let $w = (w_1, \dots, w_n) \in \mathbb{R}_{>0}^n$. The weighted norm $\|\cdot\|_w$ for the weight $w$ is defined by
$\|(a_1, \dots, a_n)\|_w = \|(w_1 a_1, \dots, w_n a_n)\|_2$ for $(a_1, \dots, a_n) \in \mathbb{R}^n$.

Definition. The weighted LLL algorithm for $w \in \mathbb{R}_{>0}^n$ is the LLL algorithm with respect to $\|\cdot\|_w$.
Toy example (an instance of Step 1 of our attack)

$L$: a lattice of rank 3 with basis $u_1, u_2, u_3$ (basis matrix omitted here).
Goal: find $a = (189, 1193, \ast, 194, 14633, \ast) \in L$, where the two entries marked $\ast$ are large.

Case of usual LLL reduction: $(u_1, u_2, u_3) \xrightarrow{\text{LLL}} (u_{1,\mathrm{LLL}}, u_{2,\mathrm{LLL}}, u_{3,\mathrm{LLL}})$.

Observation
- The rank of $L$ is 3, and the LLL algorithm finds a shortest vector with high probability.
- However, $\max_i \|u_{i,\mathrm{LLL}}\|_p < \|a\|_p$ for $1 \le p \le \infty$: our target $a$ is not a shortest vector, so it does not appear in the LLL-reduced basis.

Case of weighted LLL reduction
Assumption: the bit length of each entry of our target $a$ is known. A weight $w \in \mathbb{R}_{>0}^6$ is then determined appropriately, so that $a$ is a shortest vector of $L$ with respect to $\|\cdot\|_w$.

Entries of $a$: small, small, large, small, small, large.
Weight: large, large, small, large, large, small.
Vectors with small 1st/2nd/4th/5th entries and large 3rd/6th entries become shorter relative to the other vectors.

The known bit lengths determine the weight; here $w = (2^{23}, 2^{21}, 2^{1}, 2^{23}, 2^{17}, 2^{1})$, each $w_i$ a power of two chosen from the bit length of the $i$-th entry of $a$. The assumption is what allows us to determine $w$.

$(u_1, u_2, u_3) \xrightarrow{\text{weighted LLL}} (u_{1,\mathrm{w\_LLL}}, u_{2,\mathrm{w\_LLL}}, u_{3,\mathrm{w\_LLL}})$: the weighted-LLL-reduced basis contains the target vector $a$.
5. Experimental results on our attack

PC used for the experiments:
- CPU: 2.60 GHz Intel Core i5
- OS: Mac OS X, 64-bit
- Memory: 16 GB
- Software: Magma V2.21-3
Experimental results on our attack for the recommended parameters

Recommended parameters (128-bit security), as listed in the table: total degree of the public key $X$; number of monomials of $X$; maximum size (in bits) of the coefficients of $X$ except its constant and maximal terms.

Experimental results, by the lattice reduction method used in Step 1:
- Usual LLL in Step 1: number of successes of our attack (Steps 1 to 3) out of 100 trials, and average time (sec).
- Weighted LLL in Step 1: number of successes of our attack (Steps 1 to 3) out of 100 trials, and average time (sec).
(The numerical entries of the table are not reproduced here.)
6. Conclusion
1. We proposed an attack against DEC.
2. We use three weaknesses of DEC:
   - Three polynomials are used as a ciphertext.
   - The coefficients of some polynomials are much smaller than those of the other polynomials.
   - The bit length of each coefficient of some polynomials is known.
3. The success probability of our attack is about 20 to 30%.
NOLTA, IEICE Paper Further improving security of Vector Stream Cipher Atsushi Iwasaki 1a) and Ken Umeno 2 1 Fukuoka Institute of Technology Wajiro-higashi, Higashiku, Fukuoka 811-0295, Japan 2 Graduate
More informationA new attack on RSA with a composed decryption exponent
A new attack on RSA with a composed decryption exponent Abderrahmane Nitaj and Mohamed Ould Douh,2 Laboratoire de Mathématiques Nicolas Oresme Université de Caen, Basse Normandie, France abderrahmane.nitaj@unicaen.fr
More informationRSA. Ramki Thurimella
RSA Ramki Thurimella Public-Key Cryptography Symmetric cryptography: same key is used for encryption and decryption. Asymmetric cryptography: different keys used for encryption and decryption. Public-Key
More informationSolving LWE with BKW
Martin R. Albrecht 1 Jean-Charles Faugére 2,3 1,4 Ludovic Perret 2,3 ISG, Royal Holloway, University of London INRIA CNRS IIS, Academia Sinica, Taipei, Taiwan PKC 2014, Buenos Aires, Argentina, 28th March
More informationArithmétique et Cryptographie Asymétrique
Arithmétique et Cryptographie Asymétrique Laurent Imbert CNRS, LIRMM, Université Montpellier 2 Journée d inauguration groupe Sécurité 23 mars 2010 This talk is about public-key cryptography Why did mathematicians
More informationCPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems
CPE 776:DATA SECURITY & CRYPTOGRAPHY Some Number Theory and Classical Crypto Systems Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Some Number Theory
More informationA Brief Retrospective Look at the Cayley-Purser Public-key Cryptosystem, 19 Years Later
A Brief Retrospective Look at the Cayley-Purser Public-key Cryptosystem, 19 Years Later Douglas R. Stinson David R. Cheriton School of Computer Science University of Waterloo 49th Southeastern Conference
More informationAlgebraic Side-Channel Collision Attacks on AES
Algebraic Side-Channel Collision Attacks on AES Andrey Bogdanov 1 and Andrey Pyshkin 2 1 Chair for Communication Security Ruhr University Bochum, Germany abogdanov@crypto.rub.de 2 Department of Computer
More informationGröbner Bases Techniques in Post-Quantum Cryptography
Gröbner Bases Techniques in Post-Quantum Cryptography Ludovic Perret Sorbonne Universités, UPMC Univ Paris 06, INRIA Paris LIP6, PolSyS Project, Paris, France Post-Quantum Cryptography Winter School, Fukuoka,
More informationOn Deterministic Polynomial-Time Equivalence of Computing the CRT-RSA Secret Keys and Factoring
On Deterministic Polynomial-Time Equivalence of Computing the CRT-RSA Secret Keys and Factoring Subhamoy Maitra and Santanu Sarkar Applied Statistics Unit, Indian Statistical Institute, 203 B T Road, Kolkata
More informationA new security notion for asymmetric encryption Draft #10
A new security notion for asymmetric encryption Draft #10 Muhammad Rezal Kamel Ariffin 1,2 1 Al-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, 2 Department of Mathematics,
More informationSecurity Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography
Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How
More informationOutline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain
More informationLinear Extension Cube Attack on Stream Ciphers ABSTRACT 1. INTRODUCTION
Malaysian Journal of Mathematical Sciences 9(S) June: 139-156 (015) Special ssue: The 4 th nternational Cryptology and nformation Security Conference 014 (Cryptology 014) MALAYSAN JOURNAL OF MATHEMATCAL
More informationA new security notion for asymmetric encryption Draft #12
A new security notion for asymmetric encryption Draft #12 Muhammad Rezal Kamel Ariffin 1,2 1 Al-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, 2 Department of Mathematics,
More informationComputing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring
Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring Alexander May Faculty of Computer Science, Electrical Engineering and Mathematics University of Paderborn 33102 Paderborn,
More informationMultikey Homomorphic Encryption from NTRU
Multikey Homomorphic Encryption from NTRU Li Chen lichen.xd at gmail.com Xidian University January 12, 2014 Multikey Homomorphic Encryption from NTRU Outline 1 Variant of NTRU Encryption 2 Somewhat homomorphic
More informationCosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks
1 Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks Michael Albert michael.albert@cs.otago.ac.nz 2 This week Arithmetic Knapsack cryptosystems Attacks on knapsacks Some
More informationMaTRU: A New NTRU-Based Cryptosystem
MaTRU: A New NTRU-Based Cryptosystem Michael Coglianese 1 and Bok Min Goi 2 1 Macgregor, 321 Summer Street Boston, MA 02210, USA mcoglian@comcast.net 2 Centre for Cryptography and Information Security
More information