An efficient quantum meet-in-the-middle attack against NTRU-2005

Transcription

1 Article Quantum Information October 03 Vol58 o8-9: oi: 0007/s y An efficient quantum meet-in-the-mile attack against TRU-005 WAG Hong, MA Zhi * & MA huangui State Key Laboratory of Mathematical Engineering an Avance omputing, Zhengzhou 45000, hina Receive January, 03 accepte May 5, 03 TRU is one of the most iely use public-key cryptosystems an its security has been an active research topic This paper proposes a ne ay to fin TRU-005 private key The algorithm is base on meet-in-the-mile attack an a quantum algorithm for searching the fixe eight target ompare ith the current classical an quantum meet-in-the-mile attacks, our algorithm has loer time an space complexity Moreover, this attack can also be applie against ifferent versions of TRU The result can help to unerstan the security of TRU better quantum algorithm, TRU, meet-in-the-mile attack itation: Wang H, Ma Z, Ma G An efficient quantum meet-in-the-mile attack against TRU-005 hin Sci Bull, 03, 58: , oi: 0007/ s y For all the time, ho to use the quantum computational theory to improve the classical cryptanalysis ability is an important issue TRU is a public-key cryptosystem base on the shortest lattice vector problem At equivalent security level, TRU nees loer memory an smaller computational complexity than RSA o, there is no efficient quantum algorithm knon that ill solve the shortest lattice vector problem So, it is believe that TRU is secure in quantum times [] In fact, ith the rapi evelopment of quantum computation, all cryptosystems base on the problems of large integer factorization an iscrete logarithm are potentially fragile Hoever, it is still unclear hat kin of effects the quantum computational theory coul make on the security of TRU till no lassical meet-in-the-mile (MITM) attack is a generic cryptanalytic metho originally evelope from cryptanalysis of block ciphers Recently, this technique is also foun to be quite useful in the cryptanalysis of public-key cryptography MITM attack is the best algorithm for attacking TRU at present Grover [] propose a generic quantum search algorithm hich gives a quaratic speeup over the classical brute-force search Hoever, it is not yet knon *orresponing author ( ma_zhi@63com) hether Grover algorithm can spee up the classical MITM attack There are some ne evelopments in the classical cryptanalysis of TRU, such as lattice attack, hybri attack [3], broacast attack [4], etc Luig [5] combine lattice reuction technique ith Grover algorithm, an put forar a novel quantum attack algorithm against TRU Hoever, the attack algorithm in [5] is not better than classical MITM attack In 0, a quantum algorithm use to fin fixe eight target as propose [6] At the same time, the author analyze the security of TRU by the propose algorithm The computation complexity of Wang s algorithm is significantly loer than a classical brute-force search, but still higher than a classical MITM attack Xiong et al [7] combine MITM attack ith Grover quantum searching algorithm, an evelope a quantum MITM attack metho against TRU The time complexity O, hich is loer than the classical in [7] is MITM attack Hoever, the author just consiere the quantum iterative times, an ignore all the complexity of classical precomputation If consiering the classical complexity, the complexity of MITM attack in [7] The Author(s) 03 This article is publishe ith open access at Springerlinkcom csbscichinacom springercom/scp

2 Wang H, et al hin Sci Bull October (03) Vol58 o is log, hich has no any avantages compare ith the classical MITM attack in [8] Base on the classical MITM attack an a quantum algorithm to fin a target solution ith fixe eight, e propose a ne quantum algorithm to attack TRU The time com- plexity is only /3 log /3 /3 /3 (Here, x enotes the largest integer less than x ), hich is loer than previous attacks Preliminaries TRU cryptosystem TRU has been accepte as one of the stanar public-key cryptosystem in the stanar IEEE St 363 The avantage of TRU over other cryptosystems is that encryption an ecryption are very fast an the key are relatively small Also the key generation is fast an easy There have been several ifferent versions of TRU [9,0] For the completeness, e give a simple escription of TRU key generation Details can be foun in [0] To keep consistent ith [6,7], e use the same notation (The versions in [6] is TRU-005) In TRU, given three integers, p, q>0, an the basic objects are truncate polynomials in the ring R [ x]/ x Every element in the ring R can be represente as a vector or a polynomial, here multiplication is efine as convolution multiplication There are three nonempty proper subsets: Sr, Sg, SF R, here element rsr S( ) means that there are coefficients of one in polynomial r, an the rest are zero Similarly, one can efine S g =S( ), S F =S( 3 ) Step Ranomly choose g S an F SF, calculate f=+pf Here e require that there exists that f fq (Mo q) Step Let h fq g(mo q) The public key of TRU: h, p, q The private key of TRU: f A classical MITM attack hoose an integer k, such that k is much larger than g fq q R such In [8], the private key f=f, an the public key h=f q g (Mo q) Let f=f f, here both f an f have a length of /, containing / ones, an enote concatenation () Enumerate f Put each f into a bin base on the most significant bits of the first k coorinates of f h(mo q) () Enumerate f Juge each f to see if it correspons to an occupie bin While checking for occupation, e consier not only the bin given by the most significant bits of the first k coefficients of f h(mo q), but also the bins given by the flips of all the most significant bits hich a to the corresponing coefficients of f h(mo q) (3) Search for matches When f hits an occupie bin, take f from the bin Determine hether (f f ) h(mo q) is binary, an if so return f=f f an terminate Otherise, procee to the next f heck each one if the bin contains more than one f The algorithm can alays return the private key f or a cyclic shift of f Both the time an space complexity are ( ) 3 Wang s attack algorithm Wang et al [6] put forar a quantum algorithm to fin the fixe eight target, an propose a ne metho to fin the private key of TRU Wang s algorithm can be consiere as a quantum brute-force attack, hich can reuce the time O complexity from to First, Wang et al efine the label of an n-imensional Boolean vector ith fixe eight Definition [6] Suppose that the eight of an n-imensional Boolean vector v is, that is, in all positions v takes value 0 except at positions a, a,,a ith a <a <a n The label L v of vector v is then efine as L v a a a Obviously,there is a one-to-one corresponence beteen vectors an their labels Moreover, Lv n The label of a target vector is calle the target label Wang s attack proceure is as follos: () ompute the maximum value of labels n, enote t log n () Search the t-tuple vector using Grover algorithm, erive the target label (3) Derive target vector from target label, return as a caniate private key 4 A quantum MITM Attack In [7], the author assume an are even The bin hich contains polynomial f i ill be labele as label _ f i, an bin( fi) {label _ fi} The basic iea of quantum MITM attack in [7] is: () ompute all {label _ f, f } an arrange as a table L inexe by label _ f () Search f ith the Grover search algorithm, ith label _ f bin( f ), an

3 356 Wang H, et al hin Sci Bull October (03) Vol58 o8-9 f f h(mo q) {0,} (3) Search f correspon to label _ f in L Verify f +f ith other conitions In fact, the time complexity analysis in [7] is incorrect Just as e mentione before, the author ignore all the complexity of classical precomputation An improve quantum MITM attack In TRU-005, the private key is f=+f, here polynomial (or vector) F is consisting of ones an zeros So, if e can fin the polynomial F, the private key f can also been obtaine easily Here, the polynomial F can also be regare as a vector The basic iea of the improve algorithm The iea is to fin the key F in the form F F, here enotes concatenation The length of F an F are 3 an 3, respectively Moreover, F has 3 ones, an F has 3 ones We have fh g(mo q) F F h g(mo q) hf h gf h(mo q) h F h {0,} F h (Mo q) i i i i In fact, accoring to lemma, although F itself may not have the property, e kno that there exist some rotations of F hich has this property an that any rotation of F ill be effective as the private key parameters Lemma Let F F F, 3 an 3 are the length of F an F, respectively Then there exists one rotation of F hich has the property: F has 3 ones, an F has 3 ones Proof Let a, b>0 Without loss of generality, let F has 3 a ones in the first 3 entries, b ones in the mile 3 a b ones in the entries, an /3 last 3 entries Then, rotating F by one position can only change the number of ones in the first (mile) 3 entries by 0, or There are three cases: In case, if b 3, then after 3 left rotations each at a position, obviously In case, if b 3, hen finishing 3 left rotations, the first 3 entries ill have b 3 ones in them Therefore, at some points, the number of ones in the first 3 entries must have been exactly 3 o let us look at the last case If b 3, then 3a b 3, so after 3 left rotations, the first 3 entries ill have 3a b 3 ones in them, obviously Let T an S enote the binary vectors hich are efine by the most significant bits of the first k coorinates of h F h(mo q) an F h(mo q), respectively Here, all F are of length 3, but e ientify them ith the length- vectors forme by appening 3 zeros Similarly, e ientify all F ith the length- vectors forme by prepening 3 zeros Algorithm (i) hoose an integer k, so that k /3 /3 00* (ii) alculate each F to get the binary vector T, an arrange as a table L inexe by T (iii) Apply the Oracle, let F run over its hole sample space an then, search for matches by quantum algorithm in [6] The proper matches meet the to conitions: () S {} T or S {} T, here S is given by the flips of some bits of S hich a to the corresponing coefficients of F h(mo q) h F F h(mo q) {0,} () (iv) Verify f F F ith other conitions Details of searching for matches in step (iii) are: () Let the label l correspon to the vector F,l The Oracle can be efine as, if F, l meet the to conitions in step (iii) Ol () 0, others let () alculate the maximum value of the label n log /3 /3 /3 /3 (3) Initialize the quantum system, an prouce the n equally-eighte superposition state 0 n l l 0 n/ (4) Use Grover algorithm 4 times, get the label l an the vector F,l correspon to the label Algorithm analysis Let O() enote the complexity of classical computation Similarly, O() enotes the complexity of quantum computation Furthermore, to keep consistent ith [,8], the time to calculate h F h(mo q) is taken to be one,

4 Wang H, et al hin Sci Bull October (03) Vol58 o Table Time an space complexity comparison for ifferent TRU attacks Time Space -MITM [8] Wang s attack [6] Q-MITM [7] This paper O O / O / / / / / log / / O / O () / O log /3 /3 /3 /3 /3 /3 /3 /3 Table Time complexity comparison for various parameters Time complexity -MITM [8] Wang s attack [6] Q-MITM [7] This paper O / O log / / / / O / / O log /3 /3 /3 /3 /3 /3 TRU TRU TRU TRU operation Accoring to the above process, the time an space complexity of algorithm epen on step (ii) an step (iii) The number of F is /3 /3, so the time to put each F /3 into a proper bin is /3 alculating the table L nees /3 log /3 /3 /3 basic operation So the expecte time to run step (ii) ill be no more than /3 log /3 /3 /3 The computation complexity of step (iii) only epens on /3 Grover iterative times, ie O /3 The table L nees to be save, so the space complexity is /3 /3 3 omparison for ifferent TRU attacks The comparisons of results for ifferent attacks an various parameters are illustrate in Table an Table Remark ompare the to tables above, our metho is very efficient both in the time an space complexity In fact, if quantum computation is not more expensive than classical computation, it oul be orthhile to transfer some ones from the F sie to the F sie In this case, the expecte running time become approximately O /3 /3 /3 log /3 /3 /3 4 onclusions With the evelopment of quantum computation, the security strength of TRU has been an active research area in the past 0 years This paper revise some errors in [7] an propose an improve quantum MITM attack against TRU The time complexity in this paper is significantly reuce Moreover, this attack can also be applie against TRU- 998 an TRU-00 The result can help to unerstan the security of TRU better An open question orth investing oul be to see if the current attacks may still be improve This ork as supporte by the ational High Technology Research an Development Program of hina (0AA00803), the ational atural Science Founation of hina (U0460) an the Open Project Program of the State Key Laboratory of Mathematical Engineering an Avance omputing (03A4) Perlner R A, ooper D A Quantum resistant public key cryptography: A survey In: Seamons K, McBurnett, Polk T, es Proceeings of the 8th Symposium on Ientity an Trust on the Internet, 009 April 4 6, Gaithersburg, MD, USA e York: AM Press, Grover L K A fast quantum mechanics algorithm for atabase search In: Proceeing of the 8th AM Symposium on Theory of omputation, Philaelphia, PA, USA e York: AM Press, Hograve-Graham A hybri lattice-reuction an meet-in-themile attack against TRU In: Menezes A, e Proceeings RYPTO, 007 August 9 3, Santa Barbara, A, USA Berlin Heielberg: Springer, LS 46, Ding J T, Pan Y B, Deng Y P An algebraic broacast attack against TRU In: Susilo W, Mu Y, Seberry J, es Proceeings AISP, 0 July 9, Wollongong, SW, Australia Berlin Heielberg: Springer, LS 737,

5 358 Wang H, et al hin Sci Bull October (03) Vol58 o8-9 5 Luig A faster lattice reuction metho using quantum search In: Ibaraki T, Katoh, Ono H, es Proceeings ISAA, 003 December 5 7, Kyoto, Japan Berlin Heielberg: Springer, LS 906, Wang X, Bao W S, Fu X Q A quantum algorithm for searching a target solution of fixe eight hin Sci Bull, 0, 56: Xiong Z, Wang J, Wang Y, et al An improve MITM attack against TRU Int J Sec App, 0, 6: Silverman J, Olyzko A TRU Report 004, Version, A Meet-The Mile Attack on an TRU Private Key Technical Report, TRU ryptosystems, Hoffstein J, Pipher J, Silverman J TRU: A ring-base public key cryptosystem In: Buhler J P, e Proceeings Algorithmic umber Theory (ATS III), 998 June 5, Portlan, Oregon, USA Berlin Heielberg: Springer, LS 43, Hograve-Graham, Silverman J H, Whyte W hoosing parameter sets for TRUEncrypt ith AEP an SVES-3 In: Menezes A, e Proceeings the ryptographers Track at the RSA, 005 February 4 8, San Francisco, A, USA Berlin Heielberg: Springer, LS 3376, Open Access This article is istribute uner the terms of the reative ommons Attribution License hich permits any use, istribution, an reprouction in any meium, provie the original author(s) an source are creite