Cryptanalysis of NISTPQC submissions
|
|
- Betty Turner
- 5 years ago
- Views:
Transcription
1 Cryptanalysis of NISTPQC submissions Daniel J. Bernstein, Tanja Lange, Lorenz Panny University of Illinois at Chicago, Technische Universiteit Eindhoven 18 August 2018 Workshops on Attacks in Cryptography
2 NSA announcements August 11, 2015 IAD recognizes that there will be a move, in the not distant future, to a quantum resistant algorithm suite. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 2
3 NSA announcements August 11, 2015 IAD recognizes that there will be a move, in the not distant future, to a quantum resistant algorithm suite. August 19, 2015 IAD will initiate a transition to quantum resistant algorithms in the not too distant future. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 2
4 Post-quantum cryptography 2015 Finally even NSA admits that the world needs post-quantum crypto Every agency posts something (NCSC UK, NCSC NL, NSA (broken certificate!)) NIST announces call for submissions to post-quantum project, solicits submissions on signatures, encryption, and key exchange. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 3
5 Post-quantum cryptography 10 years of motivating people to work on post-quantum crypto Finally even NSA admits that the world needs post-quantum crypto Every agency posts something (NCSC UK, NCSC NL, NSA (broken certificate!)) NIST announces call for submissions to post-quantum project, solicits submissions on signatures, encryption, and key exchange. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 3
6 NIST Post-Quantum Competition December 2016, after public feedback: NIST calls for submissions of post-quantum cryptosystems to standardize. A FURTHER BREAKDOWN 30 November 2017: NIST receives 82 submissions. Overview from Dustin Moody s (NIST) talk at Asiacrypt: Signatures KEM/Encryption Overall Lattice-based Code-based Multi-variate Hash-based 4 4 Other Total Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 4
7 Complete and proper submissions 21 December 2017: NIST posts 69 submissions from 260 people. BIG QUAKE. BIKE. CFPKM. Classic McEliece. Compact LWE. CRYSTALS-DILITHIUM. CRYSTALS-KYBER. DAGS. Ding Key Exchange. DME. DRS. DualModeMS. Edon-K. EMBLEM and R.EMBLEM. FALCON. FrodoKEM. GeMSS. Giophantus. Gravity-SPHINCS. Guess Again. Gui. HILA5. HiMQ-3. HK17. HQC. KINDI. LAC. LAKE. LEDAkem. LEDApkc. Lepton. LIMA. Lizard. LOCKER. LOTUS. LUOV. McNie. Mersenne MQDSS. NewHope. NTRUEncrypt. NTRU-HRSS-KEM. NTRU Prime. NTS-KEM. Odd Manhattan. OKCN/AKCN/CNKE. Ouroboros-R. Picnic. pqntrusign. pqrsa encryption. pqrsa signature. pqsigrm. QC-MDPC KEM. qtesla. RaCoSS. Rainbow. Ramstake. RankSign. RLCE-KEM. Round2. RQC. RVB. SABER. SIKE. SPHINCS+. SRTPI. Three Bears. Titanium. WalnutDSA. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 5
8 Attack timeline: month Bernstein Groot Bruinderink Panny Lange: attack script breaking CCA for HILA5 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 6
9 Attack timeline: month Bernstein Groot Bruinderink Panny Lange: attack script breaking CCA for HILA NIST posts 69 submissions Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 6
10 Attack timeline: month Bernstein Groot Bruinderink Panny Lange: attack script breaking CCA for HILA NIST posts 69 submissions Panny: attack script breaking Guess Again Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 6
11 Attack timeline: month Bernstein Groot Bruinderink Panny Lange: attack script breaking CCA for HILA NIST posts 69 submissions Panny: attack script breaking Guess Again Hülsing Bernstein Panny Lange: attack scripts breaking RaCoSS Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 6
12 Attack timeline: month Bernstein Groot Bruinderink Panny Lange: attack script breaking CCA for HILA NIST posts 69 submissions Panny: attack script breaking Guess Again Hülsing Bernstein Panny Lange: attack scripts breaking RaCoSS Panny: attack script breaking RVB; RVB withdrawn Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 6
13 Attack timeline: month Bernstein Groot Bruinderink Panny Lange: attack script breaking CCA for HILA NIST posts 69 submissions Panny: attack script breaking Guess Again Hülsing Bernstein Panny Lange: attack scripts breaking RaCoSS Panny: attack script breaking RVB; RVB withdrawn Bernstein Lange: attack script breaking HK17 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 6
14 Attack timeline: month Bernstein Groot Bruinderink Panny Lange: attack script breaking CCA for HILA NIST posts 69 submissions Panny: attack script breaking Guess Again Hülsing Bernstein Panny Lange: attack scripts breaking RaCoSS Panny: attack script breaking RVB; RVB withdrawn Bernstein Lange: attack script breaking HK Gaborit: attack reducing McNie security level Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 6
15 Attack timeline: month Bernstein Groot Bruinderink Panny Lange: attack script breaking CCA for HILA NIST posts 69 submissions Panny: attack script breaking Guess Again Hülsing Bernstein Panny Lange: attack scripts breaking RaCoSS Panny: attack script breaking RVB; RVB withdrawn Bernstein Lange: attack script breaking HK Gaborit: attack reducing McNie security level Gaborit: attack reducing Lepton security level Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 6
16 Attack timeline: month Bernstein Groot Bruinderink Panny Lange: attack script breaking CCA for HILA NIST posts 69 submissions Panny: attack script breaking Guess Again Hülsing Bernstein Panny Lange: attack scripts breaking RaCoSS Panny: attack script breaking RVB; RVB withdrawn Bernstein Lange: attack script breaking HK Gaborit: attack reducing McNie security level Gaborit: attack reducing Lepton security level Beullens: attack reducing DME security level Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 6
17 Attack timeline: month Bernstein Groot Bruinderink Panny Lange: attack script breaking CCA for HILA NIST posts 69 submissions Panny: attack script breaking Guess Again Hülsing Bernstein Panny Lange: attack scripts breaking RaCoSS Panny: attack script breaking RVB; RVB withdrawn Bernstein Lange: attack script breaking HK Gaborit: attack reducing McNie security level Gaborit: attack reducing Lepton security level Beullens: attack reducing DME security level : submitter has claimed patent on submission. Warning: Other people could also claim patents. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 6
18 Attack timeline: month Bernstein, building on Bernstein Lange, Wang Malluhi, Li Liu Pan Xie: faster attack script breaking HK17; HK17 withdrawn Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 7
19 Attack timeline: month Bernstein, building on Bernstein Lange, Wang Malluhi, Li Liu Pan Xie: faster attack script breaking HK17; HK17 withdrawn Steinfeld, independently Albrecht Postlethwaite Virdia: attack script breaking CFPKM Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 7
20 Attack timeline: month Bernstein, building on Bernstein Lange, Wang Malluhi, Li Liu Pan Xie: faster attack script breaking HK17; HK17 withdrawn Steinfeld, independently Albrecht Postlethwaite Virdia: attack script breaking CFPKM Alperin-Sheriff Perlner: attack breaking pqsigrm Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 7
21 Attack timeline: month Bernstein, building on Bernstein Lange, Wang Malluhi, Li Liu Pan Xie: faster attack script breaking HK17; HK17 withdrawn Steinfeld, independently Albrecht Postlethwaite Virdia: attack script breaking CFPKM Alperin-Sheriff Perlner: attack breaking pqsigrm Yang Bernstein Lange: attack script breaking SRTPI; SRTPI withdrawn Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 7
22 Attack timeline: month Bernstein, building on Bernstein Lange, Wang Malluhi, Li Liu Pan Xie: faster attack script breaking HK17; HK17 withdrawn Steinfeld, independently Albrecht Postlethwaite Virdia: attack script breaking CFPKM Alperin-Sheriff Perlner: attack breaking pqsigrm Yang Bernstein Lange: attack script breaking SRTPI; SRTPI withdrawn Lequesne Sendrier Tillich: attack breaking Edon-K; script posted ; Edon-K withdrawn Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 7
23 Attack timeline: month Bernstein, building on Bernstein Lange, Wang Malluhi, Li Liu Pan Xie: faster attack script breaking HK17; HK17 withdrawn Steinfeld, independently Albrecht Postlethwaite Virdia: attack script breaking CFPKM Alperin-Sheriff Perlner: attack breaking pqsigrm Yang Bernstein Lange: attack script breaking SRTPI; SRTPI withdrawn Lequesne Sendrier Tillich: attack breaking Edon-K; script posted ; Edon-K withdrawn Beullens: attack script breaking DME Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 7
24 Attack timeline: month Bernstein, building on Bernstein Lange, Wang Malluhi, Li Liu Pan Xie: faster attack script breaking HK17; HK17 withdrawn Steinfeld, independently Albrecht Postlethwaite Virdia: attack script breaking CFPKM Alperin-Sheriff Perlner: attack breaking pqsigrm Yang Bernstein Lange: attack script breaking SRTPI; SRTPI withdrawn Lequesne Sendrier Tillich: attack breaking Edon-K; script posted ; Edon-K withdrawn Beullens: attack script breaking DME Li Liu Pan Xie, independently Bootle Tibouchi Xagawa: attack breaking Compact LWE ; script from 2nd team Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 7
25 Attack timeline: month Bernstein, building on Bernstein Lange, Wang Malluhi, Li Liu Pan Xie: faster attack script breaking HK17; HK17 withdrawn Steinfeld, independently Albrecht Postlethwaite Virdia: attack script breaking CFPKM Alperin-Sheriff Perlner: attack breaking pqsigrm Yang Bernstein Lange: attack script breaking SRTPI; SRTPI withdrawn Lequesne Sendrier Tillich: attack breaking Edon-K; script posted ; Edon-K withdrawn Beullens: attack script breaking DME Li Liu Pan Xie, independently Bootle Tibouchi Xagawa: attack breaking Compact LWE ; script from 2nd team Castryck Vercauteren: attack breaking Giophantus Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 7
26 Attack timeline: month Bernstein, building on Bernstein Lange, Wang Malluhi, Li Liu Pan Xie: faster attack script breaking HK17; HK17 withdrawn Steinfeld, independently Albrecht Postlethwaite Virdia: attack script breaking CFPKM Alperin-Sheriff Perlner: attack breaking pqsigrm Yang Bernstein Lange: attack script breaking SRTPI; SRTPI withdrawn Lequesne Sendrier Tillich: attack breaking Edon-K; script posted ; Edon-K withdrawn Beullens: attack script breaking DME Li Liu Pan Xie, independently Bootle Tibouchi Xagawa: attack breaking Compact LWE ; script from 2nd team Castryck Vercauteren: attack breaking Giophantus Blackburn: attack reducing WalnutDSA security level Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 7
27 Attack timeline: month Bernstein, building on Bernstein Lange, Wang Malluhi, Li Liu Pan Xie: faster attack script breaking HK17; HK17 withdrawn Steinfeld, independently Albrecht Postlethwaite Virdia: attack script breaking CFPKM Alperin-Sheriff Perlner: attack breaking pqsigrm Yang Bernstein Lange: attack script breaking SRTPI; SRTPI withdrawn Lequesne Sendrier Tillich: attack breaking Edon-K; script posted ; Edon-K withdrawn Beullens: attack script breaking DME Li Liu Pan Xie, independently Bootle Tibouchi Xagawa: attack breaking Compact LWE ; script from 2nd team Castryck Vercauteren: attack breaking Giophantus Blackburn: attack reducing WalnutDSA security level Beullens: another attack reducing WalnutDSA security level Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 7
28 Attack timeline: subsequent events Beullens: attack breaking WalnutDSA Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 8
29 Attack timeline: subsequent events Beullens: attack breaking WalnutDSA Fabsic Hromada Zajac: attack breaking CCA for LEDA Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 8
30 Attack timeline: subsequent events Beullens: attack breaking WalnutDSA Fabsic Hromada Zajac: attack breaking CCA for LEDA Yu Ducas: attack reducing DRS security level Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 8
31 Attack timeline: subsequent events Beullens: attack breaking WalnutDSA Fabsic Hromada Zajac: attack breaking CCA for LEDA Yu Ducas: attack reducing DRS security level Debris-Alazard Tillich: attack breaking RankSign; RankSign withdrawn Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 8
32 Attack timeline: subsequent events Beullens: attack breaking WalnutDSA Fabsic Hromada Zajac: attack breaking CCA for LEDA Yu Ducas: attack reducing DRS security level Debris-Alazard Tillich: attack breaking RankSign; RankSign withdrawn Beullens Blackburn: attack script breaking WalnutDSA Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 8
33 Attack timeline: subsequent events Beullens: attack breaking WalnutDSA Fabsic Hromada Zajac: attack breaking CCA for LEDA Yu Ducas: attack reducing DRS security level Debris-Alazard Tillich: attack breaking RankSign; RankSign withdrawn Beullens Blackburn: attack script breaking WalnutDSA Kotov Menshov Ushakov: another attack breaking WalnutDSA Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 8
34 Attack timeline: subsequent events Beullens: attack breaking WalnutDSA Fabsic Hromada Zajac: attack breaking CCA for LEDA Yu Ducas: attack reducing DRS security level Debris-Alazard Tillich: attack breaking RankSign; RankSign withdrawn Beullens Blackburn: attack script breaking WalnutDSA Kotov Menshov Ushakov: another attack breaking WalnutDSA Barelli Couvreur: attack reducing DAGS security level Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 8
35 Attack timeline: subsequent events Beullens: attack breaking WalnutDSA Fabsic Hromada Zajac: attack breaking CCA for LEDA Yu Ducas: attack reducing DRS security level Debris-Alazard Tillich: attack breaking RankSign; RankSign withdrawn Beullens Blackburn: attack script breaking WalnutDSA Kotov Menshov Ushakov: another attack breaking WalnutDSA Barelli Couvreur: attack reducing DAGS security level Couvreur Lequesne Tillich: attack breaking short parameters for RLCE Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 8
36 Attack timeline: subsequent events Beullens: attack breaking WalnutDSA Fabsic Hromada Zajac: attack breaking CCA for LEDA Yu Ducas: attack reducing DRS security level Debris-Alazard Tillich: attack breaking RankSign; RankSign withdrawn Beullens Blackburn: attack script breaking WalnutDSA Kotov Menshov Ushakov: another attack breaking WalnutDSA Barelli Couvreur: attack reducing DAGS security level Couvreur Lequesne Tillich: attack breaking short parameters for RLCE Beullens Castryck Vercauteren: attack script breaking Giophantus Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 8
37 Complete and proper submissions 21 December 2017: NIST posts 69 submissions from 260 people. BIG QUAKE. BIKE. CFPKM. Classic McEliece. Compact LWE. CRYSTALS-DILITHIUM. CRYSTALS-KYBER. DAGS. Ding Key Exchange. DME. DRS. DualModeMS. Edon-K. EMBLEM and R.EMBLEM. FALCON. FrodoKEM. GeMSS. Giophantus. Gravity-SPHINCS. Guess Again. Gui. HILA5. HiMQ-3. HK17. HQC. KINDI. LAC. LAKE. LEDAkem. LEDApkc. Lepton. LIMA. Lizard. LOCKER. LOTUS. LUOV. McNie. Mersenne MQDSS. NewHope. NTRUEncrypt. NTRU-HRSS-KEM. NTRU Prime. NTS-KEM. Odd Manhattan. OKCN/AKCN/CNKE. Ouroboros-R. Picnic. pqntrusign. pqrsa encryption. pqrsa signature. pqsigrm. QC-MDPC KEM. qtesla. RaCoSS. Rainbow. Ramstake. RankSign. RLCE-KEM. Round2. RQC. RVB. SABER. SIKE. SPHINCS+. SRTPI. Three Bears. Titanium. WalnutDSA. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 9
38 Complete and proper submissions 21 December 2017: NIST posts 69 submissions from 260 people. BIG QUAKE. BIKE. CFPKM. Classic McEliece. Compact LWE. CRYSTALS-DILITHIUM. CRYSTALS-KYBER. DAGS. Ding Key Exchange. DME. DRS. DualModeMS. Edon-K. EMBLEM and R.EMBLEM. FALCON. FrodoKEM. GeMSS. Giophantus. Gravity-SPHINCS. Guess Again. Gui. HILA5. HiMQ-3. HK17. HQC. KINDI. LAC. LAKE. LEDAkem. LEDApkc. Lepton. LIMA. Lizard. LOCKER. LOTUS. LUOV. McNie. Mersenne MQDSS. NewHope. NTRUEncrypt. NTRU-HRSS-KEM. NTRU Prime. NTS-KEM. Odd Manhattan. OKCN/AKCN/CNKE. Ouroboros-R. Picnic. pqntrusign. pqrsa encryption. pqrsa signature. pqsigrm. QC-MDPC KEM. qtesla. RaCoSS. Rainbow. Ramstake. RankSign. RLCE-KEM. Round2. RQC. RVB. SABER. SIKE. SPHINCS+. SRTPI. Three Bears. Titanium. WalnutDSA. Color coding: total break; partial break Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 9
39 HILA5 HILA5 is a RLWE-based KEM submitted to NISTPQC. This design also provides IND-CCA secure KEM-DEM public key encryption if used in conjunction with an appropriate AEAD such as NIST approved AES256-GCM. HILA5 NIST submission document (v1.0) Decapsulation much faster than encapsulation (and faster than any other scheme). No mention of a CCA transform (e.g. Fujisaki Okamoto). Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 10
40 Noisy Diffie Hellman degree n Have a ring R = Z[x]/(q, ϕ) where q Z and ϕ Z[x]. Let χ be a narrow distribution around 0 R. Fix some random element g R. a, e χ n b, e χ n A = ga + e B = gb + e S = Ba = gab + e a S = Ab = gab + eb = S S = e a eb 0 χ small Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 11
41 Reconciliation Alice and Bob obtain close secret vectors S, S (Z/q) n. How to map coefficients to bits? 0 q 3q/4 q/4 q/2 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 12
42 Reconciliation Alice and Bob obtain close secret vectors S, S (Z/q) n. How to map coefficients to bits? 0 q edge 1 3q/4 q/4 0 q/2 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 12
43 Reconciliation Alice and Bob obtain close secret vectors S, S (Z/q) n. How to map coefficients to bits? 0 q edge 1 3q/4 0 q/4 Alice: 1 Bob: 1 q/2 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 12
44 Reconciliation Alice and Bob obtain close secret vectors S, S (Z/q) n. How to map coefficients to bits? 0 q edge 1 3q/4 0 q/4 Alice: 0 Bob: 0 q/2 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 12
45 Reconciliation Alice and Bob obtain close secret vectors S, S (Z/q) n. How to map coefficients to bits? 0 q edge 1 3q/4 0 q/4 Alice: 1 Bob: 0 q/2 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 12
46 Reconciliation Alice and Bob obtain close secret vectors S, S (Z/q) n. How to map coefficients to bits? 0 q edge 1 3q/4 0 q/2 q/4 Alice: 1 Bob: 0 oops! Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 12
47 Reconciliation Mapping coefficients to bits using fixed intervals is bad. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 13
48 Reconciliation Mapping coefficients to bits using fixed intervals is bad. Better: Bob chooses a mapping based on his coefficient and tells Alice which mapping he used. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 13
49 Reconciliation Mapping coefficients to bits using fixed intervals is bad. Better: Bob chooses a mapping based on his coefficient and tells Alice which mapping he used. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 13
50 Reconciliation Mapping coefficients to bits using fixed intervals is bad. Better: Bob chooses a mapping based on his coefficient and tells Alice which mapping he used. 1 0 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 13
51 Reconciliation Mapping coefficients to bits using fixed intervals is bad. Better: Bob chooses a mapping based on his coefficient and tells Alice which mapping he used Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 13
52 Reconciliation Mapping coefficients to bits using fixed intervals is bad. Better: Bob chooses a mapping based on his coefficient and tells Alice which mapping he used Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 13
53 Fluhrer s attack Problem: Evil Bob can trick Alice into leaking information by deliberately using the wrong mapping for one coefficient. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 14
54 Fluhrer s attack Problem: Evil Bob can trick Alice into leaking information by deliberately using the wrong mapping for one coefficient. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 14
55 Fluhrer s attack Problem: Evil Bob can trick Alice into leaking information by deliberately using the wrong mapping for one coefficient Alice: 0 Alice: 1 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 14
56 Fluhrer s attack Problem: Evil Bob can trick Alice into leaking information by deliberately using the wrong mapping for one coefficient Alice: 0 Alice: 1 Evil Bob can distinguish these cases! (He knows all the other key bits.) Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 14
57 Chosen-ciphertext information leaks Evil Bob has two guesses k 0, k 1 for what Alice s key k will be given his manipulated public key B. Alice Evil Bob Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 15
58 Chosen-ciphertext information leaks Evil Bob has two guesses k 0, k 1 for what Alice s key k will be given his manipulated public key B. B Enc(k 0, "GET / HTTP/1.1") Alice Evil Bob Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 15
59 Chosen-ciphertext information leaks Evil Bob has two guesses k 0, k 1 for what Alice s key k will be given his manipulated public key B. B Enc(k 0, "GET / HTTP/1.1") I don t understand! Aborting. Alice Evil Bob Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 15
60 Chosen-ciphertext information leaks Evil Bob has two guesses k 0, k 1 for what Alice s key k will be given his manipulated public key B. B Enc(k 1, "GET / HTTP/1.1") Alice Evil Bob Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 15
61 Chosen-ciphertext information leaks Evil Bob has two guesses k 0, k 1 for what Alice s key k will be given his manipulated public key B. B Enc(k 1, "GET / HTTP/1.1") Here s your webpage! Alice Evil Bob Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 15
62 Chosen-ciphertext information leaks Evil Bob has two guesses k 0, k 1 for what Alice s key k will be given his manipulated public key B. B Enc(k 1, "GET / HTTP/1.1") Here s your webpage! Alice Evil Bob = Bob learns that k = k 1. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 15
63 Chosen-ciphertext information leaks Evil Bob has two guesses k 0, k 1 for what Alice s key k will be given his manipulated public key B. B Enc(k 0, "GET / HTTP/1.1") Decryption failure! Aborting. Alice Evil Bob = Bob learns that k = k 1. This still works if Enc is an authenticated symmetric cipher! Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 15
64 Chosen-ciphertext information leaks Evil Bob has two guesses k 0, k 1 for what Alice s key k will be given his manipulated public key B. B Enc(k 1, "GET / HTTP/1.1") Here s your webpage! Alice Evil Bob = Bob learns that k = k 1. This still works if Enc is an authenticated symmetric cipher! Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 15
65 Fluhrer s attack Adaptive chosen-ciphertext attack against static keys. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 16
66 Fluhrer s attack Adaptive chosen-ciphertext attack against static keys. Recall that Alice s shared secret is gab + e a. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 16
67 Fluhrer s attack Adaptive chosen-ciphertext attack against static keys. Recall that Alice s shared secret is gab + e a. edge Suppose Evil Bob knows b δ such that gab δ [0] = M + δ. = Querying Alice with b = b δ leaks whether e a[0] > δ. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 16
68 Fluhrer s attack Adaptive chosen-ciphertext attack against static keys. Recall that Alice s shared secret is gab + e a. edge Suppose Evil Bob knows b δ such that gab δ [0] = M + δ. = Querying Alice with b = b δ leaks whether e a[0] > δ. Structure of R Can choose e such that e a[0] = a[i] to recover all of a. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 16
69 Fluhrer s attack Querying Alice with b = b δ and e = 1 leaks whether a[0] > δ. 1 M 0 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 17
70 Fluhrer s attack Querying Alice with b = b δ and e = 1 leaks whether a[0] > δ. 1 M Evil Bob s δ: 0 Alice: 1 0 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 17
71 Fluhrer s attack Querying Alice with b = b δ and e = 1 leaks whether a[0] > δ. 1 M Evil Bob s δ: -8 Alice: 0 0 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 17
72 Fluhrer s attack Querying Alice with b = b δ and e = 1 leaks whether a[0] > δ. 1 M Evil Bob s δ: -4 Alice: 1 0 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 17
73 Fluhrer s attack Querying Alice with b = b δ and e = 1 leaks whether a[0] > δ. 1 M Evil Bob s δ: -6 Alice: 0 0 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 17
74 Fluhrer s attack Querying Alice with b = b δ and e = 1 leaks whether a[0] > δ. 1 M Evil Bob s δ: -5 Alice: 1 0 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 17
75 Fluhrer s attack Querying Alice with b = b δ and e = 1 leaks whether a[0] > δ. 1 M Evil Bob s δ: -5 Alice: 1 0 = Evil Bob learns that a[0] = 5. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 17
76 Our work Adaption of Fluhrer s attack to HILA5 and analysis Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 18
77 HILA5 Standard noisy Diffie Hellman with new reconciliation. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 19
78 HILA5 Standard noisy Diffie Hellman with new reconciliation. Ring: Z[x]/(q, x ) where q = Noise distribution χ: Ψ on { 16,..., 16} 1 same as New Hope. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 19
79 HILA5 Standard noisy Diffie Hellman with new reconciliation. Ring: Z[x]/(q, x ) where q = Noise distribution χ: Ψ on { 16,..., 16} New reconciliation mechanism: Only use safe bits that are far from an edge. Additionally apply an error-correcting code. 1 same as New Hope. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 19
80 HILA5 s reconciliation For each coefficient: d = 0: Discard coefficient. d = 1: Send reconciliation information c; use for key bit k. Edges: c = 0: 3q/8... 7q/8 k = 0. 7q/8... 3q/8 k = 1. c = 1: q/8... 5q/8 k = 0. 5q/8... q/8 k = 1. (picture: HILA5 documentation) Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 20
81 HILA5 s packet format bits d 0...d 1023 select 496 coefficients bits r 0...r 239 correct errors Bob s public key safe bits reconciliation error correction gb + e bits c 0...c 495 select an edge Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 21
82 HILA5 s packet format bits d 0...d 1023 select 496 coefficients bits r 0...r 239 correct errors Bob s public key safe bits reconciliation error correction gb + e bits c 0...c 495 select an edge We re going to manipulate each of these parts. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 21
83 Unsafe bits gb + e safe bits reconciliation error correction We want to attack the first coefficient. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 22
84 Unsafe bits gb + e safe bits reconciliation error correction We want to attack the first coefficient. = Force d 0 = 1 to make Alice use it. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 22
85 Living on the edge gb + e safe bits reconciliation error correction We want to attack the edge at M = q/8. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 23
86 Living on the edge gb + e safe bits reconciliation error correction We want to attack the edge at M = q/8. = Force c 0 = 1. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 23
87 Making errors gb + e safe bits reconciliation error correction HILA5 uses a custom linear error-correcting code XE5. Encrypted (XOR) using part of Bob s shared secret S. Ten variable-length codewords R 0...R 9. Alice corrects S[0] using the first bit of each R i. Capable of correcting (at least) 5-bit errors. We want to keep errors in S[0]. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 24
88 Making errors gb + e safe bits reconciliation error correction HILA5 uses a custom linear error-correcting code XE5. Encrypted (XOR) using part of Bob s shared secret S. Ten variable-length codewords R 0...R 9. Alice corrects S[0] using the first bit of each R i. Capable of correcting (at least) 5-bit errors. We want to keep errors in S[0]. = Flip the first bit of R 0...R 4! Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 24
89 All coefficients for the price of one gb + e safe bits reconciliation error correction Our binary search recovers e a[0] from gab δ + e a by varying δ. How to get a[1], a[2],..? Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 25
90 All coefficients for the price of one gb + e safe bits reconciliation error correction Our binary search recovers e a[0] from gab δ + e a by varying δ. How to get a[1], a[2],..? By construction of R = Z[x]/(q, x ), Evil Bob can rotate a[i] into e a[0] by setting e = x 1024 i. Running the search for all i yields all coefficients of a. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 25
91 Evil Bob needs evil b δ gb + e safe bits reconciliation error correction Recall that Evil Bob needs b δ such that gab δ [0] = M + δ. How to obtain b δ without knowing a? Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 26
92 Evil Bob needs evil b δ gb + e safe bits reconciliation error correction Recall that Evil Bob needs b δ such that gab δ [0] = M + δ. How to obtain b δ without knowing a? = Guess b 0 based on Alice s public key A = ga + e: Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 26
93 Evil Bob needs evil b δ gb + e safe bits reconciliation error correction Recall that Evil Bob needs b δ such that gab δ [0] = M + δ. How to obtain b δ without knowing a? = Guess b 0 based on Alice s public key A = ga + e: If b 0 has two entries ±1 and (Ab 0 )[0] = M, then Pr [gab 0[0] = M] = Pr [x + y = 0] 9.9%. e χ n x,y Ψ 16 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 26
94 Evil Bob needs evil b δ gb + e safe bits reconciliation error correction Recall that Evil Bob needs b δ such that gab δ [0] = M + δ. How to obtain b δ without knowing a? = Guess b 0 based on Alice s public key A = ga + e: If b 0 has two entries ±1 and (Ab 0 )[0] = M, then Pr [gab 0[0] = M] = Pr [x + y = 0] 9.9%. e χ n x,y Ψ 16 For all other δ, set b δ := (1 + δm 1 mod q) b 0. This works because M 1 mod q = 8 is small here. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 26
95 Evil Bob needs evil b δ gb + e safe bits reconciliation error correction Recall that Evil Bob needs b δ such that gab δ [0] = M + δ. How to obtain b δ without knowing a? = Guess b 0 based on Alice s public key A = ga + e: If b 0 has two entries ±1 and (Ab 0 )[0] = M, then Pr [gab 0[0] = M] = Pr [x + y = 0] 9.9%. e χ n x,y Ψ 16 For all other δ, set b δ := (1 + δm 1 mod q) b 0. This works because M 1 mod q = 8 is small here. If b 0 was wrong, the recovered coefficients are all 0 or 1. = easily detectable. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 26
96 Implementation Our code 1 attacks the HILA5 reference implementation. 100% success rate in our experiments. Less than 6000 queries (virtually always). (Note: Evil Bob could recover fewer coefficients and compute the rest by solving a lattice problem of reduced dimension.) 1 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 27
97
98 HK17 HK17 consists broadly in a Key Exchange Protocol (KEP) based on non-commutative algebra of hypercomplex numbers limited to quaternions and octonions. In particular, this proposal is based on non-commutative and non-associative algebra using octonions. Security analysis:... In our protocol, we could not find any ways to proceed with any abelianization of our octonions non-associative Moufang loop [29] or reducing of the GSDP problem of polynomial powers of octonions to a finitely generated nilpotent image of the given free group in the cryptosystem and a further nonlinear decomposition attack. We simply conclude that Roman kov attacks do not affect our proposal. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 28
99 What are octonions? R: set of real numbers. C: set of complex numbers; dim-2 R-vector space. H: set of quaternions; dim-4 R-vector space; 1843 Hamilton. O: set of octonions; dim-8 R-vector space; 1845 Cayley, 1845 Graves. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 29
100 What are octonions? R: set of real numbers. C: set of complex numbers; dim-2 R-vector space. H: set of quaternions; dim-4 R-vector space; 1843 Hamilton. O: set of octonions; dim-8 R-vector space; 1845 Cayley, 1845 Graves. Each of these sets has a three-part definition: Elements. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 29
101 What are octonions? R: set of real numbers. C: set of complex numbers; dim-2 R-vector space. H: set of quaternions; dim-4 R-vector space; 1843 Hamilton. O: set of octonions; dim-8 R-vector space; 1845 Cayley, 1845 Graves. Each of these sets has a three-part definition: Elements. Conjugation q q. (For R: the identity map.) Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 29
102 What are octonions? R: set of real numbers. C: set of complex numbers; dim-2 R-vector space. H: set of quaternions; dim-4 R-vector space; 1843 Hamilton. O: set of octonions; dim-8 R-vector space; 1845 Cayley, 1845 Graves. Each of these sets has a three-part definition: Elements. Conjugation q q. (For R: the identity map.) Multiplication q, r qr. (R, C: commutative. R, C, H: associative.) Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 29
103 What are octonions? R: set of real numbers. C: set of complex numbers; dim-2 R-vector space. H: set of quaternions; dim-4 R-vector space; 1843 Hamilton. O: set of octonions; dim-8 R-vector space; 1845 Cayley, 1845 Graves. Each of these sets has a three-part definition: Elements. Conjugation q q. (For R: the identity map.) Multiplication q, r qr. (R, C: commutative. R, C, H: associative.) Simple unified definition from 1919 Dickson: O = H H with conjugation (q, Q) = (q, Q); multiplication (q, Q)(r, R) = (qr R Q, Rq + Qr ). Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 29
104 What are octonions? R: set of real numbers. C: set of complex numbers; dim-2 R-vector space. H: set of quaternions; dim-4 R-vector space; 1843 Hamilton. O: set of octonions; dim-8 R-vector space; 1845 Cayley, 1845 Graves. Each of these sets has a three-part definition: Elements. Conjugation q q. (For R: the identity map.) Multiplication q, r qr. (R, C: commutative. R, C, H: associative.) Simple unified definition from 1919 Dickson: O = H H with conjugation (q, Q) = (q, Q); multiplication (q, Q)(r, R) = (qr R Q, Rq + Qr ). H = C C with same formulas. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 29
105 What are octonions? R: set of real numbers. C: set of complex numbers; dim-2 R-vector space. H: set of quaternions; dim-4 R-vector space; 1843 Hamilton. O: set of octonions; dim-8 R-vector space; 1845 Cayley, 1845 Graves. Each of these sets has a three-part definition: Elements. Conjugation q q. (For R: the identity map.) Multiplication q, r qr. (R, C: commutative. R, C, H: associative.) Simple unified definition from 1919 Dickson: O = H H with conjugation (q, Q) = (q, Q); multiplication (q, Q)(r, R) = (qr R Q, Rq + Qr ). H = C C with same formulas. C = R R with same formulas. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 29
106 What are octonions? R: set of real numbers. C: set of complex numbers; dim-2 R-vector space. H: set of quaternions; dim-4 R-vector space; 1843 Hamilton. O: set of octonions; dim-8 R-vector space; 1845 Cayley, 1845 Graves. Each of these sets has a three-part definition: Elements. Conjugation q q. (For R: the identity map.) Multiplication q, r qr. (R, C: commutative. R, C, H: associative.) Simple unified definition from 1919 Dickson: O = H H with conjugation (q, Q) = (q, Q); multiplication (q, Q)(r, R) = (qr R Q, Rq + Qr ). H = C C with same formulas. C = R R with same formulas. Exercise: Every q O has q 2 = tq n and q = t q for some t, n R. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 29
107 How does HK17 work? Use integers modulo prime p instead of real numbers. HK17 submission claims security for p = Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 30
108 How does HK17 work? Use integers modulo prime p instead of real numbers. HK17 submission claims security for p = Alice: Generate secret integers m, n, f 0, f 1,..., f 32 > 0. Generate public octonions q, r; secret a = f 0 + f 1 q + + f 32 q 32. Send q, r, a m ra n to Bob. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 30
109 How does HK17 work? Use integers modulo prime p instead of real numbers. HK17 submission claims security for p = Alice: Generate secret integers m, n, f 0, f 1,..., f 32 > 0. Generate public octonions q, r; secret a = f 0 + f 1 q + + f 32 q 32. Send q, r, a m ra n to Bob. Bob: Generate secret integers k, l, h 0, h 1,..., h 32 > 0. Generate secret b = h 0 + h 1 q + + h 32 q 32. Send b k rb l to Alice. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 30
110 How does HK17 work? Use integers modulo prime p instead of real numbers. HK17 submission claims security for p = Alice: Generate secret integers m, n, f 0, f 1,..., f 32 > 0. Generate public octonions q, r; secret a = f 0 + f 1 q + + f 32 q 32. Send q, r, a m ra n to Bob. Bob: Generate secret integers k, l, h 0, h 1,..., h 32 > 0. Generate secret b = h 0 + h 1 q + + h 32 q 32. Send b k rb l to Alice. Shared secret: a m (b k rb l )a n = b k (a m ra n )b l. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 30
111 Why does HK17 work? Does a m ra n mean (a m r)a n, or a m (ra n )? Does a m mean a(a( )), or (( )a)a? Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 31
112 Why does HK17 work? Does a m ra n mean (a m r)a n, or a m (ra n )? Does a m mean a(a( )), or (( )a)a? Octonions satisfy some partial associativity rules: Flexible identity: x(yx) = (xy)x. Alternative identity: x(xy) = (xx)y and y(xx) = (yx)x. Moufang identities: z(x(zy)) = ((zx)z)y; x(z(yz)) = ((xz)y)z; (zx)(yz) = (z(xy))z = z((xy)z). Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 31
113 Why does HK17 work? Does a m ra n mean (a m r)a n, or a m (ra n )? Does a m mean a(a( )), or (( )a)a? Octonions satisfy some partial associativity rules: Flexible identity: x(yx) = (xy)x. Alternative identity: x(xy) = (xx)y and y(xx) = (yx)x. Moufang identities: z(x(zy)) = ((zx)z)y; x(z(yz)) = ((xz)y)z; (zx)(yz) = (z(xy))z = z((xy)z). So a(aa) = (aa)a; a(a(aa)) = (aa)(aa) = ((aa)a)a; etc. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 31
114 Why does HK17 work? Does a m ra n mean (a m r)a n, or a m (ra n )? Does a m mean a(a( )), or (( )a)a? Octonions satisfy some partial associativity rules: Flexible identity: x(yx) = (xy)x. Alternative identity: x(xy) = (xx)y and y(xx) = (yx)x. Moufang identities: z(x(zy)) = ((zx)z)y; x(z(yz)) = ((xz)y)z; (zx)(yz) = (z(xy))z = z((xy)z). So a(aa) = (aa)a; a(a(aa)) = (aa)(aa) = ((aa)a)a; etc. Also (ar)(aa) = a((ra)a) = a(r(aa)); (ar)((aa)a) = a((r(aa))a) = a(((ra)a)a) = a(r(a(aa))); etc. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 31
115 Why does HK17 work? Does a m ra n mean (a m r)a n, or a m (ra n )? Does a m mean a(a( )), or (( )a)a? Octonions satisfy some partial associativity rules: Flexible identity: x(yx) = (xy)x. Alternative identity: x(xy) = (xx)y and y(xx) = (yx)x. Moufang identities: z(x(zy)) = ((zx)z)y; x(z(yz)) = ((xz)y)z; (zx)(yz) = (z(xy))z = z((xy)z). So a(aa) = (aa)a; a(a(aa)) = (aa)(aa) = ((aa)a)a; etc. Also (ar)(aa) = a((ra)a) = a(r(aa)); (ar)((aa)a) = a((r(aa))a) = a(((ra)a)a) = a(r(a(aa))); etc. q m (q k rq l )q n = q k (q m rq n )q l. a m (b k rb l )a n = b k (a m ra n )b l because a, b are polynomials in q. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 31
116 A fast attack, and a faster attack Remember the exercise: q 2 is a linear combination of 1, q. So every polynomial in q is a linear combination of 1, q. There are only p 2 of these combinations! Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 32
117 A fast attack, and a faster attack Remember the exercise: q 2 is a linear combination of 1, q. So every polynomial in q is a linear combination of 1, q. There are only p 2 of these combinations! Attacker sees a m ra n, tries p 2 possibilities for a m. Recognizing correct possibility: a n is linear combination of 1, q. Fake solutions aren t a problem: good enough for decryption. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 32
118 A fast attack, and a faster attack Remember the exercise: q 2 is a linear combination of 1, q. So every polynomial in q is a linear combination of 1, q. There are only p 2 of these combinations! Attacker sees a m ra n, tries p 2 possibilities for a m. Recognizing correct possibility: a n is linear combination of 1, q. Fake solutions aren t a problem: good enough for decryption. Even faster: Attacker tries only q, q + 1, q + 2, q + 3,.... Finds integer multiple of a m ; good enough for decryption. This was the first attack script: 2 32 fast computations. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 32
119 A fast attack, and a faster attack Remember the exercise: q 2 is a linear combination of 1, q. So every polynomial in q is a linear combination of 1, q. There are only p 2 of these combinations! Attacker sees a m ra n, tries p 2 possibilities for a m. Recognizing correct possibility: a n is linear combination of 1, q. Fake solutions aren t a problem: good enough for decryption. Even faster: Attacker tries only q, q + 1, q + 2, q + 3,.... Finds integer multiple of a m ; good enough for decryption. This was the first attack script: 2 32 fast computations. Even faster: Attacker solves a m ra n = (q + x)r(yq + z). Eight equations in three variables x, y, z; linearize. This was the second attack script: practically instantaneous. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 32
HILA5 Pindakaas: On the CCA security of lattice-based encryption with error correction
HILA5 Pindakaas: On the CCA security of lattice-based encryption with error correction Daniel J. Bernstein 1 Leon Groot Bruinderink 2 Tanja Lange 2 Lorenz Panny 2 1 University of Illinois at Chicago 2
More informationReport on Learning with Errors over Rings-based HILA5 and its CCA Security
Report on Learning with Errors over Rings-based HILA5 and its CCA Security Jesús Antonio Soto Velázquez January 24, 2018 Abstract HILA5 is a cryptographic primitive based on lattices that was submitted
More informationCode-based Cryptography
a Hands-On Introduction Daniel Loebenberger Ηράκλειο, September 27, 2018 Post-Quantum Cryptography Various flavours: Lattice-based cryptography Hash-based cryptography Code-based
More informationAttacks in code based cryptography: a survey, new results and open problems
Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria, team-project SECRET April 9, 2018 1. Code based cryptography introduction Difficult problem in coding theory
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationCRYSTALS Kyber and Dilithium. Peter Schwabe February 7, 2018
CRYSTALS Kyber and Dilithium Peter Schwabe peter@cryptojedi.org https://cryptojedi.org February 7, 2018 Crypto today 5 building blocks for a secure channel Symmetric crypto Block or stream cipher (e.g.,
More informationFrom NewHope to Kyber. Peter Schwabe April 7, 2017
From NewHope to Kyber Peter Schwabe peter@cryptojedi.org https://cryptojedi.org April 7, 2017 In the past, people have said, maybe it s 50 years away, it s a dream, maybe it ll happen sometime. I used
More informationElliptic curves. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J. Bernstein
Elliptic curves Tanja Lange Technische Universiteit Eindhoven with some slides by Daniel J. Bernstein Diffie-Hellman key exchange Pick some generator. Diffie-Hellman key exchange Pick some generator. Diffie-Hellman
More informationMarkku-Juhani O. Saarinen
Shorter Messages and Faster Post-Quantum Encryption with Round5 on Cortex M Markku-Juhani O. Saarinen S. Bhattacharya 1 O. Garcia-Morchon 1 R. Rietman 1 L. Tolhuizen 1 Z. Zhang 2 (1)
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationMessage Authentication Codes (MACs)
Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands October 8, 2015 1 / 22 About Me 2 / 22 About Me Tung Chou (Tony) 2 / 22 About Me Tung Chou (Tony) Ph.D.
More informationhttps://www.microsoft.com/en-us/research/people/plonga/ Outline Motivation recap Isogeny-based cryptography The SIDH key exchange protocol The SIKE protocol Authenticated key exchange from supersingular
More informationA Generic Hybrid Encryption Construction in the Quantum Random Oracle Model
A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance
More informationA Key Recovery Attack on MDPC with CCA Security Using Decoding Errors
A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors Qian Guo Thomas Johansson Paul Stankovski Dept. of Electrical and Information Technology, Lund University ASIACRYPT 2016 Dec 8th, 2016
More informationIntroduction to Quantum Safe Cryptography. ENISA September 2018
Introduction to Quantum Safe Cryptography ENISA September 2018 Introduction This talk will introduce the mathematical background of the most popular PQC primitives Code-based Lattice-based Multivariate
More informationOutline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain
More informationPost-Quantum Cryptography
Post-Quantum Cryptography Sebastian Schmittner Institute for Theoretical Physics University of Cologne 2015-10-26 Talk @ U23 @ CCC Cologne This work is licensed under a Creative Commons Attribution-ShareAlike
More informationPublic-key cryptography and the Discrete-Logarithm Problem. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J.
Public-key cryptography and the Discrete-Logarithm Problem Tanja Lange Technische Universiteit Eindhoven with some slides by Daniel J. Bernstein Cryptography Let s understand what our browsers do. Schoolbook
More informationCryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups
Great Theoretical Ideas in CS V. Adamchik CS 15-251 Upcoming Interview? Lecture 24 Carnegie Mellon University Cryptography and RSA How the World's Smartest Company Selects the Most Creative Thinkers Groups
More informationPost-quantum key exchange for the Internet based on lattices
Post-quantum key exchange for the Internet based on lattices Craig Costello Talk at MSR India Bangalore, India December 21, 2016 Based on J. Bos, C. Costello, M. Naehrig, D. Stebila Post-Quantum Key Exchange
More informationNoisy Diffie-Hellman protocols
Noisy Diffie-Hellman protocols Carlos Aguilar 1, Philippe Gaborit 1, Patrick Lacharme 1, Julien Schrek 1 and Gilles Zémor 2 1 University of Limoges, France, 2 University of Bordeaux, France. Classical
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Serge Vaudenay 17.1.2017 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not
More informationNTRU Prime. Daniel J. Bernstein, Chitchanok Chuengsatiansup, Tanja Lange, and Christine van Vredendaal. Technische Universiteit Eindhoven
NTRU Prime Daniel J. Bernstein, Chitchanok Chuengsatiansup, Tanja Lange, and Christine van Vredendaal Technische Universiteit Eindhoven 25 August 2016 Tanja Lange NTRU Prime https://eprint.iacr.org/2016/461
More informationPost-quantum key exchange based on Lattices
Post-quantum key exchange based on Lattices Joppe W. Bos Romanian Cryptology Days Conference Cybersecurity in a Post-quantum World September 20, 2017, Bucharest 1. NXP Semiconductors Operations in > 35
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationCryptanalysis of the Algebraic Eraser
Cryptanalysis of the Algebraic Eraser Simon R. Blackburn Royal Holloway University of London 9th June 2016 Simon R. Blackburn (RHUL) The Algebraic Eraser 1 / 14 Diffie-Hellman key exchange Alice and Bob
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols University of Massachusetts Amherst nichols@math.umass.edu WINRS Research Symposium Brown University March 4, 2017 Cryptography basics Cryptography
More informationMATH 158 FINAL EXAM 20 DECEMBER 2016
MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationA gentle introduction to isogeny-based cryptography
A gentle introduction to isogeny-based cryptography Craig Costello Tutorial at SPACE 2016 December 15, 2016 CRRao AIMSCS, Hyderabad, India Part 1: Motivation Part 2: Preliminaries Part 3: Brief SIDH sketch
More informationTanja Lange Technische Universiteit Eindhoven
Crytanalysis Course Part I Tanja Lange Technische Universiteit Eindhoven 28 Nov 2016 with some slides by Daniel J. Bernstein Main goal of this course: We are the attackers. We want to break ECC and RSA.
More informationProgressive lattice sieving
Progressive lattice sieving Thijs Laarhoven and Artur Mariano t s tt t s PQCrypto 2018, Fort Lauderdale (FL), USA (April 10, 2018) Lattices What is a lattice? Lattices What is a lattice? b 1 b 2 Lattices
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationA Generic Attack on Lattice-based Schemes using Decryption Errors
A Generic Attack on Lattice-based Schemes using Decryption Errors with Application to ss-ntru-pke Qian Guo 1,2, Thomas Johansson 2, and Alexander Nilsson 2 1 Dept. of Informatics, University of Bergen,
More informationNewHope for ARM Cortex-M
for ARM Cortex-M Erdem Alkim 1, Philipp Jakubeit 2, Peter Schwabe 2 erdemalkim@gmail.com, phil.jakubeit@gmail.com, peter@cryptojedi.org 1 Ege University, Izmir, Turkey 2 Radboud University, Nijmegen, The
More informationOn error distributions in ring-based LWE
On error distributions in ring-based LWE Wouter Castryck 1,2, Ilia Iliashenko 1, Frederik Vercauteren 1,3 1 COSIC, KU Leuven 2 Ghent University 3 Open Security Research ANTS-XII, Kaiserslautern, August
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols nichols@math.umass.edu University of Massachusetts Oct. 14, 2015 Cryptography basics Cryptography is the study of secure communications. Here are
More informationHardness and advantages of Module-SIS and Module-LWE
Hardness and advantages of Module-SIS and Module-LWE Adeline Roux-Langlois EMSEC: Univ Rennes, CNRS, IRISA April 24, 2018 Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018
More informationarxiv: v2 [cs.cr] 14 Feb 2018
Code-based Key Encapsulation from McEliece s Cryptosystem Edoardo Persichetti arxiv:1706.06306v2 [cs.cr] 14 Feb 2018 Florida Atlantic University Abstract. In this paper we show that it is possible to extend
More informationThe Elliptic Curve in https
The Elliptic Curve in https Marco Streng Universiteit Leiden 25 November 2014 Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 1 The s in https:// HyperText Transfer Protocol
More informationHistorical cryptography. cryptography encryption main applications: military and diplomacy
Historical cryptography cryptography encryption main applications: military and diplomacy ancient times world war II Historical cryptography All historical cryptosystems badly broken! No clear understanding
More information2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms
CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #9 Sep 22 nd 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Midterm #1, next class (Tues, Sept 27 th ) All lecture materials and readings
More informationQuantum-Safe Crypto Why & How? JP Aumasson, Kudelski Security
Quantum-Safe Crypto Why & How? JP Aumasson, Kudelski Security Flight plan What s a quantum computer? How broken are your public keys? AES vs. quantum search Hidden quantum powers Defeating quantum computing
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationHigh-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven
High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More information14 Diffie-Hellman Key Agreement
14 Diffie-Hellman Key Agreement 14.1 Cyclic Groups Definition 14.1 Example Let д Z n. Define д n = {д i % n i Z}, the set of all powers of д reduced mod n. Then д is called a generator of д n, and д n
More informationIntroduction to Modern Cryptography. (1) Finite Groups, Rings and Fields. (2) AES - Advanced Encryption Standard
Introduction to Modern Cryptography Lecture 3 (1) Finite Groups, Rings and Fields (2) AES - Advanced Encryption Standard +,0, and -a are only notations! Review - Groups Def (group): A set G with a binary
More informationPost-quantum security models for authenticated encryption
Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that
More informationCode Based Cryptography
Code Based Cryptography Alain Couvreur INRIA & LIX, École Polytechnique École de Printemps Post Scryptum 2018 A. Couvreur Code Based Crypto Post scryptum 2018 1 / 66 Outline 1 Introduction 2 A bit coding
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationLattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.
Lattices A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices have many uses in cryptography. They may be used to define cryptosystems and to break other ciphers.
More informationCryptanalysis of an NTRU-based Proxy Encryption Scheme from ASIACCS 15
Cryptanalysis of an NTRU-based Proxy Encryption Scheme from ASIACCS 15 Zhen Liu 1,2,3, Yanbin Pan 1, and Zhenfei Zhang 4 1 Key Laboratory of Mathematics Mechanization, NCMIS, Academy of Mathematics and
More informationTighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)
1 Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shuichi Katsumata (The University of Tokyo /AIST) Shota Yamada (AIST) Takashi Yamakawa
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Fun with Public-Key Tonight we ll Introduce some basic tools of public-key crypto Combine the tools to create more powerful tools Lay the ground work for substantial
More informationA brief survey of post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago
A brief survey of post-quantum cryptography D. J. Bernstein University of Illinois at Chicago Once the enormous energy boost that quantum computers are expected to provide hits the street, most encryption
More informationSecurity Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography
Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationCosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks
1 Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks Michael Albert michael.albert@cs.otago.ac.nz 2 This week Arithmetic Knapsack cryptosystems Attacks on knapsacks Some
More informationPractical, Quantum-Secure Key Exchange from LWE
Practical, Quantum-Secure Key Exchange from LWE Douglas Stebila 4 th ETSI/IQC Workshop on Quantum-Safe Cryptography September 21, 2016 Acknowledgements Collaborators Joppe Bos Craig Costello and Michael
More informationLecture 7: ElGamal and Discrete Logarithms
Lecture 7: ElGamal and Discrete Logarithms Johan Håstad, transcribed by Johan Linde 2006-02-07 1 The discrete logarithm problem Recall that a generator g of a group G is an element of order n such that
More informationOverview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017
CSC 580 Cryptography and Computer Security Math for Public Key Crypto, RSA, and Diffie-Hellman (Sections 2.4-2.6, 2.8, 9.2, 10.1-10.2) March 21, 2017 Overview Today: Math needed for basic public-key crypto
More informationCryptography CS 555. Topic 22: Number Theory/Public Key-Cryptography
Cryptography CS 555 Topic 22: Number Theory/Public Key-Cryptography 1 Exam Recap 2 Exam Recap Highest Average Score on Question Question 4: (Feistel Network with round function f(x) = 0 n ) Tougher Questions
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 74 Outline 1 Complexity measures 2 Algebra and Number Theory Background 3 Public Key Encryption: security notions
More informationPart 2 LWE-based cryptography
Part 2 LWE-based cryptography Douglas Stebila SAC Summer School Université d'ottawa August 14, 2017 https://www.douglas.stebila.ca/research/presentations Funding acknowledgements: SAC Summer School 2017-08-14
More informationPost-Quantum Cryptography
Post-Quantum Cryptography Code-Based Cryptography Tanja Lange with some slides by Tung Chou and Christiane Peters Technische Universiteit Eindhoven ASCrypto Summer School: 18 September 2017 Error correction
More informationPublic Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy
Symmetric Cryptography Review Alice Bob Public Key x e K (x) y d K (y) x K K Instructor: Dr. Wei (Lisa) Li Department of Computer Science, GSU Two properties of symmetric (secret-key) crypto-systems: The
More informationSolutions for week 1, Cryptography Course - TDA 352/DIT 250
Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.
More informationShort generators without quantum computers: the case of multiquadratics
Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein University of Illinois at Chicago 31 July 2017 https://multiquad.cr.yp.to Joint work with: Jens Bauch & Henry
More informationb = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.
INTRODUCTION TO CRYPTOGRAPHY 5. Discrete Logarithms Recall the classical logarithm for real numbers: If we write b = 10 a, then a = log 10 b is the logarithm of b to the base 10. Changing the base to e
More informationCryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97
Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97 Phong Nguyen and Jacques Stern École Normale Supérieure, Laboratoire d Informatique 45, rue d Ulm, F 75230 Paris Cedex 05 {Phong.Nguyen,Jacques.Stern}@ens.fr
More informationDiscrete logarithm and related schemes
Discrete logarithm and related schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Discrete logarithm problem examples, equivalent
More informationLattice-Based Cryptography
Liljana Babinkostova Department of Mathematics Computing Colloquium Series Detecting Sensor-hijack Attacks in Wearable Medical Systems Krishna Venkatasubramanian Worcester Polytechnic Institute Quantum
More informationLeakage of Signal function with reused keys in RLWE key exchange
Leakage of Signal function with reused keys in RLWE key exchange Jintai Ding 1, Saed Alsayigh 1, Saraswathy RV 1, Scott Fluhrer 2, and Xiaodong Lin 3 1 University of Cincinnati 2 Cisco Systems 3 Rutgers
More informationQC-MDPC: A Timing Attack and a CCA2 KEM
QC-MDPC: A Timing Attack and a CCA2 KEM Edward Eaton 1, Matthieu Lequesne 23, Alex Parent 1, and Nicolas Sendrier 3 1 ISARA Corporation, Waterloo, Canada {ted.eaton,alex.parent}@isara.com 2 Sorbonne Universités,
More informationSupersingular Isogeny Key Encapsulation
Supersingular Isogeny Key Encapsulation Presented by David Jao University of Waterloo and evolutionq, Inc. Full list of submitters: Reza Azarderakhsh, FAU Matt Campagna, Amazon Craig Costello, MSR Luca
More information1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2
Contents 1 Recommended Reading 1 2 Public Key/Private Key Cryptography 1 2.1 Overview............................................. 1 2.2 RSA Algorithm.......................................... 2 3 A Number
More informationDefinition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University
Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationLemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).
1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not
More informationApplied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More informationCode-based post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago
Code-based post-quantum cryptography D. J. Bernstein University of Illinois at Chicago Once the enormous energy boost that quantum computers are expected to provide hits the street, most encryption security
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem
More informationCryptography and Security Midterm Exam
Cryptography and Security Midterm Exam Serge Vaudenay 23.11.2017 duration: 1h45 no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices
More informationAn introduction to supersingular isogeny-based cryptography
An introduction to supersingular isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8, 2017 Šibenik, Croatia Towards quantum-resistant cryptosystems from supersingular
More informationNotes 10: Public-key cryptography
MTH6115 Cryptography Notes 10: Public-key cryptography In this section we look at two other schemes that have been proposed for publickey ciphers. The first is interesting because it was the earliest such
More informationQuantum Differential and Linear Cryptanalysis
Quantum Differential and Linear Cryptanalysis Marc Kaplan 1,2 Gaëtan Leurent 3 Anthony Leverrier 3 María Naya-Plasencia 3 1 LTCI, Télécom ParisTech 2 School of Informatics, University of Edinburgh 3 Inria
More informationCS 355: Topics in Cryptography Spring Problem Set 5.
CS 355: Topics in Cryptography Spring 2018 Problem Set 5 Due: June 8, 2018 at 5pm (submit via Gradescope) Instructions: You must typeset your solution in LaTeX using the provided template: https://crypto.stanford.edu/cs355/homework.tex
More informationPublic Key Encryption
Public Key Encryption KG October 17, 2017 Contents 1 Introduction 1 2 Public Key Encryption 2 3 Schemes Based on Diffie-Hellman 3 3.1 ElGamal.................................... 5 4 RSA 7 4.1 Preliminaries.................................
More informationCryptanalysis of a key exchange protocol based on the endomorphisms ring End(Z p Z p 2)
AAECC (212) 23:143 149 DOI 1.17/s2-12-17-z ORIGINAL PAPER Cryptanalysis of a key exchange protocol based on the endomorphisms ring End(Z p Z p 2) Abdel Alim Kamal Amr M. Youssef Received: 2 November 211
More informationSOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies
SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by
More informationIdeal Lattices and NTRU
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin April 23-30, 2013 Ideal Lattices and NTRU Scribe: Kina Winoto 1 Algebraic Background (Reminders) Definition 1. A commutative
More informationAdvanced code-based cryptography. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven
Advanced code-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Lattice-basis reduction Define L = (0; 24)Z + (1; 17)Z = {(b; 24a + 17b) : a;
More informationBreaking Symmetric Cryptosystems Using Quantum Algorithms
Breaking Symmetric Cryptosystems Using Quantum Algorithms Gaëtan Leurent Joined work with: Marc Kaplan Anthony Leverrier María Naya-Plasencia Inria, France FOQUS Workshop Gaëtan Leurent (Inria) Breaking
More information