Cryptanalysis of NISTPQC submissions
Size: px
Start display at page:

Download "Cryptanalysis of NISTPQC submissions"

Transcription

1 Cryptanalysis of NISTPQC submissions Daniel J. Bernstein, Tanja Lange, Lorenz Panny University of Illinois at Chicago, Technische Universiteit Eindhoven 18 August 2018 Workshops on Attacks in Cryptography

2 NSA announcements August 11, 2015 IAD recognizes that there will be a move, in the not distant future, to a quantum resistant algorithm suite. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 2

3 NSA announcements August 11, 2015 IAD recognizes that there will be a move, in the not distant future, to a quantum resistant algorithm suite. August 19, 2015 IAD will initiate a transition to quantum resistant algorithms in the not too distant future. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 2

4 Post-quantum cryptography 2015 Finally even NSA admits that the world needs post-quantum crypto Every agency posts something (NCSC UK, NCSC NL, NSA (broken certificate!)) NIST announces call for submissions to post-quantum project, solicits submissions on signatures, encryption, and key exchange. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 3

5 Post-quantum cryptography 10 years of motivating people to work on post-quantum crypto Finally even NSA admits that the world needs post-quantum crypto Every agency posts something (NCSC UK, NCSC NL, NSA (broken certificate!)) NIST announces call for submissions to post-quantum project, solicits submissions on signatures, encryption, and key exchange. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 3

6 NIST Post-Quantum Competition December 2016, after public feedback: NIST calls for submissions of post-quantum cryptosystems to standardize. A FURTHER BREAKDOWN 30 November 2017: NIST receives 82 submissions. Overview from Dustin Moody s (NIST) talk at Asiacrypt: Signatures KEM/Encryption Overall Lattice-based Code-based Multi-variate Hash-based 4 4 Other Total Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 4

7 Complete and proper submissions 21 December 2017: NIST posts 69 submissions from 260 people. BIG QUAKE. BIKE. CFPKM. Classic McEliece. Compact LWE. CRYSTALS-DILITHIUM. CRYSTALS-KYBER. DAGS. Ding Key Exchange. DME. DRS. DualModeMS. Edon-K. EMBLEM and R.EMBLEM. FALCON. FrodoKEM. GeMSS. Giophantus. Gravity-SPHINCS. Guess Again. Gui. HILA5. HiMQ-3. HK17. HQC. KINDI. LAC. LAKE. LEDAkem. LEDApkc. Lepton. LIMA. Lizard. LOCKER. LOTUS. LUOV. McNie. Mersenne MQDSS. NewHope. NTRUEncrypt. NTRU-HRSS-KEM. NTRU Prime. NTS-KEM. Odd Manhattan. OKCN/AKCN/CNKE. Ouroboros-R. Picnic. pqntrusign. pqrsa encryption. pqrsa signature. pqsigrm. QC-MDPC KEM. qtesla. RaCoSS. Rainbow. Ramstake. RankSign. RLCE-KEM. Round2. RQC. RVB. SABER. SIKE. SPHINCS+. SRTPI. Three Bears. Titanium. WalnutDSA. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 5

8 Attack timeline: month Bernstein Groot Bruinderink Panny Lange: attack script breaking CCA for HILA5 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 6

9 Attack timeline: month Bernstein Groot Bruinderink Panny Lange: attack script breaking CCA for HILA NIST posts 69 submissions Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 6

10 Attack timeline: month Bernstein Groot Bruinderink Panny Lange: attack script breaking CCA for HILA NIST posts 69 submissions Panny: attack script breaking Guess Again Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 6

11 Attack timeline: month Bernstein Groot Bruinderink Panny Lange: attack script breaking CCA for HILA NIST posts 69 submissions Panny: attack script breaking Guess Again Hülsing Bernstein Panny Lange: attack scripts breaking RaCoSS Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 6

12 Attack timeline: month Bernstein Groot Bruinderink Panny Lange: attack script breaking CCA for HILA NIST posts 69 submissions Panny: attack script breaking Guess Again Hülsing Bernstein Panny Lange: attack scripts breaking RaCoSS Panny: attack script breaking RVB; RVB withdrawn Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 6

13 Attack timeline: month Bernstein Groot Bruinderink Panny Lange: attack script breaking CCA for HILA NIST posts 69 submissions Panny: attack script breaking Guess Again Hülsing Bernstein Panny Lange: attack scripts breaking RaCoSS Panny: attack script breaking RVB; RVB withdrawn Bernstein Lange: attack script breaking HK17 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 6

14 Attack timeline: month Bernstein Groot Bruinderink Panny Lange: attack script breaking CCA for HILA NIST posts 69 submissions Panny: attack script breaking Guess Again Hülsing Bernstein Panny Lange: attack scripts breaking RaCoSS Panny: attack script breaking RVB; RVB withdrawn Bernstein Lange: attack script breaking HK Gaborit: attack reducing McNie security level Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 6

15 Attack timeline: month Bernstein Groot Bruinderink Panny Lange: attack script breaking CCA for HILA NIST posts 69 submissions Panny: attack script breaking Guess Again Hülsing Bernstein Panny Lange: attack scripts breaking RaCoSS Panny: attack script breaking RVB; RVB withdrawn Bernstein Lange: attack script breaking HK Gaborit: attack reducing McNie security level Gaborit: attack reducing Lepton security level Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 6

16 Attack timeline: month Bernstein Groot Bruinderink Panny Lange: attack script breaking CCA for HILA NIST posts 69 submissions Panny: attack script breaking Guess Again Hülsing Bernstein Panny Lange: attack scripts breaking RaCoSS Panny: attack script breaking RVB; RVB withdrawn Bernstein Lange: attack script breaking HK Gaborit: attack reducing McNie security level Gaborit: attack reducing Lepton security level Beullens: attack reducing DME security level Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 6

17 Attack timeline: month Bernstein Groot Bruinderink Panny Lange: attack script breaking CCA for HILA NIST posts 69 submissions Panny: attack script breaking Guess Again Hülsing Bernstein Panny Lange: attack scripts breaking RaCoSS Panny: attack script breaking RVB; RVB withdrawn Bernstein Lange: attack script breaking HK Gaborit: attack reducing McNie security level Gaborit: attack reducing Lepton security level Beullens: attack reducing DME security level : submitter has claimed patent on submission. Warning: Other people could also claim patents. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 6

18 Attack timeline: month Bernstein, building on Bernstein Lange, Wang Malluhi, Li Liu Pan Xie: faster attack script breaking HK17; HK17 withdrawn Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 7

19 Attack timeline: month Bernstein, building on Bernstein Lange, Wang Malluhi, Li Liu Pan Xie: faster attack script breaking HK17; HK17 withdrawn Steinfeld, independently Albrecht Postlethwaite Virdia: attack script breaking CFPKM Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 7

20 Attack timeline: month Bernstein, building on Bernstein Lange, Wang Malluhi, Li Liu Pan Xie: faster attack script breaking HK17; HK17 withdrawn Steinfeld, independently Albrecht Postlethwaite Virdia: attack script breaking CFPKM Alperin-Sheriff Perlner: attack breaking pqsigrm Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 7

21 Attack timeline: month Bernstein, building on Bernstein Lange, Wang Malluhi, Li Liu Pan Xie: faster attack script breaking HK17; HK17 withdrawn Steinfeld, independently Albrecht Postlethwaite Virdia: attack script breaking CFPKM Alperin-Sheriff Perlner: attack breaking pqsigrm Yang Bernstein Lange: attack script breaking SRTPI; SRTPI withdrawn Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 7

22 Attack timeline: month Bernstein, building on Bernstein Lange, Wang Malluhi, Li Liu Pan Xie: faster attack script breaking HK17; HK17 withdrawn Steinfeld, independently Albrecht Postlethwaite Virdia: attack script breaking CFPKM Alperin-Sheriff Perlner: attack breaking pqsigrm Yang Bernstein Lange: attack script breaking SRTPI; SRTPI withdrawn Lequesne Sendrier Tillich: attack breaking Edon-K; script posted ; Edon-K withdrawn Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 7

23 Attack timeline: month Bernstein, building on Bernstein Lange, Wang Malluhi, Li Liu Pan Xie: faster attack script breaking HK17; HK17 withdrawn Steinfeld, independently Albrecht Postlethwaite Virdia: attack script breaking CFPKM Alperin-Sheriff Perlner: attack breaking pqsigrm Yang Bernstein Lange: attack script breaking SRTPI; SRTPI withdrawn Lequesne Sendrier Tillich: attack breaking Edon-K; script posted ; Edon-K withdrawn Beullens: attack script breaking DME Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 7

24 Attack timeline: month Bernstein, building on Bernstein Lange, Wang Malluhi, Li Liu Pan Xie: faster attack script breaking HK17; HK17 withdrawn Steinfeld, independently Albrecht Postlethwaite Virdia: attack script breaking CFPKM Alperin-Sheriff Perlner: attack breaking pqsigrm Yang Bernstein Lange: attack script breaking SRTPI; SRTPI withdrawn Lequesne Sendrier Tillich: attack breaking Edon-K; script posted ; Edon-K withdrawn Beullens: attack script breaking DME Li Liu Pan Xie, independently Bootle Tibouchi Xagawa: attack breaking Compact LWE ; script from 2nd team Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 7

25 Attack timeline: month Bernstein, building on Bernstein Lange, Wang Malluhi, Li Liu Pan Xie: faster attack script breaking HK17; HK17 withdrawn Steinfeld, independently Albrecht Postlethwaite Virdia: attack script breaking CFPKM Alperin-Sheriff Perlner: attack breaking pqsigrm Yang Bernstein Lange: attack script breaking SRTPI; SRTPI withdrawn Lequesne Sendrier Tillich: attack breaking Edon-K; script posted ; Edon-K withdrawn Beullens: attack script breaking DME Li Liu Pan Xie, independently Bootle Tibouchi Xagawa: attack breaking Compact LWE ; script from 2nd team Castryck Vercauteren: attack breaking Giophantus Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 7

26 Attack timeline: month Bernstein, building on Bernstein Lange, Wang Malluhi, Li Liu Pan Xie: faster attack script breaking HK17; HK17 withdrawn Steinfeld, independently Albrecht Postlethwaite Virdia: attack script breaking CFPKM Alperin-Sheriff Perlner: attack breaking pqsigrm Yang Bernstein Lange: attack script breaking SRTPI; SRTPI withdrawn Lequesne Sendrier Tillich: attack breaking Edon-K; script posted ; Edon-K withdrawn Beullens: attack script breaking DME Li Liu Pan Xie, independently Bootle Tibouchi Xagawa: attack breaking Compact LWE ; script from 2nd team Castryck Vercauteren: attack breaking Giophantus Blackburn: attack reducing WalnutDSA security level Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 7

27 Attack timeline: month Bernstein, building on Bernstein Lange, Wang Malluhi, Li Liu Pan Xie: faster attack script breaking HK17; HK17 withdrawn Steinfeld, independently Albrecht Postlethwaite Virdia: attack script breaking CFPKM Alperin-Sheriff Perlner: attack breaking pqsigrm Yang Bernstein Lange: attack script breaking SRTPI; SRTPI withdrawn Lequesne Sendrier Tillich: attack breaking Edon-K; script posted ; Edon-K withdrawn Beullens: attack script breaking DME Li Liu Pan Xie, independently Bootle Tibouchi Xagawa: attack breaking Compact LWE ; script from 2nd team Castryck Vercauteren: attack breaking Giophantus Blackburn: attack reducing WalnutDSA security level Beullens: another attack reducing WalnutDSA security level Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 7

28 Attack timeline: subsequent events Beullens: attack breaking WalnutDSA Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 8

29 Attack timeline: subsequent events Beullens: attack breaking WalnutDSA Fabsic Hromada Zajac: attack breaking CCA for LEDA Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 8

30 Attack timeline: subsequent events Beullens: attack breaking WalnutDSA Fabsic Hromada Zajac: attack breaking CCA for LEDA Yu Ducas: attack reducing DRS security level Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 8

31 Attack timeline: subsequent events Beullens: attack breaking WalnutDSA Fabsic Hromada Zajac: attack breaking CCA for LEDA Yu Ducas: attack reducing DRS security level Debris-Alazard Tillich: attack breaking RankSign; RankSign withdrawn Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 8

32 Attack timeline: subsequent events Beullens: attack breaking WalnutDSA Fabsic Hromada Zajac: attack breaking CCA for LEDA Yu Ducas: attack reducing DRS security level Debris-Alazard Tillich: attack breaking RankSign; RankSign withdrawn Beullens Blackburn: attack script breaking WalnutDSA Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 8

33 Attack timeline: subsequent events Beullens: attack breaking WalnutDSA Fabsic Hromada Zajac: attack breaking CCA for LEDA Yu Ducas: attack reducing DRS security level Debris-Alazard Tillich: attack breaking RankSign; RankSign withdrawn Beullens Blackburn: attack script breaking WalnutDSA Kotov Menshov Ushakov: another attack breaking WalnutDSA Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 8

34 Attack timeline: subsequent events Beullens: attack breaking WalnutDSA Fabsic Hromada Zajac: attack breaking CCA for LEDA Yu Ducas: attack reducing DRS security level Debris-Alazard Tillich: attack breaking RankSign; RankSign withdrawn Beullens Blackburn: attack script breaking WalnutDSA Kotov Menshov Ushakov: another attack breaking WalnutDSA Barelli Couvreur: attack reducing DAGS security level Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 8

35 Attack timeline: subsequent events Beullens: attack breaking WalnutDSA Fabsic Hromada Zajac: attack breaking CCA for LEDA Yu Ducas: attack reducing DRS security level Debris-Alazard Tillich: attack breaking RankSign; RankSign withdrawn Beullens Blackburn: attack script breaking WalnutDSA Kotov Menshov Ushakov: another attack breaking WalnutDSA Barelli Couvreur: attack reducing DAGS security level Couvreur Lequesne Tillich: attack breaking short parameters for RLCE Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 8

36 Attack timeline: subsequent events Beullens: attack breaking WalnutDSA Fabsic Hromada Zajac: attack breaking CCA for LEDA Yu Ducas: attack reducing DRS security level Debris-Alazard Tillich: attack breaking RankSign; RankSign withdrawn Beullens Blackburn: attack script breaking WalnutDSA Kotov Menshov Ushakov: another attack breaking WalnutDSA Barelli Couvreur: attack reducing DAGS security level Couvreur Lequesne Tillich: attack breaking short parameters for RLCE Beullens Castryck Vercauteren: attack script breaking Giophantus Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 8

37 Complete and proper submissions 21 December 2017: NIST posts 69 submissions from 260 people. BIG QUAKE. BIKE. CFPKM. Classic McEliece. Compact LWE. CRYSTALS-DILITHIUM. CRYSTALS-KYBER. DAGS. Ding Key Exchange. DME. DRS. DualModeMS. Edon-K. EMBLEM and R.EMBLEM. FALCON. FrodoKEM. GeMSS. Giophantus. Gravity-SPHINCS. Guess Again. Gui. HILA5. HiMQ-3. HK17. HQC. KINDI. LAC. LAKE. LEDAkem. LEDApkc. Lepton. LIMA. Lizard. LOCKER. LOTUS. LUOV. McNie. Mersenne MQDSS. NewHope. NTRUEncrypt. NTRU-HRSS-KEM. NTRU Prime. NTS-KEM. Odd Manhattan. OKCN/AKCN/CNKE. Ouroboros-R. Picnic. pqntrusign. pqrsa encryption. pqrsa signature. pqsigrm. QC-MDPC KEM. qtesla. RaCoSS. Rainbow. Ramstake. RankSign. RLCE-KEM. Round2. RQC. RVB. SABER. SIKE. SPHINCS+. SRTPI. Three Bears. Titanium. WalnutDSA. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 9

38 Complete and proper submissions 21 December 2017: NIST posts 69 submissions from 260 people. BIG QUAKE. BIKE. CFPKM. Classic McEliece. Compact LWE. CRYSTALS-DILITHIUM. CRYSTALS-KYBER. DAGS. Ding Key Exchange. DME. DRS. DualModeMS. Edon-K. EMBLEM and R.EMBLEM. FALCON. FrodoKEM. GeMSS. Giophantus. Gravity-SPHINCS. Guess Again. Gui. HILA5. HiMQ-3. HK17. HQC. KINDI. LAC. LAKE. LEDAkem. LEDApkc. Lepton. LIMA. Lizard. LOCKER. LOTUS. LUOV. McNie. Mersenne MQDSS. NewHope. NTRUEncrypt. NTRU-HRSS-KEM. NTRU Prime. NTS-KEM. Odd Manhattan. OKCN/AKCN/CNKE. Ouroboros-R. Picnic. pqntrusign. pqrsa encryption. pqrsa signature. pqsigrm. QC-MDPC KEM. qtesla. RaCoSS. Rainbow. Ramstake. RankSign. RLCE-KEM. Round2. RQC. RVB. SABER. SIKE. SPHINCS+. SRTPI. Three Bears. Titanium. WalnutDSA. Color coding: total break; partial break Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 9

39 HILA5 HILA5 is a RLWE-based KEM submitted to NISTPQC. This design also provides IND-CCA secure KEM-DEM public key encryption if used in conjunction with an appropriate AEAD such as NIST approved AES256-GCM. HILA5 NIST submission document (v1.0) Decapsulation much faster than encapsulation (and faster than any other scheme). No mention of a CCA transform (e.g. Fujisaki Okamoto). Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 10

40 Noisy Diffie Hellman degree n Have a ring R = Z[x]/(q, ϕ) where q Z and ϕ Z[x]. Let χ be a narrow distribution around 0 R. Fix some random element g R. a, e χ n b, e χ n A = ga + e B = gb + e S = Ba = gab + e a S = Ab = gab + eb = S S = e a eb 0 χ small Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 11

41 Reconciliation Alice and Bob obtain close secret vectors S, S (Z/q) n. How to map coefficients to bits? 0 q 3q/4 q/4 q/2 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 12

42 Reconciliation Alice and Bob obtain close secret vectors S, S (Z/q) n. How to map coefficients to bits? 0 q edge 1 3q/4 q/4 0 q/2 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 12

43 Reconciliation Alice and Bob obtain close secret vectors S, S (Z/q) n. How to map coefficients to bits? 0 q edge 1 3q/4 0 q/4 Alice: 1 Bob: 1 q/2 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 12

44 Reconciliation Alice and Bob obtain close secret vectors S, S (Z/q) n. How to map coefficients to bits? 0 q edge 1 3q/4 0 q/4 Alice: 0 Bob: 0 q/2 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 12

45 Reconciliation Alice and Bob obtain close secret vectors S, S (Z/q) n. How to map coefficients to bits? 0 q edge 1 3q/4 0 q/4 Alice: 1 Bob: 0 q/2 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 12

46 Reconciliation Alice and Bob obtain close secret vectors S, S (Z/q) n. How to map coefficients to bits? 0 q edge 1 3q/4 0 q/2 q/4 Alice: 1 Bob: 0 oops! Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 12

47 Reconciliation Mapping coefficients to bits using fixed intervals is bad. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 13

48 Reconciliation Mapping coefficients to bits using fixed intervals is bad. Better: Bob chooses a mapping based on his coefficient and tells Alice which mapping he used. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 13

49 Reconciliation Mapping coefficients to bits using fixed intervals is bad. Better: Bob chooses a mapping based on his coefficient and tells Alice which mapping he used. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 13

50 Reconciliation Mapping coefficients to bits using fixed intervals is bad. Better: Bob chooses a mapping based on his coefficient and tells Alice which mapping he used. 1 0 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 13

51 Reconciliation Mapping coefficients to bits using fixed intervals is bad. Better: Bob chooses a mapping based on his coefficient and tells Alice which mapping he used Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 13

52 Reconciliation Mapping coefficients to bits using fixed intervals is bad. Better: Bob chooses a mapping based on his coefficient and tells Alice which mapping he used Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 13

53 Fluhrer s attack Problem: Evil Bob can trick Alice into leaking information by deliberately using the wrong mapping for one coefficient. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 14

54 Fluhrer s attack Problem: Evil Bob can trick Alice into leaking information by deliberately using the wrong mapping for one coefficient. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 14

55 Fluhrer s attack Problem: Evil Bob can trick Alice into leaking information by deliberately using the wrong mapping for one coefficient Alice: 0 Alice: 1 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 14

56 Fluhrer s attack Problem: Evil Bob can trick Alice into leaking information by deliberately using the wrong mapping for one coefficient Alice: 0 Alice: 1 Evil Bob can distinguish these cases! (He knows all the other key bits.) Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 14

57 Chosen-ciphertext information leaks Evil Bob has two guesses k 0, k 1 for what Alice s key k will be given his manipulated public key B. Alice Evil Bob Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 15

58 Chosen-ciphertext information leaks Evil Bob has two guesses k 0, k 1 for what Alice s key k will be given his manipulated public key B. B Enc(k 0, "GET / HTTP/1.1") Alice Evil Bob Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 15

59 Chosen-ciphertext information leaks Evil Bob has two guesses k 0, k 1 for what Alice s key k will be given his manipulated public key B. B Enc(k 0, "GET / HTTP/1.1") I don t understand! Aborting. Alice Evil Bob Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 15

60 Chosen-ciphertext information leaks Evil Bob has two guesses k 0, k 1 for what Alice s key k will be given his manipulated public key B. B Enc(k 1, "GET / HTTP/1.1") Alice Evil Bob Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 15

61 Chosen-ciphertext information leaks Evil Bob has two guesses k 0, k 1 for what Alice s key k will be given his manipulated public key B. B Enc(k 1, "GET / HTTP/1.1") Here s your webpage! Alice Evil Bob Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 15

62 Chosen-ciphertext information leaks Evil Bob has two guesses k 0, k 1 for what Alice s key k will be given his manipulated public key B. B Enc(k 1, "GET / HTTP/1.1") Here s your webpage! Alice Evil Bob = Bob learns that k = k 1. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 15

63 Chosen-ciphertext information leaks Evil Bob has two guesses k 0, k 1 for what Alice s key k will be given his manipulated public key B. B Enc(k 0, "GET / HTTP/1.1") Decryption failure! Aborting. Alice Evil Bob = Bob learns that k = k 1. This still works if Enc is an authenticated symmetric cipher! Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 15

64 Chosen-ciphertext information leaks Evil Bob has two guesses k 0, k 1 for what Alice s key k will be given his manipulated public key B. B Enc(k 1, "GET / HTTP/1.1") Here s your webpage! Alice Evil Bob = Bob learns that k = k 1. This still works if Enc is an authenticated symmetric cipher! Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 15

65 Fluhrer s attack Adaptive chosen-ciphertext attack against static keys. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 16

66 Fluhrer s attack Adaptive chosen-ciphertext attack against static keys. Recall that Alice s shared secret is gab + e a. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 16

67 Fluhrer s attack Adaptive chosen-ciphertext attack against static keys. Recall that Alice s shared secret is gab + e a. edge Suppose Evil Bob knows b δ such that gab δ [0] = M + δ. = Querying Alice with b = b δ leaks whether e a[0] > δ. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 16

68 Fluhrer s attack Adaptive chosen-ciphertext attack against static keys. Recall that Alice s shared secret is gab + e a. edge Suppose Evil Bob knows b δ such that gab δ [0] = M + δ. = Querying Alice with b = b δ leaks whether e a[0] > δ. Structure of R Can choose e such that e a[0] = a[i] to recover all of a. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 16

69 Fluhrer s attack Querying Alice with b = b δ and e = 1 leaks whether a[0] > δ. 1 M 0 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 17

70 Fluhrer s attack Querying Alice with b = b δ and e = 1 leaks whether a[0] > δ. 1 M Evil Bob s δ: 0 Alice: 1 0 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 17

71 Fluhrer s attack Querying Alice with b = b δ and e = 1 leaks whether a[0] > δ. 1 M Evil Bob s δ: -8 Alice: 0 0 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 17

72 Fluhrer s attack Querying Alice with b = b δ and e = 1 leaks whether a[0] > δ. 1 M Evil Bob s δ: -4 Alice: 1 0 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 17

73 Fluhrer s attack Querying Alice with b = b δ and e = 1 leaks whether a[0] > δ. 1 M Evil Bob s δ: -6 Alice: 0 0 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 17

74 Fluhrer s attack Querying Alice with b = b δ and e = 1 leaks whether a[0] > δ. 1 M Evil Bob s δ: -5 Alice: 1 0 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 17

75 Fluhrer s attack Querying Alice with b = b δ and e = 1 leaks whether a[0] > δ. 1 M Evil Bob s δ: -5 Alice: 1 0 = Evil Bob learns that a[0] = 5. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 17

76 Our work Adaption of Fluhrer s attack to HILA5 and analysis Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 18

77 HILA5 Standard noisy Diffie Hellman with new reconciliation. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 19

78 HILA5 Standard noisy Diffie Hellman with new reconciliation. Ring: Z[x]/(q, x ) where q = Noise distribution χ: Ψ on { 16,..., 16} 1 same as New Hope. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 19

79 HILA5 Standard noisy Diffie Hellman with new reconciliation. Ring: Z[x]/(q, x ) where q = Noise distribution χ: Ψ on { 16,..., 16} New reconciliation mechanism: Only use safe bits that are far from an edge. Additionally apply an error-correcting code. 1 same as New Hope. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 19

80 HILA5 s reconciliation For each coefficient: d = 0: Discard coefficient. d = 1: Send reconciliation information c; use for key bit k. Edges: c = 0: 3q/8... 7q/8 k = 0. 7q/8... 3q/8 k = 1. c = 1: q/8... 5q/8 k = 0. 5q/8... q/8 k = 1. (picture: HILA5 documentation) Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 20

81 HILA5 s packet format bits d 0...d 1023 select 496 coefficients bits r 0...r 239 correct errors Bob s public key safe bits reconciliation error correction gb + e bits c 0...c 495 select an edge Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 21

82 HILA5 s packet format bits d 0...d 1023 select 496 coefficients bits r 0...r 239 correct errors Bob s public key safe bits reconciliation error correction gb + e bits c 0...c 495 select an edge We re going to manipulate each of these parts. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 21

83 Unsafe bits gb + e safe bits reconciliation error correction We want to attack the first coefficient. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 22

84 Unsafe bits gb + e safe bits reconciliation error correction We want to attack the first coefficient. = Force d 0 = 1 to make Alice use it. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 22

85 Living on the edge gb + e safe bits reconciliation error correction We want to attack the edge at M = q/8. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 23

86 Living on the edge gb + e safe bits reconciliation error correction We want to attack the edge at M = q/8. = Force c 0 = 1. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 23

87 Making errors gb + e safe bits reconciliation error correction HILA5 uses a custom linear error-correcting code XE5. Encrypted (XOR) using part of Bob s shared secret S. Ten variable-length codewords R 0...R 9. Alice corrects S[0] using the first bit of each R i. Capable of correcting (at least) 5-bit errors. We want to keep errors in S[0]. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 24

88 Making errors gb + e safe bits reconciliation error correction HILA5 uses a custom linear error-correcting code XE5. Encrypted (XOR) using part of Bob s shared secret S. Ten variable-length codewords R 0...R 9. Alice corrects S[0] using the first bit of each R i. Capable of correcting (at least) 5-bit errors. We want to keep errors in S[0]. = Flip the first bit of R 0...R 4! Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 24

89 All coefficients for the price of one gb + e safe bits reconciliation error correction Our binary search recovers e a[0] from gab δ + e a by varying δ. How to get a[1], a[2],..? Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 25

90 All coefficients for the price of one gb + e safe bits reconciliation error correction Our binary search recovers e a[0] from gab δ + e a by varying δ. How to get a[1], a[2],..? By construction of R = Z[x]/(q, x ), Evil Bob can rotate a[i] into e a[0] by setting e = x 1024 i. Running the search for all i yields all coefficients of a. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 25

91 Evil Bob needs evil b δ gb + e safe bits reconciliation error correction Recall that Evil Bob needs b δ such that gab δ [0] = M + δ. How to obtain b δ without knowing a? Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 26

92 Evil Bob needs evil b δ gb + e safe bits reconciliation error correction Recall that Evil Bob needs b δ such that gab δ [0] = M + δ. How to obtain b δ without knowing a? = Guess b 0 based on Alice s public key A = ga + e: Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 26

93 Evil Bob needs evil b δ gb + e safe bits reconciliation error correction Recall that Evil Bob needs b δ such that gab δ [0] = M + δ. How to obtain b δ without knowing a? = Guess b 0 based on Alice s public key A = ga + e: If b 0 has two entries ±1 and (Ab 0 )[0] = M, then Pr [gab 0[0] = M] = Pr [x + y = 0] 9.9%. e χ n x,y Ψ 16 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 26

94 Evil Bob needs evil b δ gb + e safe bits reconciliation error correction Recall that Evil Bob needs b δ such that gab δ [0] = M + δ. How to obtain b δ without knowing a? = Guess b 0 based on Alice s public key A = ga + e: If b 0 has two entries ±1 and (Ab 0 )[0] = M, then Pr [gab 0[0] = M] = Pr [x + y = 0] 9.9%. e χ n x,y Ψ 16 For all other δ, set b δ := (1 + δm 1 mod q) b 0. This works because M 1 mod q = 8 is small here. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 26

95 Evil Bob needs evil b δ gb + e safe bits reconciliation error correction Recall that Evil Bob needs b δ such that gab δ [0] = M + δ. How to obtain b δ without knowing a? = Guess b 0 based on Alice s public key A = ga + e: If b 0 has two entries ±1 and (Ab 0 )[0] = M, then Pr [gab 0[0] = M] = Pr [x + y = 0] 9.9%. e χ n x,y Ψ 16 For all other δ, set b δ := (1 + δm 1 mod q) b 0. This works because M 1 mod q = 8 is small here. If b 0 was wrong, the recovered coefficients are all 0 or 1. = easily detectable. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 26

96 Implementation Our code 1 attacks the HILA5 reference implementation. 100% success rate in our experiments. Less than 6000 queries (virtually always). (Note: Evil Bob could recover fewer coefficients and compute the rest by solving a lattice problem of reduced dimension.) 1 Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 27

97

98 HK17 HK17 consists broadly in a Key Exchange Protocol (KEP) based on non-commutative algebra of hypercomplex numbers limited to quaternions and octonions. In particular, this proposal is based on non-commutative and non-associative algebra using octonions. Security analysis:... In our protocol, we could not find any ways to proceed with any abelianization of our octonions non-associative Moufang loop [29] or reducing of the GSDP problem of polynomial powers of octonions to a finitely generated nilpotent image of the given free group in the cryptosystem and a further nonlinear decomposition attack. We simply conclude that Roman kov attacks do not affect our proposal. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 28

99 What are octonions? R: set of real numbers. C: set of complex numbers; dim-2 R-vector space. H: set of quaternions; dim-4 R-vector space; 1843 Hamilton. O: set of octonions; dim-8 R-vector space; 1845 Cayley, 1845 Graves. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 29

100 What are octonions? R: set of real numbers. C: set of complex numbers; dim-2 R-vector space. H: set of quaternions; dim-4 R-vector space; 1843 Hamilton. O: set of octonions; dim-8 R-vector space; 1845 Cayley, 1845 Graves. Each of these sets has a three-part definition: Elements. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 29

101 What are octonions? R: set of real numbers. C: set of complex numbers; dim-2 R-vector space. H: set of quaternions; dim-4 R-vector space; 1843 Hamilton. O: set of octonions; dim-8 R-vector space; 1845 Cayley, 1845 Graves. Each of these sets has a three-part definition: Elements. Conjugation q q. (For R: the identity map.) Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 29

102 What are octonions? R: set of real numbers. C: set of complex numbers; dim-2 R-vector space. H: set of quaternions; dim-4 R-vector space; 1843 Hamilton. O: set of octonions; dim-8 R-vector space; 1845 Cayley, 1845 Graves. Each of these sets has a three-part definition: Elements. Conjugation q q. (For R: the identity map.) Multiplication q, r qr. (R, C: commutative. R, C, H: associative.) Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 29

103 What are octonions? R: set of real numbers. C: set of complex numbers; dim-2 R-vector space. H: set of quaternions; dim-4 R-vector space; 1843 Hamilton. O: set of octonions; dim-8 R-vector space; 1845 Cayley, 1845 Graves. Each of these sets has a three-part definition: Elements. Conjugation q q. (For R: the identity map.) Multiplication q, r qr. (R, C: commutative. R, C, H: associative.) Simple unified definition from 1919 Dickson: O = H H with conjugation (q, Q) = (q, Q); multiplication (q, Q)(r, R) = (qr R Q, Rq + Qr ). Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 29

104 What are octonions? R: set of real numbers. C: set of complex numbers; dim-2 R-vector space. H: set of quaternions; dim-4 R-vector space; 1843 Hamilton. O: set of octonions; dim-8 R-vector space; 1845 Cayley, 1845 Graves. Each of these sets has a three-part definition: Elements. Conjugation q q. (For R: the identity map.) Multiplication q, r qr. (R, C: commutative. R, C, H: associative.) Simple unified definition from 1919 Dickson: O = H H with conjugation (q, Q) = (q, Q); multiplication (q, Q)(r, R) = (qr R Q, Rq + Qr ). H = C C with same formulas. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 29

105 What are octonions? R: set of real numbers. C: set of complex numbers; dim-2 R-vector space. H: set of quaternions; dim-4 R-vector space; 1843 Hamilton. O: set of octonions; dim-8 R-vector space; 1845 Cayley, 1845 Graves. Each of these sets has a three-part definition: Elements. Conjugation q q. (For R: the identity map.) Multiplication q, r qr. (R, C: commutative. R, C, H: associative.) Simple unified definition from 1919 Dickson: O = H H with conjugation (q, Q) = (q, Q); multiplication (q, Q)(r, R) = (qr R Q, Rq + Qr ). H = C C with same formulas. C = R R with same formulas. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 29

106 What are octonions? R: set of real numbers. C: set of complex numbers; dim-2 R-vector space. H: set of quaternions; dim-4 R-vector space; 1843 Hamilton. O: set of octonions; dim-8 R-vector space; 1845 Cayley, 1845 Graves. Each of these sets has a three-part definition: Elements. Conjugation q q. (For R: the identity map.) Multiplication q, r qr. (R, C: commutative. R, C, H: associative.) Simple unified definition from 1919 Dickson: O = H H with conjugation (q, Q) = (q, Q); multiplication (q, Q)(r, R) = (qr R Q, Rq + Qr ). H = C C with same formulas. C = R R with same formulas. Exercise: Every q O has q 2 = tq n and q = t q for some t, n R. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 29

107 How does HK17 work? Use integers modulo prime p instead of real numbers. HK17 submission claims security for p = Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 30

108 How does HK17 work? Use integers modulo prime p instead of real numbers. HK17 submission claims security for p = Alice: Generate secret integers m, n, f 0, f 1,..., f 32 > 0. Generate public octonions q, r; secret a = f 0 + f 1 q + + f 32 q 32. Send q, r, a m ra n to Bob. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 30

109 How does HK17 work? Use integers modulo prime p instead of real numbers. HK17 submission claims security for p = Alice: Generate secret integers m, n, f 0, f 1,..., f 32 > 0. Generate public octonions q, r; secret a = f 0 + f 1 q + + f 32 q 32. Send q, r, a m ra n to Bob. Bob: Generate secret integers k, l, h 0, h 1,..., h 32 > 0. Generate secret b = h 0 + h 1 q + + h 32 q 32. Send b k rb l to Alice. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 30

110 How does HK17 work? Use integers modulo prime p instead of real numbers. HK17 submission claims security for p = Alice: Generate secret integers m, n, f 0, f 1,..., f 32 > 0. Generate public octonions q, r; secret a = f 0 + f 1 q + + f 32 q 32. Send q, r, a m ra n to Bob. Bob: Generate secret integers k, l, h 0, h 1,..., h 32 > 0. Generate secret b = h 0 + h 1 q + + h 32 q 32. Send b k rb l to Alice. Shared secret: a m (b k rb l )a n = b k (a m ra n )b l. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 30

111 Why does HK17 work? Does a m ra n mean (a m r)a n, or a m (ra n )? Does a m mean a(a( )), or (( )a)a? Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 31

112 Why does HK17 work? Does a m ra n mean (a m r)a n, or a m (ra n )? Does a m mean a(a( )), or (( )a)a? Octonions satisfy some partial associativity rules: Flexible identity: x(yx) = (xy)x. Alternative identity: x(xy) = (xx)y and y(xx) = (yx)x. Moufang identities: z(x(zy)) = ((zx)z)y; x(z(yz)) = ((xz)y)z; (zx)(yz) = (z(xy))z = z((xy)z). Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 31

113 Why does HK17 work? Does a m ra n mean (a m r)a n, or a m (ra n )? Does a m mean a(a( )), or (( )a)a? Octonions satisfy some partial associativity rules: Flexible identity: x(yx) = (xy)x. Alternative identity: x(xy) = (xx)y and y(xx) = (yx)x. Moufang identities: z(x(zy)) = ((zx)z)y; x(z(yz)) = ((xz)y)z; (zx)(yz) = (z(xy))z = z((xy)z). So a(aa) = (aa)a; a(a(aa)) = (aa)(aa) = ((aa)a)a; etc. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 31

114 Why does HK17 work? Does a m ra n mean (a m r)a n, or a m (ra n )? Does a m mean a(a( )), or (( )a)a? Octonions satisfy some partial associativity rules: Flexible identity: x(yx) = (xy)x. Alternative identity: x(xy) = (xx)y and y(xx) = (yx)x. Moufang identities: z(x(zy)) = ((zx)z)y; x(z(yz)) = ((xz)y)z; (zx)(yz) = (z(xy))z = z((xy)z). So a(aa) = (aa)a; a(a(aa)) = (aa)(aa) = ((aa)a)a; etc. Also (ar)(aa) = a((ra)a) = a(r(aa)); (ar)((aa)a) = a((r(aa))a) = a(((ra)a)a) = a(r(a(aa))); etc. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 31

115 Why does HK17 work? Does a m ra n mean (a m r)a n, or a m (ra n )? Does a m mean a(a( )), or (( )a)a? Octonions satisfy some partial associativity rules: Flexible identity: x(yx) = (xy)x. Alternative identity: x(xy) = (xx)y and y(xx) = (yx)x. Moufang identities: z(x(zy)) = ((zx)z)y; x(z(yz)) = ((xz)y)z; (zx)(yz) = (z(xy))z = z((xy)z). So a(aa) = (aa)a; a(a(aa)) = (aa)(aa) = ((aa)a)a; etc. Also (ar)(aa) = a((ra)a) = a(r(aa)); (ar)((aa)a) = a((r(aa))a) = a(((ra)a)a) = a(r(a(aa))); etc. q m (q k rq l )q n = q k (q m rq n )q l. a m (b k rb l )a n = b k (a m ra n )b l because a, b are polynomials in q. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 31

116 A fast attack, and a faster attack Remember the exercise: q 2 is a linear combination of 1, q. So every polynomial in q is a linear combination of 1, q. There are only p 2 of these combinations! Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 32

117 A fast attack, and a faster attack Remember the exercise: q 2 is a linear combination of 1, q. So every polynomial in q is a linear combination of 1, q. There are only p 2 of these combinations! Attacker sees a m ra n, tries p 2 possibilities for a m. Recognizing correct possibility: a n is linear combination of 1, q. Fake solutions aren t a problem: good enough for decryption. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 32

118 A fast attack, and a faster attack Remember the exercise: q 2 is a linear combination of 1, q. So every polynomial in q is a linear combination of 1, q. There are only p 2 of these combinations! Attacker sees a m ra n, tries p 2 possibilities for a m. Recognizing correct possibility: a n is linear combination of 1, q. Fake solutions aren t a problem: good enough for decryption. Even faster: Attacker tries only q, q + 1, q + 2, q + 3,.... Finds integer multiple of a m ; good enough for decryption. This was the first attack script: 2 32 fast computations. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 32

119 A fast attack, and a faster attack Remember the exercise: q 2 is a linear combination of 1, q. So every polynomial in q is a linear combination of 1, q. There are only p 2 of these combinations! Attacker sees a m ra n, tries p 2 possibilities for a m. Recognizing correct possibility: a n is linear combination of 1, q. Fake solutions aren t a problem: good enough for decryption. Even faster: Attacker tries only q, q + 1, q + 2, q + 3,.... Finds integer multiple of a m ; good enough for decryption. This was the first attack script: 2 32 fast computations. Even faster: Attacker solves a m ra n = (q + x)r(yq + z). Eight equations in three variables x, y, z; linearize. This was the second attack script: practically instantaneous. Daniel J. Bernstein, Tanja Lange, Lorenz Panny Cryptanalysis of NISTPQC submissions 32

Similar documents

HILA5 Pindakaas: On the CCA security of lattice-based encryption with error correction

HILA5 Pindakaas: On the CCA security of lattice-based encryption with error correction HILA5 Pindakaas: On the CCA security of lattice-based encryption with error correction Daniel J. Bernstein 1 Leon Groot Bruinderink 2 Tanja Lange 2 Lorenz Panny 2 1 University of Illinois at Chicago 2

More information

Report on Learning with Errors over Rings-based HILA5 and its CCA Security

Report on Learning with Errors over Rings-based HILA5 and its CCA Security Report on Learning with Errors over Rings-based HILA5 and its CCA Security Jesús Antonio Soto Velázquez January 24, 2018 Abstract HILA5 is a cryptographic primitive based on lattices that was submitted

More information

Code-based Cryptography

Code-based Cryptography a Hands-On Introduction Daniel Loebenberger Ηράκλειο, September 27, 2018 Post-Quantum Cryptography Various flavours: Lattice-based cryptography Hash-based cryptography Code-based

More information

Attacks in code based cryptography: a survey, new results and open problems

Attacks in code based cryptography: a survey, new results and open problems Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria, team-project SECRET April 9, 2018 1. Code based cryptography introduction Difficult problem in coding theory

More information

CRYPTANALYSIS OF COMPACT-LWE

CRYPTANALYSIS OF COMPACT-LWE SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption

More information

CRYSTALS Kyber and Dilithium. Peter Schwabe February 7, 2018

CRYSTALS Kyber and Dilithium. Peter Schwabe February 7, 2018 CRYSTALS Kyber and Dilithium Peter Schwabe peter@cryptojedi.org https://cryptojedi.org February 7, 2018 Crypto today 5 building blocks for a secure channel Symmetric crypto Block or stream cipher (e.g.,

More information

From NewHope to Kyber. Peter Schwabe April 7, 2017

From NewHope to Kyber. Peter Schwabe April 7, 2017 From NewHope to Kyber Peter Schwabe peter@cryptojedi.org https://cryptojedi.org April 7, 2017 In the past, people have said, maybe it s 50 years away, it s a dream, maybe it ll happen sometime. I used

More information

Elliptic curves. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J. Bernstein

Elliptic curves. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J. Bernstein Elliptic curves Tanja Lange Technische Universiteit Eindhoven with some slides by Daniel J. Bernstein Diffie-Hellman key exchange Pick some generator. Diffie-Hellman key exchange Pick some generator. Diffie-Hellman

More information

Markku-Juhani O. Saarinen

Markku-Juhani O. Saarinen Shorter Messages and Faster Post-Quantum Encryption with Round5 on Cortex M Markku-Juhani O. Saarinen S. Bhattacharya 1 O. Garcia-Morchon 1 R. Rietman 1 L. Tolhuizen 1 Z. Zhang 2 (1)

More information

Open problems in lattice-based cryptography

Open problems in lattice-based cryptography University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear

More information

Message Authentication Codes (MACs)

Message Authentication Codes (MACs) Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands October 8, 2015 1 / 22 About Me 2 / 22 About Me Tung Chou (Tony) 2 / 22 About Me Tung Chou (Tony) Ph.D.

More information

https://www.microsoft.com/en-us/research/people/plonga/ Outline Motivation recap Isogeny-based cryptography The SIDH key exchange protocol The SIKE protocol Authenticated key exchange from supersingular

More information

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance

More information

A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors

A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors Qian Guo Thomas Johansson Paul Stankovski Dept. of Electrical and Information Technology, Lund University ASIACRYPT 2016 Dec 8th, 2016

More information

Introduction to Quantum Safe Cryptography. ENISA September 2018

Introduction to Quantum Safe Cryptography. ENISA September 2018 Introduction to Quantum Safe Cryptography ENISA September 2018 Introduction This talk will introduce the mathematical background of the most popular PQC primitives Code-based Lattice-based Multivariate

More information

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain

More information

Post-Quantum Cryptography

Post-Quantum Cryptography Post-Quantum Cryptography Sebastian Schmittner Institute for Theoretical Physics University of Cologne 2015-10-26 Talk @ U23 @ CCC Cologne This work is licensed under a Creative Commons Attribution-ShareAlike

More information

Public-key cryptography and the Discrete-Logarithm Problem. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J.

Public-key cryptography and the Discrete-Logarithm Problem. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J. Public-key cryptography and the Discrete-Logarithm Problem Tanja Lange Technische Universiteit Eindhoven with some slides by Daniel J. Bernstein Cryptography Let s understand what our browsers do. Schoolbook

More information

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups Great Theoretical Ideas in CS V. Adamchik CS 15-251 Upcoming Interview? Lecture 24 Carnegie Mellon University Cryptography and RSA How the World's Smartest Company Selects the Most Creative Thinkers Groups

More information

Post-quantum key exchange for the Internet based on lattices

Post-quantum key exchange for the Internet based on lattices Post-quantum key exchange for the Internet based on lattices Craig Costello Talk at MSR India Bangalore, India December 21, 2016 Based on J. Bos, C. Costello, M. Naehrig, D. Stebila Post-Quantum Key Exchange

More information

Noisy Diffie-Hellman protocols

Noisy Diffie-Hellman protocols Noisy Diffie-Hellman protocols Carlos Aguilar 1, Philippe Gaborit 1, Patrick Lacharme 1, Julien Schrek 1 and Gilles Zémor 2 1 University of Limoges, France, 2 University of Bordeaux, France. Classical

More information

Cryptography and Security Final Exam

Cryptography and Security Final Exam Cryptography and Security Final Exam Serge Vaudenay 17.1.2017 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not

More information

NTRU Prime. Daniel J. Bernstein, Chitchanok Chuengsatiansup, Tanja Lange, and Christine van Vredendaal. Technische Universiteit Eindhoven

NTRU Prime. Daniel J. Bernstein, Chitchanok Chuengsatiansup, Tanja Lange, and Christine van Vredendaal. Technische Universiteit Eindhoven NTRU Prime Daniel J. Bernstein, Chitchanok Chuengsatiansup, Tanja Lange, and Christine van Vredendaal Technische Universiteit Eindhoven 25 August 2016 Tanja Lange NTRU Prime https://eprint.iacr.org/2016/461

More information

Post-quantum key exchange based on Lattices

Post-quantum key exchange based on Lattices Post-quantum key exchange based on Lattices Joppe W. Bos Romanian Cryptology Days Conference Cybersecurity in a Post-quantum World September 20, 2017, Bucharest 1. NXP Semiconductors Operations in > 35

More information

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator

More information

Cryptanalysis of the Algebraic Eraser

Cryptanalysis of the Algebraic Eraser Cryptanalysis of the Algebraic Eraser Simon R. Blackburn Royal Holloway University of London 9th June 2016 Simon R. Blackburn (RHUL) The Algebraic Eraser 1 / 14 Diffie-Hellman key exchange Alice and Bob

More information

Public-key Cryptography and elliptic curves

Public-key Cryptography and elliptic curves Public-key Cryptography and elliptic curves Dan Nichols University of Massachusetts Amherst nichols@math.umass.edu WINRS Research Symposium Brown University March 4, 2017 Cryptography basics Cryptography

More information

MATH 158 FINAL EXAM 20 DECEMBER 2016

MATH 158 FINAL EXAM 20 DECEMBER 2016 MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page

More information

Public Key Cryptography

Public Key Cryptography Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:

More information

A gentle introduction to isogeny-based cryptography

A gentle introduction to isogeny-based cryptography A gentle introduction to isogeny-based cryptography Craig Costello Tutorial at SPACE 2016 December 15, 2016 CRRao AIMSCS, Hyderabad, India Part 1: Motivation Part 2: Preliminaries Part 3: Brief SIDH sketch

More information

Tanja Lange Technische Universiteit Eindhoven

Tanja Lange Technische Universiteit Eindhoven Crytanalysis Course Part I Tanja Lange Technische Universiteit Eindhoven 28 Nov 2016 with some slides by Daniel J. Bernstein Main goal of this course: We are the attackers. We want to break ECC and RSA.

More information

Progressive lattice sieving

Progressive lattice sieving Progressive lattice sieving Thijs Laarhoven and Artur Mariano t s tt t s PQCrypto 2018, Fort Lauderdale (FL), USA (April 10, 2018) Lattices What is a lattice? Lattices What is a lattice? b 1 b 2 Lattices

More information

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015 L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm

More information

A Generic Attack on Lattice-based Schemes using Decryption Errors

A Generic Attack on Lattice-based Schemes using Decryption Errors A Generic Attack on Lattice-based Schemes using Decryption Errors with Application to ss-ntru-pke Qian Guo 1,2, Thomas Johansson 2, and Alexander Nilsson 2 1 Dept. of Informatics, University of Bergen,

More information

NewHope for ARM Cortex-M

NewHope for ARM Cortex-M for ARM Cortex-M Erdem Alkim 1, Philipp Jakubeit 2, Peter Schwabe 2 erdemalkim@gmail.com, phil.jakubeit@gmail.com, peter@cryptojedi.org 1 Ege University, Izmir, Turkey 2 Radboud University, Nijmegen, The

More information

On error distributions in ring-based LWE

On error distributions in ring-based LWE On error distributions in ring-based LWE Wouter Castryck 1,2, Ilia Iliashenko 1, Frederik Vercauteren 1,3 1 COSIC, KU Leuven 2 Ghent University 3 Open Security Research ANTS-XII, Kaiserslautern, August

More information

Public-key Cryptography and elliptic curves

Public-key Cryptography and elliptic curves Public-key Cryptography and elliptic curves Dan Nichols nichols@math.umass.edu University of Massachusetts Oct. 14, 2015 Cryptography basics Cryptography is the study of secure communications. Here are

More information

Hardness and advantages of Module-SIS and Module-LWE

Hardness and advantages of Module-SIS and Module-LWE Hardness and advantages of Module-SIS and Module-LWE Adeline Roux-Langlois EMSEC: Univ Rennes, CNRS, IRISA April 24, 2018 Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018

More information

arxiv: v2 [cs.cr] 14 Feb 2018

arxiv: v2 [cs.cr] 14 Feb 2018 Code-based Key Encapsulation from McEliece s Cryptosystem Edoardo Persichetti arxiv:1706.06306v2 [cs.cr] 14 Feb 2018 Florida Atlantic University Abstract. In this paper we show that it is possible to extend

More information

The Elliptic Curve in https

The Elliptic Curve in https The Elliptic Curve in https Marco Streng Universiteit Leiden 25 November 2014 Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 1 The s in https:// HyperText Transfer Protocol

More information

Historical cryptography. cryptography encryption main applications: military and diplomacy

Historical cryptography. cryptography encryption main applications: military and diplomacy Historical cryptography cryptography encryption main applications: military and diplomacy ancient times world war II Historical cryptography All historical cryptosystems badly broken! No clear understanding

More information

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such

More information

Foundations of Network and Computer Security

Foundations of Network and Computer Security Foundations of Network and Computer Security John Black Lecture #9 Sep 22 nd 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Midterm #1, next class (Tues, Sept 27 th ) All lecture materials and readings

More information

Quantum-Safe Crypto Why & How? JP Aumasson, Kudelski Security

Quantum-Safe Crypto Why & How? JP Aumasson, Kudelski Security Quantum-Safe Crypto Why & How? JP Aumasson, Kudelski Security Flight plan What s a quantum computer? How broken are your public keys? AES vs. quantum search Hidden quantum powers Defeating quantum computing

More information

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004 CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key

More information

Asymmetric Encryption

Asymmetric Encryption -3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function

More information

High-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

High-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers

More information

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time

More information

14 Diffie-Hellman Key Agreement

14 Diffie-Hellman Key Agreement 14 Diffie-Hellman Key Agreement 14.1 Cyclic Groups Definition 14.1 Example Let д Z n. Define д n = {д i % n i Z}, the set of all powers of д reduced mod n. Then д is called a generator of д n, and д n

More information

Introduction to Modern Cryptography. (1) Finite Groups, Rings and Fields. (2) AES - Advanced Encryption Standard

Introduction to Modern Cryptography. (1) Finite Groups, Rings and Fields. (2) AES - Advanced Encryption Standard Introduction to Modern Cryptography Lecture 3 (1) Finite Groups, Rings and Fields (2) AES - Advanced Encryption Standard +,0, and -a are only notations! Review - Groups Def (group): A set G with a binary

More information

Post-quantum security models for authenticated encryption

Post-quantum security models for authenticated encryption Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that

More information

Code Based Cryptography

Code Based Cryptography Code Based Cryptography Alain Couvreur INRIA & LIX, École Polytechnique École de Printemps Post Scryptum 2018 A. Couvreur Code Based Crypto Post scryptum 2018 1 / 66 Outline 1 Introduction 2 A bit coding

More information

ECS 189A Final Cryptography Spring 2011

ECS 189A Final Cryptography Spring 2011 ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I

More information

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices have many uses in cryptography. They may be used to define cryptosystems and to break other ciphers.

More information

Cryptanalysis of an NTRU-based Proxy Encryption Scheme from ASIACCS 15

Cryptanalysis of an NTRU-based Proxy Encryption Scheme from ASIACCS 15 Cryptanalysis of an NTRU-based Proxy Encryption Scheme from ASIACCS 15 Zhen Liu 1,2,3, Yanbin Pan 1, and Zhenfei Zhang 4 1 Key Laboratory of Mathematics Mechanization, NCMIS, Academy of Mathematics and

More information

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT) 1 Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shuichi Katsumata (The University of Tokyo /AIST) Shota Yamada (AIST) Takashi Yamakawa

More information

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Intro to Public Key Cryptography Diffie & Hellman Key Exchange Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part

More information

Winter 2011 Josh Benaloh Brian LaMacchia

Winter 2011 Josh Benaloh Brian LaMacchia Winter 2011 Josh Benaloh Brian LaMacchia Fun with Public-Key Tonight we ll Introduce some basic tools of public-key crypto Combine the tools to create more powerful tools Lay the ground work for substantial

More information

A brief survey of post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

A brief survey of post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago A brief survey of post-quantum cryptography D. J. Bernstein University of Illinois at Chicago Once the enormous energy boost that quantum computers are expected to provide hits the street, most encryption

More information

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How

More information

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.

More information

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks 1 Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks Michael Albert michael.albert@cs.otago.ac.nz 2 This week Arithmetic Knapsack cryptosystems Attacks on knapsacks Some

More information

Practical, Quantum-Secure Key Exchange from LWE

Practical, Quantum-Secure Key Exchange from LWE Practical, Quantum-Secure Key Exchange from LWE Douglas Stebila 4 th ETSI/IQC Workshop on Quantum-Safe Cryptography September 21, 2016 Acknowledgements Collaborators Joppe Bos Craig Costello and Michael

More information

Lecture 7: ElGamal and Discrete Logarithms

Lecture 7: ElGamal and Discrete Logarithms Lecture 7: ElGamal and Discrete Logarithms Johan Håstad, transcribed by Johan Linde 2006-02-07 1 The discrete logarithm problem Recall that a generator g of a group G is an element of order n such that

More information

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017 CSC 580 Cryptography and Computer Security Math for Public Key Crypto, RSA, and Diffie-Hellman (Sections 2.4-2.6, 2.8, 9.2, 10.1-10.2) March 21, 2017 Overview Today: Math needed for basic public-key crypto

More information

Cryptography CS 555. Topic 22: Number Theory/Public Key-Cryptography

Cryptography CS 555. Topic 22: Number Theory/Public Key-Cryptography Cryptography CS 555 Topic 22: Number Theory/Public Key-Cryptography 1 Exam Recap 2 Exam Recap Highest Average Score on Question Question 4: (Feistel Network with round function f(x) = 0 n ) Tougher Questions

More information

ASYMMETRIC ENCRYPTION

ASYMMETRIC ENCRYPTION ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall

More information

Public-Key Cryptosystems CHAPTER 4

Public-Key Cryptosystems CHAPTER 4 Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:

More information

Public Key Cryptography

Public Key Cryptography Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 74 Outline 1 Complexity measures 2 Algebra and Number Theory Background 3 Public Key Encryption: security notions

More information

Part 2 LWE-based cryptography

Part 2 LWE-based cryptography Part 2 LWE-based cryptography Douglas Stebila SAC Summer School Université d'ottawa August 14, 2017 https://www.douglas.stebila.ca/research/presentations Funding acknowledgements: SAC Summer School 2017-08-14

More information

Post-Quantum Cryptography

Post-Quantum Cryptography Post-Quantum Cryptography Code-Based Cryptography Tanja Lange with some slides by Tung Chou and Christiane Peters Technische Universiteit Eindhoven ASCrypto Summer School: 18 September 2017 Error correction

More information

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy Symmetric Cryptography Review Alice Bob Public Key x e K (x) y d K (y) x K K Instructor: Dr. Wei (Lisa) Li Department of Computer Science, GSU Two properties of symmetric (secret-key) crypto-systems: The

More information

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Solutions for week 1, Cryptography Course - TDA 352/DIT 250 Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.

More information

Short generators without quantum computers: the case of multiquadratics

Short generators without quantum computers: the case of multiquadratics Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein University of Illinois at Chicago 31 July 2017 https://multiquad.cr.yp.to Joint work with: Jens Bauch & Henry

More information

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a. INTRODUCTION TO CRYPTOGRAPHY 5. Discrete Logarithms Recall the classical logarithm for real numbers: If we write b = 10 a, then a = log 10 b is the logarithm of b to the base 10. Changing the base to e

More information

Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97

Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97 Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97 Phong Nguyen and Jacques Stern École Normale Supérieure, Laboratoire d Informatique 45, rue d Ulm, F 75230 Paris Cedex 05 {Phong.Nguyen,Jacques.Stern}@ens.fr

More information

Discrete logarithm and related schemes

Discrete logarithm and related schemes Discrete logarithm and related schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Discrete logarithm problem examples, equivalent

More information

Lattice-Based Cryptography

Lattice-Based Cryptography Liljana Babinkostova Department of Mathematics Computing Colloquium Series Detecting Sensor-hijack Attacks in Wearable Medical Systems Krishna Venkatasubramanian Worcester Polytechnic Institute Quantum

More information

Leakage of Signal function with reused keys in RLWE key exchange

Leakage of Signal function with reused keys in RLWE key exchange Leakage of Signal function with reused keys in RLWE key exchange Jintai Ding 1, Saed Alsayigh 1, Saraswathy RV 1, Scott Fluhrer 2, and Xiaodong Lin 3 1 University of Cincinnati 2 Cisco Systems 3 Rutgers

More information

QC-MDPC: A Timing Attack and a CCA2 KEM

QC-MDPC: A Timing Attack and a CCA2 KEM QC-MDPC: A Timing Attack and a CCA2 KEM Edward Eaton 1, Matthieu Lequesne 23, Alex Parent 1, and Nicolas Sendrier 3 1 ISARA Corporation, Waterloo, Canada {ted.eaton,alex.parent}@isara.com 2 Sorbonne Universités,

More information

Supersingular Isogeny Key Encapsulation

Supersingular Isogeny Key Encapsulation Supersingular Isogeny Key Encapsulation Presented by David Jao University of Waterloo and evolutionq, Inc. Full list of submitters: Reza Azarderakhsh, FAU Matt Campagna, Amazon Craig Costello, MSR Luca

More information

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2 Contents 1 Recommended Reading 1 2 Public Key/Private Key Cryptography 1 2.1 Overview............................................. 1 2.2 RSA Algorithm.......................................... 2 3 A Number

More information

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0

More information

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies

More information

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1). 1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not

More information

Applied cryptography

Applied cryptography Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:

More information

Code-based post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

Code-based post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago Code-based post-quantum cryptography D. J. Bernstein University of Illinois at Chicago Once the enormous energy boost that quantum computers are expected to provide hits the street, most encryption security

More information

Lecture 1: Introduction to Public key cryptography

Lecture 1: Introduction to Public key cryptography Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem

More information

Cryptography and Security Midterm Exam

Cryptography and Security Midterm Exam Cryptography and Security Midterm Exam Serge Vaudenay 23.11.2017 duration: 1h45 no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices

More information

An introduction to supersingular isogeny-based cryptography

An introduction to supersingular isogeny-based cryptography An introduction to supersingular isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8, 2017 Šibenik, Croatia Towards quantum-resistant cryptosystems from supersingular

More information

Notes 10: Public-key cryptography

Notes 10: Public-key cryptography MTH6115 Cryptography Notes 10: Public-key cryptography In this section we look at two other schemes that have been proposed for publickey ciphers. The first is interesting because it was the earliest such

More information

Quantum Differential and Linear Cryptanalysis

Quantum Differential and Linear Cryptanalysis Quantum Differential and Linear Cryptanalysis Marc Kaplan 1,2 Gaëtan Leurent 3 Anthony Leverrier 3 María Naya-Plasencia 3 1 LTCI, Télécom ParisTech 2 School of Informatics, University of Edinburgh 3 Inria

More information

CS 355: Topics in Cryptography Spring Problem Set 5.

CS 355: Topics in Cryptography Spring Problem Set 5. CS 355: Topics in Cryptography Spring 2018 Problem Set 5 Due: June 8, 2018 at 5pm (submit via Gradescope) Instructions: You must typeset your solution in LaTeX using the provided template: https://crypto.stanford.edu/cs355/homework.tex

More information

Public Key Encryption

Public Key Encryption Public Key Encryption KG October 17, 2017 Contents 1 Introduction 1 2 Public Key Encryption 2 3 Schemes Based on Diffie-Hellman 3 3.1 ElGamal.................................... 5 4 RSA 7 4.1 Preliminaries.................................

More information

Cryptanalysis of a key exchange protocol based on the endomorphisms ring End(Z p Z p 2)

Cryptanalysis of a key exchange protocol based on the endomorphisms ring End(Z p Z p 2) AAECC (212) 23:143 149 DOI 1.17/s2-12-17-z ORIGINAL PAPER Cryptanalysis of a key exchange protocol based on the endomorphisms ring End(Z p Z p 2) Abdel Alim Kamal Amr M. Youssef Received: 2 November 211

More information

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by

More information

Ideal Lattices and NTRU

Ideal Lattices and NTRU Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin April 23-30, 2013 Ideal Lattices and NTRU Scribe: Kina Winoto 1 Algebraic Background (Reminders) Definition 1. A commutative

More information

Advanced code-based cryptography. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

Advanced code-based cryptography. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Advanced code-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Lattice-basis reduction Define L = (0; 24)Z + (1; 17)Z = {(b; 24a + 17b) : a;

More information

Breaking Symmetric Cryptosystems Using Quantum Algorithms

Breaking Symmetric Cryptosystems Using Quantum Algorithms Breaking Symmetric Cryptosystems Using Quantum Algorithms Gaëtan Leurent Joined work with: Marc Kaplan Anthony Leverrier María Naya-Plasencia Inria, France FOQUS Workshop Gaëtan Leurent (Inria) Breaking

More information
2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback