Differential Cryptanalysis for Multivariate Schemes

Similar documents
Inoculating Multivariate Schemes Against Differential Attacks

Multivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar?

Little Dragon Two: An efficient Multivariate Public Key Cryptosystem

Key Recovery on Hidden Monomial Multivariate Schemes

Poly Dragon: An efficient Multivariate Public Key Cryptosystem

Oil-Vinegar signature cryptosystems

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

Structural Cryptanalysis of SASAS

Improved Cryptanalysis of HFEv- via Projection

Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization

Multivariate Public Key Cryptography

Optimized Interpolation Attacks on LowMC

Key Recovery on Hidden Monomial Multivariate Schemes

Public key cryptography using Permutation P-Polynomials over Finite Fields

Lecture 12: Block ciphers

Cryptanalysis of Simple Matrix Scheme for Encryption

Analysis of Hidden Field Equations Cryptosystem over Odd-Characteristic Fields

Cryptanalysis of the TTM Cryptosystem

Multivariate Quadratic Public-Key Cryptography Part 1: Basics

Linearity Measures for MQ Cryptography

TOT, a Fast Multivariate Public Key Cryptosystem with Basic Secure Trapdoor

Code-based Cryptography

Simple Matrix Scheme for Encryption (ABC)

Classical Cryptography

Chapter 2 Classical Cryptosystems

Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97

CHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER

Cook-Levin Theorem. SAT is NP-complete

Linear Bandwidth Naccache-Stern Encryption

Cryptanalysis of the Oil & Vinegar Signature Scheme

Hidden Pair of Bijection Signature Scheme

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Gröbner Bases in Public-Key Cryptography

Hidden Field Equations

MI-T-HFE, a New Multivariate Signature Scheme

A Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems

A Large Block Cipher using an Iterative Method and the Modular Arithmetic Inverse of a key Matrix

Public-Key Cryptosystems CHAPTER 4

Lecture Notes. Advanced Discrete Structures COT S

Division Property: a New Attack Against Block Ciphers

Solution of Exercise Sheet 7

The XL and XSL attacks on Baby Rijndael. Elizabeth Kleiman. A thesis submitted to the graduate faculty

Computers and Mathematics with Applications

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Cube Attacks on Stream Ciphers Based on Division Property

Algebraic Aspects of Symmetric-key Cryptography

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

Quadratic Equations from APN Power Functions

Etude d hypothèses algorithmiques et attaques de primitives cryptographiques

Diophantine equations via weighted LLL algorithm

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

A Block Cipher using an Iterative Method involving a Permutation

USING POLY-DRAGON CRYPTOSYSTEM IN A PSEUDORANDOM NUMBER GENERATOR MSTg. 1. Introduction

An Improved Affine Equivalence Algorithm for Random Permutations

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Math-Net.Ru All Russian mathematical portal

A CRYPTANALYTIC ATTACK-ON THE LU-LEE PUBLIC-KEY CRYPTOSYSTEM

Jay Daigle Occidental College Math 401: Cryptology

Fully homomorphic encryption scheme using ideal lattices. Gentry s STOC 09 paper - Part II

Cryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000

Module 2 Advanced Symmetric Ciphers

Improved Cryptanalysis of HFEv- via Projection

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

Lecture Notes, Week 6

Security of the AES with a Secret S-box

Extended Criterion for Absence of Fixed Points

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

Isomorphism of Polynomials : New Results

Modified Hill Cipher with Interlacing and Iteration

Looking back at lattice-based cryptanalysis

Block ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit

Notes on Alekhnovich s cryptosystems

On the Goubin-Courtois Attack on TTM

Lecture Notes. Advanced Discrete Structures COT S

Lecture 4: DES and block ciphers

Candidates must show on each answer book the type of calculator used. Only calculators permitted under UEA Regulations may be used.

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

AES side channel attacks protection using random isomorphisms

A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

MODEL ANSWERS TO THE FOURTH HOMEWORK

An average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and

Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock

Computational and Algebraic Aspects of the Advanced Encryption Standard

Background: Lattices and the Learning-with-Errors problem

Cryptanalysis of a homomorphic public-key cryptosystem over a finite group

Statistical and Algebraic Properties of DES

Pitfalls in public key cryptosystems based on free partially commutative monoids and groups

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Impossible Differential Attacks on 13-Round CLEFIA-128

CSc 466/566. Computer Security. 5 : Cryptography Basics

Low Complexity Differential Cryptanalysis and Fault Analysis of AES

5199/IOC5063 Theory of Cryptology, 2014 Fall

Algorithmic Number Theory and Public-key Cryptography

Implementation of the RSA algorithm and its cryptanalysis. Abstract. Introduction

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents

Chapter 2 Balanced Feistel Ciphers, First Properties

Transcription:

Differential Cryptanalysis for Multivariate Schemes Jacques Stern Joint work with P. A. Fouque and L. Granboulan École normale supérieure Differential Cryptanalysis for Multivariate Schemes p.1/23

MI Cryptosystem F q a finite field of characteristic 2 Secret Key : S, T two affine bijections in (F q ) n F is defined as F (X) = X ql +1 in F q n and is thus a quadratic map from (F q ) n to (F q ) n Public key : the system E of equations in (F q ) n E = T F S Decryption function : invert T, compute F 1 by raising to the power (q l + 1) 1 mod (q n 1), and invert S Differential Cryptanalysis for Multivariate Schemes p.2/23

Perturbated MI Cryptosystem (PMI) R linear map from (F q ) n to (F q ) r with r n H quadratic function from (F q ) r to (F q ) n E = T (F + H R) S = E + T H R S The PMI scheme E is the MI scheme E plus a random-looking quadratic term T H R S q r must be small so that exhaustive search on q r is efficient, otherwise decryption is slow Secret key : (S, T, P ) where P is a table storing (λ, µ) pairs s.t. H(µ) = λ Differential Cryptanalysis for Multivariate Schemes p.3/23

MI and PMI Cryptosystems Message x Message x A S 1 F 1 E F u + A S µ λ R H B T 1 Ciphertext y B T Ciphertext y Differential Cryptanalysis for Multivariate Schemes p.4/23

PMI Decryption Algorithm Input : y ciphertext Output : x plaintext s.t. y = E (x) Compute B = T 1 (y) For the q r pairs (λ, µ), compute A λ = F 1 (B λ) until R(A λ ) = µ Return x λ = S 1 (A λ ) If many pairs (λ, µ) are possible, redundancy is added to the plaintext Differential Cryptanalysis for Multivariate Schemes p.5/23

PMI schemes and variants Ding s practical cryptosystem q = 2, n = 136, l = 40 and r = 6 so F (X) = X 240 +1, R : (F 2 ) 136 (F 2 ) 6 and H : (F 2 ) 6 (F 2 ) 136 gcd(2 136 1, 2 40 1) = 2 gcd(136,40) 1 = 2 8 1 The variant of PMI when gcd(n, l) = 8 is called Ding s scheme The variant of PMI when gcd(n, l) = 1 is called Generalized scheme Differential Cryptanalysis for Multivariate Schemes p.6/23

Patarin attack on MI Search n bilinear relations (B i ) 1 i n between the plaintext x and the ciphertext y Recover the coefficients of the bilinear relations using O(n 2 ) plaintext/ciphertext pairs Given a ciphertext y, solve the system of the n bilinear relations to find the plaintext x However, the system is not invertible ( exhaustive search to uniquely recover x) Differential Cryptanalysis for Multivariate Schemes p.7/23

Patarin attack on (2) Let A = S(x) F q n and B = T 1 (y) F q n Since F (A) = B, we have B = A ql +1 By raising to the power q l 1 and multiplying by AB, we get a bilinear expression A B ql = A q2l B Rewriting this equation in the variables x and y and projeting into (F q ) n, we get n bilinear relations between the plaintext and ciphertext Differential Cryptanalysis for Multivariate Schemes p.8/23

Breaking the PMI scheme E = E + T H R S Here, constants of affine maps are erased (see paper) If k K = ker(r S), then E (k) = E(k) On the subspace K, Patarin s attack can be applied Goal : decrypting all PMI ciphertexts when x K whose dimension (n r) is large for all x Detecting membership in K using differential cryptanalysis Differential Cryptanalysis for Multivariate Schemes p.9/23

The use of differentials Let G be a quadratic map, its differential is linear L G,k : x G(x + k) G(x) G(k) + G(0) The constant term disappears thanks to G(0), and so L G,k is a linear map and not an affine one Let X = S(x) and K = S(k) Differential of a composition of functions : if E = T F S, then L E,k (x) = T L F,K (X) Since S and T are bijection, dim(ker(l E,k )) = dim(ker(l F,K )) Differential Cryptanalysis for Multivariate Schemes p.10/23

Expression of L F,K L F,K (X) = F (X + K) F (X) F (K) + F (0) = (X + K) ql (X + K) X ql +1 K ql +1 = (X ql + K ql ) (X + K) X ql +1 K ql +1 ( ( ) ) q l = K ql X + X ql K = K ql +1 X X K + K X L F,K (X) is a linear map Differential Cryptanalysis for Multivariate Schemes p.11/23

Kernel s dimension of the differential in MI X is in the kernel of L F,K L F,K (X) = 0 Y + Y ql = 0 where Y = X K Y (1 + Y ql 1 ) = 0 Y ql 1 = 1 since char(f q ) = 2 Y = 1 K ker L F,K k ker L E,k The equation Y ql 1 = 1 has q gcd(l,n) 1 solutions Therefore, dim(ker L E,k ) = dim(ker L F,K ) = gcd(l, n) Differential Cryptanalysis for Multivariate Schemes p.12/23

Kernel s dimension of the differential in PMI What is the contribution of H R on the kernel s dimension? Since H is quadratic, its differential is L H R,K (X) = r i,j=1 α i,j[r i (X)R j (K) + R i (K)R j (X)] K is always in ker(l H R,K ) and dim(ker(l E,K)) 1 Since H is random, L H R,K is a random linear map and L E,k is also a random linear map Consequently, dim(ker L E,k) follows the distribution of random linear map Differential Cryptanalysis for Multivariate Schemes p.13/23

Breaking Ding s scheme In the proposed system, gcd(l, n) = 8 The probability that a linear map has a kernel of dimension 8 is small ( 1/2 20 ) We devise the following test : if dim(ker(l E,k)) = gcd(l, n), then decide k K otherwise decide k K Differential Cryptanalysis for Multivariate Schemes p.14/23

Total Break of Ding s scheme K can be recovered by collecting n r independent vectors as well as the bilinear relations of Patarin s attack when k K On this subspace, we can invert any ciphertext y s.t. x K where y = E (x) which holds with probability 1/q r The entire space can be divided into q r affine subspaces parallel to the K direction The same attack can be mounted in parallel on all these subspaces to recover any ciphertext y Differential Cryptanalysis for Multivariate Schemes p.15/23

Breaking the Generalized scheme When gcd(l, n) = 1, the previous test cannot be applied since dim(ker L E,k) = gcd(l, n) = 1 with high probability even if k K Therefore, if dim(ker L E,k) = 1, k may or not be in K if dim(ker L E,k) > 1, k K with probability 1 We need to filter bad values k s.t. dim(ker L E,k) = 1 and k K Differential Cryptanalysis for Multivariate Schemes p.16/23

Filtering the bad values k Since K is a linear space, if k, k K, then k + k K To decide if k K, which holds with probability 1/q r, take different k s.t. dim(ker L E,k ) = 1 and compute the distribution of dim(l E,k+k ) The distributions of dim(l E,k+k ) when k K and when k K are different and can be distinguished by statistic experiments Differential Cryptanalysis for Multivariate Schemes p.17/23

New Attack on the MI cryptosystem This new attack finds two bilinear relations C and D of n coordinates : C is between a vector f k of the kernel of the transpose matrix of L E,k and the ciphertext y corresponding to E(k) D is between the vector f k and the corresponding plaintext k Differential Cryptanalysis for Multivariate Schemes p.18/23

Decomposition of L E,k ( Since L F,K (X) = K ql +1 X + ( ) ) X q l, K K L E,k = T L F,K S can be written as T µ K ψ θ K S where µ K, ψ and θ K are the linear maps and K = S(k) and X = S(x) : θ K : X X K ψ : Y Y + Y ql independent of K µ K : Z K ql +1 Z Differential Cryptanalysis for Multivariate Schemes p.19/23

f k in the kernel of transpose of L E,k T, µ K, ψ, θ K and S are n n matrices, and (f k ) is a row vector in L E,k s.t. (f k )(T.µ K.ψ.θ K.S) = 0 Since θ K and S invertible matrices, (f k )(T.µ K ) ker ψ If gcd(l, n) = 1, then dim(ker ψ) = 1 and if q = 2 (f k )(T.µ K ) = ( ˆf) Differential Cryptanalysis for Multivariate Schemes p.20/23

The two bilinear relations C and D µ K (Z) = F (K) Z is linear in F (K) Since F (K) = T 1 (E(k)), then µ K is linear in the ciphertext E(k) So (f k )(T.µ K ) = ( ˆf) is a bilinear relation C between E(k) and f k which can be projected to the n coordinates Finally, as (f k )(L E,k ) = 0 and L E,k is linear in k, then there is a bilinear relation D between f k and the plaintext k Differential Cryptanalysis for Multivariate Schemes p.21/23

The new attack against MI Precomputation stage : Using many plaintexts k, compute f k (kernel of L E,k ) and the corresponding ciphertexts E(k) and recover the bilinear relations C(f k, E(k)) recover the bilinear relations D(f k, k) On-line stage : Given a ciphertext E(k), recover the vector f k using C and decrypt using D and f k Differential Cryptanalysis for Multivariate Schemes p.22/23

Conclusion We show that differential cryptanalysis is a nice tool which can be adapted to successfully attack multivariate schemes We apply this novel cryptanalytic method in order to propose A new attack against the MI original scheme An attack against a recently proposed variant of MI called PMI Differential Cryptanalysis for Multivariate Schemes p.23/23

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback