Pub Date : 2024-08-12DOI: 10.1007/s10623-024-01474-y
Ruikai Chen, Sihem Mesnager
In this paper, we study properties and constructions of a general family of involutions of finite abelian groups, especially those of finite fields. The involutions we are interested in have the form (lambda +gcirc tau ), where (lambda ) and (tau ) are endomorphisms of a finite abelian group and g is an arbitrary map on this group. We present some involutions explicitly written as polynomials for the special cases of multiplicative and additive groups of finite fields.
在本文中,我们将研究有限无边群,尤其是有限域的无边群的一般渐开线族的性质和构造。我们感兴趣的渐开线具有 (lambda +gcirc tau )的形式,其中 (lambda )和 (tau )是有限无边际群的内变形,g是这个群上的任意映射。对于有限域的乘法群和加法群的特殊情况,我们提出了一些明确写成多项式的渐开线。
{"title":"Involutions of finite abelian groups with explicit constructions on finite fields","authors":"Ruikai Chen, Sihem Mesnager","doi":"10.1007/s10623-024-01474-y","DOIUrl":"https://doi.org/10.1007/s10623-024-01474-y","url":null,"abstract":"<p>In this paper, we study properties and constructions of a general family of involutions of finite abelian groups, especially those of finite fields. The involutions we are interested in have the form <span>(lambda +gcirc tau )</span>, where <span>(lambda )</span> and <span>(tau )</span> are endomorphisms of a finite abelian group and <i>g</i> is an arbitrary map on this group. We present some involutions explicitly written as polynomials for the special cases of multiplicative and additive groups of finite fields.</p>","PeriodicalId":11130,"journal":{"name":"Designs, Codes and Cryptography","volume":null,"pages":null},"PeriodicalIF":1.6,"publicationDate":"2024-08-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141973838","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"数学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-08-10DOI: 10.1007/s10623-024-01473-z
Shi Bai, Hansraj Jangir, Tran Ngo, William Youmans
We describe a heuristic polynomial-time algorithm for breaking the NTRU problem with multiple keys when given a sufficient number of ring samples. Following the linearization approach of the Arora-Ge algorithm (ICALP ’11), our algorithm constructs a system of linear equations using the public keys. Our main contribution is a kernel reduction technique that extracts the secret vector from a linear space of rank n, where n is the degree of the ring in which NTRU is defined. Compared to the algorithm of Kim-Lee (Designs, Codes and Cryptography, ’23), our algorithm does not require prior knowledge of the Hamming weight of the secret keys. Our algorithm is based on some plausible heuristics. We demonstrate experiments and show that the algorithm works quite well in practice, with close to cryptographic parameters.
我们描述了一种启发式多项式时间算法,用于在给定足够数量的环样本时破解多密钥 NTRU 问题。按照 Arora-Ge 算法(ICALP '11)的线性化方法,我们的算法使用公开密钥构建了一个线性方程组。我们的主要贡献在于内核缩减技术,它能从秩为 n 的线性空间中提取秘密向量,其中 n 是定义 NTRU 的环的阶数。与 Kim-Lee 的算法(《设计、编码和密码学》,'23)相比,我们的算法不需要事先知道秘钥的汉明权重。我们的算法基于一些可信的启发式方法。我们演示了实验,结果表明该算法在实际应用中效果很好,与加密参数接近。
{"title":"An algebraic algorithm for breaking NTRU with multiple keys","authors":"Shi Bai, Hansraj Jangir, Tran Ngo, William Youmans","doi":"10.1007/s10623-024-01473-z","DOIUrl":"https://doi.org/10.1007/s10623-024-01473-z","url":null,"abstract":"<p>We describe a heuristic polynomial-time algorithm for breaking the NTRU problem with multiple keys when given a sufficient number of ring samples. Following the linearization approach of the Arora-Ge algorithm (<i>ICALP ’11</i>), our algorithm constructs a system of linear equations using the public keys. Our main contribution is a kernel reduction technique that extracts the secret vector from a linear space of rank <i>n</i>, where <i>n</i> is the degree of the ring in which NTRU is defined. Compared to the algorithm of Kim-Lee (<i>Designs, Codes and Cryptography, ’23</i>), our algorithm does not require prior knowledge of the Hamming weight of the secret keys. Our algorithm is based on some plausible heuristics. We demonstrate experiments and show that the algorithm works quite well in practice, with close to cryptographic parameters.\u0000</p>","PeriodicalId":11130,"journal":{"name":"Designs, Codes and Cryptography","volume":null,"pages":null},"PeriodicalIF":1.6,"publicationDate":"2024-08-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141915205","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"数学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-08-09DOI: 10.1007/s10623-024-01462-2
Yi Li, Xiutao Feng, Qiang Wang
Permutation polynomials with few terms (especially permutation binomials) attract many people due to their simple algebraic structure. Despite the great interests in the study of permutation binomials, a complete characterization of permutation binomials is still unknown. Let (q=2^n) for a positive integer n. In this paper, we start classifying permutation binomials of the form (x^i+ax) over ({mathbb {F}}_{q}) in terms of their indices. After carrying out an exhaustive search of these permutation binomials over ({mathbb {F}}_{2^n}) for n up to 12, we gave three new infinite classes of permutation binomials over ({mathbb {F}}_{q^2}), ({mathbb {F}}_{q^3}), and ({mathbb {F}}_{q^4}) respectively, for (q=2^n) with arbitrary positive integer n. In particular, these binomials over ({mathbb {F}}_{q^3}) have relatively large index (frac{q^2+q+1}{3}). As an application, we can completely explain all the permutation binomials of the form (x^i+ax) over ({mathbb {F}}_{2^n}) for (nle 8). Moreover, we prove that there does not exist permutation binomials of the form (x^{2q^3+2q^2+2q+3}+ax) over ({mathbb {F}}_{q^4}) such that (ain {mathbb {F}}_{q^4}^*) and (n=2,m) with (mge 2).
{"title":"Towards a classification of permutation binomials of the form $$x^i+ax$$ over $${mathbb {F}}_{2^n}$$","authors":"Yi Li, Xiutao Feng, Qiang Wang","doi":"10.1007/s10623-024-01462-2","DOIUrl":"https://doi.org/10.1007/s10623-024-01462-2","url":null,"abstract":"<p>Permutation polynomials with few terms (especially permutation binomials) attract many people due to their simple algebraic structure. Despite the great interests in the study of permutation binomials, a complete characterization of permutation binomials is still unknown. Let <span>(q=2^n)</span> for a positive integer <i>n</i>. In this paper, we start classifying permutation binomials of the form <span>(x^i+ax)</span> over <span>({mathbb {F}}_{q})</span> in terms of their indices. After carrying out an exhaustive search of these permutation binomials over <span>({mathbb {F}}_{2^n})</span> for <i>n</i> up to 12, we gave three new infinite classes of permutation binomials over <span>({mathbb {F}}_{q^2})</span>, <span>({mathbb {F}}_{q^3})</span>, and <span>({mathbb {F}}_{q^4})</span> respectively, for <span>(q=2^n)</span> with arbitrary positive integer <i>n</i>. In particular, these binomials over <span>({mathbb {F}}_{q^3})</span> have relatively large index <span>(frac{q^2+q+1}{3})</span>. As an application, we can completely explain all the permutation binomials of the form <span>(x^i+ax)</span> over <span>({mathbb {F}}_{2^n})</span> for <span>(nle 8)</span>. Moreover, we prove that there does not exist permutation binomials of the form <span>(x^{2q^3+2q^2+2q+3}+ax)</span> over <span>({mathbb {F}}_{q^4})</span> such that <span>(ain {mathbb {F}}_{q^4}^*)</span> and <span>(n=2,m)</span> with <span>(mge 2)</span>.\u0000</p>","PeriodicalId":11130,"journal":{"name":"Designs, Codes and Cryptography","volume":null,"pages":null},"PeriodicalIF":1.6,"publicationDate":"2024-08-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141909300","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"数学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-08-09DOI: 10.1007/s10623-024-01477-9
Haiyan Guan, Shenglin Zhou
In this paper, we study block-transitive automorphism groups of t-((k^2,k,lambda )) designs. We prove that a block-transitive automorphism group G of a t-((k^2,k,lambda )) design must be point-primitive, and G is either an affine group or an almost simple group. Moreover, the nontrivial t-((k^2,k,lambda )) designs admitting block-transitive automorphism groups of almost simple type with sporadic socle and alternating socle are classified.
在本文中,我们研究了 t-((k^2,k,lambda ) 设计的块变换自变群。我们证明了 t-((k^2,k,lambda ) 设计的块变换自变群 G 必须是点原始的,并且 G 要么是仿射群,要么是近似简单群。此外,我们还对容许具有零星社会群和交替社会群的几乎简单类型的块传递自变群的非难t-((k^2,k,lambda )设计进行了分类。
{"title":"Reduction for block-transitive t- $$(k^2,k,lambda )$$ designs","authors":"Haiyan Guan, Shenglin Zhou","doi":"10.1007/s10623-024-01477-9","DOIUrl":"https://doi.org/10.1007/s10623-024-01477-9","url":null,"abstract":"<p>In this paper, we study block-transitive automorphism groups of <i>t</i>-<span>((k^2,k,lambda ))</span> designs. We prove that a block-transitive automorphism group <i>G</i> of a <i>t</i>-<span>((k^2,k,lambda ))</span> design must be point-primitive, and <i>G</i> is either an affine group or an almost simple group. Moreover, the nontrivial <i>t</i>-<span>((k^2,k,lambda ))</span> designs admitting block-transitive automorphism groups of almost simple type with sporadic socle and alternating socle are classified.</p>","PeriodicalId":11130,"journal":{"name":"Designs, Codes and Cryptography","volume":null,"pages":null},"PeriodicalIF":1.6,"publicationDate":"2024-08-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141909308","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"数学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-08-07DOI: 10.1007/s10623-024-01471-1
Charlene Weiß
A finite classical polar space of rank n consists of the totally isotropic subspaces of a finite vector space over (mathbb {F}_q) equipped with a nondegenerate form such that n is the maximal dimension of such a subspace. A t-((n,k,lambda )) design in a finite classical polar space of rank n is a collection Y of totally isotropic k-spaces such that each totally isotropic t-space is contained in exactly (lambda ) members of Y. Nontrivial examples are currently only known for (tle 2). We show that t-((n,k,lambda )) designs in polar spaces exist for all t and q provided that (k>frac{21}{2}t) and n is sufficiently large enough. The proof is based on a probabilistic method by Kuperberg, Lovett, and Peled, and it is thus nonconstructive.
秩为 n 的有限经典极空间由 (mathbb {F}_q) 上的有限向量空间的完全各向同性子空间组成,该子空间具有非enerate 形式,且 n 是该子空间的最大维数。秩为 n 的有限经典极空间中的 t-((n,k,lambda )) 设计是完全各向同性 k 空间的集合 Y,使得每个完全各向同性的 t 空间都包含在 Y 的精确 (lambda ) 成员中。我们证明了极空间中的 t- ((n,k,lambda))设计对于所有的 t 和 q 都是存在的,条件是 (k>frac{21}{2}t) 和 n 足够大。证明基于库珀伯格、洛维特和佩莱德的概率方法,因此是非结构性的。
{"title":"Nontrivial t-designs in polar spaces exist for all t","authors":"Charlene Weiß","doi":"10.1007/s10623-024-01471-1","DOIUrl":"https://doi.org/10.1007/s10623-024-01471-1","url":null,"abstract":"<p>A finite classical polar space of rank <i>n</i> consists of the totally isotropic subspaces of a finite vector space over <span>(mathbb {F}_q)</span> equipped with a nondegenerate form such that <i>n</i> is the maximal dimension of such a subspace. A <i>t</i>-<span>((n,k,lambda ))</span> design in a finite classical polar space of rank <i>n</i> is a collection <i>Y</i> of totally isotropic <i>k</i>-spaces such that each totally isotropic <i>t</i>-space is contained in exactly <span>(lambda )</span> members of <i>Y</i>. Nontrivial examples are currently only known for <span>(tle 2)</span>. We show that <i>t</i>-<span>((n,k,lambda ))</span> designs in polar spaces exist for all <i>t</i> and <i>q</i> provided that <span>(k>frac{21}{2}t)</span> and <i>n</i> is sufficiently large enough. The proof is based on a probabilistic method by Kuperberg, Lovett, and Peled, and it is thus nonconstructive.</p>","PeriodicalId":11130,"journal":{"name":"Designs, Codes and Cryptography","volume":null,"pages":null},"PeriodicalIF":1.6,"publicationDate":"2024-08-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141904645","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"数学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-08-03DOI: 10.1007/s10623-024-01469-9
Huawei Huang, Changgen Peng, Lunzhi Deng
This article analyzes a key exchange protocol based on a modified tropical structure proposed by Ahmed et al. in 2023. It is shown that the modified tropical semiring is isomorphic to the (2times 2) tropical circular matrix semiring. Therefore, matrices in this modified tropical semiring can be represented as tropical matrices, and the key exchange protocol is actually based on the tropical matrix semiring. Tropical irreducible matrices exhibit almost linear periodic property. Efficient algorithms for calculating the linear period and defect of irreducible matrices are designed. Based on the public information of the protocol, the equivalent private key can be computed and then the shared key is easily obtained. The analysis shows that the key exchange protocol based on this modified tropical structure is not secure.
本文分析了 Ahmed 等人在 2023 年提出的基于修正热带结构的密钥交换协议。结果表明,修正的热带结构与热带圆矩阵结构同构。因此,该修正热带配系中的矩阵可以表示为热带矩阵,而密钥交换协议实际上是基于热带矩阵配系的。热带不可还原矩阵表现出几乎线性的周期特性。本文设计了计算不可还原矩阵线性周期和缺陷的高效算法。根据协议的公开信息,可以计算出等价私钥,然后很容易得到共享密钥。分析表明,基于这种改进的热带结构的密钥交换协议并不安全。
{"title":"Cryptanalysis of a key exchange protocol based on a modified tropical structure","authors":"Huawei Huang, Changgen Peng, Lunzhi Deng","doi":"10.1007/s10623-024-01469-9","DOIUrl":"https://doi.org/10.1007/s10623-024-01469-9","url":null,"abstract":"<p>This article analyzes a key exchange protocol based on a modified tropical structure proposed by Ahmed et al. in 2023. It is shown that the modified tropical semiring is isomorphic to the <span>(2times 2)</span> tropical circular matrix semiring. Therefore, matrices in this modified tropical semiring can be represented as tropical matrices, and the key exchange protocol is actually based on the tropical matrix semiring. Tropical irreducible matrices exhibit almost linear periodic property. Efficient algorithms for calculating the linear period and defect of irreducible matrices are designed. Based on the public information of the protocol, the equivalent private key can be computed and then the shared key is easily obtained. The analysis shows that the key exchange protocol based on this modified tropical structure is not secure.</p>","PeriodicalId":11130,"journal":{"name":"Designs, Codes and Cryptography","volume":null,"pages":null},"PeriodicalIF":1.6,"publicationDate":"2024-08-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141880329","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"数学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-07-30DOI: 10.1007/s10623-024-01463-1
Lukas Kölsch, Gohar Kyureghyan
We observe that on the binary finite fields the classification of 2-to-1 binomials is equivalent to the classification of o-monomials, which is a well-studied and elusive problem in finite geometry. This connection implies a complete classification of 2-to-1 binomials (b=x^d+ux^e) for a large set of values of (d, e). Further, we show that a number of the known infinite families of 2-to-1 maps can be traced back to o-polynomials or to difference maps of APN maps. We also provide some connections between 2-to-1 maps and hyperovals in non-desarguesian planes.
{"title":"The classifications of o-monomials and of 2-to-1 binomials are equivalent","authors":"Lukas Kölsch, Gohar Kyureghyan","doi":"10.1007/s10623-024-01463-1","DOIUrl":"https://doi.org/10.1007/s10623-024-01463-1","url":null,"abstract":"<p>We observe that on the binary finite fields the classification of 2-to-1 binomials is equivalent to the classification of o-monomials, which is a well-studied and elusive problem in finite geometry. This connection implies a complete classification of 2-to-1 binomials <span>(b=x^d+ux^e)</span> for a large set of values of (<i>d</i>, <i>e</i>). Further, we show that a number of the known infinite families of 2-to-1 maps can be traced back to o-polynomials or to difference maps of APN maps. We also provide some connections between 2-to-1 maps and hyperovals in non-desarguesian planes.</p>","PeriodicalId":11130,"journal":{"name":"Designs, Codes and Cryptography","volume":null,"pages":null},"PeriodicalIF":1.6,"publicationDate":"2024-07-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141857605","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"数学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-07-27DOI: 10.1007/s10623-024-01432-8
Pratish Datta, Tapas Pal, Katsuyuki Takashima
This paper presents the first functional encryption ((textsf{FE})) scheme for the attribute-weighted sum functionality that supports the uniform model of computation. In such an FE scheme, encryption takes as input a pair of attributes (x, z) where x is public and z is private. A secret key corresponds to some weight function f, and decryption recovers the weighted sum f(x)z. In our scheme, both the public and private attributes can be of arbitrary polynomial lengths that are not fixed at system setup. The weight functions are modelled as (text {Logspace Turing machines}). Prior schemes could only support non-uniform Logspace. The proposed scheme is proven adaptively simulation secure under the well-studied symmetric external Diffie–Hellman assumption against an arbitrary polynomial number of secret key queries both before and after the challenge ciphertext. This is the best possible security notion that could be achieved for FE. On the technical side, our contributions lie in extending the techniques of Lin and Luo [EUROCRYPT 2020] devised for indistinguishability-based payload hiding attribute-based encryption for uniform Logspace access policies and the “three-slot reduction” technique for simulation-secure attribute-hiding FE for non-uniform Logspace devised by Datta and Pal [ASIACRYPT 2021] to the context of simulation-secure attribute-hiding FE for uniform Logspace.
本文提出了第一个支持统一计算模型的属性加权和功能加密((textsf{FE}))方案。在这种 FE 方案中,加密需要输入一对属性(x, z),其中 x 是公开的,z 是私有的。秘钥与某个权重函数 f 相对应,解密则恢复加权和 f(x)z。在我们的方案中,公共属性和私人属性都可以是任意多项式长度,在系统设置时并不固定。权重函数被模拟为(text {Logspace Turing machines})。之前的方案只能支持非均匀 Logspace。在经过充分研究的对称外部 Diffie-Hellman 假设下,针对挑战密文前后任意多项式数量的秘钥查询,所提出的方案被证明是自适应模拟安全的。这是 FE 可以实现的最佳安全概念。在技术方面,我们的贡献在于将 Lin 和 Luo [EUROCRYPT 2020] 为统一 Logspace 访问策略设计的基于不可区分性的有效载荷隐藏属性加密技术,以及 Datta 和 Pal [ASIACRYPT 2021] 为非统一 Logspace 设计的模拟安全属性隐藏 FE 的 "三槽缩减 "技术,扩展到统一 Logspace 的模拟安全属性隐藏 FE。
{"title":"Compact FE for unbounded attribute-weighted sums for logspace from SXDH","authors":"Pratish Datta, Tapas Pal, Katsuyuki Takashima","doi":"10.1007/s10623-024-01432-8","DOIUrl":"https://doi.org/10.1007/s10623-024-01432-8","url":null,"abstract":"<p>This paper presents the <i>first</i> functional encryption <span>((textsf{FE}))</span> scheme for the attribute-weighted sum functionality that supports the <i>uniform</i> model of computation. In such an <span>FE</span> scheme, encryption takes as input a pair of attributes (<i>x</i>, <i>z</i>) where <i>x</i> is public and <i>z</i> is private. A secret key corresponds to some weight function <i>f</i>, and decryption recovers the weighted sum <i>f</i>(<i>x</i>)<i>z</i>. In our scheme, both the public and private attributes can be of arbitrary polynomial lengths that are not fixed at system setup. The weight functions are modelled as <span>(text {Logspace Turing machines})</span>. Prior schemes could only support non-uniform Logspace. The proposed scheme is proven <i>adaptively simulation</i> secure under the well-studied symmetric external Diffie–Hellman assumption against an arbitrary polynomial number of secret key queries both before and after the challenge ciphertext. This is the best possible security notion that could be achieved for <span>FE</span>. On the technical side, our contributions lie in extending the techniques of Lin and Luo [EUROCRYPT 2020] devised for indistinguishability-based payload hiding attribute-based encryption for uniform Logspace access policies and the “three-slot reduction” technique for simulation-secure attribute-hiding <span>FE</span> for non-uniform Logspace devised by Datta and Pal [ASIACRYPT 2021] to the context of simulation-secure attribute-hiding <span>FE</span> for uniform Logspace.</p>","PeriodicalId":11130,"journal":{"name":"Designs, Codes and Cryptography","volume":null,"pages":null},"PeriodicalIF":1.6,"publicationDate":"2024-07-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141768461","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"数学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-07-27DOI: 10.1007/s10623-024-01429-3
Sven Schäge
We present Transmission optimal protocol with active security ((textsf {TOPAS})), the first key agreement protocol with optimal communication complexity (message size and number of rounds) that provides security against fully active adversaries. The size of the protocol messages and the computational costs to generate them are comparable to the basic Diffie-Hellman protocol over elliptic curves (which is well-known to only provide security against passive adversaries). Session keys are indistinguishable from random keys—even under reflection and key compromise impersonation attacks. What makes (textsf {TOPAS})stand out is that it also features a security proof of full perfect forward secrecy (PFS), where the attacker can actively modify messages sent to or from the test-session. The proof of full PFS relies on two new extraction-based security assumptions. It is well-known that existing implicitly-authenticated 2-message protocols like (textsf {HMQV})cannot achieve this strong form of (full) security against active attackers (Krawczyk, Crypto’05). This makes (textsf {TOPAS})the first key agreement protocol with full security against active attackers that works in prime-order groups while having optimal message size. We also present a variant of our protocol, (textsf {TOPAS+}), which, under the Strong Diffie-Hellman assumption, provides better computational efficiency in the key derivation phase. Finally, we present a third protocol termed (textsf {FACTAS})(for factoring-based protocol with active security) which has the same strong security properties as (textsf {TOPAS})and (textsf {TOPAS+})but whose security is solely based on the factoring assumption in groups of composite order (except for the proof of full PFS).
{"title":"$$textsf {TOPAS}$$ 2-pass key exchange with full perfect forward secrecy and optimal communication complexity","authors":"Sven Schäge","doi":"10.1007/s10623-024-01429-3","DOIUrl":"https://doi.org/10.1007/s10623-024-01429-3","url":null,"abstract":"<p>We present Transmission optimal protocol with active security (<span>(textsf {TOPAS})</span>), the first key agreement protocol with optimal communication complexity (message size and number of rounds) that provides security against fully active adversaries. The size of the protocol messages and the computational costs to generate them are comparable to the basic Diffie-Hellman protocol over elliptic curves (which is well-known to only provide security against passive adversaries). Session keys are indistinguishable from random keys—even under reflection and key compromise impersonation attacks. What makes <span>(textsf {TOPAS})</span>stand out is that it also features a security proof of full perfect forward secrecy (PFS), where the attacker can <i>actively</i> modify messages sent to or from the test-session. The proof of full PFS relies on two new extraction-based security assumptions. It is well-known that existing implicitly-authenticated 2-message protocols like <span>(textsf {HMQV})</span>cannot achieve this strong form of (full) security against active attackers (Krawczyk, Crypto’05). This makes <span>(textsf {TOPAS})</span>the first key agreement protocol with full security against active attackers that works in prime-order groups while having optimal message size. We also present a variant of our protocol, <span>(textsf {TOPAS+})</span>, which, under the Strong Diffie-Hellman assumption, provides better computational efficiency in the key derivation phase. Finally, we present a third protocol termed <span>(textsf {FACTAS})</span>(for factoring-based protocol with active security) which has the same strong security properties as <span>(textsf {TOPAS})</span>and <span>(textsf {TOPAS+})</span>but whose security is solely based on the factoring assumption in groups of composite order (except for the proof of full PFS).</p>","PeriodicalId":11130,"journal":{"name":"Designs, Codes and Cryptography","volume":null,"pages":null},"PeriodicalIF":1.6,"publicationDate":"2024-07-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141768458","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"数学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-07-27DOI: 10.1007/s10623-024-01461-3
Tor Helleseth, Chunlei Li, Yongbo Xia
Dobbertin in 1999 proved that the Welch power function (x^{2^m+3}) was almost perferct nonlinear (APN) over the finite field (mathbb {F}_{2^{2m+1}}), where m is a positive integer. In his proof, Dobbertin showed that the APNness of (x^{2^m+3}) essentially relied on the bijectivity of the polynomial (g(x)=x^{2^{m+1}+1}+x^3+x) over (mathbb {F}_{2^{2m+1}}). In this paper, we first determine the differential and Walsh spectra of the permutation polynomial g(x), revealing its favourable cryptograhphic properties. We then explore four families of binary linear codes related to the Welch APN power functions. For two cyclic codes among them, we propose algebraic decoding algorithms that significantly outperform existing methods in terms of decoding complexity.
{"title":"Investigation of the permutation and linear codes from the Welch APN function","authors":"Tor Helleseth, Chunlei Li, Yongbo Xia","doi":"10.1007/s10623-024-01461-3","DOIUrl":"https://doi.org/10.1007/s10623-024-01461-3","url":null,"abstract":"<p>Dobbertin in 1999 proved that the Welch power function <span>(x^{2^m+3})</span> was almost perferct nonlinear (APN) over the finite field <span>(mathbb {F}_{2^{2m+1}})</span>, where <i>m</i> is a positive integer. In his proof, Dobbertin showed that the APNness of <span>(x^{2^m+3})</span> essentially relied on the bijectivity of the polynomial <span>(g(x)=x^{2^{m+1}+1}+x^3+x)</span> over <span>(mathbb {F}_{2^{2m+1}})</span>. In this paper, we first determine the differential and Walsh spectra of the permutation polynomial <i>g</i>(<i>x</i>), revealing its favourable cryptograhphic properties. We then explore four families of binary linear codes related to the Welch APN power functions. For two cyclic codes among them, we propose algebraic decoding algorithms that significantly outperform existing methods in terms of decoding complexity.</p>","PeriodicalId":11130,"journal":{"name":"Designs, Codes and Cryptography","volume":null,"pages":null},"PeriodicalIF":1.6,"publicationDate":"2024-07-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141768460","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"数学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}