Designs, Codes and Cryptography最新文献

We observe that on the binary finite fields the classification of 2-to-1 binomials is equivalent to the classification of o-monomials, which is a well-studied and elusive problem in finite geometry. This connection implies a complete classification of 2-to-1 binomials (b=x^d+ux^e) for a large set of values of (d, e). Further, we show that a number of the known infinite families of 2-to-1 maps can be traced back to o-polynomials or to difference maps of APN maps. We also provide some connections between 2-to-1 maps and hyperovals in non-desarguesian planes.

This paper presents the first functional encryption ((textsf{FE})) scheme for the attribute-weighted sum functionality that supports the uniform model of computation. In such an FE scheme, encryption takes as input a pair of attributes (x, z) where x is public and z is private. A secret key corresponds to some weight function f, and decryption recovers the weighted sum f(x)z. In our scheme, both the public and private attributes can be of arbitrary polynomial lengths that are not fixed at system setup. The weight functions are modelled as (text {Logspace Turing machines}). Prior schemes could only support non-uniform Logspace. The proposed scheme is proven adaptively simulation secure under the well-studied symmetric external Diffie–Hellman assumption against an arbitrary polynomial number of secret key queries both before and after the challenge ciphertext. This is the best possible security notion that could be achieved for FE. On the technical side, our contributions lie in extending the techniques of Lin and Luo [EUROCRYPT 2020] devised for indistinguishability-based payload hiding attribute-based encryption for uniform Logspace access policies and the “three-slot reduction” technique for simulation-secure attribute-hiding FE for non-uniform Logspace devised by Datta and Pal [ASIACRYPT 2021] to the context of simulation-secure attribute-hiding FE for uniform Logspace.

We present Transmission optimal protocol with active security ((textsf {TOPAS})), the first key agreement protocol with optimal communication complexity (message size and number of rounds) that provides security against fully active adversaries. The size of the protocol messages and the computational costs to generate them are comparable to the basic Diffie-Hellman protocol over elliptic curves (which is well-known to only provide security against passive adversaries). Session keys are indistinguishable from random keys—even under reflection and key compromise impersonation attacks. What makes (textsf {TOPAS})stand out is that it also features a security proof of full perfect forward secrecy (PFS), where the attacker can actively modify messages sent to or from the test-session. The proof of full PFS relies on two new extraction-based security assumptions. It is well-known that existing implicitly-authenticated 2-message protocols like (textsf {HMQV})cannot achieve this strong form of (full) security against active attackers (Krawczyk, Crypto’05). This makes (textsf {TOPAS})the first key agreement protocol with full security against active attackers that works in prime-order groups while having optimal message size. We also present a variant of our protocol, (textsf {TOPAS+}), which, under the Strong Diffie-Hellman assumption, provides better computational efficiency in the key derivation phase. Finally, we present a third protocol termed (textsf {FACTAS})(for factoring-based protocol with active security) which has the same strong security properties as (textsf {TOPAS})and (textsf {TOPAS+})but whose security is solely based on the factoring assumption in groups of composite order (except for the proof of full PFS).

Dobbertin in 1999 proved that the Welch power function (x^{2^m+3}) was almost perferct nonlinear (APN) over the finite field (mathbb {F}_{2^{2m+1}}), where m is a positive integer. In his proof, Dobbertin showed that the APNness of (x^{2^m+3}) essentially relied on the bijectivity of the polynomial (g(x)=x^{2^{m+1}+1}+x^3+x) over (mathbb {F}_{2^{2m+1}}). In this paper, we first determine the differential and Walsh spectra of the permutation polynomial g(x), revealing its favourable cryptograhphic properties. We then explore four families of binary linear codes related to the Welch APN power functions. For two cyclic codes among them, we propose algebraic decoding algorithms that significantly outperform existing methods in terms of decoding complexity.

Linear cryptanalysis is one of the most classical cryptanalysis methods for block ciphers. Some critical techniques of the key-recovery phase are developed for enhancing linear cryptanalysis. Collard et al. improved the time complexity for last-round key-recovery attacks by using FWT. A generalized key-recovery algorithm for an arbitrary number of rounds with an associated time complexity formula is further provided by Flórez-Gutiérrez and Naya-Plasencia based on FWT in Eurocrypt 2020. However, the previous generalized algorithms are mainly applied to block ciphers with SPN structures, where the round-keys in the first and last round XORed to the state can be easily defined as outer keys. In Asiacrypt 2021, Leurent et al. applied the algorithm by Flórez-Gutiérrez et al. to Feistel structure ciphers. However, for other structures, such as NLFSR-based, the outer keys can not be directly deduced to utilize the previous algorithms. This paper extends the algorithm by Flórez-Gutiérrez et al. for more complicated structures, including but not limited to NLFSR-based, Feistel, ARX, and SPN. We also use the dependency relationships between ciphertext, plaintext and key information bits to eliminate the redundancy calculation and the improve analysis phase. We apply the algorithm with the improved analysis phase to KATAN (NLFSR-based) and SPARX (ARX). We obtain significantly improved results. The linear results we find for SPARX-128/128 beat other cryptanalytic techniques, becoming the best key recovery attacks on this cipher. The previous best linear attacks on KATAN32, KATAN48 and KATAN64 are improved by 9, 4, and 14 rounds, respectively.

A subspace of a finite field is called a Sidon space if the product of any two of its nonzero elements is unique up to a scalar multiplier from the base field. Sidon spaces, introduced by Roth et al. in (IEEE Trans Inf Theory 64(6):4412–4422, 2018), have a close connection with optimal full-length orbit codes. In this paper, we will construct several families of large cyclic subspace codes based on the two kinds of Sidon spaces. These new codes have more codewords than the previous constructions in the literature without reducing minimum distance. In particular, in the case of (n=4k), the size of our resulting code is within a factor of (frac{1}{2}+o_{k}(1)) of the sphere-packing bound as k goes to infinity.

Modern data centers use erasure codes to provide high storage efficiency and fault tolerance. Reed–Solomon code is commonly deployed in large-scale distributed storage systems due to its ease of implementation, but it consumes massive bandwidth during node repair. Minimum storage regenerating (MSR) codes is a class of maximum distance separable (MDS) codes that achieve the lower bound on repair bandwidth. However, an exponential sub-packetization level is inevitable for MSR codes, resulting in massive disk I/O consumption during node repair. Disk I/O is becoming the bottleneck of the performance in data centers where the storage system needs to frequently provide high-speed data access to clients. In this paper, we consider disk I/O as an important metric to evaluate the performance of a code and construct MDS array codes with efficient repair under small sub-packetization level. Specifically, two explicit families of MDS codes with efficient repair are proposed at the sub-packetization level of ({mathcal {O}}(r)), where r denotes the number of parities. The first family of codes are constructed over a finite field ({mathbb {F}}_{q^m}) where (q ge n) is a prime power, (m > r(l-1) +1), n and l denote the code length and sub-packetization level, respectively. The second family of codes are built upon a special binary polynomial ring where the computation operations during node repair and file reconstruction are only XORs and cyclic shifts, avoiding complex multiplications and divisions over large finite fields.

The security requirements of new applications such as cloud computing, big data, and the Internet of Things have promoted the development and application of security protocols such as secure multi-party computation, fully homomorphic encryption, and zero-knowledge proof. In order to meet these demands, there is a need for new symmetric ciphers that minimize multiplications in ( {mathbb {F}}_{2^{n}} ) or ( {mathbb {F}}_{p} ), where p is prime. One construction that addresses this demand is Partial SPN (P-SPN) construction, where the S-box layer is only applied to a portion of the state in each round. And there have been several research on the construction over the past years. The key to the design of P-SPN construction lies in the linear layers, but systematic exploration in this direction has been lacking in the existing work. In this work, we first establish a lower bound on the dimension of the maximal invariant subspace without active S-boxes for a generic P-SPN scheme. Subsequently, we concentrate on the linear layers of P-SPN construction. Through a meticulous examination of intriguing and beneficial characteristics for various matrices, we showcase that the security of a P-SPN scheme against invariant subspace attack depends on the degree of the minimal polynomial of the matrix. Inadequate choices of the matrices allow for large invariant subspaces that navigate any number of rounds without activating any S-boxes. A comprehensive proof for the Conjecture 1 proposed by Keller and Rosemarin is presented, which not only further improves the lower bound on the dimension of the maximal invariant subspace for the P-SPN rounds of STARKAD permutation, but also implies a lower bound on the dimension of the maximal invariant subspace for block matrices with special blocks. For a block circulant matrix with special blocks, a better annihilating polynomial exists and a lower bound on the dimension of the maximal invariant subspace can be identified. For circulant matrices and block circulant matrices with circulant blocks, we introduce methods to ascertain the range or exact value of the minimal polynomial degree. This determination advances the exploration of the invariant subspaces in these matrices. Especially if the number of S-Boxes in a P-SPN scheme is 1, we can attain the exact value of the dimension for the maximal invariant subspace. All the cases discussed here are invariant subspaces with inactive S-boxes. Our work intends to provide concise cryptanalytic methods for new proposals following P-SPN or HADES design principles. In addition, we derive a way to make sure that a circulant matrix C is resistant to invariant subspace attack with inactive S-boxes, thus providing design criteria for the construction of such matrices in the design of P-SPN schemes.

We introduce the notion of a semiplanar function of index (lambda ), generalising several previous concepts. We show how semiplanar functions can be used to construct semisymmetric designs using an incidence structure determined by the function. Issues regarding the connectivity of the structure are then considered. The question of existence is addressed by establishing monomial examples over finite fields, and we examine how composition with linearized polynomials can lead to further classes of examples. We end by returning to the incidence structure and considering maximal intersection sets when the incidence structure is constructed using a particular class of functions.

STARK is a widely used transparent proof system that uses low-degree tests for proving the correctness of a computer program. STARK consumes an intermediate representation known as AIR that is more appropriate for programs with a relatively short and structured description. However, an AIR is not able to succinctly express non-equality constraints, leading to the incorporation of unwanted polynomials. We present the eSTARK protocol, a new probabilistic proof that generalizes the STARK family through the introduction of a more generic intermediate representation called eAIR. We describe eSTARK in the polynomial IOP model, which combines the optimized version of the STARK protocol with the incorporation of three arguments into the protocol. We also explain various techniques that enhance the vanilla STARK complexity, including optimizations applied to polynomial computations, and analyze the tradeoffs between controlling the constraint degree either at the representation of the AIR or inside the eSTARK itself.