Title: Post-Quantum Signatures in DNSSEC via Request-Based Fragmentation
Authors: Jason R. Goertzen, D. Stebila
Pub Date: 2022-11-25 | DOI: 10.48550/arXiv.2211.14196
Journal: Post-Quantum Cryptography
Abstract: The Domain Name System Security Extensions (DNSSEC) provide authentication of DNS responses using digital signatures. DNS operates primarily over UDP, which leads to several constraints: notably, packets should be at most 1232 bytes long to avoid problems during transmission. Larger DNS responses either need to be fragmented into several UDP responses or the request would need to be repeated over TCP, neither of which is sufficiently reliable in today's DNS ecosystem. While RSA or elliptic curve digital signatures are sufficiently small to avoid this problem, even for DNSSEC packets containing both a public key and a signature, this problem is unavoidable when considering the larger sizes of post-quantum schemes. We propose ARRF, a method of fragmenting DNS resource records at the application layer (rather than the transport layer) that is request-based, meaning the initial response contains a truncated fragment and then the requester sends follow-up requests for the remaining fragments. Using request-based fragmentation avoids problems identified for several previously proposed (and rejected) application-level DNS fragmentation techniques. We implement our approach and evaluate its performance in a simulated network when used for the three post-quantum digital signature schemes selected by NIST for standardization (Falcon, Dilithium, and SPHINCS+) at the 128-bit security level. Our experiments show that our request-based fragmentation approach provides substantially lower resolution times compared to standard DNS over UDP with TCP fallback, for all the tested post-quantum algorithms, and with less data transmitted in the case of both Falcon and Dilithium. Furthermore, our request-based fragmentation design can be implemented relatively easily: our implementation is in fact a small daemon that can sit in front of a DNS name server or resolver to fragment/reassemble transparently.

Title: Improvement of algebraic attacks for solving superdetermined MinRank instances
Authors: M. Bardet, Manon Bertin
Pub Date: 2022-08-02 | DOI: 10.48550/arXiv.2208.01442
Journal: Post-Quantum Cryptography
Abstract: The MinRank (MR) problem is a computational problem that arises in many cryptographic applications. In Verbel et al. [24], the authors introduced a new way to solve superdetermined instances of the MinRank problem, starting from the bilinear Kipnis-Shamir (KS) modeling. They use linear algebra on specific Macaulay matrices, considering only multiples of the initial equations by one block of variables, the so-called “kernel” variables. Later, Bardet et al. [7] introduced a new Support Minors modeling (SM), which considers the Plücker coordinates associated to the kernel variables, i.e. the maximal minors of the kernel matrix in the KS modeling. In this paper, we give a complete algebraic explanation of the link between the (KS) and (SM) modelings (for any instance). We then show that superdetermined MinRank instances can be seen as easy instances of the SM modeling. In particular, we show that performing computation at the smallest possible degree (the “first degree fall”) and the smallest possible number of variables is not always the best strategy. We give complexity estimates of the attack for generic random instances. We apply those results to the DAGS cryptosystem, which was submitted to the first round of the NIST standardization process. We show that the algebraic attack from Barelli and Couvreur [8], improved in Bardet et al. [5], is a particular superdetermined MinRank instance. Here, the instances are not generic, but we show that it is possible to analyse the particular instances from DAGS and provide a way to select the optimal parameters (number of shortened positions) to solve a particular instance.

Title: Time and Query Complexity Tradeoffs for the Dihedral Coset Problem
Authors: Maxime Remaud, A. Schrottenloher, J. Tillich
Pub Date: 2022-06-29 | DOI: 10.1007/978-3-031-40003-2_19
Journal: Post-Quantum Cryptography

Title: LRPC codes with multiple syndromes: near ideal-size KEMs without ideals
Authors: C. A. Melchor, Nicolas Aragon, Victor Dyseryn, P. Gaborit, Gilles Zémor
Pub Date: 2022-06-23 | DOI: 10.48550/arXiv.2206.11961
Journal: Post-Quantum Cryptography
Abstract: We introduce a new rank-based key encapsulation mechanism (KEM) with public key and ciphertext sizes of around 3.5 Kbytes each, for 128 bits of security, without using ideal structures. Such structures allow objects to be compressed, but give reductions to specific problems whose security is potentially weaker than for unstructured problems. To the best of our knowledge, our scheme improves in size on all the existing unstructured post-quantum lattice or code-based algorithms such as FrodoKEM or Classic McEliece. Our technique, whose efficiency relies on properties of the rank metric, is to build upon existing Low Rank Parity Check (LRPC) code-based KEMs and to send multiple syndromes in one ciphertext, allowing the parameters to be reduced while still obtaining an acceptable decoding failure rate. Our system relies on the hardness of the Rank Support Learning problem, a well-known variant of the Rank Syndrome Decoding problem. The gain on parameters is enough to significantly close the gap between ideal and non-ideal constructions. It enables choosing an error weight close to the rank Gilbert-Varshamov bound, which is a relatively harder zone for algebraic attacks. We also give a version of our KEM that keeps an ideal structure and permits roughly halving the bandwidth compared to previous versions of LRPC KEMs submitted to NIST, with a Decoding Failure Rate (DFR) of $2^{-128}$.

Title: Interleaved Prange: A New Generic Decoder for Interleaved Codes
Authors: Anmoal Porwal, Lukas Holzbaur, Hedongliang Liu, Julian Renner, A. Wachter-Zeh, Violetta Weger
Pub Date: 2022-05-27 | DOI: 10.48550/arXiv.2205.14068
Journal: Post-Quantum Cryptography
Abstract: Due to the recent challenges in post-quantum cryptography, several new approaches for code-based cryptography have been proposed. For example, a variant of the McEliece cryptosystem based on interleaved codes was proposed. In order to deem such new settings secure, we first need to understand and analyze the complexity of the underlying problem, in this case the problem of decoding a random interleaved code. A simple approach to decoding such codes would be to randomly choose a vector in the row span of the received matrix and run a classical information set decoding algorithm on this erroneous codeword. In this paper, we propose a new generic decoder for interleaved codes, which is an adaptation of the classical idea of information set decoding by Prange and perfectly fits the interleaved setting. We then analyze the cost of the new algorithm, and a comparison to the simple approach described above shows the superiority of Interleaved Prange.

Title: Generating Cryptographically-Strong Random Lattice Bases and Recognizing Rotations of $\mathbb{Z}^n$
Authors: Tamar Lichter Blanks, S. Miller
Pub Date: 2021-02-12 | DOI: 10.1007/978-3-030-81293-5_17
Journal: Post-Quantum Cryptography

Title: A Rank Attack Against Extension Field Cancellation
Authors: Daniel Smith-Tone, Javier A. Verbel
Pub Date: 2020-04-15 | DOI: 10.1007/978-3-030-44223-1_21
Journal: Post-Quantum Cryptography

Title: Generalization of Isomorphism of Polynomials with Two Secrets and Its Application to Public Key Encryption
Authors: Bagus Santoso
Pub Date: 2020-04-15 | DOI: 10.1007/978-3-030-44223-1_19
Journal: Post-Quantum Cryptography

Title: On Quantum Distinguishers for Type-3 Generalized Feistel Network Based on Separability
Authors: S. Hodžić, L. Knudsen, Andreas B. Kidmose
Pub Date: 2020-04-15 | DOI: 10.1007/978-3-030-44223-1_25
Journal: Post-Quantum Cryptography