
Journal of Mathematical Cryptology: latest publications

Access structures determined by uniform polymatroids
Pub Date: 2023-01-01 | DOI: 10.1515/jmc-2022-0017 | Q4 Computer Science, Theory & Methods
Renata Kawa, Mieczyslaw Kula
Abstract: In this article, all multipartite access structures obtained from uniform integer polymatroids are investigated using the method developed by Farràs, Martí-Farré, and Padró. They are matroid ports, i.e., they satisfy the necessary condition for being ideal. Moreover, each uniform integer polymatroid defines some ideal access structures. Some objects in this family can be useful for applications of secret sharing. The method presented in this article is universal and can be continued with other classes of polymatroids in further similar studies. Here, we are especially interested in the hierarchy of participants determined by the access structure, and we distinguish two main classes: compartmented and hierarchical access structures. The main results obtained for access structures determined by uniform integer polymatroids and a monotone increasing family Δ can be summarized as follows. If the increment sequence of the polymatroid is non-constant, then the access structure is connected. If Δ does not contain any singletons, or the height of the polymatroid is maximal and its increment sequence is not constant starting from the second element, then the access structure is compartmented. If Δ is generated by a singleton, or the increment sequence of the polymatroid is constant starting from the second element, then the obtained access structures are hierarchical. They are proven to be ideal, and their hierarchical orders are completely determined. Moreover, if the increment sequence of the polymatroid is constant and |Δ| > 1, then the hierarchical order is not antisymmetric, i.e., some different blocks are equivalent. The hierarchical order of access structures obtained from uniform integer polymatroids is always flat, that is, every hierarchy chain has at most two elements.
Citations: 1
Provable security against generic attacks on stream ciphers
Pub Date: 2023-01-01 | DOI: 10.1515/jmc-2022-0033 | IF 1.2, Q4 Computer Science, Theory & Methods
Alexander Moch
Abstract: Recent lightweight hardware-based stream cipher designs keep an external non-volatile internal state that is not part of the cipher's hardware module. The purpose of these so-called small-state ciphers is to keep the hardware size and the power consumption low. We propose a random oracle model for stream ciphers. This allows us to analyse the resistance of the recent small-state stream cipher designs against generic attacks and, in particular, time-memory-data tradeoff attacks. We analyse the conventional construction underlying stream ciphers like Grain and Trivium; constructions that continuously use the external non-volatile secret key during keystream generation, like Sprout, Plantlet, Fruit, and Atom; constructions that continuously use the external non-volatile IV; and constructions that use a combination of the IV and the key, like DRACO. We show the tightness of all bounds by first presenting the time-memory-data tradeoff attacks on the respective constructions, establishing the upper bound on security, and then presenting the proof of security that establishes the lower bound. In this work, we extend the theoretical work of Hamann et al., who introduced the DRACO stream cipher at FSE 2023. We use the same random oracle model as that work and apply it to the earlier work by Hamann et al. presented at SAC 2019, which showed security for two of the four constructions we consider here. Our model is equivalent but allows for a much simpler proof of security. Furthermore, we provide a proof of security for stream ciphers that continuously use the secret key during keystream generation, giving upper and lower bounds for all four generic stream cipher constructions proposed so far.
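The upper bounds the abstract refers to come from time-memory-data (TMD) tradeoff attacks on the conventional construction, in which the keystream depends on the n-bit internal state alone. The following example is added here and is not code from the paper: it runs the classic Babbage-Golić tradeoff against a constructed 20-bit toy generator (an LFSR with a small nonlinear filter; the state size, taps and filter are illustrative assumptions, not Grain's or Trivium's). Offline, M random states are stored with their first n output bits; online, an n-bit window slides over D observed keystream bits until it collides with a table entry, and the candidate state is confirmed on further keystream. With M·D ≈ 2^n the attack succeeds, so the construction's security is capped near n/2 bits, which is exactly why the Sprout-style designs keep feeding the key into keystream generation.

```python
import random

N_BITS = 20                    # toy internal state size n; real designs use 80..288 bits
MASK = (1 << N_BITS) - 1


def filter_bit(state):
    """Nonlinear output filter over a few state bits (taps chosen for illustration)."""
    b = [(state >> i) & 1 for i in (0, 5, 8, 13, 17)]
    return b[0] ^ b[1] ^ (b[2] & b[3]) ^ b[4]


def clock(state):
    """One clock of the toy generator: output filter_bit(state), then step the LFSR.
    The feedback c[t+20] = c[t+17] ^ c[t] is the reciprocal of the primitive trinomial
    x^20 + x^3 + 1, so every nonzero state has period 2^20 - 1."""
    out = filter_bit(state)
    fb = ((state >> 19) ^ (state >> 2)) & 1
    return ((state << 1) | fb) & MASK, out


def keystream(state, nbits):
    """Keystream bits produced from `state` over nbits clocks."""
    bits = []
    for _ in range(nbits):
        state, b = clock(state)
        bits.append(b)
    return bits


def window_key(bits):
    """Pack an n-bit window into an int usable as a table key."""
    key = 0
    for b in bits:
        key = (key << 1) | b
    return key


def build_table(num_states, rng):
    """Offline phase (memory M): random states, each filed under its first n output bits."""
    table = {}
    for _ in range(num_states):
        st = rng.randrange(1, 1 << N_BITS)
        table.setdefault(window_key(keystream(st, N_BITS)), []).append(st)
    return table


def tmd_attack(table, observed, verify_bits=64):
    """Online phase (data D): slide an n-bit window along the observed keystream, look it
    up, and confirm a candidate state on verify_bits further bits to reject false hits.
    Returns (position, recovered_state) for the first confirmed hit, else None."""
    span = N_BITS + verify_bits
    for i in range(len(observed) - span + 1):
        for cand in table.get(window_key(observed[i:i + N_BITS]), ()):
            if keystream(cand, span) == observed[i:i + span]:
                return i, cand
    return None


def run_demo(seed=7, log2_m=12, log2_d=12, verify_bits=64):
    """Babbage-Golic tradeoff with M = D = 2^12: M*D = 16 * 2^n, so a collision between
    the table and the D observed windows is practically certain (with M = D = 2^(n/2)
    it would succeed about 63% of the time). Returns (observed_keystream, hit)."""
    rng = random.Random(seed)                       # constructed, deterministic inputs
    secret = rng.randrange(1, 1 << N_BITS)          # the victim's unknown internal state
    observed = keystream(secret, (1 << log2_d) + N_BITS + verify_bits)
    table = build_table(1 << log2_m, rng)
    return observed, tmd_attack(table, observed, verify_bits)


if __name__ == "__main__":
    observed, hit = run_demo()
    pos, state = hit
    print(f"internal state at keystream position {pos} recovered: {state:#07x}")
```

Once the state at position `pos` is known, every later keystream bit follows from it, so the remaining ciphertext is exposed; the attacker's work is about M + D ≈ 2^(n/2 + 1) generator evaluations instead of 2^n. A small-state cipher that mixes the key into every update breaks this template because the table would have to be indexed by (state, key), which is what the paper's key-using constructions and their bounds are about.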
Citations: 0
A construction of encryption protocols over some semidirect products
Pub Date: 2023-01-01 | DOI: 10.1515/jmc-2022-0018 | IF 1.2, Q4 Computer Science, Theory & Methods
Shuji Isobe, E. Koizumi
Abstract: In CANDARW '18, Isobe et al. proposed a secure encryption protocol on non-abelian groups based on the Anshel–Anshel–Goldfeld key exchange protocol. Two weak points remained in that protocol: one is that it is indistinguishable under adaptive chosen ciphertext attack (IND-CCA) only in a slightly restricted sense, which they call IND-rCCA security, and the other is that the conditions imposed on the groups and hashing schemes are too strict to make the protocol practical. In this article, we propose an IND-CCA secure protocol that resolves those problems. The key idea is to employ some specific semidirect products as platform groups, so that we can achieve exact IND-CCA security from concise conditions on the groups and hashing schemes. Our protocol does not depend on any computational assumptions on abelian subgroups.
Citations: 0
Plactic key agreement (insecure?)
Pub Date: 2023-01-01 | DOI: 10.1515/jmc-2022-0010 | IF 1.2, Q4 Computer Science, Theory & Methods
Daniel R. L. Brown
Abstract: Plactic key agreement is a new type of cryptographic key agreement that uses Knuth's multiplication of semistandard tableaux from combinatorial algebra. The security of plactic key agreement relies on the difficulty of some computational problems, particularly the division of semistandard tableaux. Tableau division can be used to find the private key from its public key or to find the shared secret from the two exchanged public keys. Monico found a fast division algorithm, which may run in time polynomial in the length of the tableaux. Monico's algorithm solved a challenge that had previously been estimated to cost 2^128 steps to break, an infeasibly large number for any foreseeable computing power on earth. Monico's algorithm solves this challenge in only a few minutes. Therefore, Monico's attack likely makes plactic key agreement insecure. If it were not for Monico's attack, plactic key agreement with 1,000-byte public keys might perhaps have provided 128-bit security, with a runtime of a millisecond. But Monico's attack breaks public keys of that size in minutes.
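Knuth's multiplication, as referenced in the abstract, is the product of the plactic monoid: the tableau obtained by Schensted row-inserting the reading word of the right factor into the left factor. The example below is added here and is not code from the paper: it implements that product and uses it in a two-sided exchange (public g; Alice sends a·g, Bob sends g·b; both derive a·g·b). The exchange shape, tableau lengths and the alphabet {1,…,4} are illustrative assumptions, since the page does not spell the protocol out, and the paper's 1,000-byte parameters are not used. Associativity of the product is what makes the two sides agree; tableau division (recovering a from g and a·g), the problem Monico's algorithm solves, is not implemented.

```python
import random


def row_insert(tableau, x):
    """Schensted row insertion of x into a semistandard tableau (list of rows, top first).
    Rows are weakly increasing; x bumps the leftmost entry strictly greater than itself
    into the next row, or is appended when no such entry exists. Returns a new tableau."""
    rows = [row[:] for row in tableau]
    r = 0
    while True:
        if r == len(rows):
            rows.append([x])
            return rows
        row = rows[r]
        for i, y in enumerate(row):
            if y > x:
                row[i], x = x, y      # bump y down to the next row
                break
        else:
            row.append(x)
            return rows
        r += 1


def reading_word(tableau):
    """Row reading word: rows from bottom to top, each read left to right."""
    return [x for row in reversed(tableau) for x in row]


def tableau_of(word):
    """Insertion tableau P(w) of a word."""
    t = []
    for x in word:
        t = row_insert(t, x)
    return t


def knuth_product(p, q):
    """Plactic product P(p) * P(q) = P(row(p) row(q)), computed by inserting the
    reading word of q into p. Associative, but not commutative."""
    t = p
    for x in reading_word(q):
        t = row_insert(t, x)
    return t


def is_semistandard(t):
    """Rows weakly increase, columns strictly increase, row lengths weakly decrease."""
    for r, row in enumerate(t):
        if any(row[i] > row[i + 1] for i in range(len(row) - 1)):
            return False
        if r > 0 and (len(row) > len(t[r - 1]) or
                      any(t[r - 1][i] >= row[i] for i in range(len(row)))):
            return False
    return True


def random_tableau(rng, length, alphabet=4):
    """Constructed input: the insertion tableau of a random word (assumed key format)."""
    return tableau_of([rng.randint(1, alphabet) for _ in range(length)])


def key_agreement(seed=1, length=12):
    """Assumed two-sided exchange (illustration only; the page does not give the protocol):
    public g; Alice's secret a, Bob's secret b; Alice sends a*g, Bob sends g*b;
    both derive a*g*b. Returns (alice_key, bob_key, msg_a, msg_b)."""
    rng = random.Random(seed)
    g = random_tableau(rng, length)
    a = random_tableau(rng, length)
    b = random_tableau(rng, length)
    msg_a = knuth_product(a, g)            # Alice -> Bob (public)
    msg_b = knuth_product(g, b)            # Bob -> Alice (public)
    alice_key = knuth_product(a, msg_b)    # a * (g * b)
    bob_key = knuth_product(msg_a, b)      # (a * g) * b
    return alice_key, bob_key, msg_a, msg_b


if __name__ == "__main__":
    alice_key, bob_key, msg_a, msg_b = key_agreement()
    print("agree:", alice_key == bob_key)
    print("shared tableau:", alice_key)
```

An eavesdropper sees g, a·g and g·b; recovering a (or b) is the tableau division problem. The attack mentioned in the abstract is about that division being fast, not about the exchange itself being wrong, which is why associativity alone gives correctness but no security.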
Citations: 1
Algebraic and quantum attacks on two digital signature schemes
Pub Date: 2023-01-01 | vol. 17 | DOI: 10.1515/jmc-2022-0023 | IF 1.2, Q4 Computer Science, Theory & Methods
V. Roman’kov, A. Ushakov, V. Shpilrain
Abstract: In this article, we analyze two digital signature schemes, proposed by Moldovyan et al., that use finite noncommutative associative algebras as underlying platforms. We prove that these schemes do not possess the claimed property of being quantum safe. We also show that in many cases these schemes are, in fact, vulnerable to "classical" algebraic cryptanalysis.
Citations: 2
Group codes over binary tetrahedral group
Pub Date: 2022-01-01 | vol. 16, pp. 310-319 | DOI: 10.1515/jmc-2022-0009 | IF 1.2, Q4 Computer Science, Theory & Methods
M. Dadhwal, Pankaj
Abstract: In this article, the group algebra K[T] of the binary tetrahedral group T over a splitting field K of T with char(K) ≠ 2, 3 is studied, and the unique idempotents corresponding to all seven characters of the binary tetrahedral group are computed. Furthermore, the minimum weights and dimensions of various group codes generated by linear and nonlinear idempotents in this group algebra are characterized in order to establish these group codes.
Citations: 0
On the algebraic immunity of multiplexer Boolean functions
Pub Date: 2022-01-01 | vol. 16, pp. 198-204 | DOI: 10.1515/jmc-2021-0027 | IF 1.2, Q4 Computer Science, Theory & Methods
P. Mishra, Shashi Kant Pandey
Abstract: A multiplexer generator is a device that accepts two or more inputs and, based on some logic, sends one of them as output. In the special case where the inputs to a multiplexer generator are 2^k bits and one of them is selected according to the value of a k-bit number, the multiplexer generator can be regarded as a Boolean function in 2^k + k variables. We call this generator a multiplexer Boolean function. Boolean functions serve as combiners and filters in cryptographic designs. The study of their cryptographic strength attracts the cryptographer because their design is extremely simple and cost-effective. The study of algebraic attacks on multiplexer generators is another major concern in judging their suitability for use in cryptographic designs. In this article, we calculate the algebraic immunity of the multiplexer Boolean function, which is not an obvious task for a Boolean function such as a multiplexer generator.
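Algebraic immunity is the smallest degree of a nonzero annihilator of f or of f + 1, because an annihilator of low degree is what an algebraic attack multiplies the keystream equations by to lower their degree. The example below is added here and is not code from the paper: it builds the multiplexer Boolean function of the abstract for a given k (variable order is an assumption: the 2^k data bits first, then the k select bits, least significant first) and computes its algebraic immunity directly by linear algebra over GF(2). For degree d, each point of supp(f) imposes one linear condition on the coefficients of a candidate g of degree at most d; an annihilator exists exactly when those conditions fall short of full column rank. For k = 1 (n = 3) and k = 2 (n = 6) the result is 2 and 3 respectively, which meets the general bound AI(f) ≤ ⌈n/2⌉; k = 3 (n = 11, 2048 inputs) runs the same code but noticeably slower.

```python
from itertools import combinations, product


def multiplexer_truth_table(k):
    """Truth table of the 2^k-to-1 multiplexer as a Boolean function in n = 2^k + k
    variables. Input tuple = (x_0, ..., x_{2^k-1}, s_0, ..., s_{k-1}); output = x_s where
    s has binary digits s_0 (least significant) ... s_{k-1}. Returns (n, {input: bit})."""
    m = 1 << k
    n = m + k
    table = {}
    for bits in product((0, 1), repeat=n):
        sel = sum(b << i for i, b in enumerate(bits[m:]))
        table[bits] = bits[sel]
    return n, table


def monomials_up_to(n, d):
    """All monomials of degree <= d in n variables, as tuples of variable indices."""
    return [c for deg in range(d + 1) for c in combinations(range(n), deg)]


def gf2_rank(rows):
    """Rank over GF(2) of rows given as int bitmasks (XOR basis keyed by leading bit)."""
    basis = {}
    for r in rows:
        while r:
            h = r.bit_length() - 1
            if h in basis:
                r ^= basis[h]
            else:
                basis[h] = r
                break
    return len(basis)


def has_annihilator(n, table, d):
    """True iff some nonzero g with deg g <= d satisfies f * g = 0, i.e. g vanishes on
    supp(f). Row for a support point x: bit j set iff monomial j evaluates to 1 at x."""
    monos = monomials_up_to(n, d)
    rows = []
    for x, fx in table.items():
        if fx:
            row = 0
            for j, mono in enumerate(monos):
                if all(x[i] for i in mono):
                    row |= 1 << j
            rows.append(row)
    return gf2_rank(rows) < len(monos)


def algebraic_immunity(n, table):
    """AI(f) = min degree of a nonzero annihilator of f or of f + 1."""
    complement = {x: fx ^ 1 for x, fx in table.items()}
    for d in range(n + 1):
        if has_annihilator(n, table, d) or has_annihilator(n, complement, d):
            return d
    raise AssertionError("unreachable: degree n always admits an annihilator")


def multiplexer_ai(k):
    """(n, AI) for the multiplexer Boolean function in n = 2^k + k variables."""
    n, table = multiplexer_truth_table(k)
    return n, algebraic_immunity(n, table)


if __name__ == "__main__":
    for k in (1, 2):
        n, ai = multiplexer_ai(k)
        print(f"k={k}: n={n} variables, algebraic immunity {ai} (bound {(n + 1) // 2})")
```

The same `algebraic_immunity` routine works for any truth table, so it doubles as a check on a filter function before it is used in a design of the kind the abstract discusses; exhaustive truth tables limit it to small n, which is also why the paper derives the value analytically rather than by computation.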
Citations: 0
Abelian sharing, common informations, and linear rank inequalities
Pub Date: 2022-01-01 | vol. 16, pp. 233-250 | DOI: 10.1515/jmc-2022-0020 | IF 1.2, Q4 Computer Science, Theory & Methods
Carolina Mejía, J. Montoya
Abstract: Dougherty et al. introduced the common information (CI) method as a method to produce non-Shannon inequalities satisfied by linear random variables, which are called linear rank inequalities. This method is based on the fact that linear random variables have CI. Dougherty et al. asked whether this method is complete, in the sense that it can be used to produce all linear rank inequalities. We study this question, and we attack it using the theory of secret sharing schemes. To this end, we introduce the notions of Abelian secret sharing scheme and Abelian capacity. We prove that if there exists an access structure whose Abelian capacity is smaller than its linear capacity, then the CI method is not complete. We investigate the existence of such an access structure.
Citations: 0
An efficient post-quantum KEM from CSIDH
Pub Date: 2022-01-01 | vol. 16, pp. 103-113 | DOI: 10.1515/jmc-2022-0007 | IF 1.2, Q4 Computer Science, Theory & Methods
Mingping Qi
Abstract: SIDH and CSIDH are now the two most well-known post-quantum key exchange protocols from supersingular isogeny-based cryptography; they have attracted much attention in recent years and serve as building blocks of other supersingular isogeny-based cryptographic schemes. The famous SIKE is a post-quantum key encapsulation mechanism (KEM) constructed on SIDH. Motivated by this, this article presents a new post-quantum KEM based on CSIDH, which is thereby named CSIKE. The presented CSIKE has much higher computational efficiency in the decapsulation part, obtained by including an additional tag in the encapsulation output. The new CSIKE is formally proved to be IND-CCA secure under the standard isogeny-based quantum-resistant security assumption. Moreover, comparing the new CSIKE with the only two existing CSIDH-based KEM schemes, CSIDH-PSEC-KEM and CSIDH-ECIES-KEM, one easily finds that the new CSIKE has a slightly longer encapsulation size than both, but (i) it beats CSIDH-PSEC-KEM by an improvement of approximately 50% in decapsulation speed, and (ii) it has a certain advantage over CSIDH-ECIES-KEM in security, since in the random oracle model the security proof for CSIDH-ECIES-KEM needs to rely on the stronger CSI-GDH assumption, while the new CSIKE only needs the basic CSI-CDH assumption.
Citations: 3
Cryptanalysis of "MAKE"
Pub Date: 2022-01-01 | vol. 16, pp. 98-102 | DOI: 10.1515/jmc-2021-0016 | IF 1.2, Q4 Computer Science, Theory & Methods
Daniel R. L. Brown, N. Koblitz, Jason Legrow
Abstract: Rahman and Shpilrain proposed a Diffie–Hellman style key exchange based on a semidirect product of n × n matrices over a finite field. We show that, using public information, an adversary can recover the agreed-upon secret key by solving a system of n² linear equations.
Citations: 10