Jiao Han, Jincheng Zhuang. "DLP in semigroups: Algorithms and lower bounds". Journal of Mathematical Cryptology 16(1), pp. 278-288, published 2022-01-01. DOI: 10.1515/jmc-2021-0049
Abstract The discrete logarithm problem (DLP) in semigroups has attracted some interest and serves as the foundation of many cryptographic schemes. In this work, we study algorithms and lower bounds for the DLP in semigroups. First, we propose a variant of the deterministic algorithm for solving the cycle length of torsion elements and show the lower bound of computing the DLP in a semigroup. Then, we propose an algorithm for solving the multiple discrete logarithm (MDL) problem in the semigroup and give the lower bound for solving the MDL problem by considering the MDL problem in the generic semigroup model. Besides, we solve the multidimensional DLP and product DLP in the semigroup.

Bishwajit Chakraborty, M. Nandi. "The mF mode of authenticated encryption with associated data". Journal of Mathematical Cryptology 16(1), pp. 73-97, published 2022-01-01. DOI: 10.1515/jmc-2020-0054
Abstract In recent years, the demand for lightweight cryptographic protocols has grown immensely. To fulfill this necessity, the National Institute of Standards and Technology (NIST) has initiated a standardization process for lightweight cryptographic encryption. NIST's call for proposals demands that the scheme should have one primary member that has a key length of 128 bits, and it should be secure up to $2^{50}-1$ byte queries and $2^{112}$ computations. In this article, we propose a tweakable block cipher (TBC)-based authenticated encryption with associated data (AEAD) scheme, which we call $\mathsf{mF}$. We provide authenticated encryption security analysis for $\mathsf{mF}$ under some weaker security assumptions (stated in the article) on the underlying TBC. We instantiate a TBC using a block cipher and show that the TBC achieves these weaker securities, provided the key update function has high periodicity. $\mathsf{mixFeed}$ is a round 2 candidate in the aforementioned lightweight cryptographic standardization competition. When we replace the key update function with the key scheduling function of the Advanced Encryption Standard (AES), the $\mathsf{mF}$ mode reduces to $\mathsf{mixFeed}$. Recently, the low periodicity of the AES key schedule has been shown. Exploiting this feature, a practical attack on $\mathsf{mixFeed}$ has been reported. We have shown that multiplication by a primitive element satisfies the high periodicity property, and we have a secure instantiation of $\mathsf{mF}$, a secure variant of $\mathsf{mixFeed}$.

M. Anokhin. "Pseudo-free families and cryptographic primitives". Journal of Mathematical Cryptology 16(1), pp. 114-140, published 2022-01-01. DOI: 10.1515/jmc-2020-0055
Abstract In this article, we study the connections between pseudo-free families of computational $\Omega$-algebras (in appropriate varieties of $\Omega$-algebras for suitable finite sets $\Omega$ of finitary operation symbols) and certain standard cryptographic primitives. We restrict ourselves to families $(H_d \mid d \in D)$ of computational $\Omega$-algebras (where $D \subseteq \{0,1\}^{*}$) such that for every $d \in D$, each element of $H_d$ is represented by a unique bit string of length polynomial in the length of $d$. Very loosely speaking, our main results are as follows: (i) pseudo-free families of computational mono-unary algebras with one-to-one fundamental operation (in the variety of all mono-unary algebras) exist if and only if one-way families of permutations exist; (ii) for any $m \ge 2$, pseudo-free families of computational $m$-unary algebras with one-to-one fundamental operations (in the variety of all $m$-unary algebras) exist if and only if claw-resistant families of $m$-tuples of permutations exist; (iii) for a certain $\Omega$ and a certain variety $\mathfrak{V}$ of $\Omega$-algebras, the existence of pseudo-free families of computational $\Omega$-algebras in $\mathfrak{V}$ implies the existence of families of trapdoor permutations.

Samed Düzlü, Julian Krämer. "Application of automorphic forms to lattice problems". Journal of Mathematical Cryptology 16(1), pp. 156-197, published 2022-01-01. DOI: 10.1515/jmc-2021-0045
Abstract In this article, we propose a new approach to the study of lattice problems used in cryptography. We specifically focus on module lattices of a fixed rank over some number field. An essential question is the hardness of certain computational problems on such module lattices, as the additional structure may allow exploitation. The fundamental insight is the fact that the collection of those lattices is given by quotients of algebraic manifolds by arithmetic subgroups. Functions in these spaces are studied in mathematics as part of number theory. In particular, these form a module over the Hecke algebra associated with the general linear group. We use results on these function spaces to define a class of distributions on the space of lattices. Using the Hecke algebra, we define Hecke operators associated with collections of prime ideals of the number field and show a criterion for distributions to converge to the uniform distribution if the Hecke operators are applied to the chosen distribution. Our approach is motivated by the work of de Boer, Ducas, Pellet-Mary, and Wesolowski (CRYPTO'20) on self-reduction of ideal lattices via Arakelov divisors.

S. Vivek, Shyam Murthy, D. Kumaraswamy. "Integer polynomial recovery from outputs and its application to cryptanalysis of a protocol for secure sorting". Journal of Mathematical Cryptology 16(1), pp. 251-277, published 2022-01-01. DOI: 10.1515/jmc-2021-0054
Abstract We investigate the problem of recovering integer inputs (up to an affine scaling) when given only the integer monotonic polynomial outputs. Given $n$ integer outputs of a degree-$d$ integer monotonic polynomial whose coefficients and inputs are integers within known bounds and $n \gg d$, we give an algorithm to recover the polynomial and the integer inputs (up to an affine scaling). A heuristic expected time complexity analysis of our method shows that it is exponential in the size of the degree of the polynomial but polynomial in the size of the polynomial coefficients. We conduct experiments with real-world data as well as randomly chosen parameters and demonstrate the effectiveness of our algorithm over a wide range of parameters. Using only the polynomial evaluations at specific integer points, the apparent hardness of recovering the input data served as the basis of security of a recent protocol proposed by Kesarwani et al. for secure $k$-nearest neighbor computation on encrypted data that involved secure sorting. The protocol uses the outputs of a randomly chosen monotonic integer polynomial to hide its inputs, revealing only the ordering of the input data. By using our integer polynomial recovery algorithm, we show that we can recover the polynomial and the inputs within a few seconds, thereby demonstrating an attack on the protocol of Kesarwani et al.

J. Sharafi, H. Daghigh. "A Ring-LWE-based digital signature inspired by Lindner–Peikert scheme". Journal of Mathematical Cryptology 16(1), pp. 205-214, published 2022-01-01. DOI: 10.1515/jmc-2021-0013
Abstract In this article, we give a digital signature by using the Lindner–Peikert cryptosystem. The security of this digital signature is based on assumptions about the hardness of the Ring-LWE and Ring-SIS problems, along with providing a public key and signature of compact size (1–1.5 kilobytes). We prove the security of our signature scheme in the Quantum Random Oracle Model. Our cryptanalysis has been done based on the methods of Aggarwal et al. and Chen et al.

Jean Belo Klamti, M. Hasan. "A code-based hybrid signcryption scheme". Journal of Mathematical Cryptology 17(1), published 2021-12-14. DOI: 10.36227/techrxiv.17283899.v1
Abstract A key encapsulation mechanism ($\mathsf{KEM}$) that takes as input an arbitrary string, i.e., a tag, is known as tag-$\mathsf{KEM}$, while a scheme that combines signature and encryption is called signcryption. In this article, we present a code-based signcryption tag-$\mathsf{KEM}$ scheme. We utilize a code-based signature and an $\mathsf{IND}\text{-}\mathsf{CCA2}$ (adaptive chosen ciphertext attack) secure version of McEliece's encryption scheme. The proposed scheme uses an equivalent subcode as a public code for the receiver, making the NP-completeness of the subcode equivalence problem one of our main security assumptions. We then use the signcryption tag-$\mathsf{KEM}$ as the basis to design a code-based hybrid signcryption scheme. A hybrid scheme deploys asymmetric- as well as symmetric-key encryption. We give security analyses of both our schemes in the standard model and prove that they are secure against $\mathsf{IND}\text{-}\mathsf{CCA2}$ (indistinguishability under adaptive chosen ciphertext attack) and $\mathsf{SUF}\text{-}\mathsf{CMA}$ (strong existential unforgeability under chosen message attack).

Christopher Battarbee, Delaram Kahrobaei, Dylan Tailor, S. F. Shahandashti. "On the efficiency of a general attack against the MOBS cryptosystem". Journal of Mathematical Cryptology 16(1), pp. 289-297, published 2021-11-10. DOI: 10.1515/jmc-2021-0050
Abstract All instances of the semidirect key exchange protocol, a generalisation of the famous Diffie-Hellman key exchange protocol, satisfy the so-called telescoping equality; in some cases, this equality has been used to construct an attack. In this report, we present computational evidence suggesting that an instance of the scheme called "MOBS (matrices over bitstrings)" is an example of a scheme where the telescoping equality has too many solutions to be a practically viable means to conduct an attack.

Yu Zhou, Jianyong Hu, Xudong Miao, Yu Han, Fuzhong Zhang. "On the confusion coefficient of Boolean functions". Journal of Mathematical Cryptology 16(1), pp. 1-13, published 2021-08-05. DOI: 10.1515/jmc-2021-0012
Abstract The notion of the confusion coefficient is a property that attempts to characterize the confusion property of cryptographic algorithms against differential power analysis. In this article, we establish a relationship between the confusion coefficient and the autocorrelation function for any Boolean function and give a tight upper bound and a tight lower bound on the confusion coefficient for any (balanced) Boolean function. We also deduce some deep relationships between the sum-of-squares of the confusion coefficient and other cryptographic indicators (the sum-of-squares indicator, Hamming weight, algebraic immunity and correlation immunity), respectively. Moreover, we obtain some trade-offs among the sum-of-squares of the confusion coefficient, the signal-to-noise ratio and the redefined transparency order for a Boolean function.

Simran Tinani, J. Rosenthal. "A deterministic algorithm for the discrete logarithm problem in a semigroup". Journal of Mathematical Cryptology 16(1), pp. 141-155, published 2021-01-27. DOI: 10.1515/jmc-2021-0022
Abstract The discrete logarithm problem (DLP) in a finite group is the basis for many protocols in cryptography. The best general algorithms which solve this problem have a time complexity of $O(\sqrt{N}\log N)$ and a space complexity of $O(\sqrt{N})$, where $N$ is the order of the group. (If $N$ is unknown, a simple modification would achieve a time complexity of $O(\sqrt{N}(\log N)^{2})$.) These algorithms require the inversion of some group elements or rely on finding collisions and the existence of inverses, and thus do not adapt to work in the general semigroup setting. For semigroups, probabilistic algorithms with similar time complexity have been proposed. The main result of this article is a deterministic algorithm for solving the DLP in a semigroup. Specifically, let $x$ be an element in a semigroup having finite order $N_x$. The article provides an algorithm which, given any element $y \in \langle x \rangle$, provides all natural numbers $m$ with $x^{m}=y$, and has time complexity $O(\sqrt{N_x}(\log N_x)^{2})$ steps. The article also gives an analysis of the success rates of the existing probabilistic algorithms, which were so far only conjectured or stated loosely.