
Journal of Mathematical Cryptology: latest publications

Isogenies on twisted Hessian curves
IF 0.5, Q4 (Computer Science, Theory & Methods). Published 2021-01-01. DOI: 10.1515/jmc-2020-0037
Fouazou Lontouo Perez, Thinh Dang, Emmanuel Fouotsa, Dustin Moody

Elliptic curves are typically defined by Weierstrass equations. Given a kernel, the well-known Vélu's formula shows how to explicitly write down an isogeny between Weierstrass curves. However, it is not clear how to do the same on other forms of elliptic curves without isomorphisms mapping to and from the Weierstrass form. Previous papers have shown some isogeny formulas for (twisted) Edwards, Huff, and Montgomery forms of elliptic curves. Continuing this line of work, this paper derives explicit formulas for isogenies between elliptic curves in (twisted) Hessian form. In addition, we examine the numbers of operations in the base field to compute the formulas. In comparison with other isogeny formulas, we note that our formulas for twisted Hessian curves have the lowest costs for processing the kernel and our X-affine formula has the lowest cost for processing an input point in affine coordinates.

Journal of Mathematical Cryptology, vol. 15, no. 1 (2021). Open-access PDF: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC8314185/pdf/nihms-1714399.pdf
Citations: 0
Revocable attribute-based proxy re-encryption
IF 1.2, Q4 (Computer Science, Theory & Methods). Published 2021-01-01. DOI: 10.1515/jmc-2020-0039
Fucai Luo, S. Al-Kuwari
Attribute-based proxy re-encryption (ABPRE), which combines the notions of proxy re-encryption (PRE) and attribute-based encryption (ABE), allows a semi-trusted proxy holding a re-encryption key to transform a ciphertext under a particular access policy into a ciphertext under another access policy, without revealing any information about the underlying plaintext. This primitive is very useful in applications where encrypted data need to be stored in untrusted environments, such as cloud storage. In many practical applications, and in order to address scenarios where users misbehave or re-encryption keys are compromised, an efficient revocation mechanism is necessary for ABPRE. Previously, revocation mechanisms were considered in the settings of identity-based encryption (IBE), ABE, predicate encryption (PE), and broadcast PRE, but not ABPRE, which is what we set out to do in this paper. We first formalize the concept of revocable ABPRE and its security model. Then, we propose a lattice-based instantiation of revocable ABPRE. Our scheme not only supports an efficient revocation mechanism but also supports polynomial-depth policy circuits and has short private keys, where the size of the keys depends only on the depth of the supported policy circuits. In addition, we prove that our scheme is selectively chosen-plaintext attack (CPA) secure in the standard model, based on the learning with errors assumption.
Journal of Mathematical Cryptology, vol. 15, no. 1 (2021), pp. 465-482
Citations: 4
Sensitivities and block sensitivities of elementary symmetric Boolean functions
IF 1.2, Q4 (Computer Science, Theory & Methods). Published 2021-01-01. DOI: 10.1515/jmc-2020-0042
Jing Zhang, Yuan Li, J. Adeyeye
Boolean functions have important applications in molecular regulatory networks, engineering, cryptography, information technology, and computer science. Symmetric Boolean functions have received a lot of attention over several decades. Sensitivity and block sensitivity are important complexity measures of Boolean functions. In this paper, we study the sensitivity of elementary symmetric Boolean functions and obtain many explicit formulas. We also obtain a formula for the block sensitivity of symmetric Boolean functions and discuss its applications to elementary symmetric Boolean functions.
Journal of Mathematical Cryptology, vol. 15, no. 1 (2021), pp. 434-453
Citations: 2
Quantum algorithms for computing general discrete logarithms and orders with tradeoffs
IF 1.2, Q4 (Computer Science, Theory & Methods). Published 2021-01-01. DOI: 10.1515/jmc-2020-0006
Martin Ekerå
We generalize our earlier works on computing short discrete logarithms with tradeoffs, and bridge them with Seifert's work on computing orders with tradeoffs, and with Shor's groundbreaking works on computing orders and general discrete logarithms. In particular, we enable tradeoffs when computing general discrete logarithms. Compared to Shor's algorithm, this yields a reduction by up to a factor of two in the number of group operations evaluated quantumly in each run, at the expense of having to perform multiple runs. Unlike Shor's algorithm, our algorithm does not require the group order to be known. It simultaneously computes both the order and the logarithm. We analyze the probability distributions induced by our algorithm, and by Shor's and Seifert's order-finding algorithms, describe how these algorithms may be simulated when the solution is known, and estimate the number of runs required for a given minimum success probability when making different tradeoffs.
Journal of Mathematical Cryptology, vol. 15, no. 1 (2021), pp. 359-407
Citations: 17
A note on secure multiparty computation via higher residue symbols
IF 1.2, Q4 (Computer Science, Theory & Methods). Published 2021-01-01. DOI: 10.1515/jmc-2020-0013
Ignacio Cascudo, R. Schnyder
We generalize a protocol by Yu for comparing two integers with a relatively small difference in a secure multiparty computation setting. Yu's protocol is based on the Legendre symbol. A prime number p is found for which the Legendre symbol (· | p) agrees with the sign function for integers in a certain range {−N, …, N} ⊂ ℤ. This can then be computed efficiently. We generalize this idea to higher residue symbols in cyclotomic rings ℤ[ζ_r] for r a small odd prime. We present a way to determine a prime number p such that the r-th residue symbol (· | p)_r agrees with a desired function f : A → {ζ_r^0, …, ζ_r^{r−1}} on a given small subset A ⊂ ℤ[ζ_r], when this is possible. We also explain how to efficiently compute the r-th residue symbol in a secret-shared setting.
Journal of Mathematical Cryptology, vol. 15, no. 1 (2021), pp. 284-297
Citations: 0
Using Inclusion / Exclusion to find Bent and Balanced Monomial Rotation Symmetric Functions
IF 1.2, Q4 (Computer Science, Theory & Methods). Published 2021-01-01. DOI: 10.1515/jmc-2020-0021
Elizabeth M. Reid
There are many cryptographic applications of Boolean functions. Recently, research has been done on monomial rotation symmetric (MRS) functions, which have useful cryptographic properties. In this paper we use the inclusion/exclusion principle to construct formulas for the weights of two subclasses of MRS functions: degree d short MRS functions and d-functions. From these results we classify bent and balanced functions of these forms.
Journal of Mathematical Cryptology, vol. 15, no. 1 (2021), pp. 298-304
Citations: 1
The Oribatida v1.3 Family of Lightweight Authenticated Encryption Schemes
IF 1.2, Q4 (Computer Science, Theory & Methods). Published 2021-01-01. DOI: 10.1515/jmc-2020-0018
Arghya Bhattacharjee, C. M. López, Eik List, M. Nandi
Permutation-based modes have been established for lightweight authenticated encryption, as can be seen from the high interest in the ongoing NIST lightweight competition. However, their security is upper bounded by O(σ²/2^c) bits, where σ is the number of calls and c is the hidden capacity of the state. The development of more schemes that provide higher security bounds led to the CHES'18 proposal Beetle, which raised the bound to O(rσ/2^c), where r is the public rate of the state. While authenticated encryption can be performed in an on-line manner, authenticated decryption assumes that the resulting plaintext is buffered and never released if the corresponding tag is incorrect. Since lightweight devices may lack the resources for buffering, additional robustness guarantees, such as integrity under release of unverified plaintexts (Int-RUP), are desirable. In this stronger setting, the security of the established schemes, including Beetle, is limited by O(q_p q_d/2^c), where q_d is the maximal number of decryption queries and q_p that of off-line primitive queries, which motivates novel approaches. This work proposes Oribatida, a permutation-based AE scheme that derives s-bit masks from previous permutation outputs to mask ciphertext blocks. Oribatida can provide a security bound of O(rσ/2^{c+s}), which allows smaller permutations for the same level of security. It provides a security level dominated by O(σ_d²/2^c) under Int-RUP adversaries, which eliminates the dependency on primitive queries. We prove its security under nonce-respecting and Int-RUP adversaries. We show that our Int-RUP bound is tight and show general attacks on previous constructions.
Journal of Mathematical Cryptology, vol. 15, no. 1 (2021), pp. 305-344
Citations: 6
Reproducible families of codes and cryptographic applications
IF 1.2, Q4 (Computer Science, Theory & Methods). Published 2021-01-01. DOI: 10.1515/jmc-2020-0003
P. Santini, Edoardo Persichetti, M. Baldi
Structured linear block codes such as cyclic, quasi-cyclic and quasi-dyadic codes have gained an increasing role in recent years, both in the context of error control and in that of code-based cryptography. Some well-known families of structured linear block codes have been separately and intensively studied, without searching for possible bridges between them. In this article, we start from well-known examples of this type and generalize them into a wider class of codes that we call ℱ-reproducible codes. Some families of ℱ-reproducible codes have the property that they can be entirely generated from a small number of signature vectors, and consequently admit matrices that can be described in a very compact way. We denote these codes as compactly reproducible codes and show that they encompass known families of compactly describable codes such as quasi-cyclic and quasi-dyadic codes. We then consider some cryptographic applications of codes of this type and show that their use can be advantageous for hindering some current attacks against cryptosystems relying on structured codes. This suggests that the general framework we introduce may enable future developments of code-based cryptography.
Journal of Mathematical Cryptology, vol. 16, no. 1 (2021), pp. 20-48
Citations: 5
Stochastic methods defeat regular RSA exponentiation algorithms with combined blinding methods
IF 1.2, Q4 (Computer Science, Theory & Methods). Published 2021-01-01. DOI: 10.1515/jmc-2020-0010
Margaux Dugardin, W. Schindler, S. Guilley
Extra-reductions occurring in Montgomery multiplications disclose side-channel information which can be exploited even in stringent contexts. In this article, we derive stochastic attacks to defeat Rivest-Shamir-Adleman (RSA) with Montgomery ladder regular exponentiation coupled with base blinding. Namely, we leverage precharacterized multivariate probability mass functions of extra-reductions between pairs of (multiplication, square) in one iteration of the RSA algorithm and that of the next one(s) to build a maximum likelihood distinguisher. The efficiency of our attack (in terms of required traces) is more than double that of the state of the art. In addition to this result, we also apply our method to the case of regular exponentiation, base blinding, and modulus blinding. Quite surprisingly, modulus blinding does not make our attack impossible, even for large sizes of the modulus randomizing element. At the cost of larger sample sizes, our attacks tolerate noisy measurements. Fortunately, effective countermeasures exist.
Journal of Mathematical Cryptology, vol. 15, no. 1 (2021), pp. 408-433
Citations: 1
Improved cryptanalysis of a ElGamal Cryptosystem Based on Matrices Over Group Rings
IF 1.2, Q4 (Computer Science, Theory & Methods). Published 2020-12-20. DOI: 10.1515/jmc-2019-0054
A. Pandey, Indivar Gupta, D. Singh
The ElGamal cryptosystem has emerged as one of the most important constructions in Public Key Cryptography (PKC) since the Diffie-Hellman key exchange protocol was proposed. However, public key schemes which are based on number-theoretic problems such as the discrete logarithm problem (DLP) are at risk because of the evolution of quantum computers. As a result, other non-number-theoretic alternatives are a dire need of the entire cryptographic community. In 2016, Saba Inam and Rashid Ali proposed an ElGamal-like cryptosystem based on matrices over group rings in 'Neural Computing & Applications'. Using a linear algebra approach, Jia et al. provided a cryptanalysis of the cryptosystem in 2019 and claimed that their attack could recover all the equivalent keys. However, this is not the case; we have improved their cryptanalysis approach and derived all equivalent key pairs that can be used to totally break the ElGamal-like cryptosystem proposed by Saba and Rashid. Using the decomposition of matrices over group rings into larger matrices over rings, we have made the cryptanalysing algorithm more practical and efficient. We have also proved that the ElGamal cryptosystem proposed by Saba and Rashid does not achieve IND-CPA or IND-CCA security.
Citations: 3