Journal of Mathematical Cryptology: latest articles

A trade-off between classical and quantum circuit size for an attack against CSIDH
IF 1.2 Q4 COMPUTER SCIENCE, THEORY & METHODS Pub Date : 2020-11-17 DOI: 10.1515/JMC-2020-0070
Jean-François Biasse, X. Bonnetain, Benjamin Pring, A. Schrottenloher, William Youmans
Abstract We propose a heuristic algorithm to solve the underlying hard problem of the CSIDH cryptosystem (and other isogeny-based cryptosystems using elliptic curves with endomorphism ring isomorphic to an imaginary quadratic order $\mathcal{O}$). Let $\Delta = \mathrm{Disc}(\mathcal{O})$ (in CSIDH, $\Delta = -4p$ for $p$ the security parameter). Let $0 < \alpha < 1/2$; our algorithm requires: a classical circuit of size $2^{\tilde{O}\left(\log(|\Delta|)^{1-\alpha}\right)}$; a quantum circuit of size $2^{\tilde{O}\left(\log(|\Delta|)^{\alpha}\right)}$; polynomial classical and quantum memory. Essentially, we propose to reduce the size of the quantum circuit below the state-of-the-art complexity $2^{\tilde{O}\left(\log(|\Delta|)^{1/2}\right)}$ at the cost of increasing the classical circuit size required. The required classical circuit remains subexponential, which is a superpolynomial improvement over the classical state-of-the-art exponential solutions to these problems. Our method requires polynomial memory, both classical and quantum.
Citations: 8
The Eleventh Power Residue Symbol
IF 1.2 Q4 COMPUTER SCIENCE, THEORY & METHODS Pub Date : 2020-11-17 DOI: 10.1515/jmc-2020-0077
M. Joye, Oleksandra Lapiha, Ky Nguyen, D. Naccache
Abstract This paper presents an efficient algorithm for computing 11th-power residue symbols in the cyclotomic field $\mathbb{Q}(\zeta_{11})$, where $\zeta_{11}$ is a primitive 11th root of unity. It extends an earlier algorithm due to Caranay and Scheidler (Int. J. Number Theory, 2010) for the 7th-power residue symbol. The new algorithm finds applications in the implementation of certain cryptographic schemes.
Citations: 9
Towards Isogeny-Based Password-Authenticated Key Establishment
IF 1.2 Q4 COMPUTER SCIENCE, THEORY & METHODS Pub Date : 2020-11-17 DOI: 10.1515/jmc-2020-0071
Oleg Taraskin, Vladimir Soukharev, David Jao, Jason Legrow
Abstract Password authenticated key establishment (PAKE) is a cryptographic primitive that allows two parties who share a low-entropy secret (a password) to securely establish cryptographic keys in the absence of public key infrastructure. We propose the first quantum-resistant password-authenticated key exchange scheme based on supersingular elliptic curve isogenies. The scheme is built upon supersingular isogeny Diffie-Hellman [15], and uses the password to generate permutations which obscure the auxiliary points. We include elements of a security proof, and discuss roadblocks to obtaining a proof in the BPR model [1]. We also include some performance results.
Citations: 8
(In)Security of Ring-LWE Under Partial Key Exposure
IF 1.2 Q4 COMPUTER SCIENCE, THEORY & METHODS Pub Date : 2020-11-17 DOI: 10.1515/jmc-2020-0075
D. Dachman-Soled, Huijing Gong, Mukul Kulkarni, Aria Shahverdi
Abstract We initiate the study of partial key exposure in Ring-LWE (RLWE)-based cryptosystems. Specifically, we (1) introduce the search and decision Leaky R-LWE assumptions (Leaky R-SLWE, Leaky R-DLWE), to formalize the hardness of search/decision RLWE under leakage of some fraction of the coordinates of the NTT transform of the RLWE secret; (2) present and implement an efficient key exposure attack that, given a certain 1/4-fraction of the coordinates of the NTT transform of the RLWE secret, along with samples from the RLWE distribution, recovers the full RLWE secret for standard parameter settings; (3) present a search-to-decision reduction for Leaky R-LWE for certain types of key exposure; and (4) propose applications to the security analysis of RLWE-based cryptosystems under partial key exposure.
Citations: 3
One Bit is All It Takes: A Devastating Timing Attack on BLISS’s Non-Constant Time Sign Flips
IF 1.2 Q4 COMPUTER SCIENCE, THEORY & METHODS Pub Date : 2020-11-17 DOI: 10.1515/jmc-2020-0079
Mehdi Tibouchi, Alexandre Wallet
Abstract As one of the most efficient lattice-based signature schemes, and one of the only ones to have seen deployment beyond an academic setting (e.g., as part of the VPN software suite strongSwan), BLISS has attracted a significant amount of attention in terms of its implementation security, and side-channel vulnerabilities of several parts of its signing algorithm have been identified in previous works. In this paper, we present an even simpler timing attack against it. The bimodal Gaussian distribution that BLISS is named after is achieved using a random sign flip during signature generation, and neither the original implementation of BLISS nor strongSwan ensure that this sign flip is carried out in constant time. It is therefore possible to recover the corresponding sign through side-channel leakage (using, e.g., cache attacks or branch tracing). We show that obtaining this single bit of leakage (for a moderate number of signatures) is in fact sufficient for a full key recovery attack. The recovery is carried out using a maximum likelihood estimation on the space of parameters, which can be seen as a statistical manifold. The analysis of the attack thus reduces to the computation of the Fisher information metric.
Citations: 16
MAKE: A matrix action key exchange
IF 1.2 Q4 COMPUTER SCIENCE, THEORY & METHODS Pub Date : 2020-09-01 DOI: 10.1515/jmc-2020-0053
Nael Rahman, V. Shpilrain
Abstract We offer a public key exchange protocol based on a semidirect product of two cyclic (semi)groups of matrices over $\mathbb{Z}_p$. One of the (semi)groups is additive, and the other one is multiplicative. This allows us to take advantage of both operations on matrices to diffuse information. We note that in our protocol, no power of any matrix or of any element of $\mathbb{Z}_p$ is ever exposed, so standard classical attacks on Diffie–Hellman-like protocols are not applicable.
Citations: 12
The polynomial learning with errors problem and the smearing condition
IF 1.2 Q4 COMPUTER SCIENCE, THEORY & METHODS Pub Date : 2020-08-11 DOI: 10.1515/jmc-2020-0035
L. Babinkostova, Ariana Chin, Aaron Kirtland, V. Nazarchuk, Esther Plotnick
Abstract As quantum computing advances rapidly, guaranteeing the security of cryptographic protocols resistant to quantum attacks is paramount. Some leading candidate cryptosystems use the learning with errors (LWE) problem, attractive for its simplicity and hardness guaranteed by reductions from hard computational lattice problems. Its algebraic variants, ring-learning with errors (RLWE) and polynomial learning with errors (PLWE), gain efficiency over standard LWE, but their security remains to be thoroughly investigated. In this work, we consider the “smearing” condition, a condition for attacks on PLWE and RLWE introduced in Elias et al. We expand upon some questions about smearing posed by Elias et al. and show how smearing is related to the coupon collector’s problem. Furthermore, we develop an algorithm for computing probabilities related to smearing. Finally, we present a smearing-based algorithm for solving the PLWE problem.
Citations: 0
Evolution of group-theoretic cryptology attacks using hyper-heuristics
IF 1.2 Q4 COMPUTER SCIENCE, THEORY & METHODS Pub Date : 2020-06-15 DOI: 10.1515/jmc-2021-0017
M. J. Craven, J. Woodward
Abstract In previous work, we developed a single evolutionary algorithm (EA) to solve random instances of the Anshel–Anshel–Goldfeld (AAG) key exchange protocol over polycyclic groups. The EA consisted of six simple heuristics which manipulated strings. The present work extends this by exploring the use of hyper-heuristics in group-theoretic cryptology for the first time. Hyper-heuristics are a way to generate new algorithms from existing algorithm components (in this case, simple heuristics), with EAs being one example of the type of algorithm which can be generated by our hyper-heuristic framework. We take as a starting point the above EA and allow hyper-heuristics to build on it by making small tweaks to it. This adaptation is through a process of taking the EA and injecting chains of heuristics built from the simple heuristics. We demonstrate that we can create novel heuristic chains, which when placed in the EA create algorithms that outperform the existing EA. The new algorithms solve a greater number of random AAG instances than the EA. This suggests the approach may be applied to many of the same kinds of problems, providing a framework for the solution of cryptology problems over groups. The contribution of this article is thus a framework to automatically build algorithms to attack cryptology problems given an applicable group.
Citations: 1
Remarks on a Tropical Key Exchange System
IF 1.2 Q4 COMPUTER SCIENCE, THEORY & METHODS Pub Date : 2020-05-09 DOI: 10.1515/jmc-2019-0061
D. Rudy, C. Monico
Abstract We consider a key-exchange protocol based on matrices over a tropical semiring which was recently proposed in [2]. We show that a particular private parameter of that protocol can be recovered with a simple binary search, rendering it insecure.
Citations: 18
On the condition number of the Vandermonde matrix of the nth cyclotomic polynomial
IF 1.2 Q4 COMPUTER SCIENCE, THEORY & METHODS Pub Date : 2020-02-19 DOI: 10.1515/jmc-2020-0009
A. J. Scala, C. Sanna, Edoardo Signorini
Abstract Recently, Blanco-Chacón proved the equivalence between the Ring Learning With Errors and Polynomial Learning With Errors problems for some families of cyclotomic number fields by giving some upper bounds for the condition number $\mathrm{Cond}(V_n)$ of the Vandermonde matrix $V_n$ associated to the $n$th cyclotomic polynomial. We prove some results on the singular values of $V_n$ and, in particular, we determine $\mathrm{Cond}(V_n)$ for $n = 2^k p^\ell$, where $k, \ell \ge 0$ are integers and $p$ is an odd prime number.
Citations: 6