{"title":"勒让德PRF(多)密钥攻击和预处理的力量","authors":"Alexander May, Floyd Zweydinger","doi":"10.1109/CSF54842.2022.9919640","DOIUrl":null,"url":null,"abstract":"Due to its amazing speed and multiplicative properties the Legendre PRF recently finds widespread applications e.g. in Ethereum 2.0, multiparty computation and in the quantum-secure signature proposal LegRoast. However, its security is not yet extensively studied. The Legendre PRF computes for a key <tex>$k$</tex> on input <tex>$x$</tex> the Legendre symbol <tex>$L_{k}(x)=(\\frac{x+k}{p})$</tex> in some finite field <tex>$\\mathbb{F}_{p}$</tex>. As standard notion, PRF security is analysed by giving an attacker oracle access to <tex>$L_{k}(\\cdot)$</tex>. Khovratovich's collision-based algorithm recovers <tex>$k$</tex> using <tex>$L_{k}(\\cdot)$</tex> in time <tex>$\\sqrt{p}$</tex> with constant memory. It is a major open problem whether this birthday-bound complexity can be beaten. We show a somewhat surprising wide-ranging analogy between the discrete logarithm problem and Legendre symbol computations. This analogy allows us to adapt various algorithmic ideas from the discrete logarithm setting. More precisely, we present a small memory multiple-key attack on <tex>$m$</tex> Legendre keys <tex>$k_{1}, \\ldots, k_{m}$</tex> in time <tex>$\\sqrt{mp}$</tex>, i.e. with amortized cost <tex>$\\sqrt{p/m}$</tex> per key. This multiple-key attack might be of interest in the Ethereum context, since recovering many keys simultaneously maximizes an attacker's profit. Moreover, we show that the Legendre PRF admits precomputation attacks, where the precomputation depends on the public <tex>$p$</tex> only - and not on a key <tex>$k$</tex>. Namely, an attacker may compute e.g. in precomputation time <tex>$p^{\\frac{2}{3}}$</tex> a hint of size <tex>$p^{\\frac{1}{3}}$</tex>. On receiving access to <tex>$L_{k}(\\cdot)$</tex> in an online phase, the attacker then uses the hint to recover the desired key <tex>$k$</tex> in time only <tex>$p^{\\frac{1}{3}}$</tex>. Thus, the attacker's online complexity again beats the birthday-bound. In addition, our precomputation attack can also be combined with our multiple-key attack. We explicitly give various tradeoffs between precomputation and online phase. E.g. for attacking <tex>$m$</tex> keys one may spend time <tex>$mp^{\\frac{2}{3}}$</tex> in the precomputation phase for constructing a hint of size <tex>$m^{2}p^{\\frac{1}{3}}$</tex>. In an online phase, one then finds all <tex>$m$</tex> keys in total time only <tex>$p^{\\frac{1}{3}}$</tex>. Precomputation attacks might again be interesting in the Ethereum 2.0 context, where keys are frequently changed such that a heavy key-independent precomputation pays off.","PeriodicalId":412553,"journal":{"name":"2022 IEEE 35th Computer Security Foundations Symposium (CSF)","volume":"14 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":"{\"title\":\"Legendre PRF (Multiple) Key Attacks and the Power of Preprocessing\",\"authors\":\"Alexander May, Floyd Zweydinger\",\"doi\":\"10.1109/CSF54842.2022.9919640\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Due to its amazing speed and multiplicative properties the Legendre PRF recently finds widespread applications e.g. in Ethereum 2.0, multiparty computation and in the quantum-secure signature proposal LegRoast. However, its security is not yet extensively studied. The Legendre PRF computes for a key <tex>$k$</tex> on input <tex>$x$</tex> the Legendre symbol <tex>$L_{k}(x)=(\\\\frac{x+k}{p})$</tex> in some finite field <tex>$\\\\mathbb{F}_{p}$</tex>. As standard notion, PRF security is analysed by giving an attacker oracle access to <tex>$L_{k}(\\\\cdot)$</tex>. Khovratovich's collision-based algorithm recovers <tex>$k$</tex> using <tex>$L_{k}(\\\\cdot)$</tex> in time <tex>$\\\\sqrt{p}$</tex> with constant memory. It is a major open problem whether this birthday-bound complexity can be beaten. We show a somewhat surprising wide-ranging analogy between the discrete logarithm problem and Legendre symbol computations. This analogy allows us to adapt various algorithmic ideas from the discrete logarithm setting. More precisely, we present a small memory multiple-key attack on <tex>$m$</tex> Legendre keys <tex>$k_{1}, \\\\ldots, k_{m}$</tex> in time <tex>$\\\\sqrt{mp}$</tex>, i.e. with amortized cost <tex>$\\\\sqrt{p/m}$</tex> per key. This multiple-key attack might be of interest in the Ethereum context, since recovering many keys simultaneously maximizes an attacker's profit. Moreover, we show that the Legendre PRF admits precomputation attacks, where the precomputation depends on the public <tex>$p$</tex> only - and not on a key <tex>$k$</tex>. Namely, an attacker may compute e.g. in precomputation time <tex>$p^{\\\\frac{2}{3}}$</tex> a hint of size <tex>$p^{\\\\frac{1}{3}}$</tex>. On receiving access to <tex>$L_{k}(\\\\cdot)$</tex> in an online phase, the attacker then uses the hint to recover the desired key <tex>$k$</tex> in time only <tex>$p^{\\\\frac{1}{3}}$</tex>. Thus, the attacker's online complexity again beats the birthday-bound. In addition, our precomputation attack can also be combined with our multiple-key attack. We explicitly give various tradeoffs between precomputation and online phase. E.g. for attacking <tex>$m$</tex> keys one may spend time <tex>$mp^{\\\\frac{2}{3}}$</tex> in the precomputation phase for constructing a hint of size <tex>$m^{2}p^{\\\\frac{1}{3}}$</tex>. In an online phase, one then finds all <tex>$m$</tex> keys in total time only <tex>$p^{\\\\frac{1}{3}}$</tex>. Precomputation attacks might again be interesting in the Ethereum 2.0 context, where keys are frequently changed such that a heavy key-independent precomputation pays off.\",\"PeriodicalId\":412553,\"journal\":{\"name\":\"2022 IEEE 35th Computer Security Foundations Symposium (CSF)\",\"volume\":\"14 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2022-08-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"3\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2022 IEEE 35th Computer Security Foundations Symposium (CSF)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/CSF54842.2022.9919640\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2022 IEEE 35th Computer Security Foundations Symposium (CSF)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CSF54842.2022.9919640","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Legendre PRF (Multiple) Key Attacks and the Power of Preprocessing
Due to its amazing speed and multiplicative properties the Legendre PRF recently finds widespread applications e.g. in Ethereum 2.0, multiparty computation and in the quantum-secure signature proposal LegRoast. However, its security is not yet extensively studied. The Legendre PRF computes for a key $k$ on input $x$ the Legendre symbol $L_{k}(x)=(\frac{x+k}{p})$ in some finite field $\mathbb{F}_{p}$. As standard notion, PRF security is analysed by giving an attacker oracle access to $L_{k}(\cdot)$. Khovratovich's collision-based algorithm recovers $k$ using $L_{k}(\cdot)$ in time $\sqrt{p}$ with constant memory. It is a major open problem whether this birthday-bound complexity can be beaten. We show a somewhat surprising wide-ranging analogy between the discrete logarithm problem and Legendre symbol computations. This analogy allows us to adapt various algorithmic ideas from the discrete logarithm setting. More precisely, we present a small memory multiple-key attack on $m$ Legendre keys $k_{1}, \ldots, k_{m}$ in time $\sqrt{mp}$, i.e. with amortized cost $\sqrt{p/m}$ per key. This multiple-key attack might be of interest in the Ethereum context, since recovering many keys simultaneously maximizes an attacker's profit. Moreover, we show that the Legendre PRF admits precomputation attacks, where the precomputation depends on the public $p$ only - and not on a key $k$. Namely, an attacker may compute e.g. in precomputation time $p^{\frac{2}{3}}$ a hint of size $p^{\frac{1}{3}}$. On receiving access to $L_{k}(\cdot)$ in an online phase, the attacker then uses the hint to recover the desired key $k$ in time only $p^{\frac{1}{3}}$. Thus, the attacker's online complexity again beats the birthday-bound. In addition, our precomputation attack can also be combined with our multiple-key attack. We explicitly give various tradeoffs between precomputation and online phase. E.g. for attacking $m$ keys one may spend time $mp^{\frac{2}{3}}$ in the precomputation phase for constructing a hint of size $m^{2}p^{\frac{1}{3}}$. In an online phase, one then finds all $m$ keys in total time only $p^{\frac{1}{3}}$. Precomputation attacks might again be interesting in the Ethereum 2.0 context, where keys are frequently changed such that a heavy key-independent precomputation pays off.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
