Attacks on the Mersenne-based AJPS cryptosystem
Koen de Boer (1), L. Ducas (1), S. Jeffery (1, 2), R. de Wolf (1, 2, 3)
(1) Centrum Wiskunde en Informatica, Amsterdam; (2) QuSoft, Amsterdam; (3) University of Amsterdam
April 9, 2018, PQCrypto, Fort Lauderdale, Florida
Overview
May '17: Aggarwal, Joux, Prakash, Santha [AJPS17]. Propose a potentially quantum-safe public-key cryptosystem based on Mersenne numbers and NTRU [HPS98]. Consider but dismiss Meet-in-the-Middle and lattice attacks. Hope that 'brute force' is the optimal attack.
Jun '17: Beunardeau, Connolly, Géraud, Naccache [BCGN17]. Describe an experimental lattice-reduction attack.
Dec '17: Our contribution. Meet-in-the-Middle attack (this talk). Analysis of the lattice attack of Beunardeau et al.
Table of Contents
1 The Mersenne-number based AJPS cryptosystem
2 Meet-in-the-Middle attack on the AJPS cryptosystem
  Example: Subset-sum problem
  MITM in the AJPS cryptosystem
The AJPS cryptosystem
Set R = Z/NZ, where N = 2^n − 1 with n prime.
Each element in R can be uniquely identified by its binary representation in {0,1}^n \ {1^n}.
For a ∈ R, set |a| := the Hamming weight of the binary representation of a.

  a ∈ R      bin. rep.   |a|
  0          0...000     0
  1          0...001     1
  2          0...010     1
  3          0...011     2
  ...        ...         ...
  2^n − 2    1...110     n − 1

Set w = ⌊√n / 2⌋.
Choose f, g ∈ R such that |f| = |g| = w and g invertible.
Set h = f/g. The public key is h and the secret key is g.

The Mersenne Low Hamming Ratio Problem
Given h ∈ R, which is the quotient of two elements of low Hamming weight, find f, g ∈ R with |f| = |g| = w such that h = f/g.

Brute-force attack: guess a g ∈ R with |g| = w and check whether |g·h| = w. Time: $\binom{n}{w}$.
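Added example (not code from the slides or the paper): toy key generation over R = Z/(2^n − 1)Z with the slide's weight w = ⌊√n / 2⌋, plus the brute-force check |g·h| = w, run on the hypothetical parameter n = 61 with chosen bit positions for f and g. It also records a subtlety the slide does not spell out: because multiplication by 2^k is a bit rotation modulo 2^n − 1, every rotation (2^k f, 2^k g) solves the same instance.

```python
from itertools import combinations
from math import isqrt

def hamming(a, n):
    """|a|: Hamming weight of the n-bit representation of a in R = Z/(2^n - 1)Z."""
    return bin(a % (2**n - 1)).count("1")

def weight_param(n):
    """w = floor(sqrt(n) / 2) as on the slide; floor(isqrt(n) / 2) gives the same value."""
    return isqrt(n) // 2

def from_positions(positions):
    """Element of R whose set bits are exactly the given positions."""
    return sum(1 << i for i in positions)

def keygen(n, f_positions, g_positions):
    """Toy key generation: f, g of weight w from chosen bit positions, h = f / g mod N.
    The positions are constructed sample values, not parameters from the paper."""
    N = 2**n - 1
    w = weight_param(n)
    f, g = from_positions(f_positions), from_positions(g_positions)
    if hamming(f, n) != w or hamming(g, n) != w:
        raise ValueError("f and g must both have Hamming weight w")
    h = f * pow(g, -1, N) % N   # pow(g, -1, N) raises ValueError if g is not invertible
    return h, f, g

def brute_force(n, h):
    """The slide's brute force: try every g with |g| = w and test |g * h| = w.
    Cost: C(n, w) candidates.  (2^k f, 2^k g) is a solution for every k, since
    multiplying by 2^k rotates the bits mod 2^n - 1, so the first hit may be a
    rotation of the original key pair rather than the pair itself."""
    N = 2**n - 1
    w = weight_param(n)
    for positions in combinations(range(n), w):
        g = from_positions(positions)
        f = g * h % N
        if hamming(f, n) == w:
            return f, g
    return None

if __name__ == "__main__":
    # n = 61 is prime and 2^61 - 1 is prime, so every nonzero g is invertible; w = 3.
    h, f, g = keygen(61, [0, 5, 40], [2, 17, 33])
    print(brute_force(61, h))
```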
Meet-in-the-Middle attack
Improved time complexity, at the cost of greater space complexity.
MITM in the subset-sum problem
Subset-sum problem: given z_1, ..., z_n ∈ Z, find I ⊆ {1, ..., n} such that $\sum_{i \in I} z_i = 0$.
Example instance: z_1 = 6, z_2 = 2, z_3 = −1, z_4 = 10, z_5 = 9, z_6 = −5.
For all I_1 ⊆ {1, ..., n/2}, store I_1 in the bucket $L[\sum_{i \in I_1} z_i]$.
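Added example (not code from the slides): the bucket-table Meet-in-the-Middle for subset sum, carried past the bucket-storing step shown above to the lookup on the second half, and run on the slide's instance z = (6, 2, −1, 10, 9, −5). Both halves are enumerated with 2^(n/2) work each, instead of the 2^n subsets a plain brute force would try.

```python
from itertools import combinations
from collections import defaultdict

def subset_sums(zs, offset):
    """Bucket table L: map each subset sum of zs to the 1-indexed index tuples
    (shifted by `offset`) that attain it.  Size is at most 2^len(zs) entries."""
    table = defaultdict(list)
    for k in range(len(zs) + 1):
        for pos in combinations(range(len(zs)), k):
            s = sum(zs[i] for i in pos)
            table[s].append(tuple(i + 1 + offset for i in pos))
    return table

def mitm_subset_sum(z):
    """Return every non-empty I (as a sorted 1-indexed tuple) with sum_{i in I} z_i = 0.
    Left half: store each I_1 under L[sum(I_1)] (the slide's bucket step).
    Right half: for each I_2, look up the bucket -sum(I_2), since sum(I_1) + sum(I_2) = 0."""
    half = len(z) // 2
    L = subset_sums(z[:half], 0)
    solutions = []
    for k in range(len(z) - half + 1):
        for pos in combinations(range(half, len(z)), k):
            s2 = sum(z[i] for i in pos)
            for i1 in L.get(-s2, []):
                I = i1 + tuple(i + 1 for i in pos)
                if I:                       # the empty set trivially sums to 0; skip it
                    solutions.append(I)
    return solutions

if __name__ == "__main__":
    # Constructed sample instance, taken from the slide's example values.
    print(mitm_subset_sum([6, 2, -1, 10, 9, -5]))   # the only hit is (1, 3, 6): 6 - 1 - 5 = 0
```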