attacks on the mersenne based ajps cryptosystem
play

Attacks on the Mersenne-based AJPS cryptosystem Koen de Boer 1 , L. - PowerPoint PPT Presentation

Feb 27, 2023 •261 likes •1.03k views

Attacks on the Mersenne-based AJPS cryptosystem Koen de Boer 1 , L. Ducas 1 , S. Jeffery 1 , 2 , R. de Wolf 1 , 2 , 3 1 Centrum Wiskunde en Informatica, Amsterdam 2 QuSoft, Amsterdam 3 University of Amsterdam April 9, 2018 April 9, PQCrypto, Fort

  1. Attacks on the Mersenne-based AJPS cryptosystem Koen de Boer 1 , L. Ducas 1 , S. Jeffery 1 , 2 , R. de Wolf 1 , 2 , 3 1 Centrum Wiskunde en Informatica, Amsterdam 2 QuSoft, Amsterdam 3 University of Amsterdam April 9, 2018 April 9, PQCrypto, Fort Lauderdale, Florida 1 / 15

  2. Overview Aggarwal, Joux, Prakash, Santha [AJPS17] Propose potentially quantum-safe public-key cryptosystem based on Mersenne numbers and May ’17 NTRU [HPS98]. April 9, PQCrypto, Fort Lauderdale, Florida 2 / 15

  3. Overview Aggarwal, Joux, Prakash, Santha [AJPS17] Propose potentially quantum-safe public-key cryptosystem based on Mersenne numbers and May ’17 NTRU [HPS98]. Consider but dismiss Meet-in-the-Middle and lattice attacks. April 9, PQCrypto, Fort Lauderdale, Florida 2 / 15

  4. Overview Aggarwal, Joux, Prakash, Santha [AJPS17] Propose potentially quantum-safe public-key cryptosystem based on Mersenne numbers and May ’17 NTRU [HPS98]. Consider but dismiss Meet-in-the-Middle and lattice attacks. Hope that ‘brute force’ is the optimal attack. April 9, PQCrypto, Fort Lauderdale, Florida 2 / 15

  5. Overview Aggarwal, Joux, Prakash, Santha [AJPS17] Propose potentially quantum-safe public-key cryptosystem based on Mersenne numbers and May ’17 NTRU [HPS98]. Consider but dismiss Meet-in-the-Middle and Jun ’17 lattice attacks. Hope that ‘brute force’ is the optimal attack. Beunardeau, Connolly, G´ eraud, Naccache [BCGN17] Describe an experimental lattice-reduction attack. April 9, PQCrypto, Fort Lauderdale, Florida 2 / 15

  6. Overview Aggarwal, Joux, Prakash, Santha [AJPS17] Propose potentially quantum-safe public-key cryptosystem based on Mersenne numbers and May ’17 NTRU [HPS98]. Consider but dismiss Meet-in-the-Middle and Jun ’17 lattice attacks. Hope that ‘brute force’ is the optimal attack. Beunardeau, Connolly, G´ eraud, Naccache [BCGN17] Describe an experimental lattice-reduction attack. Our contribution Meet-in-the-Middle attack Dec ’17 April 9, PQCrypto, Fort Lauderdale, Florida 2 / 15

  7. Overview Aggarwal, Joux, Prakash, Santha [AJPS17] Propose potentially quantum-safe public-key cryptosystem based on Mersenne numbers and May ’17 NTRU [HPS98]. Consider but dismiss Meet-in-the-Middle and Jun ’17 lattice attacks. Hope that ‘brute force’ is the optimal attack. Beunardeau, Connolly, G´ eraud, Naccache [BCGN17] Describe an experimental lattice-reduction attack. Our contribution Meet-in-the-Middle attack Dec ’17 Analysis of the lattice-attack of Beunardeau et al. April 9, PQCrypto, Fort Lauderdale, Florida 2 / 15

  8. Overview Aggarwal, Joux, Prakash, Santha [AJPS17] Propose potentially quantum-safe public-key cryptosystem based on Mersenne numbers and May ’17 NTRU [HPS98]. Consider but dismiss Meet-in-the-Middle and Jun ’17 lattice attacks. Hope that ‘brute force’ is the optimal attack. Beunardeau, Connolly, G´ eraud, Naccache [BCGN17] Describe an experimental lattice-reduction attack. Our contribution Meet-in-the-Middle attack ← this talk Dec ’17 Analysis of the lattice-attack of Beunardeau et al. April 9, PQCrypto, Fort Lauderdale, Florida 2 / 15

  9. Table of Contents The Mersenne-number based AJPS-cryptosystem 1 Meet-in-the-Middle attack on the AJPS cryptosystem 2 Example: Subset-sum problem MITM in the AJPS-cryptosystem April 9, PQCrypto, Fort Lauderdale, Florida 3 / 15

  10. The AJPS cryptosystem Set R = Z / N Z , where N = 2 n − 1 with n prime. April 9, PQCrypto, Fort Lauderdale, Florida 4 / 15

  11. The AJPS cryptosystem Set R = Z / N Z , where N = 2 n − 1 with n prime. Each element in R can be uniquely identified by its binary representation in { 0 , 1 } n \{ 1 n } . a ∈ R bin. rep. | a | 0 0 0...000 1 0...001 1 2 1 0...010 3 0...011 2 . . . . . . . . . 2 n − 2 n − 1 1...110 April 9, PQCrypto, Fort Lauderdale, Florida 4 / 15

  12. The AJPS cryptosystem Set R = Z / N Z , where N = 2 n − 1 with n prime. Each element in R can be uniquely identified by its binary representation in { 0 , 1 } n \{ 1 n } . For a ∈ R , set | a | := the Hamming weight of the binary representation of a . a ∈ R bin. rep. | a | 0 0 0...000 1 0...001 1 2 1 0...010 3 0...011 2 . . . . . . . . . 2 n − 2 n − 1 1...110 April 9, PQCrypto, Fort Lauderdale, Florida 4 / 15

  13. The AJPS cryptosystem Set R = Z / N Z , where N = 2 n − 1 with n prime. Each element in R can be uniquely identified by its binary representation in { 0 , 1 } n \{ 1 n } . For a ∈ R , set | a | := the Hamming weight of the binary representation of a . a ∈ R bin. rep. | a | 0 0 0...000 1 0...001 1 2 1 0...010 3 0...011 2 . . . . . . . . . 2 n − 2 n − 1 1...110 April 9, PQCrypto, Fort Lauderdale, Florida 4 / 15

  14. The AJPS cryptosystem Set R = Z / N Z , where N = 2 n − 1 with n prime. Each element in R can be uniquely identified by its binary representation in { 0 , 1 } n \{ 1 n } . For a ∈ R , set | a | := the Hamming weight of the binary representation of a . Set w = ⌊√ n / 2 ⌋ . April 9, PQCrypto, Fort Lauderdale, Florida 4 / 15

  15. The AJPS cryptosystem Set R = Z / N Z , where N = 2 n − 1 with n prime. Each element in R can be uniquely identified by its binary representation in { 0 , 1 } n \{ 1 n } . For a ∈ R , set | a | := the Hamming weight of the binary representation of a . Set w = ⌊√ n / 2 ⌋ . Choose f , g ∈ R such that | f | = | g | = w and g invertible. f = , g = April 9, PQCrypto, Fort Lauderdale, Florida 4 / 15

  16. The AJPS cryptosystem Set R = Z / N Z , where N = 2 n − 1 with n prime. Each element in R can be uniquely identified by its binary representation in { 0 , 1 } n \{ 1 n } . For a ∈ R , set | a | := the Hamming weight of the binary representation of a . Set w = ⌊√ n / 2 ⌋ . Choose f , g ∈ R such that | f | = | g | = w and g invertible. Set h = f / g . Public key is h and secret key g . f = , g = h = f g = April 9, PQCrypto, Fort Lauderdale, Florida 4 / 15

  17. The AJPS cryptosystem Set R = Z / N Z , where N = 2 n − 1 with n prime. Each element in R can be uniquely identified by its binary representation in { 0 , 1 } n \{ 1 n } . For a ∈ R , set | a | := the Hamming weight of the binary representation of a . Set w = ⌊√ n / 2 ⌋ . Choose f , g ∈ R such that | f | = | g | = w and g invertible. Set h = f / g . Public key is h and secret key g . The Mersenne Low Hamming Ratio Problem April 9, PQCrypto, Fort Lauderdale, Florida 4 / 15

  18. The AJPS cryptosystem Set R = Z / N Z , where N = 2 n − 1 with n prime. Each element in R can be uniquely identified by its binary representation in { 0 , 1 } n \{ 1 n } . For a ∈ R , set | a | := the Hamming weight of the binary representation of a . Set w = ⌊√ n / 2 ⌋ . Choose f , g ∈ R such that | f | = | g | = w and g invertible. Set h = f / g . Public key is h and secret key g . The Mersenne Low Hamming Ratio Problem Given h ∈ R , which is quotient of two elements of low Hamming wt. April 9, PQCrypto, Fort Lauderdale, Florida 4 / 15

  19. The AJPS cryptosystem Set R = Z / N Z , where N = 2 n − 1 with n prime. Each element in R can be uniquely identified by its binary representation in { 0 , 1 } n \{ 1 n } . For a ∈ R , set | a | := the Hamming weight of the binary representation of a . Set w = ⌊√ n / 2 ⌋ . Choose f , g ∈ R such that | f | = | g | = w and g invertible. Set h = f / g . Public key is h and secret key g . The Mersenne Low Hamming Ratio Problem Given h ∈ R , which is quotient of two elements of low Hamming wt. Find f , g ∈ R with | f | = | g | = w such that h = f / g . April 9, PQCrypto, Fort Lauderdale, Florida 4 / 15

  20. The AJPS cryptosystem Set R = Z / N Z , where N = 2 n − 1 with n prime. Each element in R can be uniquely identified by its binary representation in { 0 , 1 } n \{ 1 n } . For a ∈ R , set | a | := the Hamming weight of the binary representation of a . Set w = ⌊√ n / 2 ⌋ . Choose f , g ∈ R such that | f | = | g | = w and g invertible. Set h = f / g . Public key is h and secret key g . The Mersenne Low Hamming Ratio Problem Given h ∈ R , which is quotient of two elements of low Hamming wt. Find f , g ∈ R with | f | = | g | = w such that h = f / g . Brute force attack: Guess a g ∈ R with | g | = w , check whether | g h | = w . � n � time: . w April 9, PQCrypto, Fort Lauderdale, Florida 4 / 15

  21. Table of Contents The Mersenne-number based AJPS-cryptosystem 1 Meet-in-the-Middle attack on the AJPS cryptosystem 2 Example: Subset-sum problem MITM in the AJPS-cryptosystem April 9, PQCrypto, Fort Lauderdale, Florida 5 / 15

  22. Meet-in-the-Middle attack Improved time complexity, at the cost of greater space complexity. April 9, PQCrypto, Fort Lauderdale, Florida 6 / 15

  23. MITM in the subset-sum problem Subset-sum problem Given z 1 , . . . , z n ∈ Z Find I ⊆ { 1 , . . . , n } such that � i ∈ I z i = 0. z 1 6 2 z 2 z 3 − 1 10 z 4 z 5 9 − 5 z 6 April 9, PQCrypto, Fort Lauderdale, Florida 7 / 15

  24. MITM in the subset-sum problem Subset-sum problem Given z 1 , . . . , z n ∈ Z Find I ⊆ { 1 , . . . , n } such that � i ∈ I z i = 0. �� � For all I 1 ⊆ { 1 , . . . , n / 2 } , store I 1 in the bucket L i ∈ I 1 z i . L [ i ] i z 1 6 2 z 2 z 3 − 1 10 z 4 z 5 9 − 5 z 4 April 9, PQCrypto, Fort Lauderdale, Florida 7 / 15

Recommend

Improved Cryptanalysis of the AJPS Mersenne Based Cryptosystem Jean-Sbastien Coron and Agnese

Improved Cryptanalysis of the AJPS Mersenne Based Cryptosystem Jean-Sbastien Coron and Agnese

Improved Cryptanalysis of the AJPS Mersenne Based Cryptosystem Jean-Sbastien Coron and Agnese Gini University of Luxembourg June 27, 2019 NutMiC 1 / 20 Timeline 2016 NIST calling for quantum-resistant cryptographic algorithms for new

341 views • 31 slides
Key Escrow free Identity-based Identity-based Cryptosystem Cryptosystem Identity-based

Key Escrow free Identity-based Identity-based Cryptosystem Cryptosystem Identity-based

Contents Background Key Escrow free Identity-based Identity-based Cryptosystem Cryptosystem Identity-based Signature Conclusion Manik Lal Das DA-IICT, Gandhinagar, India About DA-IICT and Our Group DA-IICT is a private university,

563 views • 35 slides
McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Z urich

McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Z urich

Traditional McEliece Crypto System Variants of McEliece System Distinguisher Attacks McEliece for Rank Metric Codes McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Z urich ALCOMA, March 19, 2015 joint

763 views • 54 slides
The centre Mersenne for Open Scientific Publishing An academic-led open access publishing

The centre Mersenne for Open Scientific Publishing An academic-led open access publishing

The centre Mersenne for Open Scientific Publishing An academic-led open access publishing infrastructure Academic-Led Publishing Day, 7 February 2019 Centre Mersenne 1 / 15 Presentation of the centre Mersenne Centre Mersenne Centre Mersenne

475 views • 15 slides
The Paillier Cryptosystem A Look Into The Cryptosystem And Its Potential Application By Michael

The Paillier Cryptosystem A Look Into The Cryptosystem And Its Potential Application By Michael

The Paillier Cryptosystem A Look Into The Cryptosystem And Its Potential Application By Michael OKeeffe The College of New Jersey Mathematics Department April 18, 2008 A BSTRACT So long as there are secrets, there is a need for encryption

357 views • 16 slides
A Code-Based Cryptosystem using GRS Codes Violetta Weger University of Zurich Master Thesis

A Code-Based Cryptosystem using GRS Codes Violetta Weger University of Zurich Master Thesis

A Code-Based Cryptosystem using GRS Codes Violetta Weger University of Zurich Master Thesis Presentation Seminar Coding Theory and Cryptography 07 December 2016 Violetta Weger Code-based Cryptosystem using GRS Codes Outline 1 Motivation 2

1.31k views • 61 slides
A New Cryptosystem and Algebraic Constructions for its Key Space K. T. Arasu, Riverside Research

A New Cryptosystem and Algebraic Constructions for its Key Space K. T. Arasu, Riverside Research

A New Cryptosystem and Algebraic Constructions for its Key Space K. T. Arasu, Riverside Research Beavercreek, Ohio karasu@RiversideResearch.org Snake-and-Ladder Blocks We introduce a new symmetric cryptosystem based on snake-and- ladder

408 views • 21 slides
The Frobenius problem for Mersenne numerical semigroups M.B. Branco Setember 2014 This is joint

The Frobenius problem for Mersenne numerical semigroups M.B. Branco Setember 2014 This is joint

The Frobenius problem for Mersenne numerical semigroups M.B. Branco Setember 2014 This is joint work with: J.C. Rosales and D. Torro The Frobenius problem for Mersenne numerical semigroups > Introduction > The embedding dimension >

726 views • 43 slides
Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr. Principal Software Engineer 2019/02/19 What are cache based attacks ? In cryptography In cryptographic operations, leaking the internal state of a

338 views • 8 slides
The RSA Cryptosystem February 27, 2008 Introducing PS4: RSA encryption Problem set 4 is about

The RSA Cryptosystem February 27, 2008 Introducing PS4: RSA encryption Problem set 4 is about

The RSA Cryptosystem February 27, 2008 Introducing PS4: RSA encryption Problem set 4 is about implementing a famous public key cryptosystem, RSA. Administrative Details: Posted by tomorrow. Due Friday March 7, at Noon. My office hours will be

610 views • 23 slides
Cryptanaylsis of Knapsack Cryptosystem Rajendra Kumar April 2017 1 Introduction Subset sum

Cryptanaylsis of Knapsack Cryptosystem Rajendra Kumar April 2017 1 Introduction Subset sum

Cryptanaylsis of Knapsack Cryptosystem Rajendra Kumar April 2017 1 Introduction Subset sum problem is a NP-complete problem[2]. Based on this problem knapsack cryptosystem was given by Merkle and Hellman[4]. In 1982 shamir[6] found the first

400 views • 4 slides
New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

Introduction New generic attacks HMAC-GOST key-recovery Conclusion New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs Asiacrypt 2013 1 / 22 . . . . . . . . . . . . . . . . . Gatan Leurent,

759 views • 52 slides
NTRU Cryptosystem: Recent Developments Ron Steinfeld School of IT Monash University, Australia

NTRU Cryptosystem: Recent Developments Ron Steinfeld School of IT Monash University, Australia

Introduction NTRU Cryptosystem: Review NTRU Security: Recent Developments NTRU Applications: Recent Developments NTRU Cryptosystem: Recent Developments Ron Steinfeld School of IT Monash University, Australia (partly based on joint work with

1.29k views • 76 slides
Code-based Cryptography Christiane Peters Technical University of Denmark ECC 2011 September

Code-based Cryptography Christiane Peters Technical University of Denmark ECC 2011 September

Code-based Cryptography Christiane Peters Technical University of Denmark ECC 2011 September 20, 2011 Code-based cryptography 1. Background 2. The McEliece cryptosystem 3. Information-set-decoding attacks 4. Designs: Wild McEliece 5.

721 views • 55 slides
Cryptanalysis of the Sidelnikov cryptosystem Lorenz Minder, Amin Shokrollahi {

Cryptanalysis of the Sidelnikov cryptosystem Lorenz Minder, Amin Shokrollahi {

Cryptanalysis of the Sidelnikov cryptosystem Lorenz Minder, Amin Shokrollahi { lorenz.minder,amin.shokrollahi } @epfl.ch. LMA, EPFL Cryptanalysis of the Sidelnikov cryptosystem p.1/18 McEliece type cryptosystems PKCS based on

785 views • 18 slides
Perfect Secrecy A cryptosystem is unconditionally secure if it cannot be broken, even with

Perfect Secrecy A cryptosystem is unconditionally secure if it cannot be broken, even with

Perfect Secrecy A cryptosystem is unconditionally secure if it cannot be broken, even with infinite computational resources. (There are other (weaker) types of security; well talk about those later.) A cryptosystem is unconditionally secure

642 views • 4 slides
Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse) Detection Intrusion Detection Host-based Network-based Boriana Ditcheva and Lisa Fowler Active/Passive University of North Carolina at

401 views • 12 slides
Quantum LLL with an Application to Mersenne Number Cryptosystems Marcel Tiepelt 1 Alan Szepieniec

Quantum LLL with an Application to Mersenne Number Cryptosystems Marcel Tiepelt 1 Alan Szepieniec

Quantum LLL with an Application to Mersenne Number Cryptosystems Marcel Tiepelt 1 Alan Szepieniec 2 1 Karlsruhe Institute of Technology 2 Nervos Foundation Latincrypt 2019 Santiago de Chile, Oct. 2-4 www.kit.edu KIT The Research University

1.23k views • 41 slides
P UBLIC - KEY CRYPTOGRAPHY (PKC) E RROR - CORRECTING PAIRS FOR A PUBLIC - KEY CRYPTOSYSTEM P UBLIC

P UBLIC - KEY CRYPTOGRAPHY (PKC) E RROR - CORRECTING PAIRS FOR A PUBLIC - KEY CRYPTOSYSTEM P UBLIC

E RROR - CORRECTING PAIRS FOR A PUBLIC - KEY CRYPTOSYSTEM E RROR - CORRECTING PAIRS P UBLIC - KEY CRYPTOGRAPHY FOR A PUBLIC - KEY CRYPTOSYSTEM C ODE BASED CRYPTOGRAPHY P REREQUISITES E RROR - CORRECTING CODES I. M RQUEZ -C ORBELLA 1 R. P

1.2k views • 97 slides
Cryptography: Joining the RSA Cryptosystem Greg Plaxton Theory in Programming Practice, Spring

Cryptography: Joining the RSA Cryptosystem Greg Plaxton Theory in Programming Practice, Spring

Cryptography: Joining the RSA Cryptosystem Greg Plaxton Theory in Programming Practice, Spring 2004 Department of Computer Science University of Texas at Austin Joining the RSA Cryptosystem: Overview First, Bob randomly chooses two large

263 views • 8 slides
Variants of Mersenne Twister Suitable for Graphic Processors Mutsuo Saito 1 , Makoto Matsumoto 2 1

Variants of Mersenne Twister Suitable for Graphic Processors Mutsuo Saito 1 , Makoto Matsumoto 2 1

Variants of Mersenne Twister Suitable for Graphic Processors Mutsuo Saito 1 , Makoto Matsumoto 2 1 Hiroshima University, 2 University of Tokyo August 16, 2010 This study is granted in part by JSPS Grant-In-Aid #21654004, #19204002, #21654017,

501 views • 35 slides
Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks?

Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks?

Introduction Motivations and Contributions Preliminaries Our Main Idea Main Results Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks? Chen-Dong Ye and Tian Tian . . . . . . Chen-Dong Ye and Tian

734 views • 58 slides
Exploring the parameter space in lattice attacks Daniel J. Bernstein Tanja Lange Based on

Exploring the parameter space in lattice attacks Daniel J. Bernstein Tanja Lange Based on

1 Exploring the parameter space in lattice attacks Daniel J. Bernstein Tanja Lange Based on attack survey from 2019 BernsteinChuengsatiansup Langevan Vredendaal. Some hard lattice meta-problems: Analyze cost of known attacks.

489 views • 36 slides
pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks

pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks

Syndrome Based Collision Resistant Hashing Matthieu Finiasz pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks Proposed Improvements and Parameters pq 1 Description of the FSB Hash Function pq

286 views • 28 slides

More recommend