Cryptanalysis of the Legendre PRF and Generalizations
W. Beullens (1), T. Beyne (1), A. Udovenko (2), G. Vitto (2)
(1) imec-COSIC, ESAT, KU Leuven; (2) SnT, University of Luxembourg
November 13, 2020
Legendre symbol
◮ Legendre symbol of $a \in \mathbb{F}_p$ (prime $p > 2$):
  $$\left(\frac{a}{p}\right) = \begin{cases} 1 & \text{if } a = b^2 \text{ for some } b \in \mathbb{F}_p^{\times}, \\ 0 & \text{if } a = 0, \\ -1 & \text{otherwise.} \end{cases}$$
◮ Early 1900s: equidistribution results, Jacobsthal (1906) and Davenport (1931)
◮ Damgård (1990) conjectures pseudorandomness of $\left(\frac{k}{p}\right), \left(\frac{k+1}{p}\right), \ldots$
Legendre PRF
◮ Pseudorandom function proposed by Grassi et al. (2016):
  $$L_k(x) = \left(\frac{x + k}{p}\right) \in \{-1, 0, 1\}$$
◮ MPC-friendly
◮ Applications:
  – Ethereum 2.0 proof-of-custody
  – LegRoast signatures, Beullens et al. (2020)
Cryptanalysis of the Legendre PRF: Overview
https://legendreprf.org/
24/07  Challenges announced ($M = 2^{20}$)
20/08  Khovratovich (2019): $\tilde O(p/M)$
09/10  Bounties announced
       This work: $\tilde O(p/M^2)$
14/10  64-bit challenge solved
21/10  74-bit challenge solved
30/11  84-bit challenge solved
       $\log p$ improvement by Kaluđerović et al. (2020)
(Time complexities for $M < \sqrt[4]{p}$.)
Cryptanalysis of the Legendre PRF: Khovratovich (2019)
◮ Notation: $L_k(x + [m]) = (L_k(x), L_k(x+1), \ldots, L_k(x+m-1))$
◮ Observation: $L_k(x + [m]) = L_0(k + x + [m])$
1. Query $L_k([M])$
2. Extract $M - m$ sequences of the form $L_k(a + [m])$
○ Sample $L_0(c + [m])$ until collision with a stored $L_k(a + [m])$; if $m = \Omega(\log p)$ then probably $c = k + a$
Cost: $\tilde O(M + p/M)$ operations, $\tilde O(M)$ memory
Cryptanalysis of the Legendre PRF: Our attack, idea
◮ Multiplicativity of the Legendre symbol: $\left(\frac{ab}{p}\right) = \left(\frac{a}{p}\right)\left(\frac{b}{p}\right)$, hence $L_0(b)\, L_{k/b}(a/b + [m]) = L_k(a + b[m])$
1. Query $L_k([M])$
2. Extract $\sim M^2/m$ sequences of the form $L_{k/b}(a/b + [m])$, one per pair $(a, b)$
○ Sample $L_0(c + [m])$ until collision; if $m = \Omega(\log p)$ then probably $c = (k + a)/b$
Cost: $\tilde O(M^2 + p/M^2)$ operations, $\tilde O(M^2)$ memory
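The two collision attacks above, worked on a toy prime as an added example (this is not the authors' code or the cryptolu implementation): the online phase extracts the sequences $L_{k/b}(a/b + [m])$ from the $M$ given outputs via multiplicativity, and the offline phase samples $L_0(c + [m])$ until a table hit yields $k = bc - a$. Restricting the extraction loop to $b = 1$ gives Khovratovich's attack; the prime, key and parameters are constructed for illustration.

```python
# Added example (not the authors' code): key recovery for the degree-1 Legendre
# PRF on a toy prime, following the sequence-extraction attack on the slides.
# Restricting the extraction loop to b = 1 gives Khovratovich's attack.

def legendre(a, p):
    """Legendre symbol (a/p) via Euler's criterion, as -1, 0 or 1."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def L(k, x, p):
    """Legendre PRF L_k(x) = ((x + k)/p)."""
    return legendre(x + k, p)

def extract_table(outputs, m, p):
    """Online phase: from the M outputs L_k([M]) build the table
    {L_{k/b}(a/b + [m]) -> (a, b)} using multiplicativity,
    L_0(b) * L_k(a + b[m]) = L_{k/b}(a/b + [m]); b = 1 alone is Khovratovich."""
    M = len(outputs)
    table = {}
    for b in range(1, (M - 1) // (m - 1) + 1):    # need a + b(m-1) <= M-1
        sb = legendre(b, p)
        for a in range(M - b * (m - 1)):
            table[tuple(sb * outputs[a + b * i] for i in range(m))] = (a, b)
    return table

def recover_key(outputs, m, p):
    """Offline phase: sample L_0(c + [m]) for c = 0, 1, 2, ... until it collides
    with a table entry; then c = (k + a)/b, so k = b*c - a (mod p)."""
    table = extract_table(outputs, m, p)
    for c in range(p):
        seq = tuple(legendre(c + i, p) for i in range(m))
        hit = table.get(seq)
        if hit is not None:
            a, b = hit
            k = (b * c - a) % p
            # m = Omega(log p) makes false collisions rare; check all M outputs anyway.
            if all(L(k, x, p) == v for x, v in enumerate(outputs)):
                return k
    return None

if __name__ == "__main__":
    p, k, M, m = 10007, 4242, 256, 32            # constructed toy instance
    outputs = [L(k, x, p) for x in range(M)]     # the M consecutive PRF outputs
    print(recover_key(outputs, m, p))            # 4242
```

With $M = 256$ and $m = 32$ the table holds roughly $M^2/(2m)$ entries, so the offline loop hits after only a few dozen candidates $c$ instead of the $\sim p/M$ expected when only $b = 1$ is used.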
Cryptanalysis of the Legendre PRF: Our attack, optimizations
◮ Use consecutive samples in the offline phase:
  1. Compute $L_0(c + [w])$ for some $w > m$
  2. Extract $\sim w^2/m$ sequences of the form $L_0(c/d + [m])$
  – Amortizes Legendre symbol computation
  → Cost dominated by sequence extraction and table lookups
◮ Caveat: sequences in the table are not random
◮ Only store sequences with $|a| < |b|$
◮ Cost: $O(M^2 + p \log^2 p / M^2)$ time, $O(M^2 / \log p)$ memory
Cryptanalysis of the Legendre PRF: Our attack, implementation results
https://github.com/cryptolu/LegendrePRF
◮ First $M = 2^{20}$ consecutive PRF outputs $L_k([M])$ were given
◮ Bottleneck: table lookups ($0.08\,\mu s$)
◮ Dell C6420 server; two Intel Xeon Gold 6132 CPUs (2.6 GHz), 128 GB of RAM

  p            Time (core-hours)   Memory / thread (GB)
  2^40 − 87    < 0.001             < 1
  2^64 − 59    3                   3
  2^74 − 35    1500                1.5
Generalizations of the Legendre PRF: Overview
◮ Higher-degree Legendre PRF: first analysis by Khovratovich (2019)
◮ Jacobi symbols: Damgård (1990)
◮ Power-residue symbols: Damgård (1990)
Generalizations of the Legendre PRF: Higher-degree Legendre PRF
◮ Degree-1 Legendre PRF: $L_k(x) = \left(\frac{x + k}{p}\right)$, $k \in \mathbb{F}_p$
◮ Degree-$d$ Legendre PRF: $L_k(x) = \left(\frac{x^d + k_{d-1}x^{d-1} + \ldots + k_1 x + k_0}{p}\right)$, $k \in \mathbb{F}_p^d$
◮ Attacks ($d \geq 2$):
  – Khovratovich (2019): $\tilde O(p^{d-1})$ time
  – This work: $\tilde O(p^2 + p^{d-2})$ using sequence extraction
  – Kaluđerović et al. (2020): $\tilde O(p^3 + p^{d-3})$
  – Weak keys (next slides)
Generalizations of the Legendre PRF: Higher-degree Legendre PRF, security?
◮ Example: $x^d + k_{d-1}x^{d-1} + \ldots + k_1 x + k_0 = \prod_{i=1}^{d} (x - \alpha_i)$ with $\alpha_1, \ldots, \alpha_d \in \mathbb{F}_p$ distinct, so $L_k = L_{\alpha_1} \times L_{\alpha_2} \times L_{\alpha_3} \times \cdots \times L_{\alpha_d}$
◮ $\tilde O(p^{\lceil d/2 \rceil})$ attack
Generalizations of the Legendre PRF: Higher-degree Legendre PRF, weak keys
◮ Weak key when $x^d + k_{d-1}x^{d-1} + \ldots + k_1 x + k_0$ is reducible
◮ Worst case: two factors of equal degree, $L_k(x) = L_{k_1}(x)\, L_{k_2}(x)$ with $k_1, k_2 \in \mathbb{F}_p^{d/2}$
◮ Attack: find collision between $L_k([m])\, L_{k_1}([m])$ and $L_{k_2}([m])$
[Figure: attack complexity (log scale, 0 to 30) versus degree (0 to 30), one curve per fraction of keys: 20%, 50%, 70%, 90%, 100%]
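The weak-key collision attack above (and the product structure of the preceding security example) for the smallest case $d = 2$, as an added example that is not the authors' code: when the key polynomial splits into two linear factors, multiplying the queried $L_k([m])$ by a candidate $L_{b_1}([m])$ leaves $L_{b_2}([m])$, which is found in a table of all $L_c([m])$, i.e. $\tilde O(p^{\lceil d/2 \rceil}) = \tilde O(p)$ work. The prime and the weak key are constructed for illustration.

```python
# Added example (not the authors' code): the weak-key attack on the degree-2
# Legendre PRF for a key whose polynomial splits, x^2 + k1 x + k0 = (x + b1)(x + b2),
# so L_k(x) = L_{b1}(x) L_{b2}(x). Meet in the middle over the m queried outputs:
# tabulate L_c([m]) for every c in F_p, then look up L_k([m]) * L_{b1}([m]).

def legendre(a, p):
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def L2(k, x, p):
    """Degree-2 Legendre PRF with key k = (k0, k1): ((x^2 + k1 x + k0)/p)."""
    k0, k1 = k
    return legendre(x * x + k1 * x + k0, p)

def split_key(outputs, p, m):
    """Recover (b1, b2) from the queried outputs L_k([2m]) when the key is weak;
    the first m outputs drive the collision search, the rest confirm it.
    Returns None when no factorisation is found (key not weak)."""
    table = {tuple(legendre(x + c, p) for x in range(m)): c for c in range(p)}
    for b1 in range(p):
        # Off its root, L_{b1}(x) in {-1, 1} squares to 1, so multiplying
        # L_k([m]) by L_{b1}([m]) strips the first factor and leaves L_{b2}([m]).
        cand = tuple(outputs[x] * legendre(x + b1, p) for x in range(m))
        b2 = table.get(cand)
        if b2 is None:
            continue
        # Confirm on the remaining outputs to rule out a chance collision.
        if all(legendre(x + b1, p) * legendre(x + b2, p) == v
               for x, v in enumerate(outputs)):
            return tuple(sorted((b1, b2)))
    return None

if __name__ == "__main__":
    p, m = 1009, 24
    b1, b2 = 123, 456                                  # constructed weak key
    k = ((b1 * b2) % p, (b1 + b2) % p)                 # (k0, k1)
    outputs = [L2(k, x, p) for x in range(2 * m)]
    print(split_key(outputs, p, m))                    # (123, 456)
```

For an irreducible key polynomial (for example $x^2 - 11$ over $\mathbb{F}_{1009}$, where 11 is a non-residue) no candidate pair survives the confirmation step and the function returns None, which is exactly the non-weak-key case the slide separates from the reducible one.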
Generalizations of the Legendre PRF: Jacobi PRF
◮ Let $p, q > 2$ be primes. Jacobi symbol of $a \in \mathbb{Z}/(pq)\mathbb{Z}$: $\left(\frac{a}{pq}\right) = \left(\frac{a}{p}\right)\left(\frac{a}{q}\right)$
◮ Observation: $\left(\frac{k + px}{pq}\right) = \left(\frac{k}{p}\right)\left(\frac{k + px}{q}\right) = \left(\frac{k}{p}\right)\left(\frac{p}{q}\right)\left(\frac{k/p + x}{q}\right)$
◮ Attack:
  1. Use attack on Legendre PRF to obtain $k \bmod q$
  2. Use attack on Legendre PRF to obtain $k \bmod p$
  3. Apply the Chinese Remainder Theorem
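The three-step Jacobi PRF attack above, as an added example that is not the authors' code: querying at multiples of $p$ turns the Jacobi PRF into a Legendre PRF modulo $q$ with key $k/p$ and a constant unknown sign, and symmetrically for multiples of $q$; the two residues are then combined by the CRT. The primes and key are constructed, and because they are tiny the two Legendre-PRF recoveries are done by exhaustive search standing in for the table attack.

```python
# Added example (not the authors' code): attacking the Jacobi PRF
# J_k(x) = ((x + k)/pq) through its reduction to the Legendre PRF. Queried at
# multiples of p, ((k + p x)/pq) = (k/p)(p/q)((k/p + x)/q) is a Legendre PRF mod q
# with key k/p and a constant sign; symmetrically for multiples of q. Toy sizes,
# so the two Legendre-PRF key recoveries are brute-forced instead of tabulated.

def legendre(a, p):
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def jacobi(a, p, q):
    """Jacobi symbol (a/pq) = (a/p)(a/q) for the two-prime modulus."""
    return legendre(a, p) * legendre(a, q)

def J(k, x, p, q):
    """Jacobi PRF J_k(x) = ((x + k)/pq)."""
    return jacobi(x + k, p, q)

def recover_mod(oracle, r, s, m):
    """Recover k mod r from J_k(s x), x < m, where {r, s} = {p, q}. The projected
    sequence is sign * ((c + x)/r) with c = k/s mod r and sign = (k/s)(s/r);
    the sign is unknown, so match up to negation. Assumes gcd(k, pq) = 1."""
    proj = [oracle(s * x) for x in range(m)]
    for c in range(r):
        seq = [legendre(c + x, r) for x in range(m)]
        if seq == proj or seq == [-v for v in proj]:
            return (c * s) % r          # c = k/s (mod r)  =>  k = c*s (mod r)
    return None

def crt(k_p, p, k_q, q):
    """Chinese Remainder Theorem: the unique k mod pq with the two residues."""
    return (k_p + p * ((k_q - k_p) * pow(p, -1, q) % q)) % (p * q)

def recover_jacobi_key(oracle, p, q, m):
    """Steps 1-3 from the slides: k mod q, k mod p, then CRT. Uses 2m queries."""
    k_q = recover_mod(oracle, q, p, m)
    k_p = recover_mod(oracle, p, q, m)
    return crt(k_p, p, k_q, q)

if __name__ == "__main__":
    p, q, k, m = 1009, 1013, 123456, 40                 # constructed toy instance
    oracle = lambda x: J(k, x, p, q)                     # the PRF under attack
    print(recover_jacobi_key(oracle, p, q, m))           # 123456
```

Only $2m$ chosen queries are needed in total, and each half of the attack sees a sequence of length $m = \Omega(\log q)$ resp. $\Omega(\log p)$, which is what makes the sign-tolerant match unambiguous.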