Improved Cryptanalysis of the AJPS Mersenne Based Cryptosystem
Jean-Sébastien Coron and Agnese Gini, University of Luxembourg
June 27, 2019, NutMiC 1 / 20
Timeline
2016: NIST calls for quantum-resistant cryptographic algorithms for new public-key crypto standards.
2017: Aggarwal, Joux, Prakash, Santha propose "A new public-key cryptosystem via Mersenne numbers".
2017: Submission deadline for Round 1 of the NIST PQC "Competition": 69 of 82 submissions accepted, more than 40% lattice-based, including Mersenne-756839.
2019: Round 2 candidates announced: 26 selected, ∼46% lattice-based, not including Mersenne-756839. 2 / 20
Ring + Small Noise
◮ Let $R := \mathbb{Z}/p\mathbb{Z}$, where $n$ is a prime and $p = 2^n - 1$ a Mersenne prime.
◮ There is a bijection between integers mod $p$ and strings of length $n$ (up to $1^n \simeq 0^n$).
◮ Reducing mod $p$ preserves low Hamming weight strings.
Example: $n = 7$, $p = 2^7 - 1$: $2^{19} + 2 \in \mathbb{Z}$ reduces to $2^5 + 2 = 34 \in R$. 3 / 20
Ring + Small Noise
(figure: $n = 31$, $p = 2^{31} - 1$, a low-weight string multiplied by $2^4$)
◮ $HW(2^i \cdot A) = HW(A)$ 4 / 20
Ring + Small Noise
(figure: addition of two low-weight strings)
◮ $HW(A + B) \le HW(A) + HW(B)$
◮ $HW(A \cdot B) \le HW(A)\,HW(B)$
◮ $HW(-B) = n - HW(B)$ 5 / 20
AJPS-2
Setup: $n$, $p = 2^n - 1$ prime, $h = \lambda \in \mathbb{N}$, $(E, D)$ an error correcting code where $E : \{0,1\}^h \to \{0,1\}^n$.
KeyGen:
- $F, G \in R$ random such that $HW(F) = HW(G) = h$
- $R \in R$ random
- $pk = (R, F \cdot R + G) = (R, T)$ and $sk = F$
Encrypt: given $m \in \{0,1\}^h$:
- generate random $A, B_1, B_2 \in R$ such that $HW(A) = HW(B_1) = HW(B_2) = h$
- $(C_1, C_2) := (A \cdot R + B_1,\ (A \cdot T + B_2) \oplus E(m))$
Decrypt: $m = D((F \cdot C_1) \oplus C_2)$
Note: $F \cdot C_1 = A \cdot F \cdot R + F \cdot B_1 = A \cdot (T - G) + F \cdot B_1 = (A \cdot T + B_2) - A \cdot G - B_2 + B_1 \cdot F$. 6 / 20
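Added example (not from the slides or the authors): a toy Python version of the ring arithmetic and of AJPS-2 key generation and encryption, with the instance of slide 7 and a check of the $F \cdot C_1$ identity in the note. Function names are assumptions, and the code sidesteps the error correcting code by encrypting $m = 0$ only, assuming $E(0) = 0$ as in the attack setting.

```python
# Added example (not the authors' code): toy AJPS-2 arithmetic in R = Z/pZ, p = 2^n - 1,
# the instance of slide 7, and a check of the F*C1 identity from the note on slide 6.
import random

def hw(x):
    """Hamming weight of the n-bit string representing x (x already reduced mod p)."""
    return bin(x).count("1")

def reduce_mod(x, n):
    """Slide 3: 2^19 + 2 reduces to 2^5 + 2 = 34 for n = 7, since 2^n = 1 mod p."""
    return x % ((1 << n) - 1)

def rand_low_hw(n, h, rng):
    """Uniform n-bit string of Hamming weight exactly h."""
    return sum(1 << i for i in rng.sample(range(n), h))

def hw_lemmas_hold(n, h, seed=0):
    """Slides 4-5: HW(2^i A) = HW(A), HW(A+B) <= HW(A)+HW(B), HW(AB) <= HW(A)HW(B), HW(-B) = n-HW(B)."""
    rng, p = random.Random(seed), (1 << n) - 1
    A, B, i = rand_low_hw(n, h, rng), rand_low_hw(n, h, rng), rng.randrange(n)
    return (hw((A << i) % p) == hw(A) and hw((A + B) % p) <= hw(A) + hw(B)
            and hw((A * B) % p) <= hw(A) * hw(B) and hw((-B) % p) == n - hw(B))

def slide7_instance(n=31):
    """F, G of weight 3 and the R given on slide 7; T = F*R + G mod p is the public key."""
    p = (1 << n) - 1
    F, G = 2**24 + 2**19 + 2, 2**18 + 2**7 + 2**5
    R = sum(2**e for e in (30, 25, 23, 21, 19, 15, 13, 11, 10, 7, 6, 5, 3, 1))
    return (R, (F * R + G) % p), (F, G)

def keygen(n, h, rng):
    p = (1 << n) - 1
    F, G, R = rand_low_hw(n, h, rng), rand_low_hw(n, h, rng), rng.randrange(p)
    return (R, (F * R + G) % p), (F, G)          # pk = (R, T), sk = F (G is kept for the check)

def encrypt_zero(pk, n, h, rng):
    """Encrypt m = 0 assuming E(0) = 0, as in the attack setting; the randomness is also returned."""
    p, (R, T) = (1 << n) - 1, pk
    A, B1, B2 = (rand_low_hw(n, h, rng) for _ in range(3))
    return ((A * R + B1) % p, (A * T + B2) % p), (A, B1, B2)

def decryption_identity_holds(n, h, seed=0):
    """Slide 6 note: F*C1 = (A*T + B2) - A*G - B2 + B1*F (mod p), the value XORed with C2 before decoding."""
    rng, p = random.Random(seed), (1 << n) - 1
    (R, T), (F, G) = keygen(n, h, rng)
    (C1, C2), (A, B1, B2) = encrypt_zero((R, T), n, h, rng)
    return (F * C1) % p == ((A * T + B2) - A * G - B2 + B1 * F) % p
```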
Mersenne Low Hamming Combination Search Problem (MLHCSP)
Let $p = 2^n - 1$ be an $n$-bit Mersenne prime, $h$ be an integer, $R$ be a uniformly random $n$-bit string and $F, G$ having Hamming weight $h$. Given $(R, FR + G)$, find $F, G$.
Example: $F = 2^{24} + 2^{19} + 2$ and $G = 2^{18} + 2^7 + 2^5$,
$R = 2^{30} + 2^{25} + 2^{23} + 2^{21} + 2^{19} + 2^{15} + 2^{13} + 2^{11} + 2^{10} + 2^7 + 2^6 + 2^5 + 2^3 + 2$,
$T = FR + G$ (figure: the bit strings of $F$, $G$, $R$ and $T$). 7 / 20
Weak-key Attack, Beunardeau et al.
Consider the lattice $L$ generated by the rows of the matrix
$$\begin{pmatrix} 1 & -R \\ 0 & p \end{pmatrix}$$
and $T = FR + G \bmod p = FR + G + Kp$:
◮ $[0, T] - [F, G] = -F[1, -R] + K[0, p] \in L$,
◮ if $F, G < \sqrt{p}$ ⇒ $[0, T]$ is close to $L$,
◮ if $F, G < \sqrt{p}$ this is a Closest Vector Problem in a lattice of dimension 2.
◮ This enables us to recover $F$ and $G$.
With
$$L' = \begin{pmatrix} 2^{n/2} & 0 & T \\ 0 & 1 & -R \\ 0 & 0 & p \end{pmatrix}$$
- $L'$ contains a vector of norm $\simeq (\mathrm{vol}\, L')^{1/3} \simeq 2^{n/2}$,
- $\|[2^{n/2}, F, G]\| \simeq 2^{n/2}$. 8 / 20
- $HW(F) = h$ ⇒ the probability that $F < 2^{n/2}$ is $2^{-h}$.
- $HW(G) = h$ ⇒ the probability that $G < 2^{n/2}$ is $2^{-h}$.
(figure: the bit strings of $F$ and $G$)
We can recover the private key with probability $2^{-2h}$. 9 / 20
◮ The previous attack is a weak-key attack: it recovers sk from pk with probability $2^{-2h}$ over the public keys.
◮ Beunardeau et al. showed that by using random partitions of the strings $F$ and $G$, for any pk one can recover the secret $F$ and $G$ with complexity $O(2^{2h})$. 10 / 20
Our New Attack
Assume that $m = 0$ and $E(m) = 0$. Then $C_1 = A \cdot R + B_1$ and $C_2 = A \cdot T + B_2$ (the term $E(m)$ vanishes). Let $L$ be the lattice generated by the rows of
$$\begin{pmatrix} 2^{2n/3} & 0 & C_1 & C_2 \\ 0 & 1 & -R & -T \\ 0 & 0 & p & 0 \\ 0 & 0 & 0 & p \end{pmatrix}$$
◮ $L$ contains vectors of norm $\simeq (\mathrm{vol}\, L)^{1/4} \simeq 2^{2n/3}$,
◮ $s = [2^{2n/3}, A, B_1, B_2] \in L$,
◮ if $A, B_1, B_2 < 2^{2n/3}$ ⇒ $\|s\| \simeq 2^{2n/3}$. 11 / 20
◮ $HW(A) = h$ ⇒ the probability that $A < 2^{2n/3}$ is $(2/3)^h$.
◮ $HW(B_1) = h$ ⇒ the probability that $B_1 < 2^{2n/3}$ is $(2/3)^h$.
◮ $HW(B_2) = h$ ⇒ the probability that $B_2 < 2^{2n/3}$ is $(2/3)^h$.
(figure: the bit string of $A$)
We can recover $A, B_1, B_2$ with probability $(2/3)^{3h}$. 12 / 20
Small summary
Beunardeau et al. weak-key attack:
- it recovers the secret key,
- $F, G < 2^{n/2}$,
- the probability is $O(2^{-2h})$.
Our attack:
- it distinguishes between $m = 0$ and $m \neq 0$,
- $A, B_1, B_2 < 2^{2n/3}$,
- the probability is $O((2/3)^{3h}) \simeq O(2^{-1.75h})$.
Using random partitions as in Beunardeau et al., our attack complexity becomes $O(2^{1.75h})$ instead of $O(2^{2h})$. 13 / 20
Case 1: $n = 31$, $h = 1$. Suppose we sampled $B_1, B_2 < 2^{2n/3}$ and $A = 2^{23} > 2^{2n/3}$. Since $A = 2^7 \cdot 2^{16}$, $s' = [2^{2n/3}, 2^7, B_1, B_2]$ is a candidate shortest vector of
$$\begin{pmatrix} 2^{2n/3} & 0 & C_1 & C_2 \\ 0 & 1 & -R \cdot 2^{16} & -T \cdot 2^{16} \\ 0 & 0 & p & 0 \\ 0 & 0 & 0 & p \end{pmatrix}$$
(figure: the bit strings of $A$ and $A \cdot 2^{-16}$). 14 / 20
Case 2: Suppose $h = 4$ and $A$ is as in the figure, so that for any shift it is not possible to recover $A, B_1, B_2$. Split in 16 + 15 bits: $A \to (x_1, x_2) = (129, 129)$ and $A = 129 \cdot 2^{16} + 129$. We have a representative of $A$ of lower norm but higher dimension. 15 / 20
$L_{\beta,P,Q,S} = \langle M_{\beta,P,Q,S} \rangle$, given $\beta \in \mathbb{Z} \setminus \{0\}$ and $P = (p_1, \dots, p_k)$, $Q = (q_1, \dots, q_\ell)$, $S = (s_1, \dots, s_j)$ three interval-like partitions of $[n]$, where the rows of $M_{\beta,P,Q,S}$ are (one row per chunk: $i = 1, \dots, k$ for $P$, $i = 2, \dots, \ell$ for $Q$, $i = 2, \dots, j$ for $S$):
$$
\begin{array}{c|ccc|cc}
\beta & 0 \cdots 0 & 0 \cdots 0 & 0 \cdots 0 & C_1 \cdot 2^{-q_1} & C_2 \cdot 2^{-s_1} \\
0 & I_k & 0 & 0 & -R \cdot 2^{p_i - q_1} & -T \cdot 2^{p_i - s_1} \\
0 & 0 & I_{\ell - 1} & 0 & -2^{q_i - q_1} & 0 \\
0 & 0 & 0 & I_{j - 1} & 0 & -2^{s_i - s_1} \\
0 & 0 & 0 & 0 & p & 0 \\
0 & 0 & 0 & 0 & 0 & p
\end{array}
$$
16 / 20
a) $L_{\beta,P,Q,S}$ is a full-rank lattice of dimension $d = k + \ell + j + 1$,
b) $\mathrm{vol}(L_{\beta,P,Q,S}) \simeq 2^{(2+t)n}$ where $\beta = 2^{tn}$,
c) we have to ensure that structural vectors are not shorter than our target secret vector,
d) we expect the entries of the target vector to be about the same size for a $\beta$-lucky tuple $(P, Q, S)$.
Then $k = \ell = j$ is a good choice, and in such a case
◮ $d = 3k + 1$,
◮ if the norm of the target vector is less than $2^{2n/3k}$ we have a lucky tuple. 17 / 20
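Added example (not the authors' code): the basis $M_{\beta,P,Q,S}$ of slide 16 built in Python for a constructed toy instance ($n = 31$, $m = 0$, $A = 129 \cdot 2^{16} + 129$ as in Case 2), with an explicit check that the target vector $(\beta, a_1, \dots, a_k, b_2, \dots, b_\ell, c_2, \dots, c_j, b_1, c_1)$ is an integer combination of the rows; with $P = Q = S$ trivial it is the $4 \times 4$ lattice of slide 11. Assumptions: a partition is encoded as the list of start bits of its chunks, $p_i, q_i, s_i$ are those start bits, $E(0) = 0$, and the function names are mine.

```python
# Added example (not the authors' code): the basis M_{beta,P,Q,S} of slide 16 for a toy instance,
# and an explicit check that the target vector is an integer combination of its rows. Assumed
# encoding: a partition is the list of the start bits of its chunks, lowest first (P = [0, 16]
# splits 31 bits into 16 + 15), and p_i, q_i, s_i are those start bits.
import random

def split(x, starts, n):
    """Chunks x_i with x = sum_i x_i * 2^starts[i]; slide 15: 129*2^16 + 129 -> [129, 129]."""
    ends = starts[1:] + [n]
    return [(x >> s) & ((1 << (e - s)) - 1) for s, e in zip(starts, ends)]

def basis(n, beta, C1, C2, R, T, P, Q, S):
    p = (1 << n) - 1
    rot = lambda e: 1 << (e % n)          # 2^e mod p for any integer e, since 2^n = 1 in R
    k, l, j = len(P), len(Q), len(S)
    d = k + l + j + 1                     # full rank, dimension d (slide 17, item a)
    def row(idx, val, c1, c2):            # unit entry at idx, then the two "C" columns mod p
        r = [0] * d
        r[idx] = val
        r[d - 2], r[d - 1] = c1 % p, c2 % p
        return r
    M = [row(0, beta, C1 * rot(-Q[0]), C2 * rot(-S[0]))]
    M += [row(1 + i, 1, -R * rot(pi - Q[0]), -T * rot(pi - S[0])) for i, pi in enumerate(P)]
    M += [row(1 + k + i, 1, -rot(qi - Q[0]), 0) for i, qi in enumerate(Q[1:])]
    M += [row(k + l + i, 1, 0, -rot(si - S[0])) for i, si in enumerate(S[1:])]
    M += [[0] * (d - 2) + [p, 0], [0] * (d - 2) + [0, p]]
    return M                              # P = Q = S = [0] gives the 4x4 lattice of slide 11

def target_in_lattice(n, beta, C1, C2, R, T, P, Q, S, A, B1, B2):
    p = (1 << n) - 1
    M = basis(n, beta, C1, C2, R, T, P, Q, S)
    a, b, c = split(A, P, n), split(B1, Q, n), split(B2, S, n)
    coeffs = [1] + a + b[1:] + c[1:]      # multipliers of every row except the two p-rows
    v = [sum(co * M[r][col] for r, co in enumerate(coeffs)) for col in range(len(M))]
    v[-2], v[-1] = v[-2] % p, v[-1] % p   # the p-rows absorb the multiples of p in the C columns
    return v == [beta] + a + b[1:] + c[1:] + [b[0], c[0]]

def toy_instance(n=31, h=4, seed=2019):
    """Constructed AJPS-2 instance with m = 0 (E(0) = 0 assumed) and A = 129*2^16 + 129 (slide 15)."""
    rng, p = random.Random(seed), (1 << n) - 1
    low_hw = lambda: sum(1 << i for i in rng.sample(range(n), h))
    F, G, R, B1, B2 = low_hw(), low_hw(), rng.randrange(p), low_hw(), low_hw()
    A, T = 129 * 2**16 + 129, (F * R + G) % p
    return dict(n=n, C1=(A * R + B1) % p, C2=(A * T + B2) % p, R=R, T=T, A=A, B1=B1, B2=B2)
```

The check only confirms the lattice's structure; finding the target vector by reduction is the part whose success probability slides 17 and 18 estimate.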
The success probability is roughly $\left(k \cdot \frac{2n}{3k} \cdot \frac{1}{n}\right)^{3h} \simeq 2^{-1.75h}$. 18 / 20