THE LINEAR DECOMPOSITION ATTACK. THE NONLINEAR DECOMPOSITION ATTACK. Russian Workshop on Complexity and Model Theory: Algebraic cryptology: methods of cryptanalysis via (non)linear decomposition and new protection against them. Moscow, June 9-11, 2019. Vitaly Roman'kov
Speaker: Vitaly Roman'kov, Dostoevsky Omsk State University, Omsk, Russia.
Goal of this talk. "Attack is the secret of defense; defense is the planning of an attack." (Sun Tzu, The Art of War). We present methods of linear and nonlinear algebraic cryptanalysis and show how to protect against them and against other methods based on linear algebra.
Part I. ALGEBRAIC CRYPTANALYSIS
THE METHODS OF LINEAR & NONLINEAR DECOMPOSITIONS IN ALGEBRAIC CRYPTANALYSIS
The linear decomposition attack: invention. The linear decomposition method in cryptanalysis and the corresponding linear decomposition attack were introduced by VR (2012-13) in: Cryptanalysis of some schemes applying automorphisms, Prikl. Diskr. Mat., 2013, No. 3 (2013), 35-51 (in Russian); Algebraic cryptography, Omsk, 2013 (in Russian); Linear decomposition method in analyzing hidden information protocols on algebraic platforms, Algebra and Logic, 54, No. 1 (2015), 81-87; and in a series of lectures at SYBECRYPT'15.
The linear decomposition attack: development. The method and the attack were further developed by VR and A. Myasnikov in A linear decomposition attack, Groups, Complexity, Cryptology, 2015, and in a number of other papers. The results are collected in the monograph "Essays in algebra and cryptology. Algebraic cryptanalysis", published by Dostoevsky OmSU Publishing House, 2018.
The linear decomposition attack: applications. Both the method and the attack were applied to the following cryptoschemes: Ko-Lee et al., Markov-Mikhalev et al., Gribov-Zolotykh et al., Rososhek, Harley, Megrelishvili et al., Mahalanobis, Kahrobaei-Shpilrain et al., Shpilrain-Ushakov, Andrecut, Alvares-Martines et al., Sakalauskas-Tvarijonas et al., Romanczuk-Ustimenko, Kurt, Fine-Kahrobaei et al., Stickel, Wang et al., Hecht, and so on.
General scheme. Let $G$ be a group and $\{g_1, \ldots, g_s\} \subseteq G$ a set of public/private elements. Alice and Bob sequentially publish elements of the form $\varphi(f)$, where $f \in G$ is a chosen or previously built element and $\varphi : G \to G$ is a private map. The exchanged key has the form $K = \varphi_l(\varphi_{l-1}(\ldots(\varphi_1(g))))$, where $g$ is one of the chosen elements. Specifically, $\varphi$ can be a one-side multiplication $g \mapsto ga$ or $g \mapsto ag$, a two-side multiplication $g \mapsto agb$, a conjugation $g \mapsto aga^{-1} = g^a$, the action of an (endo)automorphism $g \mapsto \alpha(g)$, and so on.
General scheme: version with two-side multiplications. We assume that the platform (semi)group $G$ is a subset of a finite-dimensional linear space $V$ over a constructive field $F$ (finite or infinite). Alice and Bob sequentially publish elements of the form $\varphi_{c,c'}(f) = cfc'$, $c, c' \in G$, where $f \in G$ is a given or previously built element. The parameters $c, c'$ are private. The exchanged key has the form $K = \varphi_{c_l, c'_l}(\varphi_{c_{l-1}, c'_{l-1}}(\ldots(\varphi_{c_1, c'_1}(g)))) = c_l c_{l-1} \cdots c_1 \, g \, c'_1 \cdots c'_{l-1} c'_l$.
General scheme using two-side multiplications (continued). We suppose that Alice chooses her parameters $(c, c') = (a, a')$ in a given finitely generated subgroup $A$, and Bob picks his parameters $(c, c') = (b, b')$ in a finitely generated subgroup $B$ of $G$. Usually $A$ and $B$ commute pointwise. Then, under some natural assumptions about $G$, $A$ and $B$, we show that an intruder can efficiently calculate the exchanged key $K$ without calculating the transformations used in the scheme. Note that Alice and Bob calculate the exchanged key $K$ from the public data and one of the two parts of the private data. We claim that, under some natural assumptions, $K$ can be efficiently calculated from the public data alone.
Cryptanalysis. Suppose that all main computations over $V$ can be done efficiently. Then every finite system of linear equations can be solved efficiently, so we can efficiently construct a basis $E = \{e_1, \ldots, e_s\}$ of the linear subspace $\mathrm{Lin}(AhA)$ spanned by all elements of the form $aha'$, $a, a' \in A$ (and similarly for $B$).
Cryptanalysis (continued). Let $v = \varphi_{a,a'}(u)$, where $a, a' \in A$ are Alice's private parameters. Then for every element of the form $w = \varphi_{b,b'}(u)$, where $b, b' \in B$ (in other words, $w \in BuB$), we can efficiently construct $z = \varphi_{a,a'}(w)$ using the linear structure of $V$.
Cryptanalysis: the theorem. Theorem. $v = aua'$, $w = bub'$ $\Rightarrow$ $z = awa' = abub'a'$ can be computed from $v$, $w$ and the public data. Proof. Obviously $v \in AuA \subseteq \mathrm{Lin}(AuA) = \mathrm{lin}(E)$, where $E = \{d_1 u d'_1, \ldots, d_r u d'_r\}$, $d_i, d'_i \in A$. By Gaussian elimination we efficiently obtain the unique expression $v = \sum_{i=1}^{r} \alpha_i \, d_i u d'_i$, $\alpha_i \in F$. We substitute $w$ for $u$ in the right-hand side. Since the elements of $A$ and $B$ pairwise commute, we obtain $\sum_{i=1}^{r} \alpha_i \, d_i w d'_i = \sum_{i=1}^{r} \alpha_i \, d_i b u b' d'_i = b \left( \sum_{i=1}^{r} \alpha_i \, d_i u d'_i \right) b' = bvb' = baua'b' = a(bub')a' = awa' = z$.
Examples. Example (Ko-Lee et al.). $G = B_n$ is one of the Artin braid groups (linear by the Krammer-Bigelow theorem, with an efficiently computable inverse). $g \in G$ is a public element, and $A, B \leq G$ are public pointwise commuting subgroups. Alice chooses $a \in A$ and publishes $aga^{-1}$; Bob picks $b \in B$ and publishes $bgb^{-1}$. The shared key is $K = abga^{-1}b^{-1} = bagb^{-1}a^{-1}$. Oscar constructs a basis $E$ of $\mathrm{Lin}(AgA)$ and then computes $K$; nevertheless, he computes neither $a$ nor $b$.
Example (Wang et al.). Public data: a group $G \subseteq V$, $h \in G$, finitely generated $A, B \leq G$ with $ab = ba$ for all $a \in A$, $b \in B$.
1. Alice chooses $c_1, c_2, d_1, d_2 \in A$, then computes and publishes $x = d_1 c_1 h c_2 d_2$.
2. Bob chooses $f_1, f_2, g_1, g_2, g_3, g_4 \in B$, then computes and publishes $y = g_1 f_1 h f_2 g_2$ and $w = g_3 f_1 x f_2 g_4$.
3. Alice picks $d_3, d_4 \in A$, then computes and publishes $z = d_3 c_1 y c_2 d_4$ and $u = d_1^{-1} w d_2^{-1}$.
4. Bob computes and publishes $v = g_1^{-1} z g_2^{-1}$.
5. Alice computes $K_A = d_3^{-1} v d_4^{-1} = c_1 f_1 h f_2 c_2$.
6. Bob computes $K_B = g_3^{-1} u g_4^{-1} = c_1 f_1 h f_2 c_2$.
7. The shared key: $K = K_A = K_B$.
Cryptanalysis of the Wang et al. protocol. The following transformations were used in the protocol: $\varphi_{d_1 c_1,\, c_2 d_2}$, $\varphi_{g_1 f_1,\, f_2 g_2}$, $\varphi_{g_3 f_1,\, f_2 g_4}$, $\varphi_{d_3 c_1,\, c_2 d_4}$, $\varphi^{-1}_{d_1, d_2}$, $\varphi^{-1}_{g_1, g_2}$ (1). By direct computation we get the expression $K = \varphi_{c_1 f_1,\, f_2 c_2}(h) = \varphi^{-1}_{d_1, d_2}\big(\varphi_{d_1 c_1,\, c_2 d_2}\big(\varphi^{-1}_{g_1, g_2}\big(\varphi_{g_1 f_1,\, f_2 g_2}(h)\big)\big)\big)$.
The outputs of the following transformations can be efficiently obtained by the rule of the theorem:
1. $y = \varphi_{g_1 f_1,\, f_2 g_2}(h)$ is public.
2. $v = \varphi^{-1}_{g_1, g_2}(z)$ and $y \in AzA$ $\Rightarrow$ $\varphi^{-1}_{g_1, g_2}(y) = f_1 h f_2$ is computable.
3. $x = \varphi_{d_1 c_1,\, c_2 d_2}(h)$ and $f_1 h f_2 \in BhB$ $\Rightarrow$ $\varphi_{d_1 c_1,\, c_2 d_2}(f_1 h f_2) = d_1 c_1 f_1 h f_2 c_2 d_2$ is computable.
4. $u = \varphi^{-1}_{d_1, d_2}(w)$ and $d_1 c_1 f_1 h f_2 c_2 d_2 \in BwB$ $\Rightarrow$ $\varphi^{-1}_{d_1, d_2}(d_1 c_1 f_1 h f_2 c_2 d_2) = c_1 f_1 h f_2 c_2 = K$ is computable.
The nonlinear decomposition attack. The nonlinear decomposition method in cryptanalysis and the corresponding nonlinear decomposition attack were introduced by VR (2016) in: A nonlinear decomposition attack, Groups, Complexity, Cryptology, V. 8, No. 2 (2016), 197-207. The results are collected in the monograph "Essays in algebra and cryptology. Algebraic cryptanalysis", published by Dostoevsky OmSU Publishing House, 2018.