
Showing papers in "Journal of Mathematical Cryptology in 2015"


Journal ArticleDOI
TL;DR: In this article, the authors present hardness results for concrete instances of LWE and give concrete estimates for various families of instances, provide a Sage module for computing these estimates and highlight gaps in the knowledge about algorithms for solving the Learning with Errors problem.
Abstract: The Learning with Errors (LWE) problem has become a central building block of modern cryptographic constructions. This work collects and presents hardness results for concrete instances of LWE. In particular, we discuss algorithms proposed in the literature and give the expected resources required to run them. We consider both generic instances of LWE as well as small secret variants. Since for several methods of solving LWE we require a lattice reduction step, we also review lattice reduction algorithms and use a refined model for estimating their running times. We also give concrete estimates for various families of LWE instances, provide a Sage module for computing these estimates and highlight gaps in the knowledge about algorithms for solving the Learning with Errors problem.

412 citations


Journal ArticleDOI
TL;DR: It is proved that the round functions of the KASUMI block cipher for odd and even round type generate the alternating group on the message space under the assumption of independent round keys.
Abstract: We show that the round functions of the KASUMI block cipher for odd and even round type generate the alternating group on the message space. Moreover, under the assumption of independent round keys, we prove that also the KASUMI two-round functions and the KASUMI encryption functions generate the alternating group.

13 citations


Journal ArticleDOI
TL;DR: The first fully homomorphic symmetric encryption scheme discussed by the authors, Matrix Operation for Randomization or Encryption (MORE), was proposed by Kipnis and Hibshoosh.
Abstract: The fully homomorphic symmetric encryption scheme MORE encrypts keys by conjugation with a random invertible matrix over an RSA modulus. We provide a two-known-ciphertexts cryptanalysis recovering a linear dependence among the two encrypted keys.

Authors: Boaz Tsaban and Noam Lifshitz

1. The FHE scheme MORE

In their paper [1], Kipnis and Hibshoosh propose, among other things, to use the following type of fully homomorphic encryption (FHE) of keys, which they named Matrix Operation for Randomization or Encryption (MORE). Let N be an RSA modulus. The secret key is an invertible matrix $A \in \mathrm{GL}_2(\mathbb{Z}_N)$. The scheme only encrypts random elements $k \in \mathbb{Z}_N$, and is constrained not to encrypt the same element twice. The encryption is randomized. To encrypt a key k, choose a random secret $s \in \mathbb{Z}_N$, and output

$E_A(k) := A^{-1} \begin{pmatrix} s & 0 \\ 0 & k \end{pmatrix} A.$

To decrypt, conjugate by $A^{-1}$ instead of A. It is immediate that this is a fully homomorphic function of k. This scheme is proved to be secure in the sense that, given encryptions of uniformly random, independent keys $k_1, \ldots, k_n$, for arbitrary n, one can learn nothing about the key $k_1$ [1, page 12]. A second FHE proposed in [1], Polynomial Operation for Randomization or Encryption (PORE), is shown there to be equivalent to MORE. An application to signatures is provided in [1], but Hibshoosh reported to us that this specific application has in the meanwhile been cryptanalyzed.

2. Cryptanalysis of MORE

We do not invalidate the Kipnis-Hibshoosh proof of security. But we identify another potential problem with improper uses of this scheme.

Lemma 2.1. A 2 × 2 matrix commutes with all diagonal matrices if and only if it is diagonal.

Proof. It is necessary that C commutes with the basis matrix $E_{11}$, which implies that the off-diagonal entries of C are 0. Thus, C is diagonal. Being diagonal is also sufficient for C commuting with all diagonal matrices.

Lemma 2.2. Each matrix A with nonzero diagonal entries is of the form $\begin{pmatrix} a & 0 \\ 0 & d \end{pmatrix} \begin{pmatrix} 1 & * \\ * & 1 \end{pmatrix}$.

Proof. We have that $\begin{pmatrix} a & b \\ c & d \end{pmatrix} = \begin{pmatrix} a & 0 \\ 0 & d \end{pmatrix} \begin{pmatrix} 1 & b/a \\ c/d & 1 \end{pmatrix}$.

The cryptanalysis. Let A be the secret matrix. We may assume that the diagonal entries of A are nonzero, and thus write

10 citations


Journal ArticleDOI
TL;DR: In this article, the authors considered the problem of private swarm computing, where n agents wish to securely and distributively perform a computation on common inputs, in such a way that even if the entire memory contents of some of them are exposed, no information is revealed about the state of the computation.
Abstract: In the problem of private "swarm" computing, n agents wish to securely and distributively perform a computation on common inputs, in such a way that even if the entire memory contents of some of them are exposed, no information is revealed about the state of the computation. Recently, Dolev, Garay, Gilboa and Kolesnikov [ICS 2011] considered this problem in the setting of information-theoretic security, showing how to perform such computations on input streams of unbounded length. The cost of their solution, however, is exponential in the size of the Finite State Automaton (FSA) computing the function. In this work we are interested in efficient (i.e., polynomial time) computation in the above model, at the expense of minimal additional assumptions. Relying on the existence of one-way functions, we show how to process unbounded inputs (but of course, polynomial in the security parameter) at a cost linear in m, the number of FSA states. In particular, our algorithms achieve the following: · In the case of (n,n)-reconstruction (i.e., in which all n agents participate in the reconstruction of the distributed computation) and at most n−1 agents are corrupted, the agent storage, the time required to process each input symbol, and the time complexity for reconstruction are all O(mn). · In the case of (n−t,n)-reconstruction (where only n−t agents take part in the reconstruction) and at most t agents are corrupted, the agents' storage and time required to process each input symbol are $O(m{n-1 \choose n-t})$. The complexity of reconstruction is O(mt). We achieve the above through a carefully orchestrated use of pseudo-random generators and secret-sharing, and in particular a novel share re-randomization technique which might be of independent interest.

7 citations


Journal ArticleDOI
TL;DR: In this article, a variant of Diem's O~(q)">O˜(q)-O´O`O''O'' O´O'' index calculus algorithm was proposed to solve the discrete logarithm problem in Jacobians of genus 3.33 non-hyperelliptic curves over a finite field.
Abstract: In this paper, we present a variant of Diem’s O~(q)">O˜(q)O~(q) index calculus algorithm to attack the discrete logarithm problem (DLP) in Jacobians of genus 3">33 non-hyperelliptic curves over a finite field Fq">FqFq . We implement this new variant in C++ and study the complexity in both theory and practice, making the logarithmic factors and constants hidden in the O~">O˜O~ -notation precise. Our variant improves the computational complexity at the cost of a moderate increase in memory consumption, but we also improve the computational complexity even when we limit the memory usage to that of Diem’s original algorithm. Finally, we examine how parallelization can help to reduce both the memory cost per computer and the running time for our algorithms.

7 citations


Journal ArticleDOI
TL;DR: This work presents three aggregation protocols inspired by three natural key pre-distribution schemes for linear networks that are able to detect malicious behavior as it occurs, allowing the protocol to be aborted early, thereby conserving energy in the remaining nodes.
Abstract: A sensor network is a network comprised of many small, wireless, resource-limited nodes that sense data about their environment and report readings to a base station. One technique to conserve power in a sensor network is to aggregate sensor readings hop-by-hop as they travel towards a base station, thereby reducing the total number of messages required to collect each sensor reading. In an adversarial setting, the ability of a malicious node to alter this aggregate total must be limited. We present three aggregation protocols inspired by three natural key pre-distribution schemes for linear networks. Assuming no more than k consecutive nodes are malicious, each of these protocols limits the capability of a malicious node to altering the aggregate total by at most a single valid sensor reading. Additionally, our protocols are able to detect malicious behavior as it occurs, allowing the protocol to be aborted early, thereby conserving energy in the remaining nodes. A rigorous proof of security is given for each protocol. We then demonstrate how to extend our linear protocols to tree-based topologies, thereby allowing linear-based approaches to be applied in a much wider range of network topologies.

6 citations


Journal ArticleDOI
TL;DR: In this paper, the authors investigated security properties of the Anshel-Anshel-Goldfeld commutator key establishment protocol used with certain polycyclic groups and showed that despite low success of the length based attack, the protocol can be broken by a deterministic polynomial-time algorithm.
Abstract: We investigate security properties of the Anshel-Anshel-Goldfeld commutator key-establishment protocol used with certain polycyclic groups. We show that, despite the low success of the length-based attack, the protocol can be broken by a deterministic polynomial-time algorithm.

6 citations


Journal ArticleDOI
TL;DR: Experimental results show that polycyclic groups could be a potential platform for some cryptosystems based on conjugacy search problem, such as non-commutative Diffie–Hellman, El Gamal and Cramer–Shoup key-exchange protocols.
Abstract: The Anshel–Anshel–Goldfeld (AAG) key-exchange protocol was implemented and studied with the braid groups as its underlying platform. The length-based attack, introduced by Hughes and Tannenbaum, has been used to cryptanalyze the AAG protocol in this setting. Eick and Kahrobaei suggest using the polycyclic groups as a possible platform for the AAG protocol. In this paper, we apply several known variants of the length-based attack against the AAG protocol with the polycyclic group as the underlying platform. The experimental results show that, in these groups, the implemented variants of the length-based attack are unsuccessful in the case of polycyclic groups having high Hirsch length. This suggests that the length-based attack is insufficient to cryptanalyze the AAG protocol when implemented over this type of polycyclic groups. This implies that polycyclic groups could be a potential platform for some cryptosystems based on the conjugacy search problem, such as non-commutative Diffie–Hellman, El Gamal and Cramer–Shoup key-exchange protocols. Moreover, we compare for the first time the success rates of the different variants of the length-based attack. These experiments show that, in these groups, the memory length-based attack introduced by Garber, Kaplan, Teicher, Tsaban and Vishne does better than the other variants proposed thus far in this context.

6 citations


Journal ArticleDOI
TL;DR: This paper determines exactly which access structures from those classes of access structures are indecomposable and obtains an if-and-only-if characterisation of ideal weighted secret sharing schemes.
Abstract: Beimel, Tassa and Weinreb [SIAM J. Discrete Math. 22 (2008), 360–397] and Farràs and Padró [Lecture Notes in Comput. Sci. 5978, Springer, 2010, 219–236] partially characterised access structures of ideal weighted secret sharing schemes in terms of the operation of composition. They proved that any weighted ideal access structure is a composition of indecomposable ones. Farràs and Padró gave a list of seven classes of access structures – one unipartite, three bipartite and three tripartite – to which all weighted ideal indecomposable access structures may belong. In this paper we determine exactly which access structures from those classes are indecomposable. We also determine which compositions of indecomposable weighted access structures are again weighted and obtain an if-and-only-if characterisation of ideal weighted secret sharing schemes. We use game-theoretic techniques to achieve this.

3 citations


Journal ArticleDOI
TL;DR: It is proved that non-commutativity can be an essential ingredient of security in the sense that, in the class of algorithms constructed, under some commutativity assumptions on the matrices involved, the authors can find a breaking strategy, but dropping these assumptions they cannot, even if they assume, as in all the attacks discussed in the present paper, that discrete logarithms have zero cost.
Abstract: In the papers [New features for public key exchange algorithms, in: 18-th International ICWG Meeting (Krakow 2011)], [Strongly asymmetric PKD cryptographic algorithms: An implementation using the matrix model, in: Proceedings ISEC Conference (Shizuoka 2011)] a new scheme to produce public key agreement (PKA) algorithms was proposed and some examples based on polynomials (toy models) were discussed. In the present paper we introduce a non-commutative realization of the above mentioned scheme and prove that non-commutativity can be an essential ingredient of security in the sense that, in the class of algorithms constructed, under some commutativity assumptions on the matrices involved, we can find a breaking strategy, but dropping these assumptions we cannot, even if we assume, as we do in all the attacks discussed in the present paper, that discrete logarithms have zero cost.

2 citations


Journal ArticleDOI
TL;DR: In this paper, a new method of choosing primitive elements for Brezing–Weng families of pairing-friendly elliptic curves with small rho-value was presented, and the authors improved on the previously-known best rho-values of families for the cases k = 16, 22, 28 and 46.
Abstract: In this paper we present a new method of choosing primitive elements for Brezing–Weng families of pairing-friendly elliptic curves with small rho-value, and we improve on previously-known best rho-values of families [10] for the cases k = 16, 22, 28 and 46. Our construction uses fixed discriminants.

Journal ArticleDOI
TL;DR: There is only one equivalence class of compression functions based on two n-bit permutations and XOR-based mixing functions achieving optimal collision security, and additionally $\min\{2^{\alpha}, 2^{n/2}\}$ preimage security, which is well-suited for wide-pipe hashing.
Abstract: We consider the generic design of compression functions based on two n-bit permutations and XOR-based mixing functions. It is known that any such function mapping n + α to α bits, with 1 ≤ α ≤ n, can achieve at most $\min\{2^{\alpha/2}, 2^{n/2-\alpha/4}\}$ collision security. Using techniques similar to Mennink and Preneel (CRYPTO 2012), we show that there is only one equivalence class of these functions achieving optimal collision security, and additionally $\min\{2^{\alpha}, 2^{n/2}\}$ preimage security. The equivalence class compares well with existing functions based on two or three permutations, and is well-suited for wide-pipe hashing.

Journal ArticleDOI
TL;DR: A detailed theory for the monomial 3-rotation symmetric cubic functions is developed, extending earlier work for the case k = 2 of these functions.
Abstract: Rotation symmetric Boolean functions have been extensively studied in the last 15 years or so because of their importance in cryptography and coding theory. Until recently, very little was known about such basic questions as when two such functions are affine equivalent. This question is important in applications, because almost all important properties of Boolean functions (such as Hamming weight, nonlinearity, etc.) are affine invariants, so when searching a set for functions with useful properties, it suffices to consider just one function in each equivalence class. This can greatly reduce computation time. Even for quadratic functions, the analysis of affine equivalence was only completed in 2009. The much more complicated case of cubic functions was completed in the special case of affine equivalence under permutations for monomial rotation symmetric functions in two papers from 2011 and 2014. There has also been recent progress for some special cases for functions of degree > 3. In 2007 it was found that functions satisfying a new notion of k-rotation symmetry for k > 1 (where the case k = 1 is ordinary rotation symmetry) were of substantial interest in cryptography and coding theory. Since then several researchers have used these functions for k = 2 and 3 to study such topics as construction of bent functions, nonlinearity and covering radii of various codes. In this paper we develop a detailed theory for the monomial 3-rotation symmetric cubic functions, extending earlier work for the case k = 2 of these functions.

Journal ArticleDOI
TL;DR: In this article, the problem of key predistribution in a network of n users where pairwise keys are computed by hashing users' IDs along with secret information that has been (pre)distributed to the network users by a trusted entity was studied.
Abstract: We study a method for key predistribution in a network of n users where pairwise keys are computed by hashing users’ IDs along with secret information that has been (pre)distributed to the network users by a trusted entity. A communication graph G can be specified to indicate which pairs of users should be able to compute keys. We determine necessary and sufficient conditions for schemes of this type to be secure. We also consider the problem of minimizing the storage requirements of such a scheme; we are interested in the total storage as well as the maximum storage required by any user. Minimizing the total storage is NP-hard, whereas minimizing the maximum storage required by a user can be computed in polynomial time.

Journal ArticleDOI
TL;DR: This work extends previous results by considering the case when these sets of communication wires may have arbitrary size, providing necessary and sufficient conditions for both one-way and two-way communication.
Abstract: We investigate the problem of secure message transmission in the presence of a "fully generalised" adversary, who disrupts and listens to separate sets of communication wires. We extend previous results by considering the case when these sets may have arbitrary size, providing necessary and sufficient conditions for both one-way and two-way communication.

Journal ArticleDOI
TL;DR: This work extends the linearized binomial attack to multivariate quadratic cryptosystems over 𝔽p for any prime p and redefine the weak Dembowski–Ostrom polynomials for general case to give a general answer to the conjecture stated.
Abstract: T. Harayama and D. K. Friesen [J. Math. Cryptol. 1 (2007), 79–104] proposed the linearized binomial attack for multivariate quadratic cryptosystems and introduced weak Dembowski–Ostrom (DO) polynomials in this framework over the finite field 𝔽2. We extend the linearized binomial attack to multivariate quadratic cryptosystems over 𝔽p for any prime p and redefine the weak DO polynomials for the general case. We identify infinite classes of weak DO polynomials for these systems by considering highly degenerate quadratic forms over algebraic function fields and Artin–Schreier type curves to achieve our results. This gives a general answer to the conjecture stated by Harayama and Friesen and also a partial enumeration of weak DO polynomials over finite fields.