M. Jurkiewicz,K. Prabucka

2024-10-08

Abstract:In this paper we construct a new efficient updatable encryption (UE) scheme based on FrodoPKE learning with errors key encapsulation. We analyse the security of the proposed scheme in the backward-leak uni-directional setting within the rand-ind-eu-cpa model. Since the underlying computationally hard problem here is LWE, the scheme is secure against both classical and quantum attacks.

Cryptography and Security

Xiwen Wang,Kai Zhang,Junqing Gong,Shi-Feng Sun,Jianting Ning

DOI: https://doi.org/10.1016/j.tcs.2023.114304

IF: 1.002

2024-01-01

Theoretical Computer Science

Abstract:Searchable symmetric encryption (SSE) allows a client to search over encrypted data. To address the real threat of key compromise in practice, this work initiates the study of key rotation for SSE and introduces the notion of updatable SSE (USSE). In USSE, a client can issue a single update token that permits the server to convert existing encrypted data from the old key to the new key. In particular, center dot we formalize the syntax of USSE and define the security model that captures the inference of key, search token, update token and encrypted data with bi-/uni-/no-directional key updates and bi-/uni-directional encrypted data updates. center dot we present a USSE scheme that supports conjunctive queries with sub -linear complexity, and prove its security with no -directional key update and bi-directional encrypted data update. We also give extensions for concerning different key/encrypted data updates. center dot we implement our USSE schemes and evaluate the performance with real -world dataset, which illustrates that our schemes achieve practically acceptable computational overhead and communication cost. Technically, our formalization of USSE is inspired by updatable encryption (UE); our USSE schemes are obtained by a semi -generic transformation from Cash et al.'s SSE and UE. The transformation itself only relies on DL and DBDH assumptions. We believe that the transformation is of independent interest and applicable to other scenarios where the SSE systems follow the structure of Cash et al.'s work.

Jintai Ding,Joshua Deaton,Kurt Schmidt,Vishakha,Zheng Zhang

2019-01-01

Abstract:In 1998, Jeffrey Hoffstein, Jill Pipher, and Joseph H. Silverman introduced the famous NTRU cryptosystem, and called it "A ring-based public key cryptosystem". Actually, it turns out to be a lattice based cryptosystem that is resistant to Shor’s algorithm. There are several modifications to the original NTRU and two of them are selected as round 2 candidates of NIST post quantum public key scheme standardization. In this paper, we present a simple attack on the original NTRU scheme. The idea comes from Ding et al.’s key mismatch attack. Essentially, an adversary can find information on the private key of a KEM by not encrypting a message as intended but in a manner which will cause a failure in decryption if the private key is in a certain form. In the present, NTRU has the encrypter generating a random polynomial with "small" coefficients, but we will have the coefficients be "large". After this, some further work will create an equivalent key.

Xiujie Zhang,Chunxiang Xu

DOI: https://doi.org/10.3969/j.issn.1001-3695.2016.08.040

2016-01-01

Abstract:The proposed forward-secure public-key encryption scheme with untrusted update has no provable security,so there is doubt about the security of the proposed schemes.This paper extended the forward-secure public-key encryption scheme and proposed the provable secure forward-secure public-key encryption scheme with untrusted update.It presented the definition of forward-secure public-key encryption scheme with untrusted update.According to the definition of scheme,it proposed the for-ward-secure public-key encryption scheme with untrusted update using bilinear mapping and efficient symmetric encryption scheme,and proved the security of the scheme based on random oracle.Through analysis,the proposed scheme is practicality as it has constant size ciphertext,constant size of private key,constant overhead of encryption and decryption algorithms,con-stant overhead of key update algorithm.

Zhichuang Liang,Boyue Fang,Jieyu Zheng,Yunlei Zhao

DOI: https://doi.org/10.1016/j.csi.2023.103828

IF: 3.721

2024-01-01

Computer Standards & Interfaces

Abstract:The NTRU lattice is a promising candidate to construct practical cryptosystems, in particular key encapsulation mechanism (KEM), resistant to quantum computing attacks. Nevertheless, there are still some inherent obstacles to NTRU-based KEM schemes when considering integrated performance, taking security, bandwidth, error probability, and computational efficiency as a whole, that is as good as and even better than their {R,M}LWE-based counterparts. In this work, we address the challenges by presenting a new family of NTRU-based KEM schemes, denoted as CTRU and CNTR. By bridging low-dimensional lattice codes and high-dimensional NTRU-lattice-based cryptography with careful design and analysis, to the best of our knowledge, CTRU and CNTR are the first NTRU-based KEM schemes featuring scalable ciphertext compression via only one single ciphertext polynomial, and are the first that can outperform {R,M}LWE-based KEM schemes in terms of integrated performance. For instance, when compared to Kyber, the only KEM scheme currently standardized by NIST, our recommended parameter set CNTR-768 exhibits approximately 12% smaller ciphertext size, when its security is strengthened by (8,7) bits for classical and quantum security respectively, with a significantly lower error probability (2−230 for CNTR-768 vs. 2−164 for Kyber-768). In terms of the state-of-the-art AVX2 implementation of Kyber-768, CNTR-768,achieves a speedup of 2.7X in KeyGen, 3.3X in Encaps, and 1.6X in Decaps, respectively. When compared to the NIST Round 3 finalist NTRU-HRSS, CNTR-768,features 15% smaller ciphertext size, coupled with an improvement of (55,49) bits for classical and quantum security respectively. As for the AVX2 implementation, CNTR-768,outperforms NTRU-HRSS by 26X in KeyGen, 3.0X in Encaps, and 2.2X in Decaps, respectively. Along the way, we develop new techniques for more accurate error probability analysis, and a unified number theoretic transform (NTT) implementation for multiple parameter sets, which may be of independent interest.

Joohee Lee,Hansol Ryu,Minju Lee,Jaehui Park

DOI: https://doi.org/10.1109/tifs.2024.3471074

IF: 7.231

2024-10-15

IEEE Transactions on Information Forensics and Security

Abstract:In IEEE TIFS 2023, NTRU+ has been proposed, an efficient lattice-based post-quantum Key Encapsulation Mechanism (KEM), which has also been submitted to the KpqC competition. In this paper, we propose an effective classical chosen ciphertext attack to recover the transmitted session key for NTRU+ with all but negligible probability for the first time. With the proposed attacks, we show that all the suggested parameters of NTRU+ do not satisfy the claimed IND-CCA security. Moreover, we elaborate on some flaws in the security proof, a part of which introduces our attack. We also suggest a way to modify the NTRU+ scheme to defend our attack while maintaining its practical performance.

computer science, theory & methods,engineering, electrical & electronic

Zhen Liu,Vishakha,Jintai Ding,Chi Cheng,Yanbin Pan

DOI: https://doi.org/10.1007/978-3-031-62743-9_11

2024-01-01

Abstract:NTRU is a very famous lattice-based public key cryptosystem, whose security has undergone analysis for the past two decades. Hoffstein, Pipher and Silverman firstly proposed a key recovery attack against the original NTRU with a key mismatch oracle that helps to determine whether the ciphertext can be decrypted correctly or not. However, some additional assumptions are needed to make their attack work. In this paper, we present a key mismatch attack against NTRU that eliminates these assumptions. Using polynomials with coefficients satisfying a fixed l(1) norm to construct ciphertexts, we can keep recovering the coefficients of consecutive positions until the private key is fully recovered. In our experiment, we always succeeded to recover the private keys of NTRUEncrypt and NTRU-HPS with the recommended parameters, which were submitted to the NIST Post-Quantum Cryptography Standardization. Above all, regrading NTRU, our attack has the minimum number of queries to the oracle so far, which is also closest to the theoretical lower bound on the minimum average number of queries analyzed in Qin et al.'s work at Asiacrypt 2021.

Jiacheng Zhou,Zhenhua Liu,Baocang Wang

DOI: https://doi.org/10.1002/nem.2304

2024-09-25

International Journal of Network Management

Abstract:We analyze the security of the first definitional framework of Updatable signature, which was proposed in PKC 2021 by Cini et al. (as the above image). We propose an improved updatable signature scheme that changes the generation mode of the update token (the details is shown below) to weaken it's power, and use the technique of indistinguishability obfuscation to make the token no‐directional key update and unidirectional signature update. Updatable signature (US) resists key compromise attacks and is integral in numerous fields that require authentication. However, previous US schemes granted excessive power to update token, which cannot achieve no‐directional key update. In this paper, we improve Cini et al.'s US scheme by weakening update token. The improvement lies in changing the mode of generating an update token, from the signer alone to the signer and the server cooperatively. Specifically, they first negotiate a secret value, which is then used by the signer to generate an update token. This mode ensures that only the entity who owns the secret value can use the update token to update a signature. Furthermore, we employ indistinguishability obfuscation to minimize information leakage through update token. These advancements make the improved updatable signature scheme achieve no‐directional key update and unidirectional signature update. Finally, we present an enhanced security model, where an adversary is permitted to freely corrupt update tokens and signing keys, except the signing key at challenge epoch, and then prove the improved scheme to be unforgeable based on CDH hardness.

computer science, information systems,telecommunications

Huige Wang,Kefei Chen,Baodong Qin,Xuejia Lai,Yunhua Wen

DOI: https://doi.org/10.1007/s11432-015-1037-2

2016-01-01

Science China Information Sciences

Abstract:We present a new primitive of randomized message-locked encryption(MLE) in this paper and define a new security model for it. The new primitive, named message-locked encryption3(hereafter referred as MLE3),is actually a variant of randomized message-locked encryption(Bellare et al. Eurocrypt’13). In order to prevent trivial attacks, our primitive admits a semi-trusted server, which is allowed to hold a secret key of public key encryption(PKE), to verify the correctness of a tag. The new security notion, called privacy chosen-distribution attacks3(PRV-CDA3), requires that a ciphertext generated by encrypting an unpredictable message and another ciphertext(possible invalid) chosen randomly from a ciphertext space are indistinguishable. Compared with the priori proposed security notion, privacy chosen-distribution attacks(PRV-CDA)(Bellare et al. Eurocrypt’13),which requires that two ciphertexts generated by encrypting two unpredictable messages are indistinguishable,the security notion we propose is much stronger. Based on the new primitive, under the blackbox reductions,we put forward a novel construction which achieves both privacy chosen-distribution attacks3(PRV-CDA3) and strong tag consistency(STC) securities in the standard model via universal computational extractors(UCEs)(Bellare et al. Crypto’13). In addition, our scheme also provides the validity-testing for ciphertext.

Huige Wang,Kefei Chen,Yu Long,Junyao Ye,Liangliang Wang

DOI: https://doi.org/10.1007/s12083-016-0488-6

IF: 3.488

2016-01-01

Peer-to-Peer Networking and Applications

Abstract:In this paper, we propose a new construction for randomized message-locked encryption (MLE) with privacy chosen-distribution attacks (PRV-CDA) and strong tag consistency (STC) securities in the standard model via UCEs. The new construction is based on \(\mathsf {UCE}[\mathsf {S}^{sup}\cap \mathsf {S}^{q\text {-}query}]\) secure family of hash functions, adaptively secure non-interactive zero knowledge proof system (NIZK) and indistinguishable chosen-plaintext attacks (IND-CPA) secure symmetric encryption (SE). Compared with existing randomized MLE schemes such as Bellare et al.’s XtESPKE scheme (Eurocrypt 2013), our scheme gives concrete instantiation and detailed security proofs. Although Abadi et al.’s construction for randomized MLE (Crypto 2013) achieves STC and PRV-CDA2, but their construction is designed in the random oracle model and cannot be instantiated, while our scheme can be instantiated in the standard model and achieves both STC and PRV-CDA securities.

Jeffrey Champion,Fuyuki Kitagawa,Ryo Nishimaki,Takashi Yamakawa

2024-11-01

Abstract:We initiate the study of untelegraphable encryption (UTE), founded on the no-telegraphing principle, which allows an encryptor to encrypt a message such that a binary string representation of the ciphertext cannot be decrypted by a user with the secret key, a task that is classically impossible. This is a natural relaxation of unclonable encryption, inspired by the recent work of Nehoran and Zhandry (ITCS 2024), who showed a computational separation between the no-cloning and no-telegraphing principles. In this work, we define and construct UTE information-theoretically in the plain model. Building off this, we give several applications of UTE and study the interplay of UTE with UE and well-studied tasks in quantum state learning, yielding the following contributions: - A construction of collusion-resistant UTE from standard secret-key encryption. We additionally show that hyper-efficient shadow tomography (HEST) is impossible assuming collusion-resistant UTE exists. By considering a relaxation of collusion-resistant UTE, we are able to show the impossibility of HEST assuming only pseudorandom state generators (which may not imply one-way functions). This almost completely answers an open inquiry of Aaronson (STOC 2019). - A construction of UTE from a one-shot message authentication code in the classical oracle model, such that there is an explicit attack that breaks UE security for an unbounded polynomial number of decryptors. - A construction of everlasting secure collusion-resistant UTE, where the decryptor adversary can run in unbounded time, in the quantum random oracle model (QROM), and formal evidence that a construction in the plain model is a challenging task. We additionally show that HEST with unbounded post-processing time is impossible in the QROM. - Constructions (and definitions) of untelegraphable secret sharing and untelegraphable functional encryption.

Quantum Physics,Cryptography and Security

Tomáš Rabas,Jiří Buček,Róbert Lórencz

DOI: https://doi.org/10.1007/s42979-023-02493-7

2024-01-27

SN Computer Science

Abstract:Most of the currently used cryptosystems are not secure in the presence of cryptographically relevant quantum computers. As the research in quantum technologies proceeds, a need for quantum-safe cryptography is imminent. NTRU is a post-quantum public-key cryptosystem based on lattices and was a finalist in the 3rd round of the post-quantum standardization process organized by the National Institute of Standards and Technology (NIST). This paper aims to study the implementation security of the cryptosystem with respect to an attacker with access to power leakage. Such a threat model is relevant especially, but not only, for embedded devices. We studied a countermeasure implementation of the NTRU decryption algorithm from An et al. (Appl Sci https://doi.org/10.3390/app8112014, 2018) that claimed its security against power attacks. This paper revisits an attack presented in as reported by Rabas (In: Proceedings of the 9th International Conference on Information Systems Security and Privacy, ICISSP 2023, Lisbon, 2023) that shows it is in fact vulnerable even in the case of just a single trace available to the enemy for extracting the key. We then describe a new profiling template attack on the implementation and show experimental results of the attack using the same datasets, resulting in a comparison of these two methods and further confirmation of the vulnerability of the algorithm even to generic profiling attacks. Several possible types of countermeasures are discussed.

Jiang Jun,He Chen

DOI: https://doi.org/10.1631/jzus.2005.a0399

2005-01-01

Journal of Zhejiang University SCIENCE A

Abstract:In this paper, the authors present a novel mutual authentication and key agreement protocol based on the Number Theory Research Unit (NTRU) public key cryptography. The symmetric encryption hash and “challenge-response” techniques were adopted to build their protocol. To implement the mutual authentication and session key agreement, the proposed protocol contains two stages: namely initial procedure and real execution stage. Since the lightweight NTRU public key cryptography is employed, their protocol can not only overcome the security flaws of secret-key based authentication protocols such as those used in Global System for Mobile Communications (GSM) and Universal Mobile Telecommunications System (UMTS), but also provide greater security and lower computational complexity in comparison with currently well-known public key based wireless authentication schemes such as Beller-Yacobi and M. Aydos protocols.

Zhuang Xu,Owen Pemberton,David Oswald,Zhiming Zheng

DOI: https://doi.org/10.1007/978-3-031-25319-5_12

2022-01-01

Abstract:NTRU is a well-known lattice-based cryptosystem that has been selected as one of the four key encapsulation mechanism finalists in Round 3 of NIST's post-quantum cryptography standardization. This paper presents two succinct and efficient chosen-ciphertext side-channel attacks on the latest variants of NTRU, i.e., NTRU-HPS and NTRU-HRSS as in Round 3 submissions. Both methods utilize the leakage from the polynomial modular reduction to recover the long-term secret key. For the first attack, although the side-channel leakage does not directly reveal the secret polynomial f, we recover differences between adjacent coefficients using appropriately chosen ciphertexts, and finally reconstruct f through linear algebra. The second attack is based on the inherent relation between the secret key and the public key in NTRU-HPS: we first reveal the "invisible" secret polynomial g with chosen ciphertexts and then use g and the public polynomial h to compute f. In theory, these attacks only need 4 and 2 ciphertexts, respectively. We then practically apply those attacks on all reference implementations of four instances in the PQClean library and show that the accuracy of secret-key recovery can reach 100% with only few traces (4 to 24 and 2 to 6, respectively). We also observe similar leakage in optimized implementations in the pqm4 library and propose an according analysis scheme.

Mi Song,Shufen Niu,Lizhi Fang

DOI: https://doi.org/10.1109/cecit53797.2021.00012

2021-12-01

Abstract:To ensure that multiple data users can access the data and realize the dynamic change of user authority, this paper proposes a ciphertext updatable attribute-based searchable encryption scheme based on blockchain. Combine the blockchain with the cloud server, keyword ciphertext is stored on the blockchain, symmetric key ciphertext and data ciphertext are stored on the cloud server. When the data user wants to change the access policy or revoke the access rights of some users, this scheme uses the proxy re-encryption technology to realize attribute revocation and ciphertext update of the data requester. At the same time, the access policy is hidden, which realizes the user's privacy protection. The security analysis shows that our scheme is safe and effective. In addition, the performance analysis shows that the proposed scheme is efficient and feasible.

Li Bin,Ling Li

DOI: https://doi.org/10.3969/j.issn.1000-386X.2012.04.078

2012-01-01

Abstract:With RFID technology research development,RFID system applications are becoming increasingly popular.Hence some problems,which are caused by RFID system's intrinsic restrictions,such as RFID security and privacy issues,become prominent and significant.Therefore,considering about the development of RFID systems and applications,the RFID systems must satisfy certain safety requirements.On the basis of NTRU public key encryption system,a new RFID security authentication protocol is proposed.In addition,by combining NTRU public key encryption system security and general compositional model,there are systematic and formal description and analysis on the safety of the new protocol.

Jianhua Yan,Xiuhua Lu,Muzi Li,Licheng Wang,Jingxian Zhou,Wenbin Yao

DOI: https://doi.org/10.3390/e25121651

2023-12-13

Abstract:Based on the NTRU trapdoor used in NIST's Falcon, a signcryption scheme following the sign-then-encrypt paradigm is constructed. The existing partitioning technique based on Waters hash over the lattice can not complete the security reduction in the standard model for the signature part due to the "partiality" of the pre-image generated with the NTRU trapdoor. To address this, a variant of Waters hash over small integers is proposed and, the probability of the successful reduction is analyzed. The resulting signcryption achieves existential unforgeability under the adaptive chosen-message attacks. By utilizing the uniqueness of the secret and the noise in an NTRU instance, the tag used in encryption is eliminated. Furthermore, a method to construct tamper-sensitive lattice public key encryption is proposed. This approach implants the ciphertext-sensitive information into the lattice public key encryption and binds it to the encrypted information. The malleability to the public key ciphertext triggers the change of the message-signature pair so that the IND-CCA2 security of the entire ciphertext can be guaranteed by the signature for the message. Thanks to the rational design and the efficiency of the NTRU trapdoor, the computational overhead of the proposed scheme is reduced significantly compared to the existing lattice-based signcryption scheme, reaching orders of magnitude improvement in efficiency. The experiment shows that the proposed scheme is efficient.

Chien-Ming Chen,Zhuoyu Tie,Eric Ke Wang,Muhammad Khurram Khan,Sachin Kumar,Saru Kumari

DOI: https://doi.org/10.1007/s12083-021-01132-3

2021-04-30

Abstract:Searchable encryption performs satisfactorily in protecting the privacy of outsourced data in cloud storage scenarios because it encrypts data and provides a secure way of searching on the ciphertext. Dynamic searchable encryption is designed to support the insertion and deletion of outsourced data. However, insertion may cause information leakage of updated keywords. Thus, forward privacy is proposed to limit the leakage of insertion, and it has become a vital security attribute for dynamic schemes. A verifiable dynamic encryption with ranked search (VDERS) scheme helps users to update outsourced data and verify the search result’s accuracy. However, as demonstrated in this study, a VDERS scheme proposed recently fails to satisfy forward privacy because there are two links between the previous search token and the added document. Thus, we designed an improved scheme VDERSc to achieve forward privacy. In our work, we cut off the two links by adding counters and an update buffer. Finally, experiment results showed that our improved scheme supports verification at a finer granularity, leading to a significant proof generation reduction.

computer science, information systems,telecommunications

Xinwei Gao,Jintai Ding,Lin Li,Jiqiang Liu

DOI: https://doi.org/10.1109/tc.2018.2808527

IF: 3.183

2018-01-01

IEEE Transactions on Computers

Abstract:Ring Learning With Errors (RLWE)-based key exchange is one of the most efficient and secure primitive for post-quantum cryptography. One common approach to achieve key exchange over RLWE is error reconciliation. Recently, an efficient attack against reconciliation-based RLWE key exchange protocols with reused keys was proposed. This attack can recover a long-term private key if a key pair is reused. We also know that in the real world, key reuse is commonly adopted in applications like the Transport Layer Security (TLS) protocol to improve performance. Directly motivated by this attack, we construct a new randomized RLWE-based key exchange protocol against this attack. Our lightweight approach incorporates an additional ephemeral public error term into key exchange materials, so that this attack no longer works. With the same attack, we practically show that the signal value of our protocol is indistinguishable from uniform random, therefore, this attack no longer works. We explain how the attack fails, present 200-bit classic and 80-bit quantum secure parameter choice, efficient implementations, comparisons and discussion. Benchmark shows our protocol is truly efficient and even faster than related vulnerable protocols.

Tingle Shen,Li Miao,Bin Hua,Shuai Li

DOI: https://doi.org/10.3390/math12132051

IF: 2.4

2024-07-01

Mathematics

Abstract:An important feature of Nyberg-Rueppel type digital signature algorithms is message recovery, this signature algorithm can recover the original information from the signature directly by the verifier in the verification phase after signing the message. However, this algorithm is currently vulnerable to quantum attacks and its security cannot be guaranteed. Number Theory Research Unit (NTRU) is an efficient public-key cryptosystem and is considered to be one of the best quantum-resistant encryption schemes. This paper proposes an NTRU-like message recoverable signature algorithm to meet the key agreement requirements in the post-quantum world. This algorithm, designed for the Internet of Things (IoT), constructs a secure system using the Group-Based Message Recoverable Signature Algorithm (NR-GTRU), by integrating a Group-Based NTRU-Like Public-Key Cryptosystem (GTRU) with an efficient Nyberg-Rueppel type of NTRU digital signature algorithm (NR-NTRU). This signature algorithm, resistant to quantum algorithm attacks, offers higher security at the cost of a slight efficiency reduction compared to traditional NTRU signature algorithms, and features Nyberg-Rueppel message recovery, making it well-suited for IoT applications.

mathematics