Xianhui Lu,Jiang Zhang

DOI: https://doi.org/10.1093/nsr/nwab090

IF: 20.6

2021-05-24

National Science Review

Abstract:The invention of public-key cryptography (PKC) by Diffie and Hellman in 1976 is one of two milestones marking the beginning of modern cryptography. The security of a PKC system requires that it should be infeasible to compute the private key from a given public key, which in turn is typically guaranteed by the difficulty in solving some cryptographic-friendly mathematical problems. Among those problems, the integer factorization and discrete logarithm problems play pivotal roles in the development of public-key cryptography. In particular, the assumption that there is no polynomial time (classical) algorithm that solves the above two problems constitutes the basis for the security of almost all currently used public-key cryptosystems, such as RSA and ElGamal. However, Shor [1] found an efficient quantum solving algorithm for the integer factorization and discrete logarithm problems in 1994, which would destroy the security basis for most real deployed PKC systems if large-scale quantum computers become available. The rapid development of quantum technology in recent years suggests that we are getting closer to the quantum crisis of current PKC systems.

multidisciplinary sciences

George S. Rizos,Konstantinos A. Draziotis

DOI: https://doi.org/10.1016/j.jisa.2024.103781

IF: 4.96

2024-05-02

Journal of Information Security and Applications

Abstract:The present paper builds upon prior research on an id scheme that utilizes a compact knapsack problem defined by a single equation. We introduce a three-move id scheme founded on a compact knapsack problem defined by an integer matrix. Through our analysis, we investigate the possible lattice-based attacks on this problem. Additionally, we present the corresponding digital signature gained through the Fiat–Shamir transform and demonstrate its security under ROM. These cryptographic primitives are potentially post quantum resistant.

computer science, information systems

Junfang Xiao,Guihua Zeng,Baocang Wang

DOI: https://doi.org/10.6138/jit.2012.13.1.08

2012-01-01

Abstract:The knapsack cipher 0/255 is cryptanalyzed. It is shown that given the public key of the knapsack cipher 0/255, one can recover the corresponding modular multiplier by using the continued fraction algorithm. Hence, the secret key is reconstructed from the recovered multiplier and the public key. So the knapsack cipher 0/255 is totally breakable.

Quang Dao,Aayush Jain

2024-02-06

Abstract:Over the past few decades, we have seen a proliferation of advanced cryptographic primitives with lossy or homomorphic properties built from various assumptions such as Quadratic Residuosity, Decisional Diffie-Hellman, and Learning with Errors. These primitives imply hard problems in the complexity class $SZK$ (statistical zero-knowledge); as a consequence, they can only be based on assumptions that are broken in $BPP^{SZK}$. This poses a barrier for building advanced primitives from code-based assumptions, as the only known such assumption is Learning Parity with Noise (LPN) with an extremely low noise rate $\frac{\log^2 n}{n}$, which is broken in quasi-polynomial time.

Cryptography and Security,Computational Complexity,Information Theory

Yu Yu,François-Xavier Standaert

DOI: https://doi.org/10.1007/978-3-642-36095-4_15

2013-01-01

Abstract:One of the main challenges in leakage-resilient cryptography is to obtain proofs of security against side-channel attacks, under realistic assumptions and for efficient constructions. In a recent work from CHES 2012, Faust et al. proposed new designs of stream ciphers and pseudorandom functions for this purpose. Yet, a remaining limitation of these constructions is that they require large amounts of public randomness to be proven leakage-resilient. In this paper, we show that tweaked designs with minimum randomness requirements can be proven leakage-resilient in minicrypt. That is, either these constructions are secure, or we are able to construct public-key cryptographic primitives from symmetric-key building blocks and their leakage functions (which is very unlikely). Hence, our results improve the practical relevance of two important leakage-resilient pseudorandom objects.

Zhen Liu,Xiaoyuan Yang

DOI: https://doi.org/10.1109/incos.2013.108

2013-01-01

Abstract:The cipher text consistency check that can be implemented publicly has practical significance, and it is always an interested studying aspect to construct cryptographic algorithm without pairings in the field of cryptographic. On the other hand, it is one of the most important research topics to design CCA-secure PKE schemes with weaker assumptions. Especially, there have been no CCA-secure PKE scheme under factoring assumption, except for a recent work by Hofheinz, D., Kiltz, E. A fly in the ointment is that HK09's scheme is not a public verifiable construction. Using the Gap quality that the Decisional Diffie-Hellman problem is easy but the Computational Diffie-Hellman problem is difficult as factoring, we instantiated HK09's scheme over the group of signed quadratic residues, and realized public verifiable construct. It will be used to construct threshold schemes.

ZHAO Xin-jie,GUO Shi-ze,WANG Tao,ZHANG Fan,LIU Huiying,JI Ke-ke

DOI: https://doi.org/10.3969/j.issn.1671-1742.2012.04.001

2012-01-01

Abstract:The security of a lightweight block cipher KLEIN against the algebraic side-channel attack is evaluated by combining algebraic attack with side-channel attack under the Hamming weight leakage model.Firstly,the algebraic representation of KLEIN is given.Then,the Hamming weights of the intermediate states are deduced from analyzing the power leakages and converted into algebraic equations.Finally,the CryptoMinisat solver is applied to solve for the key.Based on three different error tolerant strategies,many physical experiments are conducted on KLEIN under an 8-bit microcontroller and the complexity of the attack is also evaluated.Experiment results show that: the unprotected software implementation of KLEIN is vulnerable to algebraic side-channel attack.Full 64-bit master key of KLEIN can be recovered by analyzing the Hamming weight leakages of the first round under know plaintext/ciphertext scenario and 2 rounds under unknown plaintext/ciphertext scenario.

Lior Rotem,Gil Segev

DOI: https://doi.org/10.1007/s00145-024-09506-5

2024-06-08

Journal of Cryptology

Abstract:The Schnorr identification and signature schemes have been among the most influential cryptographic protocols of the past 3 decades. Unfortunately, although the best-known attacks on these two schemes are via discrete logarithm computation, the known approaches for basing their security on the hardness of the discrete logarithm problem encounter the "square-root barrier." In particular, in any group of order p where Shoup's generic hardness result for the discrete logarithm problem is believed to hold (and is thus used for setting concrete security parameters), the best-known t -time attacks on the Schnorr identification and signature schemes have success probability , whereas existing proofs of security only rule out attacks with success probabilities and , respectively, where denotes the number of random oracle queries issued by the attacker. We establish tighter security guarantees for identification and signature schemes which result from -protocols with special soundness based on the hardness of their underlying relation, and in particular for Schnorr's schemes based on the hardness of the discrete logarithm problem. We circumvent the square-root barrier by introducing a high-moment generalization of the classic forking lemma, relying on the assumption that the underlying relation is " d -moment hard": The success probability of any algorithm in the task of producing a witness for a random instance is dominated by the d th moment of the algorithm's running time. In the concrete context of the discrete logarithm problem, already Shoup's original proof shows that the discrete logarithm problem is 2-moment hard in the generic group model, and thus, our assumption can be viewed as a highly plausible strengthening of the discrete logarithm assumption in any group where no better-than-generic algorithms are currently known. Applying our high-moment forking lemma in this context shows that, assuming the 2-moment hardness of the discrete logarithm problem, any t -time attacker breaks the security of the Schnorr identification and signature schemes with probabilities at most and , respectively.

computer science, theory & methods,engineering, electrical & electronic,mathematics, applied

Simran Tinani,Carlo Matteotti,Joachim Rosenthal

2023-10-08

Abstract:In the recently emerging field of nonabelian group-based cryptography, a prominently used one-way function is the Conjugacy Search Problem (CSP), and two important classes of platform groups are polycyclic and matrix groups. In this paper, we discuss the complexity of the conjugacy search problem (CSP) in these two classes of platform groups using the three protocols in [10], [26], and [29] as our starting point. We produce a polynomial time solution for the CSP in a finite polycyclic group with two generators, and show that a restricted CSP is reducible to a DLP. In matrix groups over finite fields, we usedthe Jordan decomposition of a matrix to produce a polynomial time reduction of an A-restricted CSP, where A is a cyclic subgroup of the general linear group, to a set of DLPs over an extension of Fq. We use these general methods and results to describe concrete cryptanalysis algorithms for these three systems. In particular, we show that in the group of invertible matrices over finite fields and in polycyclic groups with two generators, a CSP where conjugators are restricted to a cyclic subgroup is reducible to a set of O(n2) discrete logarithm problems. Using our general results, we demonstrate concrete cryptanalysis algorithms for each of these three schemes. We believe that our methods and findings are likely to allow for several other heuristic attacks in the general case.

Cryptography and Security,Computational Complexity

Aubrey Alston,Yanrong Wo

DOI: https://doi.org/10.48550/arXiv.1707.00078

2017-07-01

Cryptography and Security

Abstract:While the reliable use of some NP-complete problem in tandem with the assumption that P is not equal to NP has eluded cryptographers due to lack of results showing average-case hardness, one alternative which has been explored is reliance on assumptions that solving certain NP-hard optimization problems within some degree of accuracy is computationally difficult in specific instance classes. In this work, we explore one such example of this effort which attempts to provide cryptographic primitives by relying on the planted clique conjecture. More specifically, we (1) present this construction in summary, (2) propose a simple cryptanalytic method using only approximation algorithms, and (3) consider the feasibility of such cryptanalysis in the context of existing approximation algorithms for the maximum clique problem. We ultimately find that recent advances in the area of combinatoric approximation algorithms fatally hinders the prospect of any serious application of existing candidate constructions based upon the planted clique conjecture.

Harmeet Singh

DOI: https://doi.org/10.48550/arXiv.1606.06047

2016-06-20

Abstract:Cryptanalysis of knapsack cipher is a fascinating problem which has eluded the computing fraternity for decades. However, in most of the cases either the time complexity of the proposed algorithm is colossal or an insufficient number of samples have been taken for verification. The present work proposes a Genetic Algorithm based technique for cryptanalysis of knapsack cipher. The experiments conducted prove the validity of the technique. The results prove that the technique is better than the existing techniques. An extensive review has been carried out in order to find the gaps in the existing techniques. The work paves the way of the application of computational intelligence techniques to the discipline of cryptanalysis.

Cryptography and Security,Neural and Evolutionary Computing

Qizheng He,Zhean Xu

DOI: https://doi.org/10.1137/1.9781611977936.6

2023-08-22

Abstract:In this paper, we obtain a number of new simple pseudo-polynomial time algorithms on the well-known knapsack problem, focusing on the running time dependency on the number of items $n$, the maximum item weight $w_\mathrm{max}$, and the maximum item profit $p_\mathrm{max}$. Our results include: - An $\widetilde{O}(n^{3/2}\cdot \min\{w_\mathrm{max},p_\mathrm{max}\})$-time randomized algorithm for 0-1 knapsack, improving the previous $\widetilde{O}(\min\{n w_\mathrm{max} p_\mathrm{max}^{2/3},n p_\mathrm{max} w_\mathrm{max}^{2/3}\})$ [Bringmann and Cassis, ESA'23] for the small $n$ case. - An $\widetilde{O}(n+\min\{w_\mathrm{max},p_\mathrm{max}\}^{5/2})$-time randomized algorithm for bounded knapsack, improving the previous $O(n+\min\{w_\mathrm{max}^3,p_\mathrm{max}^3\})$ [Polak, Rohwedder and Wegrzyck, ICALP'21].

Data Structures and Algorithms

Baocang Wang,Fagen Li,Yupu Hu

DOI: https://doi.org/10.1587/transfun.E97.A.421

2014-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:In this letter, we propose an improvement on a knapsack probabilistic encryption scheme [B. Wang, Q. Wu, Y. Hu, Information Sciences 177 (2007)], which was shown vulnerable to attacks due to Youssef [A.M. Youssef, Information Sciences 179 (2009)] and Lee [M.S. Lee, Information Sciences 222 (2013)], respectively. The modified encryption scheme is secure against Youssef's and Lee's attacks only at the costs of slightly compromising the efficiency of the original proposal.

Klaus Heeger,Danny Hermelin,Matthias Mnich,Dvir Shabtay

2023-10-10

Abstract:This paper focuses on kernelization algorithms for the fundamental Knapsack problem. A kernelization algorithm (or kernel) is a polynomial-time reduction from a problem onto itself, where the output size is bounded by a function of some problem-specific parameter. Such algorithms provide a theoretical model for data reduction and preprocessing and are central in the area of parameterized complexity. In this way, a kernel for Knapsack for some parameter $k$ reduces any instance of Knapsack to an equivalent instance of size at most $f(k)$ in polynomial time, for some computable function $f(\cdot)$. When $f(k)=k^{O(1)}$ then we call such a reduction a polynomial kernel. Our study focuses on two natural parameters for Knapsack: The number of different item weights $w_{\#}$, and the number of different item profits $p_{\#}$. Our main technical contribution is a proof showing that Knapsack does not admit a polynomial kernel for any of these two parameters under standard complexity-theoretic assumptions. Our proof discovers an elaborate application of the standard kernelization lower bound framework, and develops along the way novel ideas that should be useful for other problems as well. We complement our lower bounds by showing the Knapsack admits a polynomial kernel for the combined parameter $w_{\#}+p_{\#}$.

Data Structures and Algorithms,Discrete Mathematics,Combinatorics

Ce Jin

2024-04-01

Abstract:We study pseudo-polynomial time algorithms for the fundamental \emph{0-1 Knapsack} problem. Recent research interest has focused on its fine-grained complexity with respect to the number of items $n$ and the \emph{maximum item weight} $w_{\max}$. Under $(\min,+)$-convolution hypothesis, 0-1 Knapsack does not have $O((n+w_{\max})^{2-\delta})$ time algorithms (Cygan-Mucha-Węgrzycki-Włodarczyk 2017 and Künnemann-Paturi-Schneider 2017). On the upper bound side, currently the fastest algorithm runs in $\tilde O(n + w_{\max}^{12/5})$ time (Chen, Lian, Mao, and Zhang 2023), improving the earlier $O(n + w_{\max}^3)$-time algorithm by Polak, Rohwedder, and Węgrzycki (2021). In this paper, we close this gap between the upper bound and the conditional lower bound (up to subpolynomial factors): - The 0-1 Knapsack problem has a deterministic algorithm in $O(n + w_{\max}^{2}\log^4w_{\max})$ time. Our algorithm combines and extends several recent structural results and algorithmic techniques from the literature on knapsack-type problems: - We generalize the "fine-grained proximity" technique of Chen, Lian, Mao, and Zhang (2023) derived from the additive-combinatorial results of Bringmann and Wellnitz (2021) on dense subset sums. This allows us to bound the support size of the useful partial solutions in the dynamic program. - To exploit the small support size, our main technical component is a vast extension of the "witness propagation" method, originally designed by Deng, Mao, and Zhong (2023) for speeding up dynamic programming in the easier unbounded knapsack settings. To extend this approach to our 0-1 setting, we use a novel pruning method, as well as the two-level color-coding of Bringmann (2017) and the SMAWK algorithm on tall matrices.

Data Structures and Algorithms

Ilia Toli

DOI: https://doi.org/10.48550/arXiv.cs/0304013

2003-04-09

Cryptography and Security

Abstract:We propose public-key cryptosystems with public key a system of polynomial equations, algebraic or differential, and private key a single polynomial or a small-size ideal. We set up probabilistic encryption, signature, and signcryption protocols.

HaiJian Zhou,Ping Luo,DaoShun Wang,YiQi Dai

DOI: https://doi.org/10.1007/s11432-009-0159-9

2009-01-01

Science in China Series F Information Sciences

Abstract:Finding the solution to a general multivariate modular linear equation plays an important role in cryptanalysis field. Earlier results show that obtaining a relatively short solution is possible in polynomial time. However, one problem arises here that if the equation has a short solution in given bounded range, the results outputted by earlier algorithms are often not the ones we are interested in. In this paper, we present a probability method based on lattice basis reduction to solve the problem. For a general multivariate modular linear equation with short solution in the given bounded range, the new method outputs this short solution in polynomial time, with a high probability. When the number of unknowns is not too large (smaller than 68), the probability is approximating 1. Experimental results show that Knapsack systems and Lu-Lee type systems are easily broken in polynomial time with this new method.

Jannik Dreier,Jean-Guillaume Dumas,Pascal Lafourcade,Léo Robert

DOI: https://doi.org/10.3233/jcs-210065

2021-12-21

Journal of Computer Security

Abstract:In 1968, Liu described the problem of securing documents in a shared secret project. In an example, at least six out of eleven participating scientists need to be present to open the lock securing the secret documents. Shamir proposed a mathematical solution to this physical problem in 1979, by designing an efficient k-out-of-n secret sharing scheme based on Lagrange’s interpolation. Liu and Shamir also claimed that the minimal solution using physical locks is clearly impractical and exponential in the number of participants. In this paper we relax some implicit assumptions in their claim and propose an optimal physical solution to the problem of Liu that uses physical padlocks, but the number of padlocks is not greater than the number of participants. Then, we show that no device can do better for k-out-of-n threshold padlock systems as soon as k ⩾ 2 n , which holds true in particular for Liu’s example. More generally, we derive bounds required to implement any threshold system and prove a lower bound of O ( log ( n ) ) padlocks for any threshold larger than 2. For instance we propose an optimal scheme reaching that bound for 2-out-of-n threshold systems and requiring less than 2 log 2 ( n ) padlocks. We also discuss more complex access structures, a wrapping technique, and other sublinear realizations like an algorithm to generate 3-out-of-n systems with 2.5 n padlocks. Finally we give an algorithm building k-out-of-n threshold padlock systems with only O ( log ( n ) k − 1 ) padlocks. Apart from the physical world, our results also show that it is possible to implement secret sharing over small fields.

Laszlo B. Kish

DOI: https://doi.org/10.1142/s0219477524500287

2024-02-26

Fluctuation and Noise Letters

Abstract:Fluctuation and Noise Letters, Ahead of Print. Known key exchange schemes offering information-theoretic (unconditional) security are complex and costly to implement. Nonetheless, they remain the only known methods for achieving unconditional security in key exchange. Therefore, the explorations for simpler solutions for information-theoretic security are highly justified. Lin et al. [1] proposed an interesting hardware key distribution scheme that utilizes thermal-noise-free resistances and DC voltages. A crypto analysis of this system is presented. It is shown that, if Eve gains access to the initial shared secret at any time in the past or future, she can successfully crack all the generated keys in the past and future, even retroactively, using passively obtained and recorded voltages and currents. Therefore, the scheme is not a secure key exchanger, but it is rather a key expander with no more information entropy than the originally shared secret at the beginning. We also point out that the proposed defense methods against active attacks do not function when the original shared secret is compromised because then the communication cannot be efficiently authenticated. However, they do work when an unconditionally secure key exchanger is applied to enable the authenticated communication protocol.

mathematics, interdisciplinary applications,physics, applied

Jeremy Jean,Ivica Nikolic,Yu Sasaki,Lei Wang

DOI: https://doi.org/10.1007/978-3-319-13051-4_14

2014-01-01

Abstract:We present two practical attacks on the CAESAR candidate PAES. The first attack is a universal forgery for any plaintext with at least 240 bytes. It works for the nonce-repeating variant of PAES and in a nutshell it is a state recovery based on solving differential equations for the S-box leaked throught the ciphertext that arise when the plaintext has a certain difference. We show that to produce the forgery based on this method the attacker needs only 2(11) time and data. The second attack is a distinguisher for 2(64) out of 2(128) keys that requires negligible complexity and only one pair of known plaintext-ciphertext. The attack is based on the lack of constants in the initialization of the PAES which allows to exploit the symmetric properties of the keyless AES round. Both of our attacks contradict the security goals of PAES.