Iván Blanco-Chacón,Raúl Durán-Díaz,Rahinatou Yuh Njah Nchiwo,Beatriz Barbero-Lucas

DOI: https://doi.org/10.46298/cm.11153

2023-07-16

Abstract:We describe a decisional attack against a version of the PLWE problem in which the samples are taken from a certain proper subring of large dimension of the cyclotomic ring $\mathbb{F}_q[x]/(\Phi_{p^k}(x))$ with $k>1$ in the case where $q\equiv 1\pmod{p}$ but $\Phi_{p^k}(x)$ is not totally split over $\mathbb{F}_q$. Our attack uses the fact that the roots of $\Phi_{p^k}(x)$ over suitable extensions of $\mathbb{F}_q$ have zero-trace and has overwhelming success probability as a function of the number of input samples. An implementation in Maple and some examples of our attack are also provided.

Cryptography and Security

Iván Blanco Chacón,Raúl Durán Díaz,Rodrigo Martín Sánchez-Ledesma

2024-10-02

Abstract:The Polynomial Learning With Errors problem (PLWE) serves as the background of two of the three cryptosystems standardized in August 2024 by the National Institute of Standards and Technology to replace non-quantum resistant current primitives like those based on RSA, Diffie-Hellman or its elliptic curve analogue. Although PLWE is highly believed to be quantum resistant, this fact has not yet been established, contrariwise to other post-quantum proposals like multivariate and some code based ones. Moreover, several vulnerabilities have been encountered for a number of specific instances. In a search for more flexibility, it becomes fully relevant to study the robustness of PLWE based on other polynomials, not necessarily cyclotomic. In 2015, Elias et al found a good number of attacks based on different features of the roots of the polynomial. In the present work we present an overview of the approximations made against PLWE derived from this and subsequent works, along with several new attacks which refine those by Elias et al. exploiting the order of the trace of roots over finite extensions of the finite field under the three scenarios laid out by Elias et al., allowing to generalize the setting in which the attacks can be carried out.

Cryptography and Security

Joonas Ahola,Iván Blanco-Chacón,Wilmar Bolaños,Antti Haavikko,Camilla Hollanti,Rodrigo Martín Sánchez-Ledesma

2024-10-01

Abstract:We prove the equivalence between the Ring Learning With Errors (RLWE) and the Polynomial Learning With Errors (PLWE) problems for the maximal totally real subfield of the $2^r 3^s$-th cyclotomic field for $r \geq 3$ and $s \geq 1$. Moreover, we describe a fast algorithm for computing the product of two elements in the ring of integers of these subfields. This multiplication algorithm has quasilinear complexity in the dimension of the field, as it makes use of the fast Discrete Cosine Transform (DCT). Our approach assumes that the two input polynomials are given in a basis of Chebyshev-like polynomials, in contrast to the customary power basis. To validate this assumption, we prove that the change of basis from the power basis to the Chebyshev-like basis can be computed with $\mathcal{O}(n \log n)$ arithmetic operations, where $n$ is the problem dimension. Finally, we provide a heuristic and theoretical comparison of the vulnerability to some attacks for the $p$-th cyclotomic field versus the maximal totally real subextension of the $4p$-th cyclotomic field for a reasonable set of parameters of cryptographic size.

Cryptography and Security,Number Theory

Qi Cheng,Jun Zhang,Jincheng Zhuang

DOI: https://doi.org/10.1007/s10623-021-00973-6

2021-11-24

Abstract:The Learning-With-Errors (LWE) problem (and its variants including Ring-LWE and Module-LWE), whose security are based on hard ideal lattice problems, has proven to be a promising primitive with diverse applications in cryptography. For the sake of expanding sources for constructing LWE, we study the LWE problem on group rings in this work. One can regard the Ring-LWE on cyclotomic integers as a special case when the underlying group is cyclic, while our proposal utilizes non-commutative groups. In particular, we show how to build public key encryption schemes from dihedral group rings, while maintaining the efficiency of the Ring-LWE. We prove that the PKC system is semantically secure, by providing a reduction from the SIVP problem of group ring ideal lattice to the decisional group ring LWE problem. It turns out that irreducible representations of groups play important roles here. We believe that the introduction of the representation view point enriches the tool set for studying the Ring-LWE problem.

Lorenzo Grassi,Irati Manterola Ayala,Martha Norberg Hovd,Morten Oygarden,Havard Raddum,Qingju Wang

DOI: https://doi.org/10.1007/978-3-031-38548-3_11

2023-01-01

Abstract:Symmetric primitives are a cornerstone of cryptography, and have traditionally been defined over fields, where cryptanalysis is now well understood. However, a few symmetric primitives defined over rings Z q for a composite number q have recently been proposed, a setting where security is much less studied. In this paper we focus on studying established algebraic attacks typically defined over fields and the extent of their applicability to symmetric primitives defined over the ring of integers modulo a composite q . Based on our analysis, we present an attack on full Rubato, a family of symmetric ciphers proposed by Ha et al. at Eurocrypt 2022 designed to be used in a transciphering framework for approximate fully homomorphic encryption. We show that at least 25 % of the possible choices for q satisfy certain conditions that lead to a successful key recovery attack with complexity significantly lower than the claimed security level for five of the six ciphers in the Rubato family.

Jorge Nakahara,Pouyan Sepehrdad,Bingsheng Zhang,Meiqin Wang

DOI: https://doi.org/10.1007/978-3-642-10433-6_5

2009-01-01

Abstract:The contributions of this paper include the first linear hull and a revisit of the algebraic cryptanalysis of reduced-round variants of the block cipher PRESENT, under known-plaintext and ciphertext-only settings. We introduce a pure algebraic cryptanalysis of 5-round PRESENT and in one of our attacks we recover half of the bits of the key in less than three minutes using an ordinary desktop PC. The PRESENT block cipher is a design by Bogdanov et al., announced in CHES 2007 and aimed at RFID tags and sensor networks. For our linear attacks, we can attack 25-round PRESENT with the whole code book, 296.68 25-round PRESENT encryptions, 240 blocks of memory and 0.61 success rate. Further we can extend the linear attack to 26-round with small success rate. As a further contribution of this paper we computed linear hulls in practice for the original PRESENT cipher, which corroborated and even improved on the predicted bias (and the corresponding attack complexities) of conventional linear relations based on a single linear trail.

Niklas Nolte,Mohamed Malhou,Emily Wenger,Samuel Stevens,Cathy Li,François Charton,Kristin Lauter

2024-10-10

Abstract:Sparse binary LWE secrets are under consideration for standardization for Homomorphic Encryption and its applications to private computation. Known attacks on sparse binary LWE secrets include the sparse dual attack and the hybrid sparse dual-meet in the middle attack which requires significant memory. In this paper, we provide a new statistical attack with low memory requirement. The attack relies on some initial lattice reduction. The key observation is that, after lattice reduction is applied to the rows of a q-ary-like embedded random matrix $\mathbf A$, the entries with high variance are concentrated in the early columns of the extracted matrix. This allows us to separate out the "hard part" of the LWE secret. We can first solve the sub-problem of finding the "cruel" bits of the secret in the early columns, and then find the remaining "cool" bits in linear time. We use statistical techniques to distinguish distributions to identify both the cruel and the cool bits of the secret. We provide concrete attack timings for recovering secrets in dimensions $n=256$, $512$, and $768$. For the lattice reduction stage, we leverage recent improvements in lattice reduction (e.g. flatter) applied in parallel. We also apply our new attack in the RLWE setting for $2$-power cyclotomic rings, showing that these RLWE instances are much more vulnerable to this attack than LWE.

Cryptography and Security

Jintai Ding,Momonari Kudo,Shinya Okumura,Tsuyoshi Takagi,Chengdong Tao

DOI: https://doi.org/10.1007/s13160-018-0316-x

2018-01-01

Japan Journal of Industrial and Applied Mathematics

Abstract:Researching post-quantum cryptography is now an important task in cryptography. Although various candidates of post-quantum cryptosystems (PQC) have been constructed, sizes of their public keys are large. Okumura constructed a candidate of PQC whose security is expected to be based on certain Diophantine equations (DEC). Okumura analysis suggests that DEC achieves the high security with small public key sizes. This paper proposes a polynomial time-attack on the one-way property of DEC. We reduce the security of DEC to finding special short lattice points of some low-rank lattices derived from public data. The usual LLL algorithm could not find the most important lattice point in our experiments because of certain properties of the lattice point. Our heuristic analysis leads us to using a variant of the LLL algorithm, called a weighted LLL algorithm by us. Our experiments suggest that DEC with 128 bit security becomes insecure by our attack.

Katherine E. Stange

DOI: https://doi.org/10.48550/arXiv.1902.07140

2020-07-11

Abstract:We provide a reduction of the Ring-LWE problem to Ring-LWE problems in subrings, in the presence of samples of a restricted form (i.e. $(a,b)$ such that $a$ is restricted to a multiplicative coset of the subring). To create and exploit such restricted samples, we propose Ring-BKW, a version of the Blum-Kalai-Wasserman algorithm which respects the ring structure. Off-the-shelf BKW dimension reduction (including coded-BKW and sieving) can be used for the reduction phase. Its primary advantage is that there is no need for back-substitution, and the solving/hypothesis-testing phase can be parallelized. We also present a method to exploit symmetry to reduce table sizes, samples needed, and runtime during the reduction phase. The results apply to two-power cyclotomic Ring-LWE with parameters proposed for practical use (including all splitting types).

Cryptography and Security,Number Theory

Weiwei Cao,Xiuyun Nie,Lei Hu,Xiling Tang,Jintai Ding

DOI: https://doi.org/10.1007/978-3-642-12929-2_4

2010-01-01

Abstract:MFE, a multivariate public key encryption scheme proposed by Wang et al in CT-RSA 2006, was conquered by second order linearization equation (SOLE) attack by Ding et al in PKC 2007. To resist this attack, many improved schemes were proposed. Wang et al in [WFW09 and Wang in [Wan07] both modified MFE and raised the public key from quadratic to quartic equations. We call the two quartic schemes Quartic-1 and Quartic-2 respectively for convenience. They are indeed immune to the SOLE attack. However, we find that there exist many quadratization equations (QEs), which are quadratic in plaintext variables and linear in ciphertext variables and can be derived from the public keys of Quartic-1 and Quartic-2. In this paper, we utilize QEs to recover the corresponding plaintext for a given ciphertext. For Quartic-1, we firstly find there are at least 2r SOLEs, which was regarded as impossible by the original authors, furthermore, we can find at least 35r QEs with a complexity $\mathcal {O}((90r^2(15r+1)+180r^2+15r(15r+1)/2+27r+1)^w)$, where r is a small number denoting the degree of extension of finite fields and w≈2.732. The computational complexity of deriving these equations is about 237. But to find the original plaintext, there still needs 240 times Gröbner basis computations, which needs practically 1.328 seconds each time. For Quartic-2, we make a theoretical analysis and find 18r QEs with a computational complexity $\mathcal {O}((15r+1)6r(12r+1)+180r^2+27r+1)^w$. The complexity is 236 for the parameter proposed in [Wan07], and we can break the scheme practically in 3110.734 seconds. Finally, we show that another improved version of MFE in [WZY07] is insecure against the linearization equation attack although its authors claimed it is secure against high order linearization equation attack. Our attack on the two quartic schemes illustrates that non-linearization equations like quadratization equations which are not degree one in plaintext variables can also be used efficiently to analyze multivariate cryptosystems.

Chris Peikert,Zachary Pepin

DOI: https://doi.org/10.1007/s00145-024-09508-3

2024-06-15

Journal of Cryptology

Abstract:In recent years, there has been a proliferation of algebraically structured Learning With Errors (LWE) variants, including Ring-LWE, Module-LWE, Polynomial-LWE, Order-LWE, and Middle-Product LWE, and a web of reductions to support their hardness, both among these problems themselves and from related worst-case problems on structured lattices. However, these reductions are often difficult to interpret and use, due to the complexity of their parameters and analysis, and most especially their (frequently large) blowup and distortion of the error distributions. In this paper, we unify and simplify this line of work. First, we give a general framework that encompasses all proposed LWE variants (over commutative base rings) and in particular unifies all prior "algebraic" LWE variants defined over number fields. We then use this framework to give much simpler, more general, and tighter reductions from Ring-LWE to other algebraic LWE variants, including Module-LWE, Order-LWE, and Middle-Product LWE. In particular, all of our reductions have easy-to-analyze and frequently small error expansion; in most cases, they even leave the error unchanged. A main message of our work is that it is straightforward to use the hardness of the original Ring-LWE problem as a foundation for the hardness of all other algebraic LWE problems defined over number fields, via simple and rather tight reductions.

computer science, theory & methods,engineering, electrical & electronic,mathematics, applied

Boru Gong,Yunlei Zhao

DOI: https://doi.org/10.1007/978-3-319-59879-6_10

2017-01-01

Abstract:Authenticated key exchange (AKE) plays a fundamental role in modern cryptography. Up to now, the HMQV protocol family is among the most efficient provably secure AKE protocols, which has been widely standardized and in use. Given recent advances in quantum computing, it would be desirable to develop lattice-based analogue of HMQV for the possible upcoming post-quantum era. Towards this goal, a family of AKE schemes from ideal lattice was recently proposed at Eurocrypt 2015 [ZZD+15], which could be seen as an HMQV-analogue based on the ring-LWE (RLWE) problem. It consists a two-pass variant \(\Uppi _2\) and a one-pass variant \(\Uppi _1\).

Ziqing Wang,Dianhua Tang,Haomiao Yang,Fagen Li

DOI: https://doi.org/10.1016/j.sysarc.2021.102165

IF: 5.836

2021-01-01

Journal of Systems Architecture

Abstract:The lattice cryptosystem is considered to be able to resist the attacks of quantum computers. Lattice-based Public Key Encryption (PKE) schemes have attracted the interest of many researchers. In lattice-based cryptography, Learning With Errors (LWE) problem is a hard problem usually used to construct PKE scheme. To ensure the correctness of decryption, LWE-based schemes have a large ciphertext size. This makes these encryption schemes not practical enough when the communication bandwidth is limited. We propose a new variant of LWE, named Learning With Modulus (LWM) and prove that the new problem can be reduced from LWE problem. The proof idea of our reduction is similar to the reduction of LWR problem. We also construct a new PKE scheme based on the proposed LWM and LWE, which has small ciphertext size. For a 128 bits plaintext, the ciphertext size of our scheme is 53.57% of Lindner–Peikert’s (LP) scheme under the same security level. We use python to test the performance of our scheme. The results show that our scheme is only about 0.015 ms slower than LP in the decryption. The performance of our scheme for generating keys and encrypting messages is similar to LP.

Xuyun Nie,Lei Hu,Jintai Ding,Jianyu Li,John Wagner

DOI: https://doi.org/10.1007/978-3-540-72738-5_7

2007-01-01

Abstract:In 2006, the inventors of TRMC public key cryptosystem proposed a new variant of TRMC, TRMC-4, which can resist the existing attack, in particular, the Joux et al attack. In this paper, we show that the new version is vulnerable to attack via the linearization equations (LE) method. For any given valid ciphertext and its corresponding TRMC-4 public key, we can derive the corresponding plaintext within 224$\mathbb{F}_{2^8}$-operations, after performing once for the public key a computation of complexity less than 234. Our results are confirmed by computer experiments.

Iván Blanco-Chacón,Alberto Pedrouzo-Ulloa,Rahinatou Yuh Njah Nchiwo,Beatriz Barbero-Lucas

2023-06-07

Abstract:We discuss the advantages and limitations of cyclotomic fields to have fast polynomial arithmetic within homomorphic encryption, and show how these limitations can be overcome by replacing cyclotomic fields by a family that we refer to as cyclo-multiquadratic. This family is of particular interest due to its arithmetic efficiency properties and to the fact that the Polynomial Learning with Errors (PLWE) and Ring Learning with Errors (RLWE) problems are equivalent for it. Likewise, we provide exact expressions for the condition number for any cyclotomic field, but under what we call the twisted power basis. As a tool for our result, we obtain refined polynomial upper bounds for the condition number of cyclotomic fields with up to 6 different primes dividing the conductor. From a more practical side, we also show that for this family, swapping between NTT and coefficient representations can be achieved at least twice faster than for the usual cyclotomic family.

Cryptography and Security

Iván Blanco-Chacón

DOI: https://doi.org/10.1142/S0219498822502188

2021-08-21

Journal of Algebra and Its Applications

Abstract:We propose and justify a generalized approach to prove the polynomial reduction of the RLWE to the PLWE problem attached to the ring of integers of a monogenic number field. We prove such equivalence in the case of the maximal totally real subextension of the 4p th cyclotomic field, with p arbitrary prime.

mathematics, applied

Hung-Min Sun,Mu-En Wu,Ron Steinfeld,Jian Guo,Huaxiong Wang

DOI: https://doi.org/10.1007/978-3-540-89641-8_4

2008-01-01

Abstract:LSBS-RSA denotes an RSA system with modulus primes, p and q , sharing a large number of least significant bits. In ISC 2007 , Zhao and Qi analyzed the security of short exponent LSBS-RSA. They claimed that short exponent LSBS-RSA is much more vulnerable to the lattice attack than the standard RSA. In this paper, we further raise the security boundary of the Zhao-Qi attack by considering another polynomial. Our improvemet supports the result of analogue Fermat factoring on LSBS-RSA, which claims that p and q cannot share more than $\frac{n}{4}$ least significant bits, where n is the bit-length of pq . In conclusion, it is a trade-off between the number of sharing bits and the security level in LSBS-RSA. One should be more careful when using LSBS-RSA with short exponents.

Haijian Zhou,Ping Luo,Daoshun Wang,Yiqi Dai

DOI: https://doi.org/10.1109/csie.2009.890

2009-01-01

Abstract:Lattice basis reduction algorithms have contributed a lot to cryptanalysis of RSA systems. A typical application is Boneh-Durfee's seminal work for breaking low private key RSA (and its successors in other applications). Although it's well known that this technique is not guaranteed to succeed, there is no thorough proof yet when it fails. In this paper, we summarize the Boneh-Durfee-like algorithms using generalized terminology. We also show that when the number of solutions in given bounded range is larger than $8(w/3)^7$, where $w$ is the dimension of the lattice involved in the reduction procedure, then the algorithm always fails. As a result, it is proven that MSB (Most Significant Bits)partial key exposure attacks on low public key RSA using this technique is difficult, if we have not sufficient private key exposed.

Zhedong Wang,Qiqi La,Feng-Hao Liu

DOI: https://doi.org/10.1007/978-3-031-57722-2_9

2024-01-01

Abstract:This paper studies the hardness of decision Module Learning with Errors (MLWE) under linear leakage, which has been used as a foundation to derive more efficient lattice-based zero-knowledge proofs in a recent paradigm of Lyubashevsky, Nguyen, and Seiler (PKC 21). Unlike in the plain LWE setting, it was unknown whether this problem remains provably hard in the module/ring setting. This work shows a reduction from the standard search MLWE to decision MLWE with linear leakage. Thus, the main problem remains hard asymptotically as long as the non-leakage version of MLWE is hard. Additionally, we also refine the paradigm of Lyubashevsky, Nguyen, and Seiler (PKC 21) by showing a more fine-grained tradeoff between efficiency and leakage. This can lead to further optimizations of lattice proofs under the paradigm.

Zhuang Xu,Owen Pemberton,David Oswald,Zhiming Zheng

DOI: https://doi.org/10.1007/978-3-031-25319-5_12

2022-01-01

Abstract:NTRU is a well-known lattice-based cryptosystem that has been selected as one of the four key encapsulation mechanism finalists in Round 3 of NIST's post-quantum cryptography standardization. This paper presents two succinct and efficient chosen-ciphertext side-channel attacks on the latest variants of NTRU, i.e., NTRU-HPS and NTRU-HRSS as in Round 3 submissions. Both methods utilize the leakage from the polynomial modular reduction to recover the long-term secret key. For the first attack, although the side-channel leakage does not directly reveal the secret polynomial f, we recover differences between adjacent coefficients using appropriately chosen ciphertexts, and finally reconstruct f through linear algebra. The second attack is based on the inherent relation between the secret key and the public key in NTRU-HPS: we first reveal the "invisible" secret polynomial g with chosen ciphertexts and then use g and the public polynomial h to compute f. In theory, these attacks only need 4 and 2 ciphertexts, respectively. We then practically apply those attacks on all reference implementations of four instances in the PQClean library and show that the accuracy of secret-key recovery can reach 100% with only few traces (4 to 24 and 2 to 6, respectively). We also observe similar leakage in optimized implementations in the pqm4 library and propose an according analysis scheme.