Chi Zhang

2024-09-13

Abstract:Lattices have many significant applications in cryptography. In 2021, the $p$-adic signature scheme and public-key encryption cryptosystem were introduced. They are based on the Longest Vector Problem (LVP) and the Closest Vector Problem (CVP) in $p$-adic lattices. These problems are considered to be challenging and there are no known deterministic polynomial time algorithms to solve them. In this paper, we improve the LVP algorithm in local fields. The modified LVP algorithm is a deterministic polynomial time algorithm when the field is totally ramified and $p$ is a polynomial in the rank of the input lattice. We utilize this algorithm to attack the above schemes so that we are able to forge a valid signature of any message and decrypt any ciphertext. Although these schemes are broken, this work does not mean that $p$-adic lattices are not suitable in constructing cryptographic primitives. We propose some possible modifications to avoid our attack at the end of this paper.

Cryptography and Security,Number Theory

Yingpu Deng

2023-05-13

Abstract:In his famous book ``Basic Number Theory", Weil proved several theorems about the existence of norm-orthogonal bases in finite-dimensional vector spaces and lattices over local fields. In this paper, we transform Weil's proofs into algorithms for finding out various norm-orthogonal bases. These algorithms are closely related to the recently introduced closest vector problem (CVP) in $p$-adic lattices and they have applications in cryptography based on $p$-adic lattices.

Number Theory

Chi Zhang,Yingpu Deng,Zhaonan Wang

DOI: https://doi.org/10.48550/arXiv.2311.17415

2024-01-24

Abstract:In 2018, the longest vector problem (LVP) and the closest vector problem (CVP) in $p$-adic lattices were introduced. These problems are closely linked to the orthogonalization process. In this paper, we first prove that every $p$-adic lattice has an orthogonal basis and give definition to the successive maxima and the escape distance, as the $p$-adic analogues of the successive minima and the covering radius in Euclidean lattices. Then, we present deterministic polynomial time algorithms to perform the orthogonalization process, solve the LVP and solve the CVP with an orthogonal basis of the whole vector space. Finally, we conclude that orthogonalization and the CVP are polynomially equivalent.

Number Theory

Meng Zhang,Xuehong Chen,Maozhi Xu,Jie Wang

DOI: https://doi.org/10.1007/978-981-15-2777-7_5

2019-01-01

Abstract:Since Boneh and Franklin implemented the Identity Based Encryption in 2001, a number of novel schemes have been proposed based on bilinear pairings, which have been widely used in the scenario of blockchain. The elliptic curves with low embedding degree and large prime-order subgroup (a.k.a pairing-friendly elliptic curves) are the basic components for such schemes, where prime order elliptic curves are most frequently used in practice. In this paper, a systematic method is utilized to find all the possible prime order families, then it is shown that all the existing constructions can be explained via our method. We further give the evidence that it's unlikely to produce extra families.

Mengce Zheng,Noboru Kunihiro,Yuanzhi Yao

DOI: https://doi.org/10.1016/j.tcs.2021.08.001

IF: 1.002

2021-01-01

Theoretical Computer Science

Abstract:RSA (Rivest-Shamir-Adleman) cryptosystem is the most popular asymmetric key cryptographic algorithm used in computer science and information security. Recently, an RSA-like cryptosystem was proposed using a novel product that arises from a cubic field connected to the cubic Pell equation. The relevant key equation is e d ≡ 1 mod ( p 2 + p + 1 ) ( q 2 + q + 1 ) with N = p q. This RSA variant is claimed to be robust against the Wiener's attack and hence the bit-size of the private key could be shorter, namely d < N 1 / 4. In this paper, we explore the further security analysis and investigate the potential small private exponent attack. We show that such RSA variant is particularly vulnerable to the lattice-based method. To be specific, we can carry out the lattice-based small private exponent attack if d < N 2 − 2, which is less secure than the standard RSA. Furthermore, we conduct numerical experiments to verify the validity of the proposed attack.

Tao Zheng,Bican Xia

DOI: https://doi.org/10.1145/3326229.3326243

2019-01-01

Abstract:Computing a basis for the exponent lattice of algebraic numbers is a basic problem in the field of computational number theory with applications to many other areas. The bottleneck of the computation of a well-known algorithm [4, 7] solving the problem is the computation of the primitive element of the extended field generated by the given algebraic numbers. When the extended field is of large degree, the problem seems intractable by the tool implementing the algorithm. In this paper, a special kind of exponent lattice basis is introduced. An important feature of that basis is that it can be inductively constructed, which allows us to deal with the given algebraic numbers one by one and to work in smaller fields while computing the basis. Based on this, an effective framework for constructing exponent lattice basis is proposed. Through computing a so-called pre-basis first and then solving some linear Diophantine equations, the basis can be efficiently constructed. A new certificate for multiplicative independence and some techniques for decreasing degrees of algebraic numbers are provided to speed up the computation. The new algorithm has been implemented with Mathematica and its effectiveness is verified by testing various examples.

Yao Lu,Rui Zhang,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-642-38631-2_29

2013-01-01

Abstract:This paper investigates the problem of factoring RSA modulus N = pq with some known bits from both p and q. In Asiacrypt'08, Herrmann and May presented a heuristic algorithm to factorize N with the knowledge of a random subset of the bits (distributed over small contiguous blocks) of a factor. However, in a real attack, an adversary often obtain some bits which distributed in both primes. This paper studies this extended setting and introduces a lattice-based approach. Our strategy is an extension of Coppersmiths technique on more variables, thus it is a heuristic method, which we heuristically assumed that the polynomials resulting from the lattice basis reduction are algebraically independent. However, in our experiments, we have observed that the well-established assumption is not always true, and for these scenarios, we also propose a method to fix it. © 2013 Springer-Verlag.

Zi-dong Lu,Xue-jia Lai

DOI: https://doi.org/10.2991/cnct-16.2017.79

2016-01-01

Abstract:Orthomorphic permutation is proposed in 1942, which is a special permutation with many good cryptographic properties. Orthomorphic permutation has similar structure with a one-way function used in hash functions called Davies-Meyer construction. However, the algebraic degrees of previous constructions of orthomorphic permutations by Boolean functions are not the highest, which can be attacked by higher order differential attack. In this paper, we develop a new method for construction of orthomorphic permutations with the highest degree so that they are resistant to higher order differential analysis. We also generalize the construction from four aspects to generate more orthomorphic permutations with the highest degree. Moreover, we give the total number of orthomorphic permutations constructed after applying these generalizations. Our improvement on the degree of orthomorphic permutation can be used as a reference of designing S-box with great cryptographic properties in new algorithms.

Georges Gras

2024-09-02

Abstract:Let $k = \mathbb{Q}(\sqrt {-m})$ and $p > 2$ split in $k$. We prove new properties of the $\mathbb{Z}_p$-extensions $K/k$, distinct from the cyclotomic; we do not assume $K/k$ totally ramified, nor the triviality of the $p$-class group of $k$. These properties are governed by the $p$-valuation, $\delta_p(k)$, of a suitable Fermat quotient of the fundamental $p$-unit $x$ of $k$, which also yields the order of the logarithmic class group (2.2, App. A), and generalize the Gold-Sands criterion (5.1, 5.3, 5.4, 5.5). These results use the second element $(\mathcal{H}_{K_n}/\mathcal{H}_{K_n}^{G_n})^{G_n}$ of the filtration of the $p$-class groups in $K=\cup_n K_n$, without any argument of Iwasawa's theory, and provide new perspectives. We compute, Sec. 7, the first layer $K_1$, using the Log-function, then give a short proof of a result of Kundu-Washington (5.6), and show (7.4, 7.6) that capitulation is possible in $K$, suggesting Conjecture 5.8. Calculations are gathered App. B.

Number Theory

Shreya Dhar,River Newman,Grayson Plumpton,Chenglu Wang

2024-11-12

Abstract:Let $p$ be a prime and let $\mathbb{Q}_p$ be the field of $p$-adic numbers. It is known that the finite extensions of $\mathbb{Q}_p$ of a given degree are finite up to isomorphism. Given a cubic field extension $L$ of $\mathbb{Q}_p$ generated by the root of an irreducible polynomial $h$, we present a practical (closed-form) method to determine the isomorphism class in which $L$ lives, based on the coefficients of $h$. We discuss the subtleties of the wildly ramified case, when the degree of the extension coincides with $p$, the characteristic of the residue field. We also present a method for tamely ramified extensions of arbitrary prime degree.

Number Theory

Gary McConnell

2024-06-21

Abstract:Fix a finite collection of primes $\{ p_j \}$, not containing $2$ or $3$. Using some observations which arose from attempts to solve the SIC-POVMs problem in quantum information, we give a simple methodology for constructing an infinite family of simultaneously non-$p_j$-rational real quadratic fields, unramified above any of the $p_j$. Alternatively these may be described as infinite sequences of instances of $\mathbb{Q}(\sqrt{D})$, for varying $D$, where every $p_j$ is a $k$-Wall-Sun-Sun prime, or equivalently a generalised Fibonacci-Wieferich prime. One feature of these techniques is that they may be used to yield fields $K=\mathbb{Q}(\sqrt{D})$ for which a $p$-power cyclic component of the torsion group of the Galois groups of the maximal abelian pro-$p$-extension of $K$ unramified outside primes above $p$, is of size $p^a$ for $a\geq1$ arbitrarily large.

Number Theory,Quantum Physics

Alan Szepieniec,Jintai Ding,Bart Preneel

DOI: https://doi.org/10.1007/978-3-319-29360-8_12

2016-01-01

Abstract:This paper introduces a new central trapdoor for multivariate quadratic (MQ) public-key cryptosystems that allows for encryption, in contrast to time-tested MQ primitives such as Unbalanced Oil and Vinegar or Hidden Field Equations which only allow for signatures. Our construction is a mixed-field scheme that exploits the commutativity of the extension field to dramatically reduce the complexity of the extension field polynomial implicitly present in the public key. However, this reduction can only be performed by the user who knows concise descriptions of two simple polynomials, which constitute the private key. After applying this transformation, the plaintext can be recovered by solving a linear system. We use the minus and projection modifiers to inoculate our scheme against known attacks. A straightforward C++ implementation confirms the efficient operation of the public key algorithms.

BAI Guo-qiang,CAI Mian,XIAO Guo-zhen

DOI: https://doi.org/10.3969/j.issn.1001-2400.2000.06.015

2000-01-01

Abstract:Very recently, Guang Gong and Lein harn have proposed a new Diffie Hellman public key exchange scheme based on the 3 rd order linear feedback shift register sequences over GF(q). A method for attacking the scheme is investigated in this paper. For some special private keys, with the method we can easily obtain them from their public keys and the system open parameters.

Liu, Feng-Hao

DOI: https://doi.org/10.1007/s10623-024-01523-6

IF: 1.4

2024-11-25

Designs Codes and Cryptography

Abstract:Achieving tight security is a fundamental task in cryptography. While one of the most important purposes of this task is to improve the overall efficiency of a construction (by allowing smaller security parameters), many current lattice-based instantiations do not completely achieve the goal. Particularly, a super-polynomial modulus seems to be necessary in all prior work for (almost) tight schemes that allow the adversary to conduct queries, such as PRF, IBE, and Signatures. As the super-polynomial modulus would affect the noise-to-modulus ratio and thus increase the parameters, this might cancel out the advantages (in efficiency) brought from the tighter analysis. To determine the full power of tight security/analysis in lattices, it is necessary to determine whether the super-polynomial modulus restriction is inherent. In this work, we remove the super-polynomial modulus restriction for many important primitives—PRF, IBE, all-but-many Lossy Trapdoor Functions, and Signatures. The crux relies on an improvement over the framework of Boyen and Li (Asiacrypt 16), and an almost tight reduction from LWE to LWR, which improves prior work by Alwen et al. (Eurocrypt 13), Bogdanov et al. (TCC 16), and Bai et al. (Asiacrypt 15). By combining these two advances, we are able to derive these almost tight schemes under LWE with a polynomial modulus.

mathematics, applied,computer science, theory & methods

Yoshinosuke Hirakawa

2024-01-25

Abstract:In this article, we prove a modulo $p$ congruence which connects the class number of the quadratic field $\mathbb{Q}(\sqrt{(-1)^{(p-1)/2}p})$ and the trace of a certain monomial in a root $\theta$ of the Artin-Schreier polynomial $\theta^{p}-\theta-1$ over the field $\mathbb{F}_{p}$ of $p$ elements. This formula has a flavor of Dirichlet's class number formula which connects the class number and the $L$-value. The proof of our formula is based on several formulae satisfied by the Bell number, where the latter is defined as the number of partitions of $\{ 1, 2, ..., n \}$ and a purely combinatorial object. Among such formulae, we prove a generalization of the so called ``trace formula'' due to Barsky and Benzaghou which describes the special values of the Bell polynomials modulo $p$ by the trace mentioned above.

Number Theory

Mohamadou Sall,M. Anwar Hasan

2024-02-18

Abstract:Binary field extensions are fundamental to many applications, such as multivariate public key cryptography, code-based cryptography, and error-correcting codes. Their implementation requires a foundation in number theory and algebraic geometry and necessitates the utilization of efficient bases. The continuous increase in the power of computation, and the design of new (quantum) computers increase the threat to the security of systems and impose increasingly demanding encryption standards with huge polynomial or extension degrees. For cryptographic purposes or other common implementations of finite fields arithmetic, it is essential to explore a wide range of implementations with diverse bases. Unlike some bases, polynomial and Gaussian normal bases are well-documented and widely employed. In this paper, we explore other forms of bases of $\mathbb{F}_{2^n}$ over $\mathbb{F}_2$ to demonstrate efficient implementation of operations within different ranges. To achieve this, we leverage results on fast computations and elliptic periods introduced by Couveignes and Lercier, and subsequently expanded upon by Ezome and Sall. This leads to the establishment of new tables for efficient computation over binary fields.

Cryptography and Security

Hung-Min Sun,Mu-En Wu,Yao-Hsin Chen

DOI: https://doi.org/10.1007/978-3-540-72738-5_8

2007-01-01

Abstract:In the RSA system, balanced modulus Ndenotes a product of two large prime numbers pand q, where qpq. Since Integer-Factorization is difficult, pand qare simply estimated as ${\sqrt{N}}$. In the Wiener attack, $2\sqrt{N}$ is adopted to be the estimation of p+ qin order to raise the security boundary of private-exponent d. This work proposes a novel approach, called EPF, to determine the appropriate prime-factors of N. The estimated values are called "EPFs of N", and are denoted as pEand qE. Thus pEand qEcan be adopted to estimate p+ qmore accurately than by simply adopting $2\sqrt{N}$. In addition, we show that the Verheul and Tilborg's extension of the Wiener attack can be considered to be brute-guessing for the MSBs of p+ q. Comparing with their work, EPF can extend the Wiener attack to reduce the cost of exhaustive-searching for 2r+ 8 bits down to 2r茂戮驴 10 bits, where rdepends on Nand the private key d. The security boundary of private-exponent dcan be raised 9 bits again over Verheul and Tilborg's result.

Haijian Zhou,Ping Luo,Daoshun Wang,Yiqi Dai

DOI: https://doi.org/10.1109/csie.2009.890

2009-01-01

Abstract:Lattice basis reduction algorithms have contributed a lot to cryptanalysis of RSA systems. A typical application is Boneh-Durfee's seminal work for breaking low private key RSA (and its successors in other applications). Although it's well known that this technique is not guaranteed to succeed, there is no thorough proof yet when it fails. In this paper, we summarize the Boneh-Durfee-like algorithms using generalized terminology. We also show that when the number of solutions in given bounded range is larger than $8(w/3)^7$, where $w$ is the dimension of the lattice involved in the reduction procedure, then the algorithm always fails. As a result, it is proven that MSB (Most Significant Bits)partial key exposure attacks on low public key RSA using this technique is difficult, if we have not sufficient private key exposed.

Lasha Ephremidze,Ilya Spitkovsky

2023-05-14

Abstract:We propose a superfast method for constructing orthogonal matrices $M\in\mathcal{O}(n,q)$ in finite fields $GF(q)$. It can be used to construct $n\times n$ orthogonal matrices in $Z_p$ with very high values of $n$ and $p$, and also orthogonal matrices with a certain circulant structure. Equally well one can construct paraunitary filter banks or wavelet matrices over finite fields. The construction mechanism is highly efficient, allowing for the complete screening and selection of an orthogonal matrix that meets specific constraints. For instance, one can generate a complete list of orthogonal matrices with given $n$ and $q=p^m$ provided that the order of $\mathcal{O}(n,q)$ is not too large. Although the method is based on randomness, isolated cases of failure can be identified well in advance of the basic procedure's start. The proposed procedures are based on the Janashia-Lagvilava method which was developed for an entirely different task, therefore, it may seem somewhat unexpected.

Information Theory

Johannes Buchmann,Daniel Cabarcas,Jintai Ding,Mohamed Saied Emam Mohamed

DOI: https://doi.org/10.1007/978-3-642-12678-9_5

2010-01-01

Abstract:Recent developments in multivariate polynomial solving algorithms have made algebraic cryptanalysis a plausible threat to many cryptosystems. However, theoretical complexity estimates have shown this kind of attack unfeasible for most realistic applications. In this paper we present a strategy for computing Gröbner basis that challenges those complexity estimates. It uses a flexible partial enlargement technique together with reduced row echelon forms to generate lower degree elements–mutants. This new strategy surpasses old boundaries and obligates us to think of new paradigms for estimating complexity of Gröbner basis computation. The new proposed algorithm computed a Gröbner basis of a degree 2 random system with 32 variables and 32 equations using 30 GB which was never done before by any known Gröbner bases solver.