Xuyun Nie,Xin Jiang,Lei Hu,Jintai Ding

2007-01-01

Abstract:In 2006, Nie et al proposed an attack to break an instance of TTM cryptosystems. However, the inventor of TTM disputed this attack and he proposed two new instances of TTM to support his viewpoint. At this time, he did not give the detail of key construction — the construction of the lock polynomials in these instances which would be used in decryption. The two instances are claimed to achieve a security of 2 against Nie et al attack. In this paper, we show that these instances are both still insecure, and in fact, they do not achieve a better design in the sense that we can find a ciphertext-only attack utilizing the First Order Linearization Equations while for the previous version of TTM, only Second Order Linearization Equations can be used in the beginning stage of the previous attack. Different from previous attacks, we use an iterated linearization method to break these two instances. For any given valid ciphertext, we can find its corresponding plaintext within 2 F28 computations after performing once for any public key a computation of complexity less than 2. Our experiment result shows we have unlocked the lock polynomials after several iterations, though we do not know the detailed construction of lock polynomials. Keyword: multivariate public key cryptosystem, TTM, algebraic attack, linearization equation, triangular cryptosystem.

Xuyun Nie,Lei Hu,Jianyu Li,Crystal Updegrove,Jintai Ding

DOI: https://doi.org/10.1007/11767480_14

2006-01-01

Abstract:In 2004, the inventors of TTM cryptosystems proposed a new scheme that could resist the existing attacks, in particular, the Goubin-Courtois attack [GC00] and the Ding-Schmidt attack [DS03]. In this paper, we show the new version is still insecure, and we find that the polynomial components of the cipher (Fi) satisfy nontrivial equations of the special form$$\sum\limits_{i=0}^{n-1}a_ix_i+\sum\limits_{0\leq j\leq k\leq m-1}b_{jk}F_jF_k+\sum\limits_{j=0}^{m-1}c_jF_j+d=0,$$ which could be found with 238 computations. From these equations and consequently the linear equations we derive from these equations for any given ciphertext, we can eliminate some of the variables xi by restricting the functions to an affine subspace, such that, on this subspace, we can trivialize the ”lock” polynomials, which are the key structure to ensure its security in this new instance of TTM. Then with method similar to Ding-Schmidt [DS03], we can find the corresponding plaintext for any given ciphertext. The total computational complexity of the attack is less than 239 operations over a finite field of size 28. Our results are further confirmed by computer experiments.

Jintai Ding,John Wagner

DOI: https://doi.org/10.1007/978-3-540-88403-3_9

2008-01-01

Abstract:In 1989, Tsujii, Fujioka, and Hirayama proposed a family of multivariate public key cryptosystems, where the public key is given as a set of multivariate rational functions of degree 4. These cryptosystems are constructed via composition of two quadratic rational maps. In this paper, we present the cryptanalysis of this family of cryptosystems. The key point of our attack is to transform a problem of decomposition of two rational maps into a problem of decomposition of two polynomial maps. We develop a new improved 2R decomposition method and other new techniques, which allows us to find an equivalent decomposition of the rational maps to break the system completely. For the example suggested for practical applications, it is very fast to derive an equivalent private key, and it requires only a few seconds on a standard PC.

Jintai Ding,Timonthy Hodges

DOI: https://doi.org/10.1142/S0219498804000861

2011-01-01

Journal of Algebra and Its Applications

Abstract:A Tamed Transformation Method (TTM) cryptosystem was proposed by T. T. Moh in 1999. We describe how the first implementation scheme of the TTM system can be defeated. The computational complexity of our attack is 2(33) computations on the finite field with 2(8) elements. The cipher of the TTM systems are degree 2 polynomial maps derived from composition of invertible maps of either total degree 2 or linear maps which can be easily calculated and can be easily inverted. To ensure the system to be of degree two, the key construction of the implementation schemes of the TTM systems is a multi-variable polynomial Q(8)(x(1),..., x(n)) and a set of linearly independent quadratic polynomials q(i)(x(1),..., x(m)), i = 1,..., n such that Q(8)(q(1),..., q(n)) is again a degree 2 polynomials of x(1),..., x(m). In this paper, we study the first implementation scheme of the TTM systems [6]. We discovered that in this implementation scheme the specific polynomial Q(8) can be decomposed further into a factorization in terms of composition. By taking powers of the equality satisfied by the new composition factors, we can actually derive a set of equations, that can produce linear equations satisfied by the plaintext. These linear equations lead us to find a way to defeat this implementation scheme.

Maria Eichlseder,Lorenzo Grassi,Reinhard Lüftenegger,Morten Øygarden,Christian Rechberger,Markus Schofnegger,Qingju Wang

DOI: https://doi.org/10.1007/978-3-030-64837-4_16

2020-01-01

Abstract:Algebraically simple PRFs, ciphers, or cryptographic hash functions are becoming increasingly popular, for example due to their attractive properties for MPC and new proof systems (SNARKs, STARKs, among many others). In this paper, we focus on the algebraically simple construction MiMC, which became an attractive cryptanalytic target due to its simplicity, but also due to its use as a baseline in a competition for more recent algorithms exploring this design space. For the first time, we are able to describe key-recovery attacks on all full-round versions of MiMC over $${\mathbb {F}}_{2^n}$$ , requiring half the code book. In the chosen-ciphertext scenario, recovering the key from this data for the n-bit full version of MiMC takes the equivalent of less than $$2^{n-\log _2(n) +1}$$ calls to MiMC and negligible amounts of memory. The attack procedure is a generalization of higher-order differential cryptanalysis, and it is based on two main ingredients. First, we present a higher-order distinguisher which exploits the fact that the algebraic degree of MiMC grows significantly slower than originally believed. Secondly, we describe an approach to turn this distinguisher into a key-recovery attack without guessing the full subkey. Finally, we show that approximately $$\lceil \log _3(2\cdot R)\rceil $$ more rounds (where $$R = \lceil n \cdot \log _3(2)\rceil $$ is the current number of rounds of MiMC-n/n) can be necessary and sufficient to restore the security against the key-recovery attack presented here. The attack has been practically verified on toy versions of MiMC. Note that our attack does not affect the security of MiMC over prime fields.

LU Gang,NIE Xu-yun,QIN Zhi-guang,HOU Chuan-yong

DOI: https://doi.org/10.3969/j.issn.1001-0548.2018.02.013

2018-01-01

Abstract:In 2014, Yuan et al. proposed a new multivariate public key cryptosystem by combining "small field-big field" and "stepwise triangular" methods. The authors claimed that their scheme can be secure against rank attack, linearization equation attack and differential attack. Through analysis, we found that there are a lot of linearization equations satisfied by this scheme. We can transform it to an equivalent square encryption scheme by linearization equation method and then recover corresponding plaintext for any given cipheretext by differential attack. As to two recommended parameters, for given public key, the complexities of recovering plaintext are 233 and 235, respectively. The results above are further confirmed by computer experiments.

Jintai Ding,Joshua Deaton,Kurt Schmidt,Vishakha,Zheng Zhang

2019-01-01

Abstract:In 1998, Jeffrey Hoffstein, Jill Pipher, and Joseph H. Silverman introduced the famous NTRU cryptosystem, and called it "A ring-based public key cryptosystem". Actually, it turns out to be a lattice based cryptosystem that is resistant to Shor’s algorithm. There are several modifications to the original NTRU and two of them are selected as round 2 candidates of NIST post quantum public key scheme standardization. In this paper, we present a simple attack on the original NTRU scheme. The idea comes from Ding et al.’s key mismatch attack. Essentially, an adversary can find information on the private key of a KEM by not encrypting a message as intended but in a manner which will cause a failure in decryption if the private key is in a certain form. In the present, NTRU has the encrypter generating a random polynomial with "small" coefficients, but we will have the coefficients be "large". After this, some further work will create an equivalent key.

Xuyun Nie,Xin Jiang,Lei Hu,Jintai Ding,Fengli Zhang

DOI: https://doi.org/10.1109/iih-msp.2008.246

2008-01-01

Abstract:TTM (tame transformation method) is a type of multivariate public key cryptosystem. In 2007, the inventor of TTM proposed two new instances of TTM to resist the existing attacks, in particular, the Nie et al attack. The two instances are claimed to achieve a security of 2109 against Nie et al attack. Through computation, we found that the instance II satisfied First Order Linearization Equations. After finding all linearization equations, we can perform a ciphertext-only attack to break it.

Zhuang Xu,Owen Pemberton,David Oswald,Zhiming Zheng

DOI: https://doi.org/10.1007/978-3-031-25319-5_12

2022-01-01

Abstract:NTRU is a well-known lattice-based cryptosystem that has been selected as one of the four key encapsulation mechanism finalists in Round 3 of NIST's post-quantum cryptography standardization. This paper presents two succinct and efficient chosen-ciphertext side-channel attacks on the latest variants of NTRU, i.e., NTRU-HPS and NTRU-HRSS as in Round 3 submissions. Both methods utilize the leakage from the polynomial modular reduction to recover the long-term secret key. For the first attack, although the side-channel leakage does not directly reveal the secret polynomial f, we recover differences between adjacent coefficients using appropriately chosen ciphertexts, and finally reconstruct f through linear algebra. The second attack is based on the inherent relation between the secret key and the public key in NTRU-HPS: we first reveal the "invisible" secret polynomial g with chosen ciphertexts and then use g and the public polynomial h to compute f. In theory, these attacks only need 4 and 2 ciphertexts, respectively. We then practically apply those attacks on all reference implementations of four instances in the PQClean library and show that the accuracy of secret-key recovery can reach 100% with only few traces (4 to 24 and 2 to 6, respectively). We also observe similar leakage in optimized implementations in the pqm4 library and propose an according analysis scheme.

Weiwei Cao,Xiuyun Nie,Lei Hu,Xiling Tang,Jintai Ding

DOI: https://doi.org/10.1007/978-3-642-12929-2_4

2010-01-01

Abstract:MFE, a multivariate public key encryption scheme proposed by Wang et al in CT-RSA 2006, was conquered by second order linearization equation (SOLE) attack by Ding et al in PKC 2007. To resist this attack, many improved schemes were proposed. Wang et al in [WFW09 and Wang in [Wan07] both modified MFE and raised the public key from quadratic to quartic equations. We call the two quartic schemes Quartic-1 and Quartic-2 respectively for convenience. They are indeed immune to the SOLE attack. However, we find that there exist many quadratization equations (QEs), which are quadratic in plaintext variables and linear in ciphertext variables and can be derived from the public keys of Quartic-1 and Quartic-2. In this paper, we utilize QEs to recover the corresponding plaintext for a given ciphertext. For Quartic-1, we firstly find there are at least 2r SOLEs, which was regarded as impossible by the original authors, furthermore, we can find at least 35r QEs with a complexity $\mathcal {O}((90r^2(15r+1)+180r^2+15r(15r+1)/2+27r+1)^w)$, where r is a small number denoting the degree of extension of finite fields and w≈2.732. The computational complexity of deriving these equations is about 237. But to find the original plaintext, there still needs 240 times Gröbner basis computations, which needs practically 1.328 seconds each time. For Quartic-2, we make a theoretical analysis and find 18r QEs with a computational complexity $\mathcal {O}((15r+1)6r(12r+1)+180r^2+27r+1)^w$. The complexity is 236 for the parameter proposed in [Wan07], and we can break the scheme practically in 3110.734 seconds. Finally, we show that another improved version of MFE in [WZY07] is insecure against the linearization equation attack although its authors claimed it is secure against high order linearization equation attack. Our attack on the two quartic schemes illustrates that non-linearization equations like quadratization equations which are not degree one in plaintext variables can also be used efficiently to analyze multivariate cryptosystems.

Haina Zhangi,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-540-76788-6_18

2007-01-01

Abstract:TSC-4 is a T-function based stream cipher with. 80-bit key, and proposed as a candidate for ECRYPT eStream project. In this paper, we introduce a differential method to analyze TSC-4. Our attack is based on the vulnerable differential characteristics in the state initialization of TSC-4, and for the chosen IV pairs, the differential probability is up to 2(-15.40) in the case of weak keys. We show that there are about 2(72) weak keys among the total 2(80) keys. To recover 8 bits of a weak key needs about 2(40.53) chosen IV pairs. After that, we can search the other 72 key bits by an exhaustive attack.

Jintai Ding,Dieter Schmidt

DOI: https://doi.org/10.1007/978-3-0348-7865-4_6

2004-01-01

Abstract: We show that the new TTM implementation schemes have a defect. There exist linearization equations å</font >i = 1,j = 1n,m aijxiyj(x1, ¼</font >,xn) + å</font >i = 1n bixi + å</font >j = 1m cjyj(x1, ¼</font >,xn) + d = 0,\sum\limits_{i = 1,j = 1}^{n,m} {{a_{ij}}{x_i}{y_j}({x_1}, \ldots ,{x_n}) + \sum\limits_{i = 1}^n {{b_i}{x_i} + \sum\limits_{j = 1}^m {{c_j}{y_j}({x_1}, \ldots ,{x_n}) + d = 0,} } } which are satisfied by the components y3 (x1 … xn) of the ciphers of the TTM schemes. The inventor of TTM used two versions of the paper [2] to refute a claim in [3]. When we do a linear substitution with the linear equations derived from the linearization equations for a given ciphertext,we can find the plaintext by an iteration of the procedure of first search for linear equations by linear combinations and then linear substitution. The computational complexity of the attack on these two schemes is less than 235 over a finite field of size 28.

NIE Xu-yun,LIU Bo,LU Gang,ZHONG Ting

DOI: https://doi.org/10.11959/j.issn.1000-436x.2015182

2015-01-01

Abstract:The novel extended multivariate public key cryptosystem is a new security enhancement method on multivariate public key cryptosystems,which is proposed by Qiao,et al.A nonlinear invertible transformation was used,named“tame transformation”,on the original multivariate public key cryptosystem to hide its weakness such as linearization equation.However,it is found that if there are many linearization equations satisfied by the original MPKC,there would be many quadratization equations (QE) satisfied by the improved scheme.Given a public key,after finding all QE,a valid cipheretext can be substituted into the QE to derive a set of quadratic equations on the plaintext variable.This exactly reduce the degree of the system wanted to solve.Then the corresponding plaintext can be recovered for a given valid ciphertext combining with Groebner basis method.

Zhen Liu,Vishakha,Jintai Ding,Chi Cheng,Yanbin Pan

DOI: https://doi.org/10.1007/978-3-031-62743-9_11

2024-01-01

Abstract:NTRU is a very famous lattice-based public key cryptosystem, whose security has undergone analysis for the past two decades. Hoffstein, Pipher and Silverman firstly proposed a key recovery attack against the original NTRU with a key mismatch oracle that helps to determine whether the ciphertext can be decrypted correctly or not. However, some additional assumptions are needed to make their attack work. In this paper, we present a key mismatch attack against NTRU that eliminates these assumptions. Using polynomials with coefficients satisfying a fixed l(1) norm to construct ciphertexts, we can keep recovering the coefficients of consecutive positions until the private key is fully recovered. In our experiment, we always succeeded to recover the private keys of NTRUEncrypt and NTRU-HPS with the recommended parameters, which were submitted to the NIST Post-Quantum Cryptography Standardization. Above all, regrading NTRU, our attack has the minimum number of queries to the oracle so far, which is also closest to the theoretical lower bound on the minimum average number of queries analyzed in Qin et al.'s work at Asiacrypt 2021.

Terry Shue Chien Lau,Chik How Tan

DOI: https://doi.org/10.1007/s10623-021-01002-2

2022-01-18

Abstract:Recently, Horlemann-Trautmann and Weger (Adv Math Commun, https://doi.org/10.3934/amc.2020089, 2020) proposed a general framework for a Quaternary McEliece cryptosystem over the ring Z4$${\mathbb {Z}}_4$$, and generalized the construction over the ring Zpm$${\mathbb {Z}}_{p^m}$$ where p is a prime integer. By considering the Lee metric, the public key size for the McEliece cryptosystems can be substantially smaller than their counterparts in the Hamming metric. Furthermore, the hardness of the McEliece cryptosystems over Zpm$${\mathbb {Z}}_{p^m}$$ is based on the Lee Syndrome Decoding problem, which was shown to be NP-complete. This paper aims to analyze the design and security of the Lee metric McEliece cryptosystem over Zpm$${\mathbb {Z}}_{p^m}$$ in the Lee metric. We derive some necessary conditions for the quaternary codes used in the Lee metric McEliece cryptosystem, and show that the theoretical quaternary codes proposed in (Adv Math Commun, https://doi.org/10.3934/amc.2020089, 2020) do not exist. Furthermore, we propose a plaintext recovery attack on the Lee metric McEliece cryptosystem over Zpm$${\mathbb {Z}}_{p^m}$$, when the minimum Lee distance of the underlying codes with certain structures is greater than twice the Lee weight of the error. Our plaintext recovery attack is applicable to the cryptosystems over Zpm$${\mathbb {Z}}_{p^m}$$ when m&gt;1$$m&gt;1$$. We apply our plaintext recovery attack on the Quaternary McEliece cryptosystem, and manage to recover partial plaintext of length k1$$k_1$$ within O2min{k1,0.0473n}$$O \left( 2^{\min \{ k_1, 0.0473 n\}} \right) $$ operations, where n is the length of ciphertext. Hence, the proposed theoretical parameters for the Quaternary McEliece over Z4$${\mathbb {Z}}_4$$ in (Adv Math Commun, https://doi.org/10.3934/amc.2020089, 2020) do not achieve 128-bit security, as we can recover the partial plaintext within 0.591 s. This also implies that the use of quaternary codes in the McEliece cryptosystem may not reduce the public key size significantly. Furthermore, for some parameters of the Lee metric McEliece cryptosystems over Z4$${\mathbb {Z}}_4$$, our plaintext recovery attack can be more efficient than the Lee-Brickell’s and Stern’s Information Set Decoding Algorithm over Z4$${\mathbb {Z}}_4$$.

ZHAO Xin-jie,GUO Shi-ze,WANG Tao,ZHANG Fan,LIU Huiying,JI Ke-ke

DOI: https://doi.org/10.3969/j.issn.1671-1742.2012.04.001

2012-01-01

Abstract:The security of a lightweight block cipher KLEIN against the algebraic side-channel attack is evaluated by combining algebraic attack with side-channel attack under the Hamming weight leakage model.Firstly,the algebraic representation of KLEIN is given.Then,the Hamming weights of the intermediate states are deduced from analyzing the power leakages and converted into algebraic equations.Finally,the CryptoMinisat solver is applied to solve for the key.Based on three different error tolerant strategies,many physical experiments are conducted on KLEIN under an 8-bit microcontroller and the complexity of the attack is also evaluated.Experiment results show that: the unprotected software implementation of KLEIN is vulnerable to algebraic side-channel attack.Full 64-bit master key of KLEIN can be recovered by analyzing the Hamming weight leakages of the first round under know plaintext/ciphertext scenario and 2 rounds under unknown plaintext/ciphertext scenario.

LiDong Han,XiaoYun Wang,GuangWu Xu

DOI: https://doi.org/10.1007/s11432-010-4029-2

2010-01-01

Science China Information Sciences

Abstract:This paper concerns the RSA system with private CRT-exponents. Since Chinese remainder rep- resentation provides efficiency in computation, such system is of some practical significance. In this paper, an existing attack to small private CRT-exponents is analyzed. It is indicated that this attack makes nice use of lattice in RSA analysis, but some argument does not hold in general. Several counterexamples are constructed. Refinements and more precise statements of the attack are given.

李子臣,戴一奇

DOI: https://doi.org/10.3321/j.issn:1000-0054.2001.07.023

2001-01-01

Abstract:Supposedly secure cryptosystems have been designed using the quadratic residue problem. However as shown in this paper, Morrison Brillhart's factorization method can be used to successfully attack these systems and we design a new attack on these cryptosystems. Under the new attack, these cryptosystems are insecure. Basic rules are then presented for designing a secure cryptosystem based on the quadratic residue problem.

Joohee Lee,Hansol Ryu,Minju Lee,Jaehui Park

DOI: https://doi.org/10.1109/tifs.2024.3471074

IF: 7.231

2024-10-15

IEEE Transactions on Information Forensics and Security

Abstract:In IEEE TIFS 2023, NTRU+ has been proposed, an efficient lattice-based post-quantum Key Encapsulation Mechanism (KEM), which has also been submitted to the KpqC competition. In this paper, we propose an effective classical chosen ciphertext attack to recover the transmitted session key for NTRU+ with all but negligible probability for the first time. With the proposed attacks, we show that all the suggested parameters of NTRU+ do not satisfy the claimed IND-CCA security. Moreover, we elaborate on some flaws in the security proof, a part of which introduces our attack. We also suggest a way to modify the NTRU+ scheme to defend our attack while maintaining its practical performance.

computer science, theory & methods,engineering, electrical & electronic

Chengqing Li,Yuansheng Liu,Leo Yu Zhang,Kwok-wo Wong

DOI: https://doi.org/10.1016/j.image.2014.06.011

2016-09-29

Abstract:As a fundamental theorem in number theory, the Chinese Reminder Theorem (CRT) is widely used to construct cryptographic primitives. This paper investigates the security of a class of image encryption schemes based on CRT, referred to as CECRT. Making use of some properties of CRT, the equivalent secret key of CECRT can be recovered efficiently. The required number of pairs of chosen plaintext and the corresponding ciphertext is only $(1+\lceil (\log_2L)/l \rceil)$. The attack complexity is only $O(L)$, where $L$ is the plaintext length and $l$ is the number of bits representing a plaintext symbol. In addition, other defects of CECRT such as invalid compression function and low sensitivity to plaintext, are reported. The work in this paper will help clarify positive role of CRT in cryptology.

Cryptography and Security