Xuyun Nie,Lei Hu,Jianyu Li,Crystal Updegrove,Jintai Ding

DOI: https://doi.org/10.1007/11767480_14

2006-01-01

Abstract:In 2004, the inventors of TTM cryptosystems proposed a new scheme that could resist the existing attacks, in particular, the Goubin-Courtois attack [GC00] and the Ding-Schmidt attack [DS03]. In this paper, we show the new version is still insecure, and we find that the polynomial components of the cipher (Fi) satisfy nontrivial equations of the special form$$\sum\limits_{i=0}^{n-1}a_ix_i+\sum\limits_{0\leq j\leq k\leq m-1}b_{jk}F_jF_k+\sum\limits_{j=0}^{m-1}c_jF_j+d=0,$$ which could be found with 238 computations. From these equations and consequently the linear equations we derive from these equations for any given ciphertext, we can eliminate some of the variables xi by restricting the functions to an affine subspace, such that, on this subspace, we can trivialize the ”lock” polynomials, which are the key structure to ensure its security in this new instance of TTM. Then with method similar to Ding-Schmidt [DS03], we can find the corresponding plaintext for any given ciphertext. The total computational complexity of the attack is less than 239 operations over a finite field of size 28. Our results are further confirmed by computer experiments.

Jintai Ding,Timonthy Hodges

DOI: https://doi.org/10.1142/S0219498804000861

2011-01-01

Journal of Algebra and Its Applications

Abstract:A Tamed Transformation Method (TTM) cryptosystem was proposed by T. T. Moh in 1999. We describe how the first implementation scheme of the TTM system can be defeated. The computational complexity of our attack is 2(33) computations on the finite field with 2(8) elements. The cipher of the TTM systems are degree 2 polynomial maps derived from composition of invertible maps of either total degree 2 or linear maps which can be easily calculated and can be easily inverted. To ensure the system to be of degree two, the key construction of the implementation schemes of the TTM systems is a multi-variable polynomial Q(8)(x(1),..., x(n)) and a set of linearly independent quadratic polynomials q(i)(x(1),..., x(m)), i = 1,..., n such that Q(8)(q(1),..., q(n)) is again a degree 2 polynomials of x(1),..., x(m). In this paper, we study the first implementation scheme of the TTM systems [6]. We discovered that in this implementation scheme the specific polynomial Q(8) can be decomposed further into a factorization in terms of composition. By taking powers of the equality satisfied by the new composition factors, we can actually derive a set of equations, that can produce linear equations satisfied by the plaintext. These linear equations lead us to find a way to defeat this implementation scheme.

Xuyun Nie,Xin Jiang,Lei Hu,Jintai Ding

2007-01-01

Abstract:In 2006, Nie et al proposed an attack to break an instance of TTM cryptosystems. However, the inventor of TTM disputed this attack and he proposed two new instances of TTM to support his viewpoint. At this time, he did not give the detail of key construction — the construction of the lock polynomials in these instances which would be used in decryption. The two instances are claimed to achieve a security of 2 against Nie et al attack. In this paper, we show that these instances are both still insecure, and in fact, they do not achieve a better design in the sense that we can find a ciphertext-only attack utilizing the First Order Linearization Equations while for the previous version of TTM, only Second Order Linearization Equations can be used in the beginning stage of the previous attack. Different from previous attacks, we use an iterated linearization method to break these two instances. For any given valid ciphertext, we can find its corresponding plaintext within 2 F28 computations after performing once for any public key a computation of complexity less than 2. Our experiment result shows we have unlocked the lock polynomials after several iterations, though we do not know the detailed construction of lock polynomials. Keyword: multivariate public key cryptosystem, TTM, algebraic attack, linearization equation, triangular cryptosystem.

Xuyun Nie,Xin Jiang,Lei Hu,Jintai Ding,Fengli Zhang

DOI: https://doi.org/10.1109/iih-msp.2008.246

2008-01-01

Abstract:TTM (tame transformation method) is a type of multivariate public key cryptosystem. In 2007, the inventor of TTM proposed two new instances of TTM to resist the existing attacks, in particular, the Nie et al attack. The two instances are claimed to achieve a security of 2109 against Nie et al attack. Through computation, we found that the instance II satisfied First Order Linearization Equations. After finding all linearization equations, we can perform a ciphertext-only attack to break it.

Jintai Ding,Dieter Schmidt,Zhijun Yin

DOI: https://doi.org/10.1007/s10207-006-0003-9

2006-01-01

International Journal of Information Security

Abstract:We combine the method of searching for an invariant subspace of the unbalanced Oil and Vinegar signature scheme and the Minrank method to defeat the new TTS signature scheme, which was suggested for low-cost smart card applications at CHES 2004. We show that the attack complexity is less than 250.

Xuyun Nie,Lei Hu,Jintai Ding,Jianyu Li,John Wagner

DOI: https://doi.org/10.1007/978-3-540-72738-5_7

2007-01-01

Abstract:In 2006, the inventors of TRMC public key cryptosystem proposed a new variant of TRMC, TRMC-4, which can resist the existing attack, in particular, the Joux et al attack. In this paper, we show that the new version is vulnerable to attack via the linearization equations (LE) method. For any given valid ciphertext and its corresponding TRMC-4 public key, we can derive the corresponding plaintext within 224$\mathbb{F}_{2^8}$-operations, after performing once for the public key a computation of complexity less than 234. Our results are confirmed by computer experiments.

Albrecht Petzoldt,Jintai Ding,Lih-chung Wang

2016-01-01

Abstract:The SimpleMatrix encryption scheme as proposed by Tao et al. [16] is one of the very few existing approaches to create a secure and efficient encryption scheme on the basis of multivariate polynomials. However, in its basic version, decryption failures occur with non-negligible probability. Although this problem has been addressed in several papers [5,17], a general solution to it is still missing. In this paper we propose an improved version of the SimpleMatrix scheme, which eliminates decryption failures completely and therefore solves the biggest problem of the SimpleMatrix encryption scheme. Additionally, we propose a second version of the scheme, which reduces the blow-up factor between plain and ciphertext size to a value arbitrary close to 1.

Adama Diene,Jintai Ding,Jason E. Gower,Timothy J. Hodges,Zhijun Yin

DOI: https://doi.org/10.1007/11779360_20

2006-01-01

Abstract:The Matsumoto-Imai (MI) cryptosystem was the first multivariate public key cryptosystem proposed for practical use. Though MI is now considered insecure due to Patarin's linearization attack, the core idea of MI has been used to construct many variants such as Sflash, which has recently been accepted for use in the New European Schemes for Signatures, Integrity, and Encryption project. Linearization attacks take advantage of the algebraic structure of MI to produce a set of equations that can be used to recover the plaintext from a given ciphertext. In our paper, we present a solution to the problem of finding the dimension of the space of linearization equations, a measure of how much work the attack will require.

Jintai Ding

DOI: https://doi.org/10.1007/978-3-540-24632-9_22

2004-01-01

Abstract:Though the multivariable cryptosystems first suggested by Matsumoto and Imai was defeated by the linearization method of Patarin due to the special properties of the Matsumoto-Imai (MI) cryptosystem, many variants and extensions of the MI system were suggested mainly by Patarin and his collaborators. In this paper, we propose a new variant of the MI system, which was inspired by the idea of "perturbation". This method uses a set of r (a small number) linearly independent linear functions z(i) = Sigma(j)(n) = alpha(ij)x(j) + beta(i), i=1,..,r, over the variables x(i), which are variables of the MI system. The perturbation is performed by adding random quadratic function of z(i) to the MI systems. The difference between our idea and a very similar idea of the Hidden Field Equation and Oil-Vinegar system is that our perturbation is internal, where we do not introduce any new variables, while the Hidden Field Equation and Oil-Vinegar system is an "external" perturbation of the HFE system, where a few extra (external) new variables are introduced to perform the perturbation. A practical implementation example of 136 bits, its security analysis and efficiency analysis axe presented. The attack complexity of this perturbed Matsumoto-Imai cryptosystem is estimated.

WU Zhi-ping,Jíntai Ding,Jason E. Gower,Dingfeng Ye

DOI: https://doi.org/10.1007/11424826_63

2005-01-01

Abstract:We apply internal perturbation [3] to the matrix-type cryptosystems [C n ] and HM constructed in [9]. Using small instances of these variants, we investigate the existence of linearization equations and degree 2 equations that could be used in a XL attack. Our results indicate that these new variants may be suitable for use in practical implementations. We propose a specific instance for practical implementation, and estimate its performance and security.

X Deng,CH Lee,H Zhu

DOI: https://doi.org/10.1049/ip-cdt:20010207

2001-01-01

IEE Proceedings - Computers and Digital Techniques

Abstract:Two deniable authentication schemes have been developed. One is based on the intractability of the factoring problem, and the other is based on the intractability of the discrete logarithm problem. The computation cost of the first scheme is about (t+2)/2s. The second scheme requires about (2t+3)/4s of a previous scheme; s is the length of a message block and t is the cost of multiplication mod N operations. It is shown that both protocols reserve all cryptographic characterisations of the previous scheme.

Prasanna Ravi,Bolin Yang,Shivam Bhasin,Fan Zhang,Anupam Chattopadhyay

DOI: https://doi.org/10.46586/tches.v2023.i2.447-481

2023-01-01

Abstract:In this work, we present the first fault injection analysis of the Number Theoretic Transform (NTT). The NTT is an integral computation unit, widely used for polynomial multiplication in several structured lattice-based key encapsulation mechanisms (KEMs) and digital signature schemes. We identify a critical single fault vulnerability in the NTT, which severely reduces the entropy of its output. This in turn enables us to perform a wide-range of attacks applicable to lattice-based KEMs as well as signature schemes. In particular, we demonstrate novel key recovery and message recovery attacks targeting the key generation and encryption procedure of Kyber KEM. We also propose novel existential forgery attacks targeting deterministic and probabilistic signing procedure of Dilithium, followed by a novel verification bypass attack targeting its verification procedure. All proposed exploits are demonstrated with high success rate using electromagnetic fault injection on optimized implementations of Kyber and Dilithium, from the open-source pqm4 library on the ARM Cortex-M4 microcontroller. We also demonstrate that our proposed attacks are capable of bypassing concrete countermeasures against existing fault attacks on lattice-based KEMs and signature schemes. We believe our work motivates the need for more research towards development of countermeasures for the NTT against fault injection attacks.

Jintai Ding,Bo-Yin Yang,Chen-Mou Cheng,Chia-Hsin Owen Chen,Vivien Dubois

2007-01-01

Abstract:sflash had recently been broken by Dubois, Stern, Shamir, etc., using a differential attack on the public key. The C∗− signature schemes are hence no longer practical. In this paper, we will study the new attack from the point view of symmetry, then (1) present a simple concept (projection) to modify several multivariate schemes to resist the new attacks; (2) demonstrate with practical examples that this simple method could work well; and (3) show that the same discussion of attack-and-defence applies to other big-field multivariates. The speed of encryption schemes is not affected, and we can still have a big-field multivariate signatures resisting the new differential attacks with speeds comparable to sflash.

Weiwei Cao,Xiuyun Nie,Lei Hu,Xiling Tang,Jintai Ding

DOI: https://doi.org/10.1007/978-3-642-12929-2_4

2010-01-01

Abstract:MFE, a multivariate public key encryption scheme proposed by Wang et al in CT-RSA 2006, was conquered by second order linearization equation (SOLE) attack by Ding et al in PKC 2007. To resist this attack, many improved schemes were proposed. Wang et al in [WFW09 and Wang in [Wan07] both modified MFE and raised the public key from quadratic to quartic equations. We call the two quartic schemes Quartic-1 and Quartic-2 respectively for convenience. They are indeed immune to the SOLE attack. However, we find that there exist many quadratization equations (QEs), which are quadratic in plaintext variables and linear in ciphertext variables and can be derived from the public keys of Quartic-1 and Quartic-2. In this paper, we utilize QEs to recover the corresponding plaintext for a given ciphertext. For Quartic-1, we firstly find there are at least 2r SOLEs, which was regarded as impossible by the original authors, furthermore, we can find at least 35r QEs with a complexity $\mathcal {O}((90r^2(15r+1)+180r^2+15r(15r+1)/2+27r+1)^w)$, where r is a small number denoting the degree of extension of finite fields and w≈2.732. The computational complexity of deriving these equations is about 237. But to find the original plaintext, there still needs 240 times Gröbner basis computations, which needs practically 1.328 seconds each time. For Quartic-2, we make a theoretical analysis and find 18r QEs with a computational complexity $\mathcal {O}((15r+1)6r(12r+1)+180r^2+27r+1)^w$. The complexity is 236 for the parameter proposed in [Wan07], and we can break the scheme practically in 3110.734 seconds. Finally, we show that another improved version of MFE in [WZY07] is insecure against the linearization equation attack although its authors claimed it is secure against high order linearization equation attack. Our attack on the two quartic schemes illustrates that non-linearization equations like quadratization equations which are not degree one in plaintext variables can also be used efficiently to analyze multivariate cryptosystems.

Jintai Ding,Joshua Deaton,Kurt Schmidt,Vishakha,Zheng Zhang

2019-01-01

Abstract:In 1998, Jeffrey Hoffstein, Jill Pipher, and Joseph H. Silverman introduced the famous NTRU cryptosystem, and called it "A ring-based public key cryptosystem". Actually, it turns out to be a lattice based cryptosystem that is resistant to Shor’s algorithm. There are several modifications to the original NTRU and two of them are selected as round 2 candidates of NIST post quantum public key scheme standardization. In this paper, we present a simple attack on the original NTRU scheme. The idea comes from Ding et al.’s key mismatch attack. Essentially, an adversary can find information on the private key of a KEM by not encrypting a message as intended but in a manner which will cause a failure in decryption if the private key is in a certain form. In the present, NTRU has the encrypter generating a random polynomial with "small" coefficients, but we will have the coefficients be "large". After this, some further work will create an equivalent key.

Ayoub Otmani,Jean-Pierre Tillich,Leonard Dallot

DOI: https://doi.org/10.48550/arXiv.0804.0409

2010-01-04

Abstract:We cryptanalyse here two variants of the McEliece cryptosystem based on quasi-cyclic codes. Both aim at reducing the key size by restricting the public and secret generator matrices to be in quasi-cyclic form. The first variant considers subcodes of a primitive BCH code. We prove that this variant is not secure by finding and solving a linear system satisfied by the entries of the secret permutation matrix. The other variant uses quasi-cyclic low density parity-check codes. This scheme was devised to be immune against general attacks working for McEliece type cryptosystems based on low density parity-check codes by choosing in the McEliece scheme more general one-to-one mappings than permutation matrices. We suggest here a structural attack exploiting the quasi-cyclic structure of the code and a certain weakness in the choice of the linear transformations that hide the generator matrix of the code. Our analysis shows that with high probability a parity-check matrix of a punctured version of the secret code can be recovered in cubic time complexity in its length. The complete reconstruction of the secret parity-check matrix of the quasi-cyclic low density parity-check codes requires the search of codewords of low weight which can be done with about $2^{37}$ operations for the specific parameters proposed.

Cryptography and Security,Discrete Mathematics

Haina Zhangi,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-540-76788-6_18

2007-01-01

Abstract:TSC-4 is a T-function based stream cipher with. 80-bit key, and proposed as a candidate for ECRYPT eStream project. In this paper, we introduce a differential method to analyze TSC-4. Our attack is based on the vulnerable differential characteristics in the state initialization of TSC-4, and for the chosen IV pairs, the differential probability is up to 2(-15.40) in the case of weak keys. We show that there are about 2(72) weak keys among the total 2(80) keys. To recover 8 bits of a weak key needs about 2(40.53) chosen IV pairs. After that, we can search the other 72 key bits by an exhaustive attack.

Crystal Lee Clough,Jintai Ding

2010-01-01

Abstract:This paper discusses two encryption schemes to fix the Square scheme. Square+ uses the Plus modification of appending randomly chosen polynomials. Double-Layer Square uses a construction similar to some signature schemes, splitting the variables into two layers, one of which depends on the other.

Jintai Ding,Albrecht Petzoldt,Dieter S. Schmidt

DOI: https://doi.org/10.1007/978-1-0716-0987-3_3

2020-01-01

Abstract:This chapter describes the Matsumoto-Imai cryptosystem, which is one of the oldest multivariate public key cryptosystems. After introducing the plain scheme, we discuss its cryptanalysis by the linearization equations attack of Patarin. We then consider variants of the basic scheme which are immune against this attack. In the area of encryption schemes, these are the PMI and PMI+ schemes, which are obtained by a concept named internal perturbation and the plus modifier. In the area of signature schemes based on MI, we present the MI-Minus or SFlash scheme and its extension PFlash.

Zhenbin Zhang,Liji Wu,Zhaoli Mu,Xiangmin Zhang

DOI: https://doi.org/10.1109/CIS.2014.66

2014-01-01

Abstract:Template attack is more powerful than SPA and CPA in some situations. In this paper, a novel template attack named DTTA is proposed to attack the wNAF algorithm of ECC. SM2 is the Chinese public key cryptosystem standard issued in 2010. Few results of side channel attack on SM2 have been found so far. We exploit the Riscure platform to analyze decryption of SM2 in a smart IC card. We also compare 3 kinds of method which used in template matching phase. Experiment results show that template matching method of multivariate normal distribution is superior to correlation method or LSM. The maximum success rate of template matching can be 88%. That means a 256-bit private key of SM2 can be recovered 225 bits by only acquiring one measurement of SM2 decryption in average. Some general countermeasures is not safe enough for DTTA. Defensive strategy should exploit the combination of multiple countermeasures to resist DTTA.