Jintai Ding,Bo-Yin Yang,Chia-Hsin Owen Chen,Ming-Shing Chen,Chen-Mou Cheng

DOI: https://doi.org/10.1007/978-3-540-68914-0_15

2008-01-01

Abstract:A recently proposed class of multivariate Public-Key Cryptosystems, the Rainbow-Like Digital Signature Schemes, in which successive sets of central variables are obtained from previous ones by solving linear equations, seem to lead to efficient schemes (TTS, TRMS, and Rainbow) that perform well on systems of low computational resources. Recently SFLASH (C*-) was broken by Dubois, Fouque, Shamir, and Stern via a differential attack. In this paper, we exhibit similar algebraic and diffential attacks, that will reduce published Rainbow-like schemes below their security levels. We will also discuss how parameters for Rainbow and TTS schemes should be chosen for practical applications.

Jintai Ding,Vivien Dubois,Bo-Yin Yang,Owen Chia-Hsin Chen,Chen-Mou Cheng

DOI: https://doi.org/10.1007/978-3-540-70583-3_56

2009-01-01

Abstract:The SFLASH signature scheme stood for a decade as the most successful cryptosystem based on multivariate polynomials, before an efficient attack was finally found in 2007. In this paper, we review its recent cryptanalysis and we notice that its weaknesses can all be linked to the fact that the cryptosystem is built on the structure of a large field. As the attack demonstrates, this richer structure can be accessed by an attacker by using the specific symmetry of the core function being used. Then, we investigate the effect of restricting this large field to a purely linear subset and we find that the symmetries exploited by the attack are no longer present. At a purely defensive level, this defines a countermeasure which can be used at a moderate overhead. On the theoretical side, this informs us of limitations of the recent attack and raises interesting remarks about the design itself of multivariate schemes.

A. A. Chilikov

DOI: https://doi.org/10.24108/mathm.0122.0000262

2022-09-24

Mathematics and Mathematical Modeling

Abstract:A problem of great importance that arises in designing and implementation of a cryptosystem is countering side channel attacks. Often an appropriate mathematical algorithm, implemented on a specific physical device to work in the physical environment, becomes vulnerable to such attacks. The “function sharing” technique is a prospective and efficient way to avoid this problem. In the paper we investigate “non-complete sharing” of Boolean functions and mappings, and functions and mappings over finite fields and provide a complete description of the set of functions with n variables, which have sharing. The main findings are the following: introducing and investigating a new concept of “weak” non-complete n -sharing, establishing its connection with “weak” and “classical” n- sharing, and substantiating its advantages from the algebraic point-of-view as well as establishing and proving a criterion for the existence of weak non-complete n -sharing for an arbitrary function. The results also include an explicit description of a set of functions which have weak sharing in terms of algebraic normal form, obtaining the precise and simple descriptions for the boundary (“border”) cases: n = 2, n=m and binary fields. Applying these results to the AES S-box allows complete solving the problem, i.e. a complete answer to the question of a representability of the S-box of the AES cipher as a sharing is available. We believe that the same way can be successful for other cryptographic algorithms.

Jintai Ding,Jason E. Gower

DOI: https://doi.org/10.1007/11745853_19

2006-01-01

Abstract:We demonstrate how to prevent differential attacks on multivariate public key cryptosystems using the Plus (+) method of external perturbation. In particular, we prescribe adding as few as 10 Plus polynomials to the Perturbed Matsumoto-Imai (PMI) cryptosystem when g=1 and r=6, where θ is the Matsumoto-Imai exponent, n is the message length, g=gcd(θ,n), and r is the internal perturbation dimension; or as few as g+10 when g ≠ 1. The external perturbation does not significantly decrease the efficiency of the system, and in fact has the additional benefit of resolving the problem of finding the true plaintext among several preimages of a given ciphertext. We call this new scheme the Perturbed Matsumoto-Imai-Plus (PMI+) cryptosystem.

Marc Kaplan,Gaëtan Leurent,Anthony Leverrier,María Naya-Plasencia

DOI: https://doi.org/10.13154/tosc.v2016.i1.71-94

2017-03-07

Abstract:Quantum computers, that may become available one day, would impact many scientific fields, most notably cryptography since many asymmetric primitives are insecure against an adversary with quantum capabilities. Cryptographers are already anticipating this threat by proposing and studying a number of potentially quantum-safe alternatives for those primitives. On the other hand, symmetric primitives seem less vulnerable against quantum computing: the main known applicable result is Grover's algorithm that gives a quadratic speed-up for exhaustive search. In this work, we examine more closely the security of symmetric ciphers against quantum attacks. Since our trust in symmetric ciphers relies mostly on their ability to resist cryptanalysis techniques, we investigate quantum cryptanalysis techniques. More specifically, we consider quantum versions of differential and linear cryptanalysis. We show that it is usually possible to use quantum computations to obtain a quadratic speed-up for these attack techniques, but the situation must be nuanced: we don't get a quadratic speed-up for all variants of the attacks. This allows us to demonstrate the following non-intuitive result: the best attack in the classical world does not necessarily lead to the best quantum one. We give some examples of application on ciphers LAC and KLEIN. We also discuss the important difference between an adversary that can only perform quantum computations, and an adversary that can also make quantum queries to a keyed primitive.

Quantum Physics,Cryptography and Security

Jintai Ding,Ai Ren,Chengdong Tao

DOI: https://doi.org/10.1007/978-3-642-38519-3_9

2012-01-01

Abstract:Let X = (x 1,.;x n ) and Y = (y 1,.;y m ) be a pair of corresponding plaintext and ciphertext for a cryptosystem. We define an embedded surface of this cryptosystem as any polynomial equation: which is satisfied by all such pairs. In this paper, we present a new attack on the multivariate public key cryptosystems from Diophantine equations developed by Gao and Heindl by using the embedded surfaces associated to this family of multivariate cryptosystems. © 2013 Springer-Verlag Berlin Heidelberg.

Duo Liu,Ping Luo,Yi-Qi Dai

DOI: https://doi.org/10.1007/s11390-007-9005-y

2007-01-01

Abstract:The concept of multisignature, in which multiple signers can cooperate to sign the same message and any verifier can verify the validity of the multi-signature, was first introduced by Itakura and Nakamura. Several multisignature schemes have been proposed since. Chen et al. proposed a new digital multi-signature scheme based on the elliptic curve cryptosystem recently. In this paper, we show that their scheme is insecure, for it is vulnerable to the so-called active attacks, such as the substitution of a “false” public key to a “true” one in a key directory or during transmission. And then the attacker can sign a legal signature which other users have signed and forge a signature himself which can be accepted by the verifier.

Jintai Ding,John Wagner

DOI: https://doi.org/10.1007/978-3-540-88403-3_9

2008-01-01

Abstract:In 1989, Tsujii, Fujioka, and Hirayama proposed a family of multivariate public key cryptosystems, where the public key is given as a set of multivariate rational functions of degree 4. These cryptosystems are constructed via composition of two quadratic rational maps. In this paper, we present the cryptanalysis of this family of cryptosystems. The key point of our attack is to transform a problem of decomposition of two rational maps into a problem of decomposition of two polynomial maps. We develop a new improved 2R decomposition method and other new techniques, which allows us to find an equivalent decomposition of the rational maps to break the system completely. For the example suggested for practical applications, it is very fast to derive an equivalent private key, and it requires only a few seconds on a standard PC.

Xiaoyang Dong,Bingyou Dong,Xiaoyun Wang

DOI: https://doi.org/10.1007/s10623-020-00741-y

2020-03-09

Abstract:Post-quantum cryptography has attracted much attention from worldwide cryptologists. However, most research works are related to public-key cryptosystem due to Shor's attack on RSA and ECC ciphers. At CRYPTO 2016, Kaplan et al. showed that many secret-key (symmetric) systems could be broken using a quantum period finding algorithm, which encouraged researchers to evaluate symmetric systems against quantum attackers. In this paper, we continue to study symmetric ciphers against quantum attackers. First, we convert the classical advanced slide attacks (introduced by Biryukov and Wagner) to a quantum one, that gains an exponential speed-up in time complexity. Thus, we could break 2/4K-Feistel and 2/4K-DES in polynomial time. Second, we give a new quantum key-recovery attack on full-round GOST, which is a Russian standard, with <span class="mathjax-tex">\(2^{114.8}\)</span> quantum queries of the encryption process, faster than a quantum brute-force search attack by a factor of <span class="mathjax-tex">\(2^{13.2}\)</span>.

Huiqin Xie,Li Yang

DOI: https://doi.org/10.48550/arXiv.1712.06997

2018-07-23

Abstract:Traditional cryptography is suffering a huge threat from the development of quantum computing. While many currently used public-key cryptosystems would be broken by Shor's algorithm, the effect of quantum computing on symmetric ones is still unclear. The security of symmetric ciphers relies heavily on the development of cryptanalytic tools. Thus, in order to accurately evaluate the security of symmetric primitives in the post-quantum world, it is significant to improve classical cryptanalytic methods using quantum algorithms. In this paper, we focus on two variants of differential cryptanalysis: truncated differential cryptanalysis and impossible differential cryptanalysis. Based on the fact that Bernstein-Vazirani algorithm can be used to find the linear structures of Boolean functions, we propose two quantum algorithms that can be used to find high-probability truncated differentials and impossible differentials of block ciphers, respectively. We rigorously prove the validity of the algorithms and analyze their complexity. Our algorithms treat all rounds of the reduced cipher as a whole and only concerns the input and output differences at its both ends, instead of specific differential characteristics. Therefore, to a certain extent, they alleviate the weakness of conventional differential cryptanalysis, namely the difficulties in finding differential characteristics as the number of rounds increases.

Quantum Physics,Cryptography and Security

Kexin Qiao,Zhiyu Zhang,Zhongfeng Niu,Liehuang Zhu,Jianfeng Ma

DOI: https://doi.org/10.23919/cje.2023.00.008

IF: 1.019

2024-01-01

Chinese Journal of Electronics

Abstract:Recent results show that the differential properties within quadruples boom as a new inspiration in cryptanalysis of Advanced Encryption Standard (AES)-like constructions. These methods include the exchange attack proposed in Asiacrypt&#x27;19, the mixture differential attack proposed in ToSC&#x27;18, etc., where the essential properties are obtained by manually scrutinizing the structures of the AES-like constructions. This paper presents a novel framework and an automatic tool based on mixed integer linear programming to search for mixture differential distinguishers for general constructions. This framework considers what equality patterns among quadruples can make a distinguisher and traces how the patterns propagate through cipher components with accurate probability estimation. With this tool, a 5-round AES distinguishing attack with lower complexity and more 6-round distinguishing attacks in the chosen plaintext scenarios are deduced. We prove that no exchange-type or mixture differential distinguisher exists for 7 and above rounds AES if the details of the Sbox and MixColumns matrix are not taken into account.

engineering, electrical & electronic

Sitao Wang,Yao Zhang,Xiao Zhang,Zhiming Zheng

DOI: https://doi.org/10.2991/jimet-15.2015.71

2015-01-01

Abstract:Block ciphers serve as the core of the modern cryptography, with a continuing study of cryptanalysis never stopped. Recently, a specific cryptographic structure, namely Even-Mansour scheme, has been widely revisited and discussed due to its well relevance to most block ciphers. In this paper, we have proposed MB+, a novel and effective solution to key-recovery issue especially for 4 round Even-Mansour schemes. Our method is inspired by a multibridge attack that uses two round keys alternately. Specifically, based on a thorough analysis on the properties of the fixed points, we have observed the existence of invalid keys that can not be disclosed by the multibridge attack. Targeting at the reduction of invalid-key set, we obtain the MB+ method by introducing XOR-parameters in a flexible fashion. With the theoretical analysis and extensive experiments against popular block ciphers, we confirm the effectiveness of our approach systematically.

Nicolas David,María Naya-Plasencia,André Schrottenloher,David, Nicolas,Naya-Plasencia, María,Schrottenloher, André

DOI: https://doi.org/10.1007/s10623-023-01280-y

2023-08-18

Abstract:In this paper we propose the first efficient quantum version of key-recovery attacks on block ciphers based on impossible differentials, which was left as an open problem in previous work. These attacks work in two phases. First, a large number of differential pairs are collected, by solving a limited birthday problem with the attacked block cipher considered as a black box. Second, these pairs are filtered with respect to partial key candidates. We show how to translate the pair filtering step into a quantum procedure, and provide a complete analysis of its complexity. If the path of the attack can be properly reoptimized, this procedure can reach a significant speedup with respect to classical attacks. We provide two applications on SKINNY -128-256 and AES-192/256. These results do not threaten the security of these ciphers but allow us to better understand their (post-quantum) security margin.

mathematics, applied,computer science, theory & methods

Alain Couvreur,Philippe Gaborit,Valérie Gauthier-Umaña,Ayoub Otmani,Jean-Pierre Tillich

DOI: https://doi.org/10.48550/arXiv.1307.6458

2014-03-28

Abstract:Because of their interesting algebraic properties, several authors promote the use of generalized Reed-Solomon codes in cryptography. Niederreiter was the first to suggest an instantiation of his cryptosystem with them but Sidelnikov and Shestakov showed that this choice is insecure. Wieschebrink proposed a variant of the McEliece cryptosystem which consists in concatenating a few random columns to a generator matrix of a secretly chosen generalized Reed-Solomon code. More recently, new schemes appeared which are the homomorphic encryption scheme proposed by Bogdanov and Lee, and a variation of the McEliece cryptosystem proposed by Baldi et \textit{al.} which hides the generalized Reed-Solomon code by means of matrices of very low rank. In this work, we show how to mount key-recovery attacks against these public-key encryption schemes. We use the concept of distinguisher which aims at detecting a behavior different from the one that one would expect from a random code. All the distinguishers we have built are based on the notion of component-wise product of codes. It results in a powerful tool that is able to recover the secret structure of codes when they are derived from generalized Reed-Solomon codes. Lastly, we give an alternative to Sidelnikov and Shestakov attack by building a filtration which enables to completely recover the support and the non-zero scalars defining the secret generalized Reed-Solomon code.

Cryptography and Security,Information Theory

Lin Jiao,Yongqiang Li,Yonglin Hao,Xinxin Gong

DOI: https://doi.org/10.1049/2024/7457517

2024-03-27

IET Information Security

Abstract:As the practical applications of fully homomorphic encryption (FHE), secure multi-party computation (MPC) and zero-knowledge (ZK) proof continue to increase, so does the need to design and analyze new symmetric-key primitives that can adapt to these privacy-preserving protocols. These designs typically have low multiplicative complexity and depth with the parameter domain adapted to their application protocols, aiming to minimize the cost associated with the number of nonlinear operations or the multiplicative depth of their representation as circuits. In this paper, we propose two differential fault attacks against a one-way function RAIN used for Rainier (CCS 2022), a signature scheme based on the MPC-in-the-head approach and an FHE-friendly cipher HERA used for the RtF framework (Eurocrypt 2022), respectively. We show that our attacks can recover the keys for both ciphers by only injecting a fault into the internal state and requiring only one normal and one faulty ciphertext blocks. Thus, we can use only the practical complexity of 2 26.6 / 2 28.8 / 2 30.4 bit operations to break the full-round RAIN with 128/192/256-bit keys. For full-round HERA with 80/128-bit key, our attack is practical with complexity the complexity of 2 20 encryptions with about 2 16 memory.

computer science, information systems, theory & methods

Morten Øygarden,Patrick Felke,Håvard Raddum

DOI: https://doi.org/10.1007/s00145-024-09501-w

2024-04-20

Journal of Cryptology

Abstract:A common strategy for constructing multivariate encryption schemes is to use a central map that is easy to invert over an extension field, along with a small number of modifications to thwart potential attacks. In this work, we study the effectiveness of these modifications, by deriving estimates for the number of degree fall polynomials. After developing the necessary tools, we focus on encryption schemes using the and Dobbertin central maps, with the internal perturbation ( ip ), and modifications. For these constructions, we are able to accurately predict the number of degree fall polynomials produced in a Gröbner basis attack, up to and including degree 5 for the Dob encryption scheme and four for . The predictions remain accurate even when fixing variables. Based on this new theory, we design a novel attack on Dob, which completely recovers the secret key for the parameters suggested by its designers. Due to the generality of the presented techniques, we also believe that they are of interest to the analysis of other big-field schemes.

computer science, theory & methods,engineering, electrical & electronic,mathematics, applied

Ting Cui,Yi Zhang,Jiyan Zhang,Chenhui Jin,Shiwei Chen

DOI: https://doi.org/10.1109/jiot.2024.3358346

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:This paper considers a new cryptanalysis called differential invariant subspace cryptanalysis, which can be used to evaluate the security of IoT-friendly word-based block ciphers. This cryptanalysis estimates the behavior of differential propagation for particularly chosen input differences, and applies to the ciphers contain only the word-based components, e.g., word-based S-boxes, word-based linear mappings, etc. Firstly, this paper proves that, for any word-based block cipher, if the S-box causes the differential invariant subspace property, it then indicates a full-round distinguisher with probability 1, even if the target cipher is believed to be resistant enough against traditional differential or linear cryptanalysis. Secondly, a class of linear-equivalent S-boxes meeting the differential invariant subspace property are constructed as L∘S∘L-1, where L is any invertible linear mapping and S is a group of S-boxes in parallel. Finally, as application, we provide a full-round differential invariant subspace distinguisher for the variant Midori128 (the only difference is that the variant version utilizes only one single type S-box instead of four types). This distinguishing is experimentally verified and could be executed within negligible time.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jintai Ding,Dieter Schmidt

DOI: https://doi.org/10.1007/978-1-0716-0987-3

2020-01-01

Abstract:Although RSA is a very successful public key cryptosystem, efforts are under way to find alternative systems, which are computationally more efficient, and which would remain secure even when a big enough quantum computer becomes operational. Multivariable polynomials over a finite field have been used to build new public key cryptosystems. Some of these constructions are not as secure as was claimed initially, but others are still viable. The paper gives on overview over this field and discusses the status of many systems, which have been proposed in the last 20 years.

孙维东,俞军,沈磊

DOI: https://doi.org/10.15943/j.cnki.fdxb-jns.2013.03.003

2013-01-01

Abstract:The ability of symmetric encryption algorithm AES and DES against the differential fault analysis is examined.Two kinds of differential fault analysis on AES are described,and the initial key is recovered by software emulation.The result shows that the attack on AES can be realized by 20 times of fault-inductions.Then a new differential fault analysis on DES is described.The principle of this attack is analogous to differential fault analysis on AES.Result shows that attack on DES needs more fault-inductions.Therefore symmetric encryption algorithm AES and DES without any protection are vulnerable to differential fault analysis.It is presented that such attacks can be resisted by fault-detection.

Amparo Fúster-Sabater,M. E. Pazo-Robles

DOI: https://doi.org/10.3390/sym16040440

2024-04-06

Symmetry

Abstract:Symmetric cryptography provides the best examples of cryptosystems to be applied in lightweight environments (e.g., IoT). A representative example is the cryptosystem TinyJambu, one of the ten finalists in the NIST Lightweight Cryptography Standardization Project. It is an authentication encryption with associated data scheme that is extremely lightweight and fast. In this work, we analyze the security of TinyJambu from two distinct and non-symmetric points of view: (1) the improvement of the best cryptanalytical attack found in the literature and (2) a randomness analysis of the generated sequences. Concerning item (1), we launched a differential forgery attack with probability 2−65.9487, which was improved considerably compared with previous numerical results. Concerning item (2), we analyzed the degree of randomness of the TinyJambu keystream sequences with a complete and powerful battery of statistical tests. This non-symmetric study shows the weakness of TinyJambu against cryptanalytic attacks as well as the strength of TinyJambu against statistical analysis.

multidisciplinary sciences