Xianhui Lu,Jiang Zhang

DOI: https://doi.org/10.1093/nsr/nwab090

IF: 20.6

2021-05-24

National Science Review

Abstract:The invention of public-key cryptography (PKC) by Diffie and Hellman in 1976 is one of two milestones marking the beginning of modern cryptography. The security of a PKC system requires that it should be infeasible to compute the private key from a given public key, which in turn is typically guaranteed by the difficulty in solving some cryptographic-friendly mathematical problems. Among those problems, the integer factorization and discrete logarithm problems play pivotal roles in the development of public-key cryptography. In particular, the assumption that there is no polynomial time (classical) algorithm that solves the above two problems constitutes the basis for the security of almost all currently used public-key cryptosystems, such as RSA and ElGamal. However, Shor [1] found an efficient quantum solving algorithm for the integer factorization and discrete logarithm problems in 1994, which would destroy the security basis for most real deployed PKC systems if large-scale quantum computers become available. The rapid development of quantum technology in recent years suggests that we are getting closer to the quantum crisis of current PKC systems.

multidisciplinary sciences

Ziqing Wang,Dianhua Tang,Haomiao Yang,Fagen Li

DOI: https://doi.org/10.1016/j.sysarc.2021.102165

IF: 5.836

2021-01-01

Journal of Systems Architecture

Abstract:The lattice cryptosystem is considered to be able to resist the attacks of quantum computers. Lattice-based Public Key Encryption (PKE) schemes have attracted the interest of many researchers. In lattice-based cryptography, Learning With Errors (LWE) problem is a hard problem usually used to construct PKE scheme. To ensure the correctness of decryption, LWE-based schemes have a large ciphertext size. This makes these encryption schemes not practical enough when the communication bandwidth is limited. We propose a new variant of LWE, named Learning With Modulus (LWM) and prove that the new problem can be reduced from LWE problem. The proof idea of our reduction is similar to the reduction of LWR problem. We also construct a new PKE scheme based on the proposed LWM and LWE, which has small ciphertext size. For a 128 bits plaintext, the ciphertext size of our scheme is 53.57% of Lindner–Peikert’s (LP) scheme under the same security level. We use python to test the performance of our scheme. The results show that our scheme is only about 0.015 ms slower than LP in the decryption. The performance of our scheme for generating keys and encrypting messages is similar to LP.

Xia Liu,Huan Yang,Li Yang

DOI: https://doi.org/10.1186/s42400-023-00181-w

2023-01-01

Abstract:The elliptic curve discrete logarithm problem (ECDLP) is a popular choice for cryptosystems due to its high level of security. However, with the advent of the extended Shor's algorithm, there is concern that ECDLP may soon be vulnerable. While the algorithm does offer hope in solving ECDLP, it is still uncertain whether it can pose a real threat in practice. From the perspective of the quantum circuits of the algorithm, this paper analyzes the feasibility of cracking ECDLP using an ion trap quantum computer with improved quantum circuits for the extended Shor's algorithm. We give precise quantum circuits for extended Shor's algorithm to calculate discrete logarithms on elliptic curves over prime fields, including modular subtraction, three different modular multiplication, and modular inverse. Additionally, we incorporate and improve upon windowed arithmetic in the circuits to reduce the CNOT-counts. Whereas previous studies mostly focused on minimizing the number of qubits or the depth of the circuit, we focus on minimizing the number of CNOT gates in the circuit, which greatly affects the running time of the algorithm on an ion trap quantum computer. Specifically, we begin by presenting implementations of basic arithmetic operations with the lowest known CNOT-counts, along with improved constructions for modular inverse, point addition, and windowed arithmetic. Next, we precisely estimate that, to execute the extended Shor's algorithm with the improved circuits to factor an n-bit integer, the CNOT-count required is 1237n(3)/ log n + 2n(2) + n. Finally, we analyze the running time and feasibility of the extended Shor's algorithm on an ion trap quantum computer.

Jintai Ding,Daniel Smith-Tone

DOI: https://doi.org/10.1090/noti1546

2017-01-01

Notices of the American Mathematical Society

Abstract:Over the past three decades, the family of public-key cryptosystems, a fundamental breakthrough in modern cryptography in the late 1970s, has become an increasingly integral part of our communication networks. The Internet, as well as other communication systems, relies principally on the Diffie-Hellman key exchange, RSA encryption, and digital signatures using DSA, ECDSA, or related algorithms. The security of these cryptosystems depends on the difficulty of certain number-theoretic problems, such as integer factorization or the discrete log problem. In 1994 Peter Shor showed that quantum computers can solve each of these problems in polynomial time, thus rendering the security of all cryptosystems based on such assumptions impotent. A large international community has emerged to address this issue in the hope that our public-key infrastructure may remain intact by utilizing new quantum-resistant primitives. In the academic world, this new science bears the moniker Post-Quantum Cryptography (PQC).

Paolo Santini,Marco Baldi,Franco Chiaraluce

DOI: https://doi.org/10.48550/arXiv.1808.01945

2018-08-06

Abstract:Code-based public-key cryptosystems based on QC-LDPC and QC-MDPC codes are promising post-quantum candidates to replace quantum vulnerable classical alternatives. However, a new type of attacks based on Bob's reactions have recently been introduced and appear to significantly reduce the length of the life of any keypair used in these systems. In this paper we estimate the complexity of all known reaction attacks against QC-LDPC and QC-MDPC code-based variants of the McEliece cryptosystem. We also show how the structure of the secret key and, in particular, the secret code rate affect the complexity of these attacks. It follows from our results that QC-LDPC code-based systems can indeed withstand reaction attacks, on condition that some specific decoding algorithms are used and the secret code has a sufficiently high rate.

Cryptography and Security,Information Theory

Xiaoyang Dong,Bingyou Dong,Xiaoyun Wang

DOI: https://doi.org/10.1007/s10623-020-00741-y

2020-03-09

Abstract:Post-quantum cryptography has attracted much attention from worldwide cryptologists. However, most research works are related to public-key cryptosystem due to Shor's attack on RSA and ECC ciphers. At CRYPTO 2016, Kaplan et al. showed that many secret-key (symmetric) systems could be broken using a quantum period finding algorithm, which encouraged researchers to evaluate symmetric systems against quantum attackers. In this paper, we continue to study symmetric ciphers against quantum attackers. First, we convert the classical advanced slide attacks (introduced by Biryukov and Wagner) to a quantum one, that gains an exponential speed-up in time complexity. Thus, we could break 2/4K-Feistel and 2/4K-DES in polynomial time. Second, we give a new quantum key-recovery attack on full-round GOST, which is a Russian standard, with <span class="mathjax-tex">\(2^{114.8}\)</span> quantum queries of the encryption process, faster than a quantum brute-force search attack by a factor of <span class="mathjax-tex">\(2^{13.2}\)</span>.

Mohamed Saied Emam Mohamed,Jintai Ding,Johannes Buchmann,Fabian Werner

DOI: https://doi.org/10.1007/978-3-642-10433-6_26

2009-01-01

Abstract:In this paper, we present an efficient attack on the multivariate Quadratic Quasigroups (MQQ) public key cryptosystem. Our cryptanalysis breaks the MQQ cryptosystem by solving a system of multivariate quadratic polynomial equations using both the MutantXL algorithm and the F4 algorithm. We present the experimental results that show that MQQ systems is broken up to size n equal to 300. Based on these results we show also that MutantXL solves MQQ systems with much less memory than the F4 algorithm implemented in Magma.

Marc Kaplan,Gaëtan Leurent,Anthony Leverrier,María Naya-Plasencia

DOI: https://doi.org/10.13154/tosc.v2016.i1.71-94

2017-03-07

Abstract:Quantum computers, that may become available one day, would impact many scientific fields, most notably cryptography since many asymmetric primitives are insecure against an adversary with quantum capabilities. Cryptographers are already anticipating this threat by proposing and studying a number of potentially quantum-safe alternatives for those primitives. On the other hand, symmetric primitives seem less vulnerable against quantum computing: the main known applicable result is Grover's algorithm that gives a quadratic speed-up for exhaustive search. In this work, we examine more closely the security of symmetric ciphers against quantum attacks. Since our trust in symmetric ciphers relies mostly on their ability to resist cryptanalysis techniques, we investigate quantum cryptanalysis techniques. More specifically, we consider quantum versions of differential and linear cryptanalysis. We show that it is usually possible to use quantum computations to obtain a quadratic speed-up for these attack techniques, but the situation must be nuanced: we don't get a quadratic speed-up for all variants of the attacks. This allows us to demonstrate the following non-intuitive result: the best attack in the classical world does not necessarily lead to the best quantum one. We give some examples of application on ciphers LAC and KLEIN. We also discuss the important difference between an adversary that can only perform quantum computations, and an adversary that can also make quantum queries to a keyed primitive.

Quantum Physics,Cryptography and Security

Yu-Ao Chen,Xiao-Shan Gao,Chun-Ming Yuan

DOI: https://doi.org/10.48550/arXiv.1802.03856

2018-10-07

Abstract:In this paper, we give quantum algorithms for two fundamental computation problems: solving polynomial systems over finite fields and optimization where the arguments of the objective function and constraints take values from a finite field or a bounded interval of integers. The quantum algorithms can solve these problems with any given success probability and have polynomial runtime complexities in the size of the input, the degree of the inequality constraints, and the condition number of certain matrices derived from the problem. So, we achieved exponential speedup for these problems when their condition numbers are small. As applications, quantum algorithms are given to three basic computational problems in cryptography: the polynomial system with noise problem, the short integer solution problem, the shortest vector problem, as well as the cryptanalysis for the lattice based NTRU cryptosystem. It is shown that these problems and NTRU can against quantum computer attacks only if their condition numbers are large, so the condition number could be used as a new criterion for the lattice based post-quantum cryptosystems.

Symbolic Computation,Computational Complexity,Cryptography and Security,Quantum Physics

Chaohui Du,Guoqiang Bai,Hongyi Chen

DOI: https://doi.org/10.1109/trustcom.2015.510

2015-01-01

Abstract:Lattice-based cryptography is considered as a main candidate for post-quantum cryptosystems. Its security is based on worst-case computational assumptions in lattices that remain hard even for quantum computers. In this paper, we present an efficient software implementation of lattice based Ring-LWE public key encryption scheme, which optimizes the two basic building blocks: multiplication over polynomial rings and discrete Gaussian sampling. We exploit the number theoretic transform (NTT) to speed up polynomial multiplication over rings and propose an optimized single instruction multiple data (SIMD) based implementation of NTT. It takes 1965/4411 clock cycles to perform a transform with 256/512 elements. Our implementation can save about 75% memory accesses and more than 51% modulo q operations during NTT computation. On the other hand, we propose an efficient implementation of high precision discrete Gaussian sampler, which is based on the inverse of the cumulative distribution function. Our implementation has maximum statistical distance of 2-90 to a theoretical discrete Gaussian distribution. It takes on average 15.4 ns and 9.5 uniformly random bits to generate a Gaussian sample. With these optimizations, our implementation of the public key encryption scheme performs encryption/decryption operations in 15.88/2.37 μs for medium security and 31.30/4.59 μs for high security on one core of an Intel Core i7-4771 processor. Its throughput is higher than the existing software implementation by about two orders of magnitude, and it is even higher than all the hardware implementations.

Yin-Song Xu,Yi-Bo Luo,Zheng Yuan,Xuan Zhou,Qi-di You,Fei Gao,Xiao-Yang Dong

DOI: https://doi.org/10.1007/s10623-024-01526-3

2024-01-01

Abstract:In recent years, it has become a popular trend to propose quantum versions of classical attacks. The rectangle attack as a differential attack is widely used in symmetric cryptanalysis and applied on many block ciphers. To improve its efficiency, we propose a new quantum rectangle attack firstly. In rectangle attack, it counts the number of valid quartets for each guessed subkeys and filters out subkey candidates according to the counter. To speed up this procedure, we propose a quantum key counting algorithm based on parallel amplitude estimation algorithm and amplitude amplification algorithm. Then, we complete with the remaining key bits and search the right full key by nested Grover search. Besides, we give a strategy to find a more suitable distinguisher to make the complexity lower. Finally, to evaluate post-quantum security of the tweakable block cipher Deoxys-BC, we perform automatic search for good distinguishers of Deoxys-BC according to the strategy, and then apply our attack on 9/10-round Deoxys-BC-256 and 12/13/14-round Deoxys-BC-384. The results show that our attack has some improvements than classical attacks and Grover search.

Anna-Lena Horlemann,Karan Khathuria,Marc Newman,Amin Sakzad,Carlos Vela Cabello

2024-10-15

Abstract:Post-quantum cryptography has gained attention due to the need for secure cryptographic systems in the face of quantum computing. Code-based and lattice-based cryptography are two prominent approaches, both heavily studied within the NIST standardization project. Code-based cryptography -- most prominently exemplified by the McEliece cryptosystem -- is based on the hardness of decoding random linear error-correcting codes. Despite the McEliece cryptosystem having been unbroken for several decades, it suffers from large key sizes, which has led to exploring variants using metrics than the Hamming metric, such as the Lee metric. This alternative metric may allow for smaller key sizes, but requires further analysis for potential vulnerabilities to lattice-based attack techniques. In this paper, we consider a generic Lee metric based McEliece type cryptosystem and evaluate its security against lattice-based attacks.

Cryptography and Security,Information Theory

Han Li

DOI: https://doi.org/10.48550/arXiv.1912.07005

2019-12-15

Abstract:The McEliece cryptosystem based on quasi-cyclic moderate-density parity-check (QC-MDPC) codes is first purposed in 2013\cite{QCMDPC} and is considered a promising contender in the post-quantum era. Understanding its security is hence essential. Till now, the most effective attacks are the reaction attack\cite{Reaction} and the timing attack\cite{Timing}. Both of these attacks rely on the decoding performance to recover the private key. The reaction attack relies on the decoding failure rate and the timing attack relies on the iterations during decoding. However, the mechanics behind these attacks remain elusive. In this paper, a mathematical model is proposed to explain both attacks by connecting the spectrum of private key and first-layer performance of the decoder.

Cryptography and Security

Xiaoyun Wang,Guangwu Xu,Yang Yu

DOI: https://doi.org/10.1007/s11401-023-0053-6

2023-12-01

Chinese Annals of Mathematics Series B

Abstract:Most of current public key cryptosystems would be vulnerable to the attacks of the future quantum computers. Post-quantum cryptography offers mathematical methods to secure information and communications against such attacks, and therefore has been receiving a significant amount of attention in recent years. Lattice-based cryptography, built on the mathematical hard problems in (high-dimensional) lattice theory, is a promising post-quantum cryptography family due to its excellent efficiency, moderate size and strong security. This survey aims to give a general overview on lattice-based cryptography. To this end, the authors begin with the introduction of the underlying mathematical lattice problems. Then they introduce the fundamental cryptanalytic algorithms and the design theory of lattice-based cryptography.

mathematics

Ann Dooms,Carlo Emerencia

DOI: https://doi.org/10.1016/j.jisa.2024.103923

IF: 4.96

2024-11-29

Journal of Information Security and Applications

Abstract:The security of widely-used public-key cryptographic protocols like RSA, Diffie–Hellman key exchange and the Digital Signature Algorithm (DSA) is under threat due to the emergence of quantum computers. Shor's groundbreaking quantum algorithm poses a significant risk by efficiently factoring large integers into their prime factors, compromising RSA security. Additionally, it solves the Discrete Logarithm Problem, impacting certain Diffie–Hellman-based cryptosystems and digital signatures. Given this, it is imperative to enhance our current cryptographic tools for the post-quantum era, aiming to make it impractical, even with quantum algorithms, to breach the security of new cryptosystems. Prominent alternatives include elliptic curve and lattice-based cryptography, with exploration into other algebraic systems featuring difficult problems to ensure security. This paper establishes that systems based on the difficulty of inverting group ring elements are not quantum-resistant.

computer science, information systems

Qing Zhou,Songfeng Lu,Zhigang Zhang,Jie Sun

DOI: https://doi.org/10.1007/s11128-015-0983-3

IF: 1.965

2015-01-01

Quantum Information Processing

Abstract:In this paper, we propose a quantum version of the differential cryptanalysis which offers a quadratic speedup over the existing classical one and show the quantum circuit implementing it. The quantum differential cryptanalysis is based on the quantum minimum/maximum-finding algorithm, where the values to be compared and filtered are obtained by calling the quantum counting algorithm. Any cipher which is vulnerable to the classical differential cryptanalysis based on counting procedures can be cracked more quickly under this quantum differential attack.

Yong Wang,Lingyue Li,Ying Zhou,Huili Zhang

DOI: https://doi.org/10.3390/axioms13110741

2024-01-01

Axioms

Abstract:The RSA cryptosystem has been a cornerstone of modern public key infrastructure; however, recent advancements in quantum computing and theoretical mathematics pose significant risks to its security. The advent of fully operational quantum computers could enable the execution of Shor’s algorithm, which efficiently factors large integers and undermines the security of RSA and other cryptographic systems reliant on discrete logarithms. While Grover’s algorithm presents a comparatively lesser threat to symmetric encryption, it still accelerates key search processes, creating potential vulnerabilities. In light of these challenges, there has been an intensified focus on developing quantum-resistant cryptography. Current research is exploring cryptographic techniques based on error-correcting codes, lattice structures, and multivariate public key systems, all of which leverage the complexity of NP-hard problems, such as solving multivariate quadratic equations, to ensure security in a post-quantum landscape. This paper reviews the latest advancements in quantum-resistant encryption methods, with particular attention to the development of robust trapdoor functions. It also provides a detailed analysis of prominent multivariate cryptosystems, including the Matsumoto–Imai, Oil and Vinegar, and Polly Cracker schemes, alongside recent progress in lattice-based systems such as Kyber and Crystals-DILITHIUM, which are currently under evaluation by NIST for potential standardization. As the capabilities of quantum computing continue to expand, the need for innovative cryptographic solutions to secure digital communications becomes increasingly critical.

HaiJian Zhou,Ping Luo,DaoShun Wang,YiQi Dai

DOI: https://doi.org/10.1007/s11432-009-0159-9

2009-01-01

Science in China Series F Information Sciences

Abstract:Finding the solution to a general multivariate modular linear equation plays an important role in cryptanalysis field. Earlier results show that obtaining a relatively short solution is possible in polynomial time. However, one problem arises here that if the equation has a short solution in given bounded range, the results outputted by earlier algorithms are often not the ones we are interested in. In this paper, we present a probability method based on lattice basis reduction to solve the problem. For a general multivariate modular linear equation with short solution in the given bounded range, the new method outputs this short solution in polynomial time, with a high probability. When the number of unknowns is not too large (smaller than 68), the probability is approximating 1. Experimental results show that Knapsack systems and Lu-Lee type systems are easily broken in polynomial time with this new method.

DOI: https://doi.org/10.1007/s11128-024-04424-8

IF: 1.965

2024-06-15

Quantum Information Processing

Abstract:Quantum computing has made many important achievements in the field of cryptanalysis. However, due to the limitations of current physical system and technology, the realization of large-scale universal quantum computers is a long way off. Currently, small-scale quantum computers are easier to implement than large-scale universal quantum computers. Distributed quantum computing proposes an implementation architecture, which attempts to break down large-scale tasks into many sub-tasks distributed across multiple small-scale quantum computers. How to use small-scale quantum computers with fewer qubits and shallower quantum depths to complete large-scale tasks and improve the success rate of attacking symmetric cryptosystems is our concern. In this paper, we propose a distributed exact Simon's algorithm, apply it to achieve quantum key recovery attacks on single-permutation-based pseudorandom cryptographic schemes with classical birthday bound security, and estimate the quantum resources of quantum circuits. Furthermore, we combine distributed exact Grover's algorithm and distributed exact Simon's algorithm to achieve quantum key recovery attacks on two-permutation-based pseudorandom cryptographic schemes with classical beyond birthday bound security and estimate the corresponding quantum resources. Our results show that (1) our algorithms are exact which means that the theoretical success probability of attacking pseudorandom cryptographic schemes is 100%; (2) the depth of circuit is in polynomial time which means that the theoretical depth of attacking symmetric cryptosystems is exponentially accelerated relative to the previous results; (3) the qubits of circuit don't increase significantly. Our work is of great importance. It could lead to the rapid realization of effective quantum attacks against symmetric cryptosystems on small-scale quantum computers.

physics, multidisciplinary,quantum science & technology, mathematical

Jintai Ding,John Wagner

DOI: https://doi.org/10.1007/978-3-540-88403-3_9

2008-01-01

Abstract:In 1989, Tsujii, Fujioka, and Hirayama proposed a family of multivariate public key cryptosystems, where the public key is given as a set of multivariate rational functions of degree 4. These cryptosystems are constructed via composition of two quadratic rational maps. In this paper, we present the cryptanalysis of this family of cryptosystems. The key point of our attack is to transform a problem of decomposition of two rational maps into a problem of decomposition of two polynomial maps. We develop a new improved 2R decomposition method and other new techniques, which allows us to find an equivalent decomposition of the rational maps to break the system completely. For the example suggested for practical applications, it is very fast to derive an equivalent private key, and it requires only a few seconds on a standard PC.