Jíntai Ding,Joshua D. Deaton,Kurt Schmidt,Vishakha ...,Zheng Zhang

DOI: https://doi.org/10.1007/978-3-030-56877-1_10

2020-01-01

Abstract:In 2017, Ward Beullens et al. submitted Lifted Unbalanced Oil and Vinegar (LUOV) [4], a signature scheme based on the famous multivariate public key cryptosystem (MPKC) called Unbalanced Oil and Vinegar (UOV), to NIST for the competition for post-quantum public key scheme standardization. The defining feature of LUOV is that, though the public key $$\mathscr {P}$$ works in the extension field of degree r of $$\mathbb {F}_2$$ , the coefficients of $$\mathscr {P}$$ come from $$\mathbb {F}_2$$ . This is done to significantly reduce the size of $$\mathscr {P}$$ . The LUOV scheme is now in the second round of the NIST PQC standardization process. In this paper we introduce a new attack on LUOV. It exploits the “lifted” structure of LUOV to reduce direct attacks on it to those over a subfield. We show that this reduces the complexity below the targeted security for the NIST post-quantum standardization competition.

Anindya Ganguly,Angshuman Karmakar,Nitin Saxena

2023-12-15

Abstract:Hard lattice problems are predominant in constructing post-quantum cryptosystems. However, we need to continue developing post-quantum cryptosystems based on other quantum hard problems to prevent a complete collapse of post-quantum cryptography due to a sudden breakthrough in solving hard lattice problems. Solving large multivariate quadratic systems is one such quantum hard problem. Unbalanced Oil-Vinegar is a signature scheme based on the hardness of solving multivariate equations. In this work, we present a post-quantum digital signature algorithm VDOO (Vinegar-Diagonal-Oil-Oil) based on solving multivariate equations. We introduce a new layer called the diagonal layer over the oil-vinegar-based signature scheme Rainbow. This layer helps to improve the security of our scheme without increasing the parameters considerably. Due to this modification, the complexity of the main computational bottleneck of multivariate quadratic systems i.e. the Gaussian elimination reduces significantly. Thus making our scheme one of the fastest multivariate quadratic signature schemes. Further, we show that our carefully chosen parameters can resist all existing state-of-the-art attacks. The signature sizes of our scheme for the National Institute of Standards and Technology's security level of I, III, and V are 96, 226, and 316 bytes, respectively. This is the smallest signature size among all known post-quantum signature schemes of similar security.

Cryptography and Security

Jintai Ding,Zheng Zhang,Joshua Deaton,Kurt Schmidt,FNU Vishakha

2019-01-01

Abstract:In 2017, Ward Beullens et al submitted Lifted Unbalanced Oil and Vinegar (LUOV)[1], a signature scheme based on the famous multivariate public key cryptosystem (MPKC) called Unbalanced Oil and Vinegar (UOV), to NIST for the competition for post-quantum public key scheme standardization. The defning feature of LUOV is that, though the public key P works in the extension feld of degree r of F2, the coeffcients of P come from F2. This is done to signifcantly reduce the size of P . This is a totally new design which was not therefore under any scrutiny before the submission. The LUOV scheme is now in the second round of the NIST PQC standardization process. In this paper we introduce a new attack on LUOV. The main idea is to consider some special differentials to develop new approaches to attack the systems.

Jíntai Ding,Zheng Zhang,Joshua D. Deaton,Lih-Chung Wang

DOI: https://doi.org/10.1007/978-3-030-61078-4_24

2020-01-01

Abstract:In 2017 Kyung-Ah Shim et al. proposed a multivariate signature scheme called Himq-3 which is a submission to National Institute of Standards and Technology (NIST) standardization process of post-quantum cryptosystems. The Himq-3 signature scheme can be classified into the oil vinegar signature scheme family. Similar to the rainbow signature scheme, the Himq-3 signature scheme uses a multilayer structure to shorten the signature size. Moreover the signing process is very fast due to a special system called L-inveritble cycle system that is used to invert the central map. In this paper, we provide a complete cryptanalysis to the Himq-3 signature scheme. We describe a new attack method called the singularity attack. This attack is based on the observation that the variables in the L-invertible cycle system are not allowed to be zero in a valid signature. For the completeness, we show step by step how variables and layers can be separated so that signature forgery can be performed. We claim that the complexity of our attack is much lower than the proposed security level.

Mohamed Saied Emam Mohamed,Jintai Ding,Johannes Buchmann,Fabian Werner

DOI: https://doi.org/10.1007/978-3-642-10433-6_26

2009-01-01

Abstract:In this paper, we present an efficient attack on the multivariate Quadratic Quasigroups (MQQ) public key cryptosystem. Our cryptanalysis breaks the MQQ cryptosystem by solving a system of multivariate quadratic polynomial equations using both the MutantXL algorithm and the F4 algorithm. We present the experimental results that show that MQQ systems is broken up to size n equal to 300. Based on these results we show also that MutantXL solves MQQ systems with much less memory than the F4 algorithm implemented in Magma.

Peigen Li,Jintai Ding

DOI: https://doi.org/10.1007/978-3-031-62746-0_4

2024-01-01

Abstract:SNOVA is a variant of a UOV-type signature scheme over a noncommutative ring. In this article, we demonstrate that certain parameters provided by authors in SNOVA fail to meet the NIST security level, and the complexities are lower than those claimed by SNOVA.

HaiJian Zhou,Ping Luo,DaoShun Wang,YiQi Dai

DOI: https://doi.org/10.1007/s11432-009-0159-9

2009-01-01

Science in China Series F Information Sciences

Abstract:Finding the solution to a general multivariate modular linear equation plays an important role in cryptanalysis field. Earlier results show that obtaining a relatively short solution is possible in polynomial time. However, one problem arises here that if the equation has a short solution in given bounded range, the results outputted by earlier algorithms are often not the ones we are interested in. In this paper, we present a probability method based on lattice basis reduction to solve the problem. For a general multivariate modular linear equation with short solution in the given bounded range, the new method outputs this short solution in polynomial time, with a high probability. When the number of unknowns is not too large (smaller than 68), the probability is approximating 1. Experimental results show that Knapsack systems and Lu-Lee type systems are easily broken in polynomial time with this new method.

Jintai Ding,Joshua Deaton,Vishakha,Bo-Yin Yang

DOI: https://doi.org/10.1007/978-3-030-77870-5_12

2021-01-01

Abstract:In 2017, Ward Beullens et al. submitted Lifted Unbalanced Oil and Vinegar [3], which is a modification to the Unbalanced Oil and Vinegar Scheme by Patarin. Previously, Ding et al. proposed the Subfield Differential Attack [22] which prompted a change of parameters by the authors of LUOV for the second round of the NIST post quantum standardization competition [4]. In this paper we propose a modification to the Subfield Differential Attack called the Nested Subset Differential Attack which fully breaks half of the parameter sets put forward. We also show by experimentation that this attack is practically possible to do in under 210 min for the level I security parameters and not just a theoretical attack. The Nested Subset Differential attack is a large improvement of the Subfield differential attack which can be used in real world circumstances. Moreover, we will only use what is called the "lifted" structure of LUOV, and our attack can be thought as a development of solving "lifted" quadratic systems.

Léo Ducas,Maxime Plançon,Benjamin Wesolowski

DOI: https://doi.org/10.1007/978-3-030-26948-7_12

2019-01-01

Abstract:The hardness of finding short vectors in ideals of cyclotomic number fields (hereafter, Ideal-SVP) can serve as a worst-case assumption for numerous efficient cryptosystems, via the average-case problems Ring-SIS and Ring-LWE. For a while, it could be assumed the Ideal-SVP problem was as hard as the analog problem for general lattices (SVP), even when considering quantum algorithms.But in the last few years, a series of works has lead to a quantum algorithm for Ideal-SVP that outperforms what can be done for general SVP in certain regimes. More precisely, it was demonstrated (under certain hypotheses) that one can find in quantum polynomial time a vector longer by a factor at most documentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$alpha = exp ({widetilde{O}(n^{1/2})})$$end{document} than the shortest non-zero vector in a cyclotomic ideal lattice, where n is the dimension.In this work, we explore the constants hidden behind this asymptotic claim. While these algorithms have quantum steps, the steps that impact the approximation factor documentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$alpha $$end{document} are entirely classical, which allows us to estimate it experimentally using only classical computing. Moreover, we design heuristic improvements for those steps that significantly decrease the hidden factors in practice. Finally, we derive new provable effective lower bounds based on volumetric arguments.This study allows to predict the crossover point with classical lattice reduction algorithms, and thereby determine the relevance of this quantum algorithm in any cryptanalytic context. For example we predict that this quantum algorithm provides shorter vectors than BKZ-300 (roughly the weakest security level of NIST lattice-based candidates) for cyclotomic rings of rank larger than about 24000.

Tairong Shi,Wenling Wu,Bin Hu,Jie Guan,Han Sui,Senpeng Wang,Mengyuan Zhang

DOI: https://doi.org/10.1109/tifs.2024.3402970

IF: 7.231

2024-06-07

IEEE Transactions on Information Forensics and Security

Abstract:A lot of work in the field of quantum cryptanalysis is currently devoted to finding applications of Grover-meets-Simon algorithm and its complexity is given in the form of , but research on how to implement the attack efficiently is still insufficient. After all, it is crucial to study quantum attacks in resource-limited situations, according to NIST's guidance on circuit depth. This work first evaluates the parallelization of Grover-meets-Simon by drawing on the Grover's parallel approach and shows that as the width increases by , the depth decreases by a factor of . Further, the first dedicated quantum attack on a class of functions that appear in cryptographic scheme applications (so-called XOR-type function) is proposed. The depth, width, and the number of gates required for the attack are greatly reduced compared to the general parallelization. Then we apply the attack to various Beyond-Birthday-Bound (BBB) MACs, where the XOR function can be constructed, including SUM-ECBC and its variants (2K-SUM-ECBC, 2K-ECBC_Plus), and GCM-SIV2. In the typical case where SUM-ECBC is based on AES-128, our attack saves at least 62.3% in depth, 19.5% in width and 22.2% in gate count simultaneously. The impact on some lightweight ciphers is further explored, and it is interesting to note that the lighter the quantum circuit implementation of the cipher is, the greater the possible impact of an attack will be. This observation may provide new insights into quantum cryptanalysis.

computer science, theory & methods,engineering, electrical & electronic

PQCrypto,Johannes Buchmann,Jintai Ding

2008-01-01

Abstract:A New Efficient Threshold Ring Signature Scheme Based on Coding Theory.- Square-Vinegar Signature Scheme.- Attacking and Defending the McEliece Cryptosystem.- McEliece Cryptosystem Implementation: Theory and Practice.- Merkle Tree Traversal Revisited.- Explicit Hard Instances of the Shortest Vector Problem.- Practical-Sized Instances of Multivariate PKCs: Rainbow, TTS, and ?IC-Derivatives.- Digital Signatures Out of Second-Preimage Resistant Hash Functions.- Cryptanalysis of Rational Multivariate Public Key Cryptosystems.- Syndrome Based Collision Resistant Hashing.- Nonlinear Piece In Hand Perturbation Vector Method for Enhancing Security of Multivariate Public Key Cryptosystems.- On the Power of Quantum Encryption Keys.- Secure PRNGs from Specialized Polynomial Maps over Any .- MXL2: Solving Polynomial Equations over GF(2) Using an Improved Mutant Strategy.- Side Channels in the McEliece PKC.

Alan Szepieniec,Jintai Ding,Bart Preneel

DOI: https://doi.org/10.1007/978-3-319-29360-8_12

2016-01-01

Abstract:This paper introduces a new central trapdoor for multivariate quadratic (MQ) public-key cryptosystems that allows for encryption, in contrast to time-tested MQ primitives such as Unbalanced Oil and Vinegar or Hidden Field Equations which only allow for signatures. Our construction is a mixed-field scheme that exploits the commutativity of the extension field to dramatically reduce the complexity of the extension field polynomial implicitly present in the public key. However, this reduction can only be performed by the user who knows concise descriptions of two simple polynomials, which constitute the private key. After applying this transformation, the plaintext can be recovered by solving a linear system. We use the minus and projection modifiers to inoculate our scheme against known attacks. A straightforward C++ implementation confirms the efficient operation of the public key algorithms.

David Gross,Dominik Hangleiter

2023-12-16

Abstract:Quantum computing devices can now perform sampling tasks which, according to complexity-theoretic and numerical evidence, are beyond the reach of classical computers. This raises the question of how one can efficiently verify that a quantum computer operating in this regime works as intended. In 2008, Shepherd and Bremner proposed a protocol in which a verifier constructs a unitary from the comparatively easy-to-implement family of so-called IQP circuits, and challenges a prover to execute it on a quantum computer. The challenge problem is designed to contain an obfuscated secret, which can be turned into a statistical test that accepts samples from a correct quantum implementation. It was conjectured that extracting the secret from the challenge problem is NP-hard, so that the ability to pass the test constitutes strong evidence that the prover possesses a quantum device and that it works as claimed. Unfortunately, about a decade later, Kahanamoku-Meyer found an efficient classical secret extraction attack. Bremner, Cheng, and Ji very recently followed up by constructing a wide-ranging generalization of the original protocol. Their IQP Stabilizer Scheme has been explicitly designed to circumvent the known weakness. They also suggested that the original construction can be made secure by adjusting the problem parameters. In this work, we develop a number of secret extraction attacks which are effective against both new approaches in a wide range of problem parameters. The important problem of finding an efficient and reliable verification protocol for sampling-based proofs of quantum supremacy thus remains open.

Quantum Physics,Cryptography and Security

Wenjie Liu,Mengting Wang,Zixian Li

DOI: https://doi.org/10.1142/s021773232350092x

2023-10-01

Abstract:Classical forgery attacks against Offset Two-round (OTR) structures require some harsh conditions, such as some plaintext and ciphertext pairs need to be known, and the success probability is not too high. To solve these problems, a quantum forgery attack on OTR structure using Simon's algorithm is proposed. The attacker intercept the ciphertext-tag pair $(C,T)$ between the sender and receiver, while Simon's algorithm is used to find the period of the tag generation function in OTR, then we can successfully forge new ciphertext $C'$ ($C'\ne C$) for intercepted tag $T$. For a variant of OTR structure (Pr{/o}st-OTR-Even-Mansour structure), a universal forgery attack, in which it is easy to generate the correct tag of any given message if the attacker is allowed to change a single block in it, is proposed. It first obtains the secret parameter L using Simon's algorithm, then the secret parameter L is used to find the keys $k_1$ and $k_2$, so that an attacker can forge the changed messages. It only needs several plaintext blocks to help obtain the keys to forge any messages. Performance analysis shows that the query complexity of our attack is $O(n)$, and its success probability is very close to 1.

Quantum Physics,Cryptography and Security,Emerging Technologies

G.A. Maleeva

DOI: https://doi.org/10.30837/rt.2022.2.209.06

2022-06-24

Radiotekhnika

Abstract:The Rainbow signature scheme, proposed by Ding and Schmidt in 2005, is one of the oldest and most studied signature schemes in multidimensional cryptography. The Rainbow, based on the unbalanced Oil and Vinegar signature scheme, has the necessary cryptocurrency since 1999 with the right parameters. Interest in multivariate cryptography has increased in the last decade, as it is considered to be quantum-stable. Cryptanalysis of the Rainbow and its predecessors was actively developed in the early 2000s. Attacks from this era include the MinRank attack, the HighRank attack, the Bill-Gilbert attack, the UOV agreement attack, and the Rainbow bandwidth attack. After 2008, cryptanalysis seemed to have stopped, until the Rainbow's participation in the NIST PQC project, which motivated the continuation of cryptanalysis. During the second round of NIST, Bardett and others proposed a new algorithm for solving the MinRank problem. This dramatically increased the effectiveness of MinRank's attack, although not enough to threaten the parameters provided to NIST. A less memory-intensive version of this algorithm was suggested by Baena et al. Perlner and Smith-Tone analyzed the Rainbow bandwidth attack in depth, which showed that the attack was more effective than previously thought. This prompted the Rainbow team to increase slightly the parameters for the third round. During the third round, Bellens introduced a new attack that reduced the Rainbow's security by 220 times for SL 1. The Rainbow team claimed that despite the new attacks, the Rainbow's parameters still met NIST requirement. The purpose of this article is to present two new (partial) key recovery attacks on multivariate cryptographic transformations using rank systems.

Yin-Song Xu,Yi-Bo Luo,Zheng Yuan,Xuan Zhou,Qi-di You,Fei Gao,Xiao-Yang Dong

DOI: https://doi.org/10.1007/s10623-024-01526-3

2024-01-01

Abstract:In recent years, it has become a popular trend to propose quantum versions of classical attacks. The rectangle attack as a differential attack is widely used in symmetric cryptanalysis and applied on many block ciphers. To improve its efficiency, we propose a new quantum rectangle attack firstly. In rectangle attack, it counts the number of valid quartets for each guessed subkeys and filters out subkey candidates according to the counter. To speed up this procedure, we propose a quantum key counting algorithm based on parallel amplitude estimation algorithm and amplitude amplification algorithm. Then, we complete with the remaining key bits and search the right full key by nested Grover search. Besides, we give a strategy to find a more suitable distinguisher to make the complexity lower. Finally, to evaluate post-quantum security of the tweakable block cipher Deoxys-BC, we perform automatic search for good distinguishers of Deoxys-BC according to the strategy, and then apply our attack on 9/10-round Deoxys-BC-256 and 12/13/14-round Deoxys-BC-384. The results show that our attack has some improvements than classical attacks and Grover search.

Jintai Ding,Momonari Kudo,Shinya Okumura,Tsuyoshi Takagi,Chengdong Tao

DOI: https://doi.org/10.1007/s13160-018-0316-x

2018-01-01

Japan Journal of Industrial and Applied Mathematics

Abstract:Researching post-quantum cryptography is now an important task in cryptography. Although various candidates of post-quantum cryptosystems (PQC) have been constructed, sizes of their public keys are large. Okumura constructed a candidate of PQC whose security is expected to be based on certain Diophantine equations (DEC). Okumura analysis suggests that DEC achieves the high security with small public key sizes. This paper proposes a polynomial time-attack on the one-way property of DEC. We reduce the security of DEC to finding special short lattice points of some low-rank lattices derived from public data. The usual LLL algorithm could not find the most important lattice point in our experiments because of certain properties of the lattice point. Our heuristic analysis leads us to using a variant of the LLL algorithm, called a weighted LLL algorithm by us. Our experiments suggest that DEC with 128 bit security becomes insecure by our attack.

Jintai Ding,Zheng Zhang,Joshua Deaton

DOI: https://doi.org/10.3934/amc.2020043

2019-01-01

Advances in Mathematics of Communications

Abstract:We present a cryptanalysis of a signature scheme HIMQ-3 due to Kyung-Ah Shim et al [10], which is a submission to National Institute of Standards and Technology (NIST) standardization process of post-quantum cryptosystems in 2017. We will show that inherent to the signing process is a leakage of information of the private key. Using this information one can forge a signature.

Chengdong Tao,Hong Xiang,Albrecht Petzoldt,Jintai Ding

DOI: https://doi.org/10.1016/j.ffa.2015.06.001

IF: 1.655

2015-01-01

Finite Fields and Their Applications

Abstract:Multivariate cryptography is one of the main candidates to guarantee the security of communication in the presence of quantum computers. While there exist a large number of secure and efficient multivariate signature schemes, the number of practical multivariate encryption schemes is somewhat limited. In this paper we present our results on creating a new multivariate encryption scheme, which is an extension of the original Simple Matrix encryption scheme of PQCrypto 2013. Our scheme allows fast en- and decryption and resists all known attacks against multivariate cryptosystems. Furthermore, we present a new idea to solve the decryption failure problem of the original Simple Matrix encryption scheme. (C) 2015 Elsevier Inc. All rights reserved.

olivier billet,jintai ding

DOI: https://doi.org/10.1007/978-3-540-93806-4_15

2009-01-01

Abstract:This paper summarizes most of the main developments in the cryptanalysis of multivariate cryptosystems and discuss some problems that remain open. A strong emphasis is put on the symbolic computation tools that have been used to achieve these advances.