Cryptanalysis of the New Multilinear Map over the Integers

2022

This paper presents algorithms for local inversion of maps and shows how several important computational problems such as cryptanalysis of symmetric encryption algorithms, RSA algorithm and solving the elliptic curve discrete log problem (ECDLP) can be addressed as local inversion problems. The methodology is termed as the \emph{Local Inversion Attack}. It utilizes the concept of \emph{Linear Complexity} (LC) of a recurrence sequence generated by the map defined by the cryptanalysis problem and the given data. It is shown that when the LC of the recurrence is bounded by a bound of polynomial order in the bit length of the input to the map, the local inversion can be accomplished in polynomial time. Hence an incomplete local inversion algorithm which searches a solution within a specified bound on computation can estimate the density of weak cases of cryptanalysis defined by such data causing low LC. Such cases can happen accidentally but cannot be avoided in practice and are fatal i...

Lecture Notes in Computer Science, 2015

We extend the recent zeroizing attacks of Cheon, Han, Lee, Ryu and Stehlé (Eurocrypt'15) on multilinear maps to settings where no encodings of zero below the maximal level are available. Some of the new attacks apply to the CLT13 scheme (resulting in a total break) while others apply to (a variant of) the GGH13 scheme (resulting in a weak-DL attack). We also note the limits of these zeroizing attacks.

Information Security and Cryptology, 2021

Isomorphism of polynomials with two secrets (IP2S) problem was proposed by Patarin et al. at Eurocrypt 1996 and the problem is to find two secret linear maps filling in the gap between two polynomial maps over a finite field. At PQC 2020, Santoso proposed a problem originated from IP2S, which is called block isomorphism of polynomials with circulant matrices (BIPC) problem. The BIPC problem is obtained by linearizing IP2S and restricting secret linear maps to linear maps represented by circulant matrices. Using the commutativity of products of circulant matrices, Santoso also proposed an ElGamal-like encryption scheme based on the BIPC problem. In this paper, we give a new security analysis on the ElGamal-like encryption scheme. In particular, we introduce a new attack (called linear stack attack) which finds an equivalent key of the ElGamal-like encryption scheme by using the linearity of the BIPC problem. We see that the attack is a polynomial-time algorithm and can break some 128-bit proposed parameters of the ElGamal-like encryption scheme within 10 h on a standard PC.

2004

The object of this paper is the concrete security of recent multivariate signature schemes. A major challenge is to reconcile some "tricky" ad-hoc constructions that allow to make short signatures, with regular provable security. The paper is composed of two parts. In the first part of this paper we formalize and confront with the most recent attacks the security of several known multivariate trapdoor functions. For example the signature scheme Quartz is based on a trapdoor function G belonging to a family called HFEv-. It has two independent security parameters, and we claim that if d is big enough, no better method to compute an inverse of G than the exhaustive search is known. This will allow us to formulate our key assumption on which the provable security results can be build. In the second part, we study the security concrete security of signature schemes under our assumption. We study some general constructions, that transform a trapdoor function into a short signature scheme, and in particular these designed to obtain short signatures. On the one hand, we present generic attacks on such constructions. On the other hand, we study the possibility to prove or justify the security with some well chosen assumptions. Unfortunately for Quartz, our lower and upper security bounds do not coincide. Still the best attack known for Quartz is our generic attack using O(2 80 ) computations with O(2 80 ) of memory. We will also propose an alternative way of doing short signatures for which both bounds do coincide. Finally we also apply our results for Flash and Sflash.

IACR Cryptology ePrint Archive, 2014

An encryption relation f ⊆ Z×Z with decryption function f -1 is "group-homomorphic" if, for any suitable plaintexts x 1 and x 2 , ). Such relations would support oblivious processing of encrypted data. We propose a simple randomized encryption relation f over the integers, called DoubleMod, which is "bounded ring-homomorphic" or what some call "somewhat homomorphic." Here, "bounded" means that the number of additions and multiplications that can be performed, while not allowing the encrypted values to go out of range, is limited (any pre-specified bound on the operation-count can be accommodated). Let R be any large integer. For any plaintext x ∈ Z R , DoubleMod encrypts x as f (x) = x + au + bv, where a and b are randomly chosen integers in some appropriate interval, while (u, v) is the secret key. Here u > R 2 is a large prime and the smallest prime factor of v exceeds u. With knowledge of the key, but not of a and b, the receiver decrypts the ciphertext by computing f -1 (y) = (y mod v) mod u. DoubleMod generalizes an independent idea of van Dijk et al. 2010. We present and refine a new CCA1 chosen-ciphertext attack that finds the secret key of both systems (ours and van Dijk et al.'s) in linear time in the bit length of the security parameter. Under a known-plaintext attack, breaking DoubleMod is at most as hard as solving the Approximate GCD (AGCD) problem. The complexity of AGCD is not known. We also introduce the SingleMod field-homomorphic cryptosystems. The simplest SingleMod system based on the integers can be broken trivially. We had hoped, that if SingleMod is implemented inside non-Euclidean quadratic or higher-order fields with large discriminants, where GCD computations appear difficult, it may be feasible to achieve a desired level of security. We show, however, that a variation of our chosen-ciphertext attack works against SingleMod even in non-Euclidean fields.

Declaration I, Noel Michael McCullagh, hereby certify that this material, which I now submit for assessment on the programme of study leading to the award of Ph.D. is entirely my own work and has not been taken from the work of others save and to the extent that such work has been cited and acknowledged within the text of my work.

Lecture Notes in Computer Science, 2003

A classical construction of stream ciphers is to combine several LFSRs and a highly non-linear Boolean function f . Their security is usually analysed in terms of correlation attacks, that can be seen as solving a system of multivariate linear equations, true with some probability. At ICISC'02 this approach is extended to systems of higher-degree multivariate equations, and gives an attack in 2 92 for Toyocrypt, a Cryptrec submission. In this attack the key is found by solving an overdefined system of algebraic equations. In this paper we show how to substantially lower the degree of these equations by multiplying them by well-chosen multivariate polynomials. Thus we are able to break Toyocrypt in 2 49 CPU clocks, with only 20 Kbytes of keystream, the fastest attack proposed so far. We also successfully attack the Nessie submission LILI-128, within 2 57 CPU clocks (not the fastest attack known). In general, we show that if the Boolean function uses only a small subset (e.g. 10) of state/LFSR bits, the cipher can be broken, whatever is the Boolean function used (worst case). Our new general algebraic attack breaks stream ciphers satisfying all the previously known design criteria in at most the square root of the complexity of the previously known generic attack.

Annales UMCS, Informatica, 2014

>IJH=?J Let K be a general nite commutative ring. We refer to a family gn, n = 1, 2,. .. of bijective polynomial multivariate maps of K n as a family with invertible decomposition gn = g 1 n g 2 n. .. g k n , such that the knowledge of the composition of g i n allows computation of g i n for O(n s) (s > 0) elementary steps. A polynomial map g is stable if all non-identical elements of kind g t , t > 0 are of the same degree. We construct a new family of stable elements with invertible decomposition. This is the rst construction of the family of maps based on walks on the bipartite algebraic graphs dened over K, which are not edge transitive. We describe the application of the above mentioned construction for the development of stream ciphers, public key algorithms and key exchange protocols. The absence of edge transitive group essentially complicates cryptanalysis.

Progress in Cryptology – INDOCRYPT 2018, 2018

Multilinear maps enable homomorphic computation on encoded values and a public procedure to check if the computation on the encoded values results in a zero. Encodings in known candidate constructions of multilinear maps have a (growing) noise component, which is crucial for security. For example, noise in GGH13 multilinear maps grows with the number of levels that need to be supported and must remain below the maximal noise supported by the multilinear map for correctness. A smaller maximal noise, which must be supported, is desirable both for reasons of security and efficiency. In this work, we put forward new candidate constructions of obfuscation for which the maximal supported noise is polynomial (in the security parameter). Our constructions are obtained by instantiating a modification of Lin's obfuscation construction (EUROCRYPT 2016) with composite order variants of the GGH13 multilinear maps. For these schemes, we show that the maximal supported noise only needs to grow polynomially in the security parameter. We prove the security of these constructions in the weak multilinear map model that captures all known vulnerabilities of GGH13 maps. Finally, we investigate the security of the considered composite order variants of GGH13 multilinear maps from a cryptanalytic standpoint.

2000

The object of this paper is the concrete security of recent multivariate signature schemes. A major challenge is to reconcile some "tricky" ad-hoc constructions that allow to make short signatures, with regular provable security. The paper is composed of two parts. In the first part of this paper we formalize and confront with the most recent attacks the security of

Lecture Notes in Computer Science, 1999

At SAC '97, Itoh, Okamoto and Mambo presented a fast public key cryptosystem. After analyzing several attacks including latticereduction attacks, they claimed that its security was high, although the cryptosystem had some resemblances with the former knapsack cryptosystems, since decryption could be viewed as a multiplicative knapsack problem. In this paper, we show how to recover the private key from a fraction of the public key in less than 10 minutes for the suggested choice of parameters. The attack is based on a systematic use of the notion of the orthogonal lattice which we introduced as a cryptographic tool at Crypto '97. This notion allows us to attack the linearity hidden in the scheme.

Annales UMCS, Informatica, 2013

We say that the sequence gn, n ≥ 3, n → ∞ of polynomial transformation bijective maps of free module K n over commutative ring K is a sequence of stable degree if the order of gn is growing with n and the degree of each nonidentical polynomial map of kind gn k is an independent constant c. Transformation b = τ gn k τ −1 , where τ is the affine bijection, n is large and k is relatively small, can be used as a base of group theoretical Diffie-Hellman key exchange algorithm for the Cremona group C(K n) of all regular automorphisms of K n. The specific feature of this method is that the order of the base may be unknown for the adversary because of the complexity of its computation. The exchange can be implemented by tools of Computer Algebra (symbolic computations). The adversary can not use the degree of righthandside in b x = d to evaluate unknown x in this form for the discrete logarithm problem. In the paper we introduce the explicit constructions of sequences of elements of stable degree for the cases c = 3 and c = n+2 4 for each commutative ring K containing at least 3 regular elements and discuss the implementation of related key exchange and multivariate map algorithms.

2022

We derive a tight upper bound on the probability over x = (x1, . . . , xμ) ∈ Z uniformly distributed in [0, m) that f(x) = 0 mod N for any μ-linear polynomial f ∈ Z[X1, . . . , Xμ] coprime toN . We show that forN = p1 1 , ..., p rl l this probability is bounded by μ m + ∏l i=1 I 1 pi (ri, μ) where I is the regularized beta function. Furthermore, we provide an inverse result that for any target parameter λ bounds the minimum size of N for which the probability that f(x) ≡ 0 mod N is at most 2 + μ m . For μ = 1 this is simply N ≥ 2. For μ ≥ 2, log2(N) ≥ 8μ + log2(2μ) ·λ the probability that f(x) ≡ 0 mod N is bounded by 2 + μ m . We also present a computational method that derives tighter bounds for specific values of μ and λ. For example, our analysis shows that for μ = 20, λ = 120 (values typical in cryptography applications), and log2(N) ≥ 416 the probability is bounded by 2 + 20 m . We provide a table of computational bounds for a large set of μ and λ values.

International Journal of Bifurcation and Chaos, 2006

As a powerful cryptanalysis tool, the method of return-map attacks can be used to extract secret messages masked by chaos in secure communication schemes. Recently, a simple defensive mechanism was presented to enhance the security of chaotic parameter modulation schemes against return-map attacks. Two techniques are combined in the proposed defensive mechanism: multistep parameter modulation and alternative driving of two different transmitter variables. This paper re-studies the security of this proposed defensive mechanism against return-map attacks, and points out that the security was much over-estimated in the original publication for both ciphertext-only attack and known/chosen-plaintext attacks. It is found that a deterministic relationship exists between the shape of the return map and the modulated parameter, and that such a relationship can be used to dramatically enhance return-map attacks thereby making them quite easy to break the defensive mechanism.

Lecture Notes in Computer Science, 1997

Chosen-message attack on RSA is usually considered as an inherent property of its homomorphic structure. In this paper, we show that nonhomomorphic RSA-type cryptosystems are also susceptible to a chosen-message attack. In particular, we prove that only one message is needed to mount a successful chosen-message attack against the Lucas-based systems and Demytko's elliptic curve system.