Attacks on the Mersenne-based AJPS cryptosystem (PowerPoint presentation)


SLIDE 1

Attacks on the Mersenne-based AJPS cryptosystem

Koen de Boer [1], L. Ducas [1], S. Jeffery [1,2], R. de Wolf [1,2,3]

[1] Centrum Wiskunde en Informatica, Amsterdam
[2] QuSoft, Amsterdam
[3] University of Amsterdam

April 9, 2018

April 9, PQCrypto, Fort Lauderdale, Florida 1 / 15

SLIDE 8

Overview

Aggarwal, Joux, Prakash, Santha [AJPS17] (May ’17)
• Propose a potentially quantum-safe public-key cryptosystem based on Mersenne numbers and NTRU [HPS98].
• Consider but dismiss Meet-in-the-Middle and lattice attacks.
• Hope that ‘brute force’ is the optimal attack.

Beunardeau, Connolly, Géraud, Naccache [BCGN17] (Jun ’17)
• Describe an experimental lattice-reduction attack.

Our contribution (Dec ’17)
• Meet-in-the-Middle attack ← this talk
• Analysis of the lattice attack of Beunardeau et al.

SLIDE 9

Table of Contents

1. The Mersenne-number based AJPS cryptosystem
2. Meet-in-the-Middle attack on the AJPS cryptosystem
   • Example: Subset-sum problem
   • MITM in the AJPS cryptosystem

SLIDE 13

The AJPS cryptosystem

Set R = Z/NZ, where N = 2^n − 1 with n prime. Each element in R can be uniquely identified by its binary representation in {0,1}^n \ {1^n}. For a ∈ R, set |a| := the Hamming weight of the binary representation of a.

a ∈ R | bin. rep. | |a|
0 | 0...000 | 0
1 | 0...001 | 1
2 | 0...010 | 1
3 | 0...011 | 2
... | ... | ...
2^n − 2 | 1...110 | n − 1

SLIDE 20

The AJPS cryptosystem

Set R = Z/NZ, where N = 2^n − 1 with n prime. Each element in R can be uniquely identified by its binary representation in {0,1}^n \ {1^n}. For a ∈ R, set |a| := the Hamming weight of the binary representation of a. Set w = ⌊√n/2⌋. Choose f, g ∈ R such that |f| = |g| = w and g invertible. Set h = f/g. Public key is h and secret key g.

The Mersenne Low Hamming Ratio Problem
Given h ∈ R, which is a quotient of two elements of low Hamming weight, find f, g ∈ R with |f| = |g| = w such that h = f/g.

Brute force attack: guess a g ∈ R with |g| = w, check whether |gh| = w. Time: (n choose w).


SLIDE 22

Meet-in-the-Middle attack

Improved time complexity, at the cost of greater space complexity.

SLIDE 33

MITM in the subset-sum problem

Subset-sum problem: Given z1, ..., zn ∈ Z, find I ⊆ {1, ..., n} such that Σ_{i∈I} zi = 0.

Algorithm:
• For all I1 ⊆ {1, ..., n/2}, store I1 in the bucket L[Σ_{i∈I1} zi].
• For every I2 ⊆ {n/2 + 1, ..., n} do:
  – Check whether the bucket L[−Σ_{i∈I2} zi] is non-empty.
  – If it is, output I2 and an I1 ∈ L[−Σ_{i∈I2} zi].

Example: z1 = 6, z2 = 2, z3 = −1, z4 = 10, z5 = 9, z6 = −5

Bucket table L for the first half:
i | L[i]
−1 | {3}
1 | {2, 3}
2 | {2}
5 | {1, 3}
6 | {1}
7 | {1, 2, 3}
8 | {1, 2}

Probing with the second half:
−Σ_{i∈{4}} zi = −10 (bucket empty)
−Σ_{i∈{5}} zi = −9 (bucket empty)
−Σ_{i∈{6}} zi = 5 (bucket {1, 3})

Output: {1, 3} ∪ {6}
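The bucket-and-probe procedure of this slide, run on the slide's own six numbers, as an added example (not code from the talk). It generalizes the slide slightly: mitm_subset_sum accepts an arbitrary target sum (the slide's case is target 0) and rejects the trivial empty solution; the index sets it returns are 1-based like the slide's.

```python
"""Meet-in-the-Middle for subset-sum, following the slide's example.
Added example, not code from the talk; z = [6, 2, -1, 10, 9, -5] is the
slide's own instance with 1-based indices z1..z6."""
from itertools import combinations


def subset_sums(z, positions):
    """Bucket table L[.] of the slide: L[s] lists every index subset (1-based
    tuple) of `positions` whose elements of z sum to s.  Enumerating all
    subsets of half the indices costs 2^(n/2) time and 2^(n/2) memory."""
    table = {}
    for size in range(len(positions) + 1):
        for subset in combinations(positions, size):
            s = sum(z[i - 1] for i in subset)
            table.setdefault(s, []).append(subset)
    return table


def mitm_subset_sum(z, target=0):
    """Return a non-empty index set I (sorted 1-based tuple) with
    sum_{i in I} z_i == target, or None if there is none.
    The slide does target 0; any target works by storing the first half
    and probing for target - sum(I2).  Cost: 2^(n/2) table entries plus
    2^(n/2) probes, instead of the 2^n subsets brute force would walk."""
    n = len(z)
    low, high = range(1, n // 2 + 1), range(n // 2 + 1, n + 1)
    table = subset_sums(z, low)
    for size in range(len(high) + 1):
        for i2 in combinations(high, size):
            need = target - sum(z[i - 1] for i in i2)
            for i1 in table.get(need, ()):
                if i1 or i2:            # reject the trivial empty solution
                    return tuple(sorted(i1 + i2))
    return None


if __name__ == "__main__":
    z = [6, 2, -1, 10, 9, -5]          # the slide's instance (constructed)
    print(subset_sums(z, range(1, 4)))  # the bucket table of the slide
    print(mitm_subset_sum(z))           # (1, 3, 6), i.e. {1, 3} ∪ {6}
```

The probe order (subsets of the second half by increasing size) reproduces the slide's walk: {4} and {5} miss, {6} needs bucket 5 and finds {1, 3}.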

SLIDE 41

MITM in the AJPS cryptosystem

The Mersenne Low Hamming Ratio Problem
Given h ∈ R, which is a quotient of two elements of low Hamming weight, find f, g ∈ R with |f| = |g| = w such that h = f/g.

Split g = g1 + g2. Since hg = f, we have hg1 = −hg2 + f.
Heuristically, assume −hg2 is random. Then ∆Hamm(−hg2, hg1) ≤ 2w + c√w with error probability ≤ e^(−c/8).
Informally: −hg2 ≈ hg1.

SLIDE 47

MITM in the AJPS cryptosystem

Split a possible g = g1 + g2 in two parts, where g1 ∈ {0,1}^(n/2) × 0^(n/2) and g2 ∈ 0^(n/2) × {0,1}^(n/2).
• For all g1, store {g1} into the bucket L[hg1].
• For all g2, do:
  – Find t ≈ −hg2 such that L[t] is non-empty.
  – If such a t exists, pick g1 ∈ L[t] and output g1 + g2.

Hash Table L:
Key | Bucket
hg1 → {g1}
hg1′ → {g1′}
... | ...

Problem: There are many t ≈ −hg2, and most of the buckets L[t] are empty.

SLIDE 51

Locality Sensitive Hashing

hg1 = −hg2 + f

Construct the ‘hash’ function H : {0,1}^n → {0,1}^k, sending b_n ··· b_1 → b_(k+i) ··· b_i.

Hope: H(hg1) = H(−hg2)

SLIDE 64

MITM in the AJPS cryptosystem

Split a possible g = g1 + g2 in two parts, where g1 ∈ {0,1}^(n/2) × 0^(n/2) and g2 ∈ 0^(n/2) × {0,1}^(n/2).
• For all g1, store {g1} into the bucket L[H(hg1)].
• For all g2 do:
  – Check whether L[H(−hg2)] is non-empty.
  – If so, then check if some g1 ∈ L[H(−hg2)] satisfies |h(g1 + g2)| = w.
  – If so, output g1 + g2.

Hash Table L:
Key | Bucket
H(hg1) → {g1′, g1″, g1, ...}
H(hg1‴) → {g1‴, ...}
... | ...

Difficulties:
• ‘false positives’: non-close elements in the bucket
• ‘false negatives’: close element in the ‘wrong’ bucket

Solution: Choose the block size of H to be log2 (n/2 choose w/2). Repeat the algorithm over randomized H.

Using a combinatorial heuristic, this works. This algorithm breaks the AJPS system in time (n/2 choose w/2) ≈ n^(√n/8).
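The cryptosystem of slide 20, the closeness heuristic of slide 41, the window hash of slide 51 and the Meet-in-the-Middle of this slide as one runnable toy, added here and not code from the talk or from the AJPS or BCGN papers. It assumes the low-half/high-half split of g from the slides and the constructed toy parameters n = 61, w = ⌊√61/2⌋ = 3, far below anything a deployment would use; the block size k = log2 (n/2 choose w/2) is rounded to an integer, and the window start of H is re-randomized every round, which is the "repeat over randomized H" step. mitm_lsh tries every split w = w1 + w2 rather than only w1 = w2 = w/2, so it also recovers secrets whose bits fall unevenly between the halves.

```python
"""Toy model of the AJPS Mersenne cryptosystem and the Meet-in-the-Middle
search with locality-sensitive hashing from the slides.  Added example, not
code from the talk or the papers; n = 61, w = 3 are constructed toy values."""
import math
import random
from itertools import combinations


def hamming(a: int) -> int:
    """Hamming weight |a| of the n-bit representative of a in Z/(2^n - 1)Z."""
    return bin(a).count("1")


def random_weight(n: int, w: int, rng: random.Random) -> int:
    """Uniform element of Z/(2^n - 1)Z whose n-bit representation has weight w."""
    return sum(1 << b for b in rng.sample(range(n), w))


def keygen(n: int, w: int, seed: int = 0):
    """Slide 20: |f| = |g| = w, g invertible, h = f/g; returns (h, f, g).
    N = 2^n - 1 need not be prime even for prime n (2^11 - 1 = 23 * 89),
    so invertibility is checked with a gcd instead of being assumed."""
    rng = random.Random(seed)
    N = (1 << n) - 1
    while True:
        f, g = random_weight(n, w, rng), random_weight(n, w, rng)
        if math.gcd(g, N) == 1:
            return f * pow(g, -1, N) % N, f, g


def split_distance(h: int, g: int, n: int) -> int:
    """Slide 41: Hamming distance between h*g1 and -h*g2 for the low/high
    split g = g1 + g2 of a secret g.  Since h*g1 = -h*g2 + f, the heuristic
    predicts about 2w + c*sqrt(w), far below the ~n/2 of unrelated elements."""
    N = (1 << n) - 1
    low_mask = (1 << (n // 2)) - 1
    g1, g2 = g & low_mask, g & ~low_mask
    return hamming((h * g1 % N) ^ (-h * g2 % N))


def window_hash(x: int, start: int, k: int) -> int:
    """Slide 51: H(b_n ... b_1) = b_(start+k-1) ... b_start, k consecutive bits."""
    return (x >> start) & ((1 << k) - 1)


def mitm_lsh(h: int, n: int, w: int, seed: int = 0, max_rounds: int = 200):
    """Slide 64: recover some g with |h*g| = w, or None after max_rounds.
    g1 ranges over the low n//2 bit positions and g2 over the high ones; every
    split w = w1 + w2 is tried.  Buckets are keyed by H(h*g1) and probed with
    H(-h*g2); each hit is confirmed by the exact weight test, which removes
    false positives, and a fresh random window start per round recovers from
    false negatives (the true pair hashed into different buckets)."""
    rng = random.Random(seed)
    N = (1 << n) - 1
    half = n // 2
    low_pos, high_pos = range(half), range(half, n)
    # block size k = log2 C(n/2, w/2) from the slides, rounded to an integer
    k = max(1, round(math.log2(math.comb(half, max(1, w // 2)))))
    for _ in range(max_rounds):
        start = rng.randrange(0, n - k + 1)
        for w1 in range(w + 1):
            table = {}
            for bits in combinations(low_pos, w1):
                g1 = sum(1 << b for b in bits)
                table.setdefault(window_hash(h * g1 % N, start, k), []).append(g1)
            for bits in combinations(high_pos, w - w1):
                g2 = sum(1 << b for b in bits)
                for g1 in table.get(window_hash(-h * g2 % N, start, k), ()):
                    if hamming(h * (g1 + g2) % N) == w:
                        return g1 + g2
    return None


def brute_force_cost(n: int, w: int) -> int:
    """Slide 20: size C(n, w) of the search space the brute-force attack walks."""
    return math.comb(n, w)


if __name__ == "__main__":
    n, w = 61, math.isqrt(61) // 2           # w = floor(sqrt(n)/2) = 3 (toy)
    h, f, g = keygen(n, w, seed=2018)
    print("brute force space:", brute_force_cost(n, w))
    print("distance of the true split:", split_distance(h, g, n))
    print("recovered a weight-w secret:", mitm_lsh(h, n, w, seed=7) is not None)
```

Multiplication by 2^j is a cyclic rotation in Z/(2^n − 1)Z, so every rotation of g is an equally valid secret for the same h (h · 2^j g = 2^j f still has weight w); the search is therefore judged by the weight test |h·g| = w, not by equality with the generated g. split_distance on the true split shows why the window hash can work at all: hg1 and −hg2 differ in only about 2w positions, whereas two unrelated elements differ in about n/2. The split with g1 = 0 is degenerate, since then −hg2 = −f is the bitwise complement of f and the heuristic does not apply.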

SLIDE 69

Overview

Attack | Authors | Running time (classical) | Running time (quantum)
Brute force | AJPS | n^(√n/4) | n^(√n/8)
Meet in the Middle | Our work | n^(√n/8) | n^(√n/12)
Lattice attack | BCGN | 2^(√n) ? | 2^(√n/2) ?
Lattice attack | Our analysis | 2.01^(√n) | 2.01^(√n/2)

SLIDE 73

Open Questions

• We analyzed the lattice attack of Beunardeau et al. over randomly chosen keys. Are there specific ‘weak’ keys for this lattice attack?
• Aggarwal et al. improved their cryptosystem [AJPS17], allowing more bits to be encrypted. What is the security of this improved system?

SLIDE 75

Main lesson

Collisions don’t need to be exact to apply a Meet-in-the-Middle attack.

SLIDE 76

References

• D. Aggarwal et al. “A New Public-Key Cryptosystem via Mersenne Numbers”. Cryptology ePrint Archive, Report 2017/481. http://eprint.iacr.org/2017/481. 2017.
• A. Ambainis. “Quantum Search with Variable Times”. In: Theory of Computing Systems 47.3 (2010), pp. 786–807. ISSN: 1433-0490. DOI: 10.1007/s00224-009-9219-1.
• M. Beunardeau et al. “On the Hardness of the Mersenne Low Hamming Ratio Assumption”. In: Progress in Cryptology – LATINCRYPT 2017. Available at http://eprint.iacr.org/2017/522. 2017.
• J. Hoffstein, J. Pipher, and J. H. Silverman. “NTRU: A ring-based public key cryptosystem”. In: International Algorithmic Number Theory Symposium. Springer, 1998, pp. 267–288.