cryptanalysis of sflash with slightly modified parameters
play

Cryptanalysis of SFLASH with Slightly Modified Parameters Vivien - PowerPoint PPT Presentation

Dec 01, 2022 •181 likes •728 views

Introduction Description Strategy Attack Cryptanalysis of SFLASH with Slightly Modified Parameters Vivien Dubois, Pierre-Alain Fouque and Jacques Stern Ecole normale suprieure, Paris Vivien Dubois, Pierre-Alain Fouque and Jacques Stern

  1. Introduction Description Strategy Attack Cryptanalysis of SFLASH with Slightly Modified Parameters Vivien Dubois, Pierre-Alain Fouque and Jacques Stern Ecole normale supérieure, Paris Vivien Dubois, Pierre-Alain Fouque and Jacques Stern Cryptanalysis of SFLASH with Slightly Modified Parameters

  2. Introduction Description Strategy Attack Multivariate Schemes SFLASH is a multivariate signature scheme designed by Patarin-Goubin-Courtois in 2001 Vivien Dubois, Pierre-Alain Fouque and Jacques Stern Cryptanalysis of SFLASH with Slightly Modified Parameters

  3. Introduction Description Strategy Attack Multivariate Schemes SFLASH is a multivariate signature scheme designed by Patarin-Goubin-Courtois in 2001 It is reputed for being very fast Vivien Dubois, Pierre-Alain Fouque and Jacques Stern Cryptanalysis of SFLASH with Slightly Modified Parameters

  4. Introduction Description Strategy Attack Multivariate Schemes SFLASH is a multivariate signature scheme designed by Patarin-Goubin-Courtois in 2001 It is reputed for being very fast It is reputed for being very light, suitable for low-end smartcards Vivien Dubois, Pierre-Alain Fouque and Jacques Stern Cryptanalysis of SFLASH with Slightly Modified Parameters

  5. Introduction Description Strategy Attack Multivariate Schemes SFLASH is a multivariate signature scheme designed by Patarin-Goubin-Courtois in 2001 It is reputed for being very fast It is reputed for being very light, suitable for low-end smartcards It is recommended by the NESSIE European Consortium since 2003 Vivien Dubois, Pierre-Alain Fouque and Jacques Stern Cryptanalysis of SFLASH with Slightly Modified Parameters

  6. Introduction Description Strategy Attack Multivariate Schemes Topic of the talk We show that slight modifications of the parameters render the scheme insecure Vivien Dubois, Pierre-Alain Fouque and Jacques Stern Cryptanalysis of SFLASH with Slightly Modified Parameters

  7. Introduction Description Strategy Attack Multivariate Schemes Topic of the talk We show that slight modifications of the parameters render the scheme insecure More precisely... SFLASH is some instance of C ∗− schemes [PGC98] All C ∗− schemes are currently considered secure Vivien Dubois, Pierre-Alain Fouque and Jacques Stern Cryptanalysis of SFLASH with Slightly Modified Parameters

  8. Introduction Description Strategy Attack Multivariate Schemes Topic of the talk We show that slight modifications of the parameters render the scheme insecure More precisely... SFLASH is some instance of C ∗− schemes [PGC98] All C ∗− schemes are currently considered secure We show that a large class of C ∗− schemes is insecure This class is defined by the non-coprimality of two parameters The attack does not apply to the parameters of SFLASH, but the choice of SFLASH parameters was not justified Vivien Dubois, Pierre-Alain Fouque and Jacques Stern Cryptanalysis of SFLASH with Slightly Modified Parameters

  9. Introduction Description Strategy Attack Multivariate Schemes Organisation of the talk A few basics about multivariate schemes Description of C ∗− schemes Basic strategy for attacking C ∗− schemes Description of the attack Vivien Dubois, Pierre-Alain Fouque and Jacques Stern Cryptanalysis of SFLASH with Slightly Modified Parameters

  10. Introduction Description Strategy Attack Multivariate Schemes Multivariate Schemes A family of asymmetric schemes Hard problems involve MQ polynomials over a finite field F q e.g. solving an MQ system is NP-hard and currently requires exponential time and memory on average Vivien Dubois, Pierre-Alain Fouque and Jacques Stern Cryptanalysis of SFLASH with Slightly Modified Parameters

  11. Introduction Description Strategy Attack Multivariate Schemes Multivariate Schemes A family of asymmetric schemes Hard problems involve MQ polynomials over a finite field F q e.g. solving an MQ system is NP-hard and currently requires exponential time and memory on average The Generic Multivariate Construction Hiding an easily invertible function using linear transforms P = T ◦ P ◦ S Schemes differ from the type of easy function embedded Vivien Dubois, Pierre-Alain Fouque and Jacques Stern Cryptanalysis of SFLASH with Slightly Modified Parameters

  12. Introduction Description Strategy Attack Multivariate Schemes The C ∗ Scheme C ∗ was proposed by [MI88] and broken by Patarin in 95 Short Description of C ∗ The internal function is a monomial over F q n P ( x ) = x 1 + q θ = x . x q θ F q n is a n -dimension vector space over F q , isomorphic to ( F q ) n Since a q -powering is linear in F q n , P ( x ) is quadratic P ( x ) is an n -tuple of mult. quad. polynomials ( p 1 , . . . , p n ) p k ( x 1 , . . . , x n ) = α 12 x 1 x 2 + α 13 x 1 x 3 + . . . P can be inverted by raising to the inverse power of 1 + q θ P = T ◦ P ◦ S is the public key Vivien Dubois, Pierre-Alain Fouque and Jacques Stern Cryptanalysis of SFLASH with Slightly Modified Parameters

  13. Introduction Description Strategy Attack Multivariate Schemes The attack by Patarin on C ∗ Any element x and y = P ( x ) satisfy x . y q θ − y . x q 2 θ = 0 y q θ − 1 = x ( q θ + 1 )( q θ − 1 ) = ⇒ Consequence : plain and cipher texts are bilinearly related These bilinear equations can be determined using pairs ( x , y ) Then, for any specified value y , x is solution of a system of linear equations Vivien Dubois, Pierre-Alain Fouque and Jacques Stern Cryptanalysis of SFLASH with Slightly Modified Parameters

  14. Introduction Description Strategy Attack Parameters Instantiations C ∗− Schemes C ∗− schemes are C ∗ schemes with a truncated public key [PGC98] Construction of a C ∗− scheme ( n , θ, r ) are the parameters of the scheme 1 Generate a C ∗ with parameters ( n , θ ) : P ( x ) = x 1 + q θ 2 Remove the last r polynomials from the public key  p 1 ( x 1 , . . . , x n )   p 1 ( x 1 , . . . , x n )  .  .   .   . Π . T ◦ P ◦ S = = Π ◦ P �− → . . . .   p n − r ( x 1 , .., x n )     p n ( x 1 , . . . , x n )  Vivien Dubois, Pierre-Alain Fouque and Jacques Stern Cryptanalysis of SFLASH with Slightly Modified Parameters

  15. Introduction Description Strategy Attack Parameters Instantiations Signing with a C ∗− scheme 1 Append r random bits µ to the message m to be signed 2 Find a preimage σ of ( m , µ ) by T ◦ P ◦ S using S , T 3 Such a preimage always exists since a C ∗ monomial is bijective 4 σ is a valid signature since Π ◦ P ( σ ) = m Vivien Dubois, Pierre-Alain Fouque and Jacques Stern Cryptanalysis of SFLASH with Slightly Modified Parameters

  16. Introduction Description Strategy Attack Parameters Instantiations Choosing Parameters Parameters ( n , θ ) must define a bijective C ∗ P ( x ) = x 1 + q θ P is bijective when gcd ( q θ + 1 , q n − 1 ) = 1 ( q even) This condition is equivalent to n / d odd where d = gcd ( n , θ ) Vivien Dubois, Pierre-Alain Fouque and Jacques Stern Cryptanalysis of SFLASH with Slightly Modified Parameters

  17. Introduction Description Strategy Attack Parameters Instantiations Choosing Parameters Parameters ( n , θ ) must define a bijective C ∗ P ( x ) = x 1 + q θ P is bijective when gcd ( q θ + 1 , q n − 1 ) = 1 ( q even) This condition is equivalent to n / d odd where d = gcd ( n , θ ) q r ≥ 2 80 to avoid a possible recomposing attack from [PGC98] Vivien Dubois, Pierre-Alain Fouque and Jacques Stern Cryptanalysis of SFLASH with Slightly Modified Parameters

  18. Introduction Description Strategy Attack Parameters Instantiations Proposed Instantiations The first version of SFLASH was a tweaked C ∗− scheme S , T taken over F 2 rather than F q to make the key smaller This specificity could be exploited for an attack [GM02] Vivien Dubois, Pierre-Alain Fouque and Jacques Stern Cryptanalysis of SFLASH with Slightly Modified Parameters

  19. Introduction Description Strategy Attack Parameters Instantiations Proposed Instantiations The first version of SFLASH was a tweaked C ∗− scheme S , T taken over F 2 rather than F q to make the key smaller This specificity could be exploited for an attack [GM02] Standard Instantiations q n θ d r Length PubKey Size 2 8 FLASH 29 11 1 11 296 bits 18 Ko 2 7 SFLASHv2 [NESSIE] 37 11 1 11 259 bits 15 Ko 2 7 SFLASHv3 67 33 1 11 469 bits 112 Ko Vivien Dubois, Pierre-Alain Fouque and Jacques Stern Cryptanalysis of SFLASH with Slightly Modified Parameters

  20. Introduction Description Strategy Attack Basic Strategy of our Attack Vivien Dubois, Pierre-Alain Fouque and Jacques Stern Cryptanalysis of SFLASH with Slightly Modified Parameters

  21. Introduction Description Strategy Attack Basic Strategy of our Attack Important observation Consider a C ∗ public key P = T ◦ P ◦ S       . . . ( P ◦ S ) 1 p 1 t 11 t 1 n . . . . . . . .       . . . .       = . . . .       . . . .  .   . .   .        p n t n 1 . . . t nn ( P ◦ S ) n Vivien Dubois, Pierre-Alain Fouque and Jacques Stern Cryptanalysis of SFLASH with Slightly Modified Parameters

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Slightly-modified GI Author-verifier with Lots of Features (ASGALF) Mahmoud Khonji, Youssef

A Slightly-modified GI Author-verifier with Lots of Features (ASGALF) Mahmoud Khonji, Youssef

A Slightly-modified GI Author-verifier with Lots of Features (ASGALF) Mahmoud Khonji, Youssef Iraqi {mkhonji, youssef.iraqi}@ku.ac.ae Khalifa University, UAE Outline General Impostors (quick intro; our imp.) Score aggregation.

487 views • 12 slides
Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
[CRI RI299] S SFLASH: Absol olute Measurem emen ent o of Fluor ores escen ence ce Yield

[CRI RI299] S SFLASH: Absol olute Measurem emen ent o of Fluor ores escen ence ce Yield

[CRI RI299] S SFLASH: Absol olute Measurem emen ent o of Fluor ores escen ence ce Yield fro rom Sh Shower P Particles C. Jui 1 , P. Sokolsky 1 , and M. Fukushima 2 . 1 Dept. of Physics and Astronomy, University of Utah, U.S.A. 2

528 views • 21 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May, 2017 0/35 Cryptanalysis of Affine Cipher Outline Cryptanalysis of Affine Cipher 1 Hypothesis Testing 2 Linear Cryptanalysis 3 0/35

1.52k views • 110 slides
Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential cryptanalysis Linear cryptanalysis Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and Linear Cryptanalysis Differential cryptanalysis Linear cryptanalysis Iterated block ciphers (DES,

910 views • 53 slides
The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas Peyrin Orange Labs and Ingenico FSE 2010 - Seoul - Korea

1.38k views • 19 slides
Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference of the corresponding two outputs. - the difference M Z of two strings of bits Z and Z

556 views • 10 slides
Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU Leuven, and imec, Belgium FSE, March 2017 1 Table of Contents ARX & Rotational Cryptanalysis Rotational cryptanalysis with constants Experiment

1.12k views • 72 slides
Camera Parameters INEL 6088 Computer Vision Camera Parameters Extrinsic parameters: define

Camera Parameters INEL 6088 Computer Vision Camera Parameters Extrinsic parameters: define

Camera Parameters INEL 6088 Computer Vision Camera Parameters Extrinsic parameters: define the location and orientation of the camera with respect to the world reference frame Intrinsic parameters: link the pixel coordinates of an image

498 views • 15 slides
Pretty small This is it! goblet cells & cancer considering in and around the the size of

Pretty small This is it! goblet cells & cancer considering in and around the the size of

5/24/2014 Controversial stuff that occurs slightly above, within or slightly below the gastroesophageal junction, including Barretts mucosa: Henry Moon was one of the What role do we giants in academic pathology pathologists play?

532 views • 41 slides
Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below (half of) exhaustive search. Differential Cryptanalysis Note : In all the following discussion we ignore the existence of the initial and the final

330 views • 8 slides
Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . .

Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . .

Description of LAC Differentials and Characteristics Forgery attack Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . . Gatan Leurent Inria, France DIAC 2014 2 / 9 Description of LAC DIAC

1.04k views • 36 slides
Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential cryptanalysis David Gerault LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier,

455 views • 26 slides
Two-Port Networks Definitions Impedance Parameters Admittance Parameters Hybrid

Two-Port Networks Definitions Impedance Parameters Admittance Parameters Hybrid

Two-Port Networks Definitions Impedance Parameters Admittance Parameters Hybrid Parameters Transmission Parameters Cascaded Two-Port Networks Examples Applications J. McNames Portland State University ECE 222

373 views • 33 slides
Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro Hadi Soleimany

Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro Hadi Soleimany

Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro Hadi Soleimany Department of Information and Computer Science, Aalto University School of Science, Finland FSE 2014 1 / 21 Outline Introduction Slide Cryptanalysis

712 views • 49 slides
Different Spirals of Sameness: A Study of Content Sharing in Mainstream and Alternative Media

Different Spirals of Sameness: A Study of Content Sharing in Mainstream and Alternative Media

Different Spirals of Sameness: A Study of Content Sharing in Mainstream and Alternative Media Benjamin D. Horne , Jeppe Nrregaard, and Sibel Adali Rensselaer Polytechnic Institute, Technical University of Denmark Primary focus of this work is

548 views • 29 slides
In-Place Associative Computing Avidan Akerib Ph.D. Vice President Associative Computing BU

In-Place Associative Computing Avidan Akerib Ph.D. Vice President Associative Computing BU

In-Place Associative Computing Avidan Akerib Ph.D. Vice President Associative Computing BU aakerib@gsitechnology.com All Images are Public in the Web 1 Agenda Introduction to associative computing Use case examples Similarity

936 views • 64 slides
WESTERN NC CONVERSION HEALTH FOUNDATION FORUM Kim Stravolo kstravolo@maryblackfoundation.org Vice

WESTERN NC CONVERSION HEALTH FOUNDATION FORUM Kim Stravolo kstravolo@maryblackfoundation.org Vice

8/2/2018 WESTERN NC CONVERSION HEALTH FOUNDATION FORUM Kim Stravolo kstravolo@maryblackfoundation.org Vice President/CFO Mary Black Foundation Todays Discussion Who are we? History Evolvement of Initiatives Collaboration

223 views • 5 slides
Credit Suisse Transportation Conference September 9, 2010 James A. Squires Executive Vice

Credit Suisse Transportation Conference September 9, 2010 James A. Squires Executive Vice

Credit Suisse Transportation Conference September 9, 2010 James A. Squires Executive Vice President Finance and CFO Norfolk Southern Corporation Agenda Recent Financial Results Current Business Environment Productivity Scorecard

353 views • 31 slides
Creating Purchase Requisitions and Receiving As of May 20, 2019 Objectives Identify what a

Creating Purchase Requisitions and Receiving As of May 20, 2019 Objectives Identify what a

Creating Purchase Requisitions and Receiving As of May 20, 2019 Objectives Identify what a Purchase Requisition is and when you need one Set Default Requestor Preferences Create a new Purchase Requisition Manage and edit your

214 views • 4 slides
Agenda What is EA One? How will Online Recruitment impact schools? Tea Break - Interactive

Agenda What is EA One? How will Online Recruitment impact schools? Tea Break - Interactive

Agenda What is EA One? How will Online Recruitment impact schools? Tea Break - Interactive Comments & Networking How will the new HR and Payroll system impact schools? Next Steps & Feedback What is EA One? Who is impacted by EA One?

771 views • 47 slides
The Requirements Model, and The Dynamic Analysis Model Instructor: Dr. Hany H. Ammar Dept. of

The Requirements Model, and The Dynamic Analysis Model Instructor: Dr. Hany H. Ammar Dept. of

UML Diagrams: Sequence Diagrams The Requirements Model, and The Dynamic Analysis Model Instructor: Dr. Hany H. Ammar Dept. of Computer Science and Electrical Engineering, WVU Outline Review of previous Lecture The Requirements Model

1.07k views • 58 slides
IMUNC 2013 2013 Media Team Delegate Briefing | 22 nd May 2013 What are we? Brand- Pioneering

IMUNC 2013 2013 Media Team Delegate Briefing | 22 nd May 2013 What are we? Brand- Pioneering

IMUNC 2013 2013 Media Team Delegate Briefing | 22 nd May 2013 What are we? Brand- Pioneering media for new IMUNC Were taking a fresh Keepin spin on the traditional it fresh Press Corps and making it original Unorthodox,

432 views • 22 slides

More recommend