Cryptanalysis via Algebraic Spans (PowerPoint presentation transcript)


Cryptanalysis via Algebraic Spans
Adi Ben-Zvi, Arkadius Kalka, and Boaz Tsaban, Bar-Ilan University. Crypto 2018.

PKC foundations are mainly abelian (and quantum insecure)
DLP in finite fields (1976); factorization (RSA, 1978).
Poor performance vs. security tradeoff; no long-term security.
Subexponential algorithms for DLP in some elliptic curves.
Quantum computers break them all.
Options: (0) abelian (DLP/RSA); (1) lattices; (2) nonabelian groups/structures.
The nonabelian option must be explored. In particular, we need general cryptanalytic tools for nonabelian crypto.
Here: Algebraic Span Cryptanalysis.

Conjugation in nonabelian groups
For $a, c \in G$ ($G$ a nonabelian group), $a^c := c^{-1} a c$ (conjugation).
Conjugation is an isomorphism: $(a^{-1})^c = (a^c)^{-1}$ and $(ab)^c = a^c \cdot b^c$.
Hence for a word $v(x_1, \dots, x_k)$ in the variables $x_1, \dots, x_k$ (e.g., $x_7 x_3^{-1} x_5$): $v(a_1^c, \dots, a_k^c) = v(a_1, \dots, a_k)^c$.

Commutator KE (Anshel–Anshel–Goldfeld 1999)
Public: $G$, Alice's subgroup $\langle a_1, \dots, a_k \rangle \le G$ and Bob's subgroup $\langle b_1, \dots, b_k \rangle \le G$.
Alice: secret word $v(x_1, \dots, x_k)$, $a = v(a_1, \dots, a_k)$. Bob: secret word $w(x_1, \dots, x_k)$, $b = w(b_1, \dots, b_k)$.
Alice sends $b_1^a, \dots, b_k^a$. Bob sends $a_1^b, \dots, a_k^b$.
Alice computes $a^{-1} v(a_1^b, \dots, a_k^b) = a^{-1} v(a_1, \dots, a_k)^b = a^{-1} a^b = a^{-1} b^{-1} a b$.
Bob computes $w(b_1^a, \dots, b_k^a)^{-1} b = \bigl(w(b_1, \dots, b_k)^a\bigr)^{-1} b = (b^a)^{-1} b = a^{-1} b^{-1} a b$.

Linear equations from conjugations
Assume $G \le \mathrm{GL}_n(F)$ (matrix representations).
Given $c = b^a$ ($a, b \in G$): $b^a = a^{-1} b a$, so $a \cdot b^a = b a$. These are linear equations in the entries of the matrix $a$.
A solution $\tilde a$ is invertible w.h.p. (Schwartz–Zippel). Then $\tilde a \cdot b^a = b \tilde a$, so $b^a = \tilde a^{-1} b \tilde a = b^{\tilde a}$.

Algebraic spans
$G \le \mathrm{GL}_n(F)$, $a, b \in G$. We can find $\tilde a$ with $b^a = b^{\tilde a}$ by linear equations, but possibly $\tilde a \notin G$!
We can force $\tilde a \in \mathrm{Alg}(G) = \mathrm{span}_F(G) \subseteq M_n(F)$, the algebra generated by $G$ (because that is a vector space, so membership is a linear constraint).
For $G = \langle g_1, \dots, g_k \rangle \le \mathrm{GL}_n(F)$, finding a basis for $\mathrm{Alg}(G)$ by repeated multiplication by generators and Gauss elimination is $O(k n^6)$.

Algebraic Span Cryptanalysis
$G_1, \dots, G_k \le \mathrm{GL}_n(F)$; $g_1 \in G_1, \dots, g_k \in G_k$.
Given: linear equations on the entries of $g_1, \dots, g_k$. Need to find $f(g_1, \dots, g_k)$.
Instead of solving subject to $g_1 \in G_1, \dots, g_k \in G_k$ (infeasible!), solve subject to the linear constraints $g_1 \in \mathrm{Alg}(G_1), \dots, g_k \in \mathrm{Alg}(G_k)$.
Pray (or prove) that every solution $\tilde g_1, \dots, \tilde g_k$ satisfies $f(\tilde g_1, \dots, \tilde g_k) = f(g_1, \dots, g_k)$.

Application: Commutator KEP
$a \in \langle a_1, \dots, a_k \rangle$, $b \in \langle b_1, \dots, b_k \rangle \le G \le \mathrm{GL}_n(F)$.
Need: $(b_1^a, \dots, b_k^a, a_1^b, \dots, a_k^b) \mapsto a^{-1} b^{-1} a b$.
Solving linear equations, we obtain $\tilde a \in \mathrm{Alg}(a_1, \dots, a_k)$ and $\tilde b \in \mathrm{Alg}(b_1, \dots, b_k)$ with
$b_1^{\tilde a} = b_1^a, \dots, b_k^{\tilde a} = b_k^a$ and $a_1^{\tilde b} = a_1^b, \dots, a_k^{\tilde b} = a_k^b$.
Since $\tilde a \in \mathrm{Alg}(a_1, \dots, a_k)$ and conjugation by $\tilde b$ agrees with conjugation by $b$ on every $a_i$ (both are automorphisms of $M_n(F)$), $\tilde a^{\tilde b} = \tilde a^b$. Similarly, $b^{\tilde a} = b^a$. Hence
$\tilde a^{-1} \tilde b^{-1} \tilde a \tilde b = \tilde a^{-1} \tilde a^{\tilde b} = \tilde a^{-1} \tilde a^b = \tilde a^{-1} b^{-1} \tilde a b = (b^{\tilde a})^{-1} b = (b^a)^{-1} b = a^{-1} b^{-1} a b$!
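The three preceding slides (linear equations from conjugations, algebraic spans, and the application to the commutator KEP) carried out end to end in pure Python on a constructed toy instance. This is an added example, not the authors' code and not the software behind the Crypto 2018 results. Everything about the instance is an assumption chosen so the run is instant: the field $F_{1009}$, matrix dimension $n = 4$, $k = 3$ random generators per party, secret words of length 8, and up to 50 random draws when looking for an invertible solution; the function names are mine. Eve sees only the generators and the two conjugate tuples, computes $\tilde a \in \mathrm{Alg}(a_1, \dots, a_k)$ and $\tilde b \in \mathrm{Alg}(b_1, \dots, b_k)$ from the linear systems, and checks that $\tilde a^{-1} \tilde b^{-1} \tilde a \tilde b$ equals the real key.

```python
# Added example, not the authors' code: the AAG commutator KE broken by algebraic spans on a constructed toy instance.
import random

P = 1009  # assumption: a small prime field F_P, chosen only to keep the arithmetic readable
def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]
def flat(M):  # matrix <-> vector in F_P^{n^2}
    return [x for row in M for x in row]
def unflat(v, n):
    return [v[i * n:(i + 1) * n] for i in range(n)]

def mat_mul(A, B):
    n = len(A)
    return [[sum(A[i][t] * B[t][j] for t in range(n)) % P for j in range(n)] for i in range(n)]

def rref(rows):  # reduced row echelon form over F_P: (nonzero rows, pivot columns)
    rows, pivots, r = [row[:] for row in rows], [], 0
    for c in range(len(rows[0])):
        piv = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][c], -1, P)
        rows[r] = [x * inv % P for x in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(x - f * y) % P for x, y in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
    return rows[:r], pivots

def mat_inv(A):  # Gauss-Jordan on [A | I]; None if A is singular
    red, pivots = rref([row + e for row, e in zip(A, identity(len(A)))])
    return [row[len(A):] for row in red] if pivots[:len(A)] == list(range(len(A))) else None

def nullspace(rows, ncols):  # basis of {v : rows . v = 0} over F_P, read off the RREF
    red, pivots = rref(rows)
    def coord(c, f):  # coordinate c of the null vector attached to free column f
        return (-red[pivots.index(c)][f]) % P if c in pivots else int(c == f)
    return [[coord(c, f) for c in range(ncols)] for f in range(ncols) if f not in pivots]

def conj(a, b):  # b^a = a^{-1} b a, in the slides' notation
    return mat_mul(mat_mul(mat_inv(a), b), a)

def commutator(a, b):  # a^{-1} b^{-1} a b = a^{-1} a^b, the AAG shared key
    return mat_mul(mat_inv(a), conj(b, a))

def eval_word(word, gens):  # word = [(index, +1 or -1), ...], e.g. x7 x3^{-1} x5
    out = identity(len(gens[0]))
    for idx, e in word:
        out = mat_mul(out, gens[idx] if e == 1 else mat_inv(gens[idx]))
    return out

def algebra_basis(gens):
    """Basis of Alg(G) = span_F(G) in M_n(F): close span{I} under right multiplication by the
    generators, Gauss-eliminating each round (over a finite field inverses are powers)."""
    n = len(gens[0])
    basis = [flat(identity(n))]
    while True:
        new = rref(basis + [flat(mat_mul(unflat(v, n), g)) for v in basis for g in gens])[0]
        if len(new) == len(basis):
            return basis
        basis = new

def conjugator_in_algebra(alg, bs, cs, rng):
    """Invertible a~ in span(alg) with a~ c_j = b_j a~, i.e. b_j^{a~} = c_j, for all j.
    Linear in the coordinates of a~; a random solution is invertible w.h.p. (Schwartz-Zippel)."""
    n, d = len(bs[0]), len(alg)
    mats, rows = [unflat(v, n) for v in alg], []
    for b, c in zip(bs, cs):
        lhs = [flat(mat_mul(Bi, c)) for Bi in mats]  # B_i c_j
        rhs = [flat(mat_mul(b, Bi)) for Bi in mats]  # b_j B_i
        rows += [[(lhs[i][e] - rhs[i][e]) % P for i in range(d)] for e in range(n * n)]
    sol = nullspace(rows, d)
    for _ in range(50):
        lam = [rng.randrange(P) for _ in sol]
        v = [sum(x * s[i] for x, s in zip(lam, sol)) % P for i in range(d)]
        M = unflat([sum(v[t] * alg[t][e] for t in range(d)) % P for e in range(n * n)], n)
        if mat_inv(M) is not None:
            return M
    raise ValueError("no invertible solution found")

def random_invertible(rng, n):
    M = [[rng.randrange(P) for _ in range(n)] for _ in range(n)]
    return M if mat_inv(M) is not None else random_invertible(rng, n)

def aag_attack(n=4, k=3, seed=7):  # True iff Eve recovers the key from the public transcript
    rng = random.Random(seed)
    A = [random_invertible(rng, n) for _ in range(k)]  # public a_1..a_k
    B = [random_invertible(rng, n) for _ in range(k)]  # public b_1..b_k
    a = eval_word([(rng.randrange(k), rng.choice((1, -1))) for _ in range(8)], A)  # secret a = v(a_i)
    b = eval_word([(rng.randrange(k), rng.choice((1, -1))) for _ in range(8)], B)  # secret b = w(b_i)
    alice_sends = [conj(a, bj) for bj in B]  # b_1^a, ..., b_k^a
    bob_sends = [conj(b, ai) for ai in A]  # a_1^b, ..., a_k^b
    a_t = conjugator_in_algebra(algebra_basis(A), B, alice_sends, rng)  # a~ in Alg(a_i), b_j^{a~} = b_j^a
    b_t = conjugator_in_algebra(algebra_basis(B), A, bob_sends, rng)  # b~ in Alg(b_i), a_j^{b~} = a_j^b
    return commutator(a_t, b_t) == commutator(a, b)
```

Two points worth noticing when running it. First, `conjugator_in_algebra` never learns $a$ itself: with random generators the solution space is typically just the scalar multiples of $a$, and any nonzero scalar cancels in the commutator, which is exactly why the slides only need some solution rather than the right one. Second, the constraint $\tilde a \in \mathrm{Alg}(a_1, \dots, a_k)$ is what makes the final equality a theorem; dropping `algebra_basis(A)` in favour of all of $M_n(F)$ would still give a conjugator for the $b_j$ but no guarantee that $\tilde a^{\tilde b} = \tilde a^b$.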

Triple Decomposition KE (Kurt 2005)
Subgroups $A, A_1, A_2, X_1, X_2, Y_1, Y_2, B_1, B_2, B \le G$, where $A_1$ commutes with $Y_1$, $A_2$ with $Y_2$, $X_1$ with $B_1$, and $X_2$ with $B_2$.
Alice: secret $a \in A$, $a_1 \in A_1$, $a_2 \in A_2$, $x_1 \in X_1$, $x_2 \in X_2$. Bob: secret $y_1 \in Y_1$, $y_2 \in Y_2$, $b_1 \in B_1$, $b_2 \in B_2$, $b \in B$.
Alice sends $a x_1,\; x_1^{-1} a_1 x_2,\; x_2^{-1} a_2$. Bob sends $b_1 y_1,\; y_1^{-1} b_2 y_2,\; y_2^{-1} b$.
$a \cdot b_1 y_1 \cdot a_1 \cdot y_1^{-1} b_2 y_2 \cdot a_2 \cdot y_2^{-1} b \;=\; a x_1 \cdot b_1 \cdot x_1^{-1} a_1 x_2 \cdot b_2 \cdot x_2^{-1} a_2 \cdot b \;=\; a b_1 a_1 b_2 a_2 b \;=:\; K$.
The triple products do not provide linear equations! (And without them we fail!)

Cryptanalysis of Triple Decomposition KE
$\mathrm{Alg}(B_1)\, y_1 = \mathrm{Alg}(B_1) \cdot b_1 y_1$;
$\mathrm{Alg}(B_2 \cup Y_2)\, y_1 = \mathrm{Alg}(B_2 \cup Y_2) \cdot y_2^{-1} b_2^{-1} y_1 = \mathrm{Alg}(B_2 \cup Y_2) \cdot (y_1^{-1} b_2 y_2)^{-1}$;
$\mathrm{Alg}(A_2)\, x_2 = \mathrm{Alg}(A_2) \cdot a_2^{-1} x_2 = \mathrm{Alg}(A_2) \cdot (x_2^{-1} a_2)^{-1}$;
$\mathrm{Alg}(A_1 \cup X_1)\, x_2 = \mathrm{Alg}(A_1 \cup X_1) \cdot x_1^{-1} a_1 x_2$.
(Each right-hand side is a subspace computable from the public transcript alone.)
Pick invertible $\tilde y_1 \in \mathrm{Alg}(Y_1) \cap \mathrm{Alg}(B_1)\, y_1 \cap \mathrm{Alg}(B_2 \cup Y_2)\, y_1$ and $\tilde x_2 \in \mathrm{Alg}(X_2) \cap \mathrm{Alg}(A_2)\, x_2 \cap \mathrm{Alg}(A_1 \cup X_1)\, x_2$.
Then $a x_1 \cdot b_1 y_1 \cdot \tilde y_1^{-1} \cdot x_1^{-1} a_1 x_2 \cdot \tilde x_2^{-1} \cdot \tilde y_1 \cdot y_1^{-1} b_2 y_2 \cdot \tilde x_2 \cdot x_2^{-1} a_2 \cdot y_2^{-1} b$ gives (intricate proof) $a b_1 a_1 b_2 a_2 b = K$! (Alternatively, could check empirically.)

Final comments
Method also applies to: nonabelian Diffie–Hellman (Ko–Lee–Cheon–Han–Kang–Park 2000), Centralizer KE (Shpilrain–Ushakov 2006), and some more.
Not the end of nonabelian cryptography:
1. Additional nonabelian proposals (Dehornoy et al., Kalka, ...).
2. Additional problems (CSP, multiple CSP, ...) to build upon.
3. Groups with no small-dimensional representations.
4. The application of this method keeps getting harder as new systems emerge (cf. recent cryptanalysis of Algebraic Eraser).
THANK YOU!
