Russian Workshop on Complexity and Model Theory, Russian Workshop on - - PowerPoint PPT Presentation



SLIDE 1

THE LINEAR DECOMPOSITION ATTACK THE NONLINEAR DECOMPOSITION ATTACK

Russian Workshop on Complexity and Model Theory. Algebraic cryptology: methods of cryptanalysis via (non)linear decomposition and new protection against them

Moscow, June 9-11, 2019

Vitaly Roman’kov

SLIDE 2

Speaker

Vitaly Roman’kov

DOSTOEVSKY OMSK STATE UNIVERSITY, OMSK, RUSSIA


SLIDE 3

Goal of this talk

Attack is the secret of defense; defense is the planning of an attack. – Sun Tzu, The Art of War

We present methods of linear and nonlinear algebraic cryptanalysis and show how to protect against them and against other methods based on linear algebra.

SLIDE 4

Part I. ALGEBRAIC CRYPTANALYSIS


SLIDE 5

THE METHODS OF LINEAR & NONLINEAR DECOMPOSITIONS IN ALGEBRAIC CRYPTANALYSIS


SLIDE 6

The linear decomposition attack: invention.

The linear decomposition method in cryptanalysis and the corresponding linear decomposition attack were introduced by VR (2012-13) in: Cryptanalysis of some schemes applying automorphisms, Prikl. Diskr. Mat., 2013, No. 3 (2013), 35-51 (in Russian); Algebraic cryptography, Omsk, 2013 (in Russian); Linear decomposition method in analyzing hidden information protocols on algebraic platforms, Algebra and Logic, 54, No. 1 (2015), 81-87; and a series of lectures at SYBECRYPT’15.

SLIDE 7

The linear decomposition attack: development

The method and the attack were developed further by VR and A. Myasnikov in A linear decomposition attack, Groups, Complexity, Cryptology, 2015, and in a number of other papers. The results are collected in the monograph "Essays in algebra and cryptology. Algebraic cryptanalysis", published by Dostoevsky OmSU Publishing House, 2018.

SLIDE 8

The linear decomposition attack: applications

Both the method and the attack were applied to the following cryptoschemes: Ko-Lee et al., Markov-Mikhalev et al., Gribov-Zolotykh et al., Rososhek, Harley, Megrelishvili et al., Mahalanobis, Kahrobaei-Shpilrain et al., Shpilrain-Ushakov, Andrecut, Alvares-Martines et al., Sakalauskas-Tvarijonas et al., Romanczuk-Ustimenko, Kurt, Fine-Kahrobaei et al., Stickel, Wang et al., Hecht, and so on.

SLIDE 9

General scheme.

Let $G$ be a group and $\{g_1, \dots, g_s\} \subseteq G$ be a set of public/private elements. Alice and Bob sequentially publish elements of the form $\varphi(f)$, where $f \in G$ is a chosen or previously built element and $\varphi : G \to G$ is a private map. The exchanged key has the form $K = \varphi_l(\varphi_{l-1}(\dots(\varphi_1(g))))$, where $g$ is one of the chosen elements. Specifically, $\varphi$ can be: one-side multiplication $g \mapsto ga$ or $g \mapsto ag$, two-side multiplication $g \mapsto agb$, conjugation $g \mapsto aga^{-1} = g^a$, action by an (endo)automorphism $g \mapsto \alpha(g)$, and so on.

SLIDE 10

General scheme using two-side multiplications.

General scheme: version with two-side multiplications. We assume that the platform (semi)group $G$ is a subset of a finite-dimensional linear space $V$ over a constructive field $F$ (finite or infinite). Alice and Bob sequentially publish elements of the form $\varphi_{c,c'}(f) = cfc'$, $c, c' \in G$, where $f \in G$ is a given or previously built element. The parameters $c, c'$ are private. The exchanged key has the form
$$K = \varphi_{c_l,c'_l}\big(\varphi_{c_{l-1},c'_{l-1}}(\dots(\varphi_{c_1,c'_1}(g)))\big) = c_l c_{l-1} \cdots c_1 \, g \, c'_1 \cdots c'_{l-1} c'_l.$$

SLIDE 11

General scheme using two-side multiplications.

We suppose that Alice chooses parameters $(c, c') = (a, a')$ in a given finitely generated subgroup $A$, and Bob picks parameters $(c, c') = (b, b')$ in a finitely generated subgroup $B$ of $G$. Usually $A$ and $B$ are pointwise commuting. Then, under some natural assumptions about $G$, $A$ and $B$, we show that an intruder can efficiently compute the exchanged key $K$ without computing the transformations used in the scheme. Note that Alice and Bob compute the exchanged key $K$ from the public data and one of the two parts of the private data. We claim that, under some natural assumptions, $K$ can be efficiently computed from the public data alone.

SLIDE 12

Cryptanalysis.

Suppose that all main computations over $V$ can be done efficiently. Then each finite system of linear equations can be solved efficiently, and so we can efficiently construct a basis $E = \{e_1, \dots, e_s\}$ of the linear subspace $\mathrm{Lin}(AhA)$ generated by all elements of the form $aha'$, where $a, a' \in A$ (and similarly for $B$).

SLIDE 13

Cryptanalysis.

Let $v = \varphi_{a,a'}(u)$, where $a, a' \in A$ are Alice's private parameters. Then for every element of the form $w = \varphi_{b,b'}(u)$, where $b, b' \in B$ (in other words, $w \in BuB$), we can efficiently construct $z = \varphi_{a,a'}(w)$ based on the structure of $V$.

SLIDE 14

Cryptanalysis.

Theorem. $v = aua'$, $w = bub'$ $\Rightarrow$ $z = awa' = abub'a'$.

Obviously $v \in AuA \subseteq \mathrm{Lin}(AuA) = \mathrm{Lin}(E)$, where $E = \{d_1 u d'_1, \dots, d_r u d'_r\}$ is a basis with $d_i, d'_i \in A$. By the Gauss elimination process we efficiently obtain the unique expression of the form
$$v = \sum_{i=1}^{r} \alpha_i \, d_i u d'_i, \qquad \alpha_i \in F.$$
We substitute $w$ for $u$ in the right-hand side. Since the elements of $A$ and $B$ pairwise commute, we obtain
$$\sum_{i=1}^{r} \alpha_i \, d_i w d'_i = \sum_{i=1}^{r} \alpha_i \, d_i b u b' d'_i = b \Big( \sum_{i=1}^{r} \alpha_i \, d_i u d'_i \Big) b' = bvb' = baua'b' = a(bub')a' = awa' = z.$$

SLIDE 15

Examples.

Example (Ko-Lee et al.). $G = B_n$ is one of the Artin braid groups (linear by the Krammer-Bigelow theorem, with an efficient inverse function). $g \in G$ is a public element, and $A, B \le G$ are public pointwise commuting subgroups. Alice chooses $a \in A$ and publishes $aga^{-1}$; Bob picks $b \in B$ and publishes $bgb^{-1}$. The shared key is $K = abga^{-1}b^{-1} = bagb^{-1}a^{-1}$. Oscar constructs a basis $E$ for $\mathrm{Lin}(AgA)$ and then computes $K$. Note that he does not compute $a$ or $b$.

SLIDE 16

Examples.

Example (Wang et al.). Public data: a group $G \subseteq V$, $h \in G$, finitely generated $A, B \le G$ ($ab = ba$ for $a \in A$, $b \in B$).

1. Alice chooses $c_1, c_2, d_1, d_2 \in A$, then computes and publishes $x = d_1 c_1 h c_2 d_2$.

2. Bob chooses $f_1, f_2, g_1, g_2, g_3, g_4 \in B$, then computes and publishes $y = g_1 f_1 h f_2 g_2$ and $w = g_3 f_1 x f_2 g_4$.

3. Alice picks $d_3, d_4 \in A$, then computes and publishes $z = d_3 c_1 y c_2 d_4$ and $u = d_1^{-1} w d_2^{-1}$.

4. Bob computes and publishes $v = g_1^{-1} z g_2^{-1}$.

5. Alice computes $K_A = d_3^{-1} v d_4^{-1} = c_1 f_1 h f_2 c_2$.

6. Bob computes $K_B = g_3^{-1} u g_4^{-1} = c_1 f_1 h f_2 c_2$.

7. The shared key: $K = K_A = K_B$.

SLIDE 17

Cryptanalysis.

The following transformations were used in the protocol: $\varphi_{d_1 c_1, c_2 d_2}$, $\varphi_{g_1 f_1, f_2 g_2}$, $\varphi_{g_3 f_1, f_2 g_4}$, $\varphi_{d_3 c_1, c_2 d_4}$, $\varphi^{-1}_{d_1, d_2}$, $\varphi^{-1}_{g_1, g_2}$.

(1) By direct computation we get an expression for $K$:
$$K = \varphi_{c_1 f_1, f_2 c_2}(h) = \varphi^{-1}_{d_1, d_2}\Big(\varphi_{d_1 c_1, c_2 d_2}\big(\varphi^{-1}_{g_1, g_2}(\varphi_{g_1 f_1, f_2 g_2}(h))\big)\Big).$$

SLIDE 18

The outputs of the following transformations can be efficiently obtained by the rule of the theorem above (a transformation whose value on one element is known can be evaluated on any element of the corresponding double coset):

1. $y = \varphi_{g_1 f_1, f_2 g_2}(h)$ is public.

2. $v = \varphi^{-1}_{g_1, g_2}(z)$ and $y \in AzA$ $\Rightarrow$ $\varphi^{-1}_{g_1, g_2}(y) = f_1 h f_2$.

3. $x = \varphi_{d_1 c_1, c_2 d_2}(h)$ and $f_1 h f_2 \in BhB$ $\Rightarrow$ $\varphi_{d_1 c_1, c_2 d_2}(f_1 h f_2) = d_1 c_1 f_1 h f_2 c_2 d_2$.

4. $u = \varphi^{-1}_{d_1, d_2}(w)$ and $d_1 c_1 f_1 h f_2 c_2 d_2 \in BwB$ $\Rightarrow$ $\varphi^{-1}_{d_1, d_2}(d_1 c_1 f_1 h f_2 c_2 d_2) = c_1 f_1 h f_2 c_2 = K$.

SLIDE 19

The nonlinear decomposition attack.

The nonlinear decomposition method in cryptanalysis and the corresponding nonlinear decomposition attack were introduced by VR (2016) in: A nonlinear decomposition attack, Groups, Complexity, Cryptology, V. 8, No. 2 (2016), 197-207. The results are collected in the monograph "Essays in algebra and cryptology. Algebraic cryptanalysis", published by Dostoevsky OmSU Publishing House, 2018.

SLIDE 20

The nonlinear decomposition attack: main idea.

This attack works when the membership search problem is efficiently solvable in the platform (semi)group $G$ and every subgroup $H$ of $G$ is finitely generated. For example, it works for finitely generated nilpotent and polycyclic groups under reasonable assumptions.

SLIDE 21

Example.

Example (Shpilrain et al.). Public data: a (semi)group $G$, $g \in G$, $\varphi \in \mathrm{Aut}(G)$ (or $\mathrm{End}(G)$), $H = G \rtimes \mathrm{gp}(\varphi)$.

1. Alice picks a private $m \in \mathbb{N}$, computes $(\varphi, g)^m = (\varphi^m, g_m)$ and publishes only the second component $g_m = \varphi^{m-1}(g) \cdots \varphi^2(g) \cdot \varphi(g) \cdot g$.

2. Bob picks a private $n \in \mathbb{N}$, computes $(\varphi, g)^n = (\varphi^n, g_n)$ and publishes only the second component $g_n = \varphi^{n-1}(g) \cdots \varphi^2(g) \cdot \varphi(g) \cdot g$.

3. Alice computes $(x, g_n) \cdot (\varphi^m, g_m) = (x \cdot \varphi^m, \varphi^m(g_n) \cdot g_m)$. Her key is now $K_A = \varphi^m(g_n) \cdot g_m$.

4. Bob computes $(y, g_m) \cdot (\varphi^n, g_n) = (y \cdot \varphi^n, \varphi^n(g_m) \cdot g_n)$. His key is now $K_B = \varphi^n(g_m) \cdot g_n$.

5. $K_A = K_B = K$ is the shared key.

SLIDE 22

Cryptanalysis.

Let $H = \mathrm{gp}(g_1, \dots, g_t)$. Then one can find an expression of Alice's element $g_m$ in the form
$$g_m = \prod_{j=1}^{k} g_{i_j}^{\epsilon_j}, \qquad i_j \in \{1, \dots, t\},\ \epsilon_j = \pm 1,\ j = 1, \dots, k.$$
Since $\varphi_{i_j}(g_n) \cdot g_{i_j} = \varphi^n(g_{i_j}) \cdot g_n$, we get
$$K = g_{m+n} = \varphi^n(g_m) \cdot g_n = \varphi^n\Big(\prod_{j=1}^{k} g_{i_j}^{\epsilon_j}\Big) \cdot g_n = \prod_{j=1}^{k} \varphi^n(g_{i_j})^{\epsilon_j} \cdot g_n = \prod_{j=1}^{k} \big(\varphi^n(g_{i_j}) \cdot g_n \cdot g_n^{-1}\big)^{\epsilon_j} \cdot g_n = \prod_{j=1}^{k} \big(\varphi_{i_j}(g_n) \cdot g_{i_j} \cdot g_n^{-1}\big)^{\epsilon_j} \cdot g_n.$$
All the elements $g_n$, $g_{i_j}$, $\epsilon_j$ and $\varphi_{i_j}$ for $i_j \in \{1, \dots, t\}$ are known. Hence $K$ is determined. Note that we did not compute $m$, $n$, $\varphi^m$ or $\varphi^n$.

SLIDE 23

Part II. PROTECTION AGAINST LINEAR ALGEBRA ATTACKS


SLIDE 24

Marginal sets corresponding to elements.

We introduce a new notion that extends the marginality property.

Definition. Let $w = w(x_1, \dots, x_n)$ be a group word, $G$ be a group and $\bar g = (g_1, \dots, g_n)$ be a tuple of elements of $G$. We say that a tuple $\bar c = (c_1, \dots, c_n) \in G^n$ is a marginal tuple determined by $w$ and $\bar g$ if $w(c_1 g_1, \dots, c_n g_n) = w(g_1, \dots, g_n)$. We write $\bar c \perp w(\bar g)$ in this case. A set $\bar C \subseteq G^n$ is said to be marginal with respect to $w$ if $\bar c \perp w(\bar g)$ for every tuple $\bar c \in \bar C$.

SLIDE 25

Marginal sets: constructing.

We can construct a marginal set $\bar C$, $\bar C \perp w(\bar g)$, very easily. Let $w = w(\bar g) = a_1 a_2 \cdots a_k$. Consider the equation
$$x_1 a_1 x_2 a_2 \cdots x_k a_k = w. \qquad (2)$$
Every solution of (2) can be included in a marginal set $\bar C$. We can fix $i$ and choose any values $x_j = c_j$, $j \ne i$, $c_j \in G$. Then we obtain a solution of (2) by setting
$$x_i = a_{i-1}^{-1} c_{i-1}^{-1} \cdots a_1^{-1} c_1^{-1} \, w \, a_k^{-1} c_k^{-1} \cdots a_{i+1}^{-1} c_{i+1}^{-1} a_i^{-1}. \qquad (3)$$
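The construction of equation (3) worked in code, as an added example that is not part of the talk. It assumes a constructed toy platform, the symmetric group on $\{0, \dots, n-1\}$ with permutations stored as tuples and multiplied left to right, and the word $w = x_1 x_2 \cdots x_k$; the names compose, inverse, product, marginal_tuple, is_marginal and demo are this example's own. marginal_tuple fixes every $c_j$ with $j \ne i$ at random and solves for $c_i$; is_marginal checks the defining identity $w(c_1 a_1, \dots, c_k a_k) = w(a_1, \dots, a_k)$.

```python
import random

def compose(p, q):
    """Product p*q of permutations (tuples on {0..n-1}), applied left to right: i -> q[p[i]]."""
    return tuple(q[p[i]] for i in range(len(p)))

def inverse(p):
    inv = [0] * len(p)
    for i, pi in enumerate(p):
        inv[pi] = i
    return tuple(inv)

def product(ps, n):
    """ps[0]*ps[1]*...*ps[-1]; the empty product is the identity of S_n."""
    acc = tuple(range(n))
    for p in ps:
        acc = compose(acc, p)
    return acc

def marginal_tuple(a, i, rng):
    """Solve x_1 a_1 ... x_k a_k = a_1 ... a_k for x_i (eq. (3)) with the other x_j = c_j random."""
    n, k = len(a[0]), len(a)
    w = product(a, n)
    c = [tuple(rng.sample(range(n), n)) for _ in range(k)]            # free choices c_j, j != i
    left = product([m for j in range(i) for m in (c[j], a[j])], n)    # c_1 a_1 ... c_{i-1} a_{i-1}
    right = product([a[i]] + [m for j in range(i + 1, k) for m in (c[j], a[j])], n)  # a_i c_{i+1} ... c_k a_k
    c[i] = compose(compose(inverse(left), w), inverse(right))        # x_i = left^-1 w right^-1
    return c

def is_marginal(c, a):
    """True iff w(c_1 a_1, ..., c_k a_k) = w(a_1, ..., a_k) for the word w = x_1 ... x_k."""
    n = len(a[0])
    return product([m for cj, aj in zip(c, a) for m in (cj, aj)], n) == product(a, n)

def demo(seed=7, n=6, k=4):
    """Constructed sample: k random permutations of {0..n-1}; build a marginal tuple for every i."""
    rng = random.Random(seed)
    a = [tuple(rng.sample(range(n), n)) for _ in range(k)]
    return all(is_marginal(marginal_tuple(a, i, rng), a) for i in range(k))
```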

SLIDE 26

Example: version of AAG scheme.

A version of the Anshel-Anshel-Goldfeld scheme. Alice and Bob want to exchange a key. They agree on a public platform group $G$ given explicitly by a finite set of generators. Alice chooses a public $\bar a = (a_1, \dots, a_k) \in G^k$. Then she picks a private group word $u = u(x_1, \dots, x_k)$ and computes $u(\bar a) = u(a_1, \dots, a_k)$. She also finds a public marginal set $\bar C \subseteq G^k$, $\bar C \perp u(\bar a)$. Bob chooses a public tuple of elements $\bar b = (b_1, \dots, b_l) \in G^l$. Then he picks a private group word $v = v(y_1, \dots, y_l)$ and computes $v(\bar b) = v(b_1, \dots, b_l)$. He also finds a public marginal set $\bar D \subseteq G^l$, $\bar D \perp v(\bar b)$.

SLIDE 27

Algorithm.

1. Alice publishes $a_1, \dots, a_k$ as $a_{\pi(1)}, \dots, a_{\pi(k)}$, $\pi \in S_k$; $\pi$ is applied to the tuples $\bar c \in \bar C$ too.

2. Bob acts in the similar way.

3. Alice picks a private tuple $\bar d = (d_1, \dots, d_{l'}) \in \bar D$, computes $\bar d \bar b = (d_1 b_1, \dots, d_{l'} b_{l'})$ and sends $(\bar d \bar b)^{u(\bar a)} = \big((d_1 b_1)^{u(\bar a)}, \dots, (d_{l'} b_{l'})^{u(\bar a)}\big)$ to Bob.

4. Bob acts in the similar way.

5. Alice computes $u(\bar a)^{-1} \, u\big((c_1 a_1)^{v(\bar b)}, \dots, (c_k a_k)^{v(\bar b)}\big) = u(\bar a)^{-1} \, u(c_1 a_1, \dots, c_k a_k)^{v(\bar b)} = [u(\bar a), v(\bar b)]$.

6. Bob acts in the similar way.

7. $K = [u(\bar a), v(\bar b)]$ is the secret exchange key.

SLIDE 28

The conjugacy-membership search problem.

Definition. The conjugacy-membership problem is solvable for $G$ with respect to $\bar C \subseteq G^k$ if there is an algorithm that decides, for any two tuples $\bar a = (a_1, \dots, a_k)$ and $\bar f = (f_1, \dots, f_k)$ of elements of $G$, whether or not there exists $y \in G$ such that $(f_1^y a_1^{-1}, \dots, f_k^y a_k^{-1}) \in \bar C$. Shortly: is there $y \in G$ such that $\bar f^{\,y} \bar a^{-1} \in \bar C$? The corresponding conjugacy-membership search problem asks for an algorithm that finds such a $y$ whenever one exists.

SLIDE 29

Other applications.

A version of the Ko-Lee et al. scheme. Let $G$ be a group, $g \in G$ a public element, and $A, B \le G$ public pointwise commuting subgroups. Alice and Bob choose two private expressions $g = u(g_1, \dots, g_n)$ and $g = v(f_1, \dots, f_m)$, then publish $\{g_1, \dots, g_n\}$ and $\{f_1, \dots, f_m\}$ respectively. They construct two public sets $C \perp u(g_1, \dots, g_n)$ and $D \perp v(f_1, \dots, f_m)$ respectively.

1. Alice chooses an element $a \in A$ and $\bar d \in D$, and publishes $\big((d_1 f_1)^a, \dots, (d_m f_m)^a\big)$.

2. Bob picks $b \in B$ and $\bar c \in C$, and publishes $\big((c_1 g_1)^b, \dots, (c_n g_n)^b\big)$.

3. Alice computes $u\big((c_1 g_1)^b, \dots, (c_n g_n)^b\big) = u(g_1, \dots, g_n)^b = g^b$, then $K_A = g^{ba}$.

4. Bob computes $v\big((d_1 f_1)^a, \dots, (d_m f_m)^a\big) = v(f_1, \dots, f_m)^a = g^a$, then $K_B = g^{ab}$.

5. The shared key is $K = K_A = K_B$.

SLIDE 30

The end

THANK YOU FOR YOUR ATTENTION!
