russian workshop on complexity and model theory russian
play

Russian Workshop on Complexity and Model Theory, Russian Workshop on - PowerPoint PPT Presentation

Dec 01, 2023 •396 likes •699 views

THE LINEAR DECOMPOSITION ATTACK THE NONLINEAR DECOMPOSITION ATTACK Russian Workshop on Complexity and Model Theory, Russian Workshop on Complexity and Model Theory, Algebraic cryptology: methods of cryptanalysis via (non)linear decomposition

  1. THE LINEAR DECOMPOSITION ATTACK THE NONLINEAR DECOMPOSITION ATTACK Russian Workshop on Complexity and Model Theory, Russian Workshop on Complexity and Model Theory, Algebraic cryptology: methods of cryptanalysis via (non)linear decomposition and new protection against them Moscow, June 9-11, 2019 Vitaly Roman’kov

  2. THE LINEAR DECOMPOSITION ATTACK THE NONLINEAR DECOMPOSITION ATTACK Speaker Vitaly Roman’kov DOSTOEVSKY OMSK STATE UNIVERSITY, OMSK, RUSSIA Vitaly Roman’kov

  3. THE LINEAR DECOMPOSITION ATTACK THE NONLINEAR DECOMPOSITION ATTACK Goal of this talk Attack is the secret of defense; defense is the planning of an attack. – Sun Tzu, The Art of War We are to present methods of linear and nonlinear algebraic cryptanalysis and show how we can protect against them and other methods based on linear algebra. Vitaly Roman’kov

  4. THE LINEAR DECOMPOSITION ATTACK THE NONLINEAR DECOMPOSITION ATTACK Part I. ALGEBRAIC CRYPTANALYSIS Vitaly Roman’kov

  5. THE LINEAR DECOMPOSITION ATTACK THE NONLINEAR DECOMPOSITION ATTACK THE METHODS OF LINEAR & NONLINEAR DECOMPOSITIONS IN ALGEBRAIC CRYPTANALYSIS Vitaly Roman’kov

  6. THE LINEAR DECOMPOSITION ATTACK THE NONLINEAR DECOMPOSITION ATTACK The linear decomposition attack: invention. The linear decomposition attack The linear decomposition method in cryptanalysis and corresponding linear decomposition attack have been introduced by VR (2012-13) in: Cryptanalysis of some schemes applying automorphisms, Prikl. Diskr. Mat., 2013, No. 3 (2013), 35-51 (in Russian) , Algebraic cryptography, Omsk, 2013 (in Russian) , Linear decomposition method in analyzing hidden information protocols on algebraic platforms, Algebra and Logic, 54, No.1, (2015), 81-87 , and series of lectures at SYBECRYPT’15. Vitaly Roman’kov

  7. THE LINEAR DECOMPOSITION ATTACK THE NONLINEAR DECOMPOSITION ATTACK The linear decomposition attack: development These method and attack were developed : by VR and A. Myasnikov in A linear decomposition attack, Groups, Complexity, Cryptology, 2015 and in a number of other papers. The results are collected in monograph ”Essays in algebra and cryptology. Algebraic cryptanalysis”, published by Dostoevsky OmSU Publishing House, 2018. Vitaly Roman’kov

  8. THE LINEAR DECOMPOSITION ATTACK THE NONLINEAR DECOMPOSITION ATTACK The linear decomposition attack: applications These both, method and attack, were applied to the following cryptoschemes: Ko-Lee et al., Markov-Mikhalev et al., Gribov-Zolotykh et al., Rososhek, Harley, Megrelishvili et al., Mahalanobis, Kahrobaei-Shpilrain et al., Shpilrain-Ushakov, Andrecut, Alvares-Martines et al., Sakalauskas-Tvarijonas et al., Romanczuk-Ustimenko, Kurt, Fine-Kahrobaei et al., Stickel, Wang et al., Hecht, and so on. Vitaly Roman’kov

  9. THE LINEAR DECOMPOSITION ATTACK THE NONLINEAR DECOMPOSITION ATTACK General scheme General scheme. Let G be a group, { g 1 , ..., g s } ⊆ G be a set of public/private elements. Then Alice and Bob publish sequentially elements of the form φ ( f ) where f ∈ G is a chosen or previously built element and φ : G → G is a private map. The exchanged key has the form K = φ l ( φ l − 1 ( ... ( φ 1 ( g )))) , where g is one of the chosen elements. Specifically φ can be: one-side multiplication g �→ ga or ag , two-side multiplication g �→ agb , conjugation g �→ aga − 1 = g a , action by (endo)automorphism g �→ α ( g ), and so on. Vitaly Roman’kov

  10. THE LINEAR DECOMPOSITION ATTACK THE NONLINEAR DECOMPOSITION ATTACK General scheme using two-side multiplications. General scheme: version with two-side multiplications. We assume that the platform (semi)group G is a subset of a finitely dimensional linear space V over a constructive field F (finite or infinite). Alice and Bob publish sequentially elements of the form φ c , c ′ ( f ) = cfc ′ ; c , c ′ ∈ G , where f ∈ G is a given or previously built element. The parameters c , c ′ are private. The exchanged key has the form 1 ( g )))) = c l c l − 1 ... c 1 gc ′ 1 ... c ′ l − 1 c ′ K = φ c l , c ′ l ( φ c l − 1 , c ′ l − 1 ( ... ( φ c 1 , c ′ l . Vitaly Roman’kov

  11. THE LINEAR DECOMPOSITION ATTACK THE NONLINEAR DECOMPOSITION ATTACK General scheme using two-side multiplications. We suppose that Alice chooses parameters ( c , c ′ ) = ( a , a ′ ) in a given finitely generated subgroup A , and Bob picks up parameters ( c , c ′ ) = ( b , b ′ ) in a finitely generated subgroup B of G . Usually A and B are point wise commuting. Then, under some natural assumptions about G , A and B , we show that each intruder can efficiently calculate the exchanged key K without calculation the transformations used in the scheme. Note, that Alice and Bob calculate the exchanged key K basing on public data and one of the two parts of private data. We claim that K under some natural assumptions can be efficiently calculated basing only on public data. Vitaly Roman’kov

  12. THE LINEAR DECOMPOSITION ATTACK THE NONLINEAR DECOMPOSITION ATTACK Cryptanalysis. Suppose that all main computations over V can be efficiently done. Then each finite set of linear equations can be efficiently solved. Then we can efficiently construct a basis E = { e 1 , ..., e s } of the linear subspace Lin( AhA ), generated by all elements of the form aha ′ , where a , a ′ ∈ A (we can do similarly for B ). Vitaly Roman’kov

  13. THE LINEAR DECOMPOSITION ATTACK THE NONLINEAR DECOMPOSITION ATTACK Cryptanalysis. Let v = φ a , a ′ ( u ) , where a , a ′ ∈ A are Alice’s private parameters. Then for every element of the form w = φ b , b ′ ( u ) , where b , b ′ ∈ B (in other words w ∈ BuB ), we can efficiently construct z = φ a , a ′ ( w ) based on the structure of V . Vitaly Roman’kov

  14. THE LINEAR DECOMPOSITION ATTACK THE NONLINEAR DECOMPOSITION ATTACK Cryptanalysis. Theorem v = aua ′ , w = bub ′ ⇒ z = awa ′ = abub ′ a ′ . Obviously v ∈ AuA = lin ( E ), E = { d 1 ud ′ 1 , ..., d r ud ′ r } , d i , d ′ i ∈ A ) } . By the Gauss elimination process we efficiently obtain the unique expression of the form r � α i d i ud ′ v = i , α i ∈ F . i =1 We substitute to the right hand side of w instead of u . Since elements of A and B are pairwise commuting we obtain r r r � � � α i d i wd ′ α i d i bub ′ d ′ α i d i ud ′ i ) b ′ i = i = b ( i =1 i =1 i =1 = bvb ′ = baua ′ b ′ = a ( bub ′ ) a ′ = awa ′ = z . Vitaly Roman’kov

  15. THE LINEAR DECOMPOSITION ATTACK THE NONLINEAR DECOMPOSITION ATTACK Examples. Example Ko-Lee et al. G = B n is one of the Artin braid groups (linear by Krammer-Bigelow theorem, with efficient inverse function). Then g ∈ G is a public element, A , B ≤ G are public point wise computing subgroups. Alice chooses a ∈ A and publishes aga − 1 , Bob picks up b ∈ B and publishes bgb − 1 . The schared key is K = abga − 1 b − 1 = bagb − 1 a − 1 . Oscar constructs a basis E for AgA and then computes K . Nevertheless, he does not compute a or b . Vitaly Roman’kov

  16. THE LINEAR DECOMPOSITION ATTACK THE NONLINEAR DECOMPOSITION ATTACK Examples. Example Wang et al. Public data: a group G ⊆ V , h ∈ G , f.g, A , B ≤ G ( ab = ba , a ∈ A , b ∈ B ) . 1 Alice chooses: c 1 , c 2 , d 1 , d 2 ∈ A , then computes and publishes x = d 1 c 1 hc 2 d 2 . 2 Bob chooses: f 1 , f 2 , g 1 , g 2 , g 3 , g 4 ∈ B , then computes and publishes y = g 1 f 1 hf 2 g 2 and w = g 3 f 1 xf 2 g 4 , . 3 Alice picks up: d 3 , d 4 ∈ A , then computes and publishes z = d 3 c 1 yc 2 d 4 and u = d − 1 1 wd − 1 2 , . 4 Bob computes and publishes v = g − 1 1 zg − 1 2 . 5 Alice computes K A = d − 1 3 vd − 1 = c 1 f 1 hf 2 c 2 . 4 6 Bob computes K B = g − 1 3 ug − 1 = c 1 f 1 hf 2 c 2 . 4 7 The shared key: K = K A = K B . Vitaly Roman’kov

  17. THE LINEAR DECOMPOSITION ATTACK THE NONLINEAR DECOMPOSITION ATTACK Cryptanalysis. The following transformations were used in the protocol: φ d 1 c 1 , c 2 d 2 , φ g 1 f 1 , f 2 g 2 , φ g 3 f 1 , f 2 g 4 , φ d 3 c 1 , c 2 d 4 , φ − 1 d 1 , d 2 , φ − 1 (1) g 1 , g 2 . By direct computation we get an expression of K = φ c 1 f 1 , f 2 c 2 ( h ) = φ − 1 d 1 , d 2 ( φ d 1 c 1 , c 2 d 2 ( φ − 1 g 1 , g 2 ( φ g 1 f 1 , f 2 g 2 ( h )))) . Vitaly Roman’kov

  18. THE LINEAR DECOMPOSITION ATTACK THE NONLINEAR DECOMPOSITION ATTACK The output of the following transformations can be efficiently obtained by the rule: 1 y = φ g 1 f 1 , f 2 g 2 ( h ) is public. 2 v = φ − 1 g 1 , g 2 ( z ) & y ∈ AzA ⇒ φ − 1 g 1 , g 2 ( y ) = f 1 hf 2 . 3 x = φ d 1 c 1 , c 2 d 2 ( h ) & f 1 hf 2 ∈ BhB ⇒ φ d 1 c 1 , c 2 d 2 ( f 1 hf 2 ) = d 1 c 1 f 1 hf 2 c 2 d 2 . 4 u = φ − 1 d 1 , d 2 ( w ) & d 1 c 1 f 1 hf 2 c 2 d 2 ∈ BwB ⇒ φ − 1 d 1 , d 2 ( d 1 c 1 f 1 hf 2 c 2 d 2 ) = c 1 f 1 hf 2 c 2 = K . Vitaly Roman’kov

  19. THE LINEAR DECOMPOSITION ATTACK THE NONLINEAR DECOMPOSITION ATTACK The nonlinear decomposition attack. The nonlinear decomposition method in cryptanalysis and corresponding nonlinear decomposition attack have been introduced by VR (2016) in: A nonlinear decomposition attack, Groups, Complexity, Cryptology, V. 8, No. 2 (2016), 197-207. The results are collected in monograph ”Essays in algebra and cryptology. Algebraic cryptanalysis”, published by Dostoevsky OmSU Publishing House, 2018. Vitaly Roman’kov

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Algebraic Geometry over Abelian Groups Evelina Daniyarova Russian Workshop on Complexity and

Algebraic Geometry over Abelian Groups Evelina Daniyarova Russian Workshop on Complexity and

Algebraic Geometry over Abelian Groups Evelina Daniyarova Russian Workshop on Complexity and Model Theory, June 9 11, 2019, Moscow, Russia Sobolev Institute of Mathematics of the SB RAS, Omsk, Russia Universal algebraic geometry =

567 views • 25 slides
FOR RUSSIAN AUDIENCES WORLDWIDE FILMBOX box RUSSIA Created and available for Russian speaking

FOR RUSSIAN AUDIENCES WORLDWIDE FILMBOX box RUSSIA Created and available for Russian speaking

FOR RUSSIAN AUDIENCES WORLDWIDE FILMBOX box RUSSIA Created and available for Russian speaking audience all over the world with exclusively Russian content. 24 HOURS A DAY, 7 DAYS A WEEK! SPIINTL.com FILMBOX box RUSSIA The channel has over

502 views • 11 slides
Russian Nights in Switzerland Concept Russian Nights in Switzerland is a very special

Russian Nights in Switzerland Concept Russian Nights in Switzerland is a very special

Russian Nights in Switzerland Concept Russian Nights in Switzerland is a very special whole-year entertainment project for Russians living and travelling in Switzerland. Russian Nights in Switzerland include six various events leading to

707 views • 39 slides
Russian Annexation of Crimea Class 9 Ukraine through history Kiev is cradle of Russian

Russian Annexation of Crimea Class 9 Ukraine through history Kiev is cradle of Russian

Russian Annexation of Crimea Class 9 Ukraine through history Kiev is cradle of Russian civilization. Then occupied by Mongols, Tatars and Lithuanians. Autonomous part of Russian empire until 1764. Ukraine through history

689 views • 19 slides
Russian Energy Strategy and Modernization of Russian Economy (Oil & Gas as Russias 6 th

Russian Energy Strategy and Modernization of Russian Economy (Oil & Gas as Russias 6 th

Russian Energy Strategy and Modernization of Russian Economy (Oil & Gas as Russias 6 th innovative cluster) Dr. Andrey A.Konoplyanik , Director on Energy Markets Regulations, Project Leader, Foundation Institute for Energy &

593 views • 18 slides
L L C V KC R K Russian Export Company PRESEN TATION INTERNAT IONAL TRADING RUSSIAN AGRICULTURAL

L L C V KC R K Russian Export Company PRESEN TATION INTERNAT IONAL TRADING RUSSIAN AGRICULTURAL

L L C V KC R K Russian Export Company PRESEN TATION INTERNAT IONAL TRADING RUSSIAN AGRICULTURAL PRODUCTS DELIVERY BY CONTAINERS CEREALS, LEGUMES, OIL SEEDS, ANIMAL FEED www.russia-agri-export.ru LLC V KC RK Russian Export Company PRESENTATION

204 views • 8 slides
On the mathematical theory of splitting and Russian roulette techniques Viatcheslav B. Melas

On the mathematical theory of splitting and Russian roulette techniques Viatcheslav B. Melas

7th International Workshop on Rare Event Simulation On the mathematical theory of splitting and Russian roulette techniques Viatcheslav B. Melas St.Petersburg State University, Russia Viatcheslav B. Melas On the mathematical theory of splitting

479 views • 25 slides
EC analysis of the comments raised by the Russian Federation Transport Summary The Russian

EC analysis of the comments raised by the Russian Federation Transport Summary The Russian

EC analysis of the comments raised by the Russian Federation Transport Summary The Russian Federation raises concerns on: Premature adoption of the smart tachograph Inclusion of references to EU legislation (165/2014 and 2016/799)

783 views • 11 slides
Towards an exhaustification analysis of plain disjunction in Russian Formal Approaches to Russian

Towards an exhaustification analysis of plain disjunction in Russian Formal Approaches to Russian

Towards an exhaustification analysis of plain disjunction in Russian Formal Approaches to Russian Linguistics 3 Pavel Rudnev pasha.rudnev@gmail.com 56 April 2019 Disjunction and polarity Focus of this talk syntax and semantics of plain

237 views • 21 slides
Russian Thistle (Tumbleweed) in Volusia County Russian Thistle Facts Scientific name -

Russian Thistle (Tumbleweed) in Volusia County Russian Thistle Facts Scientific name -

Russian Thistle (Tumbleweed) in Volusia County Russian Thistle Facts Scientific name - Salsola kali, Salsola australis, Salsola iberica, Salsola tragus Native to Russia and western Siberia Arrived in U.S. in 1873 in South Dakota

697 views • 15 slides
The Foreign Policy of Modern Russia: The Prospects for Russian British Relations Sergey Lavrov

The Foreign Policy of Modern Russia: The Prospects for Russian British Relations Sergey Lavrov

LSESU Russian Business Society and LSE lecture The Foreign Policy of Modern Russia: The Prospects for Russian British Relations Sergey Lavrov Minister of Foreign Affairs of the Russian Federation London School of Economics and Political Science

626 views • 3 slides
09.2015 RUSSIAN PRIVATE INTERIORS Concept Family values in Russian private interiors The

09.2015 RUSSIAN PRIVATE INTERIORS Concept Family values in Russian private interiors The

09.2015 RUSSIAN PRIVATE INTERIORS Concept Family values in Russian private interiors The SALON-interior magazine was launched in 1994 and from the Number of issue: 210 Number of pages: more then 78 400 very beginning it has published the best

811 views • 13 slides
single information and exhibition space The Russian Health Care Week is firmly on the Russian

single information and exhibition space The Russian Health Care Week is firmly on the Russian

UNIQUE FORMAT: single information and exhibition space The Russian Health Care Week is firmly on the Russian Ministry of Health Care event calendar. Russias key platform showcasing medical equipment, supplies and other health care

274 views • 11 slides
All-Russian Union of Oils and Fats Moscow, 2015 All-Russian Union of Oils and Fats was

All-Russian Union of Oils and Fats Moscow, 2015 All-Russian Union of Oils and Fats was

All-Russian Union of Oils and Fats Moscow, 2015 All-Russian Union of Oils and Fats was established in 1998, and began its activity in 1999. Now the Union has more than 50 members of oils and fats production and related industries plants,

138 views • 13 slides
Outline Exploring inexact rhyme in TradiQons in studying Russian rhyme Russian verse The

Outline Exploring inexact rhyme in TradiQons in studying Russian rhyme Russian verse The

10/17/17 Outline Exploring inexact rhyme in TradiQons in studying Russian rhyme Russian verse The meaning of inexact Methods and direcQons Inexact rhyme ~ non-rhyme Elise Thorsen (enthorsen@gmail.com) David J. Birnbaum

260 views • 3 slides
Pris ison Conditions Norwegian Prison American Prison Cell Russian Prison Cell Russian

Pris ison Conditions Norwegian Prison American Prison Cell Russian Prison Cell Russian

Pris ison Conditions Norwegian Prison American Prison Cell Russian Prison Cell Russian Prison Cell Russian Prison Cell Mount Joy Prison Cell Negotiations The Buyer has a maximum amount they are willing to pay and the Seller has a

383 views • 15 slides
Detecting Faces Marcello Pelillo University of Venice, Italy Image and Video Understanding a.y.

Detecting Faces Marcello Pelillo University of Venice, Italy Image and Video Understanding a.y.

Detecting Faces Marcello Pelillo University of Venice, Italy Image and Video Understanding a.y. 2018/19 Face Detection Identify and locate human faces in images regardless of their: position scale pose (out-of-plane rotation)

936 views • 76 slides
Human Motion Tracking by Registering an Articulated Surface to 3-D Points and Normals 1 Radu

Human Motion Tracking by Registering an Articulated Surface to 3-D Points and Normals 1 Radu

Human Motion Tracking by Registering an Articulated Surface to 3-D Points and Normals 1 Radu Horaud (Radu.Horaud@inrialpes.fr) Matti Niskanen, Guillaume Dewaele, Edmond Boyer. INRIA Grenoble Rhone-Alpes, France

393 views • 20 slides
The ARCHES cross-correlation tool cois-Xavier Pineau 1 Fran 1 Observatoire Astronomique de

The ARCHES cross-correlation tool cois-Xavier Pineau 1 Fran 1 Observatoire Astronomique de

The ARCHES cross-correlation tool cois-Xavier Pineau 1 Fran 1 Observatoire Astronomique de Strasbourg, Universit e de Strasbourg, CNRS Paris, 1 th December, 2015 1 / 36 INTRODUCTION This talk: Cross-correlation tool development &

1.26k views • 76 slides
Metric Learning for Large-Scale Image Classification: Generalizing to New Classes at Near-Zero

Metric Learning for Large-Scale Image Classification: Generalizing to New Classes at Near-Zero

Metric Learning for Large-Scale Image Classification: Generalizing to New Classes at Near-Zero Cost Florent Perronnin 1 work published at ECCV 2012 with: Thomas Mensink 1 , 2 Jakob Verbeek 2 Gabriela Csurka 1 1 Xerox Research Centre Europe, 2

544 views • 38 slides
Convolution in the time domain Multiplication in the frequency domain Matrix-vector

Convolution in the time domain Multiplication in the frequency domain Matrix-vector

Convolution in the time domain Multiplication in the frequency domain Matrix-vector multiplication Convolution Multiplication Toeplitz Block Toeplitz Doubly infinite Doubly infinite Banded Banded Polynomial A( ) Matrix Polynomial A(

439 views • 18 slides
Announcements Wednesday, October 10 The second midterm is on Friday, October 19 . That is

Announcements Wednesday, October 10 The second midterm is on Friday, October 19 . That is

Announcements Wednesday, October 10 The second midterm is on Friday, October 19 . That is one week from this Friday. The exam covers 3.5, 3.6, 3.7, 3.9, 4.1, 4.2, 4.3, 4.4 (through todays material). WeBWorK 4.2, 4.3 are due

613 views • 22 slides
d i E Matrices a l l u d Dr. Abdulla Eid b A College of Science . r D MATHS 103:

d i E Matrices a l l u d Dr. Abdulla Eid b A College of Science . r D MATHS 103:

Section 6.1 d i E Matrices a l l u d Dr. Abdulla Eid b A College of Science . r D MATHS 103: Mathematics for Business I Dr. Abdulla Eid (University of Bahrain) Matrices 1 / 11 Goal d We want to learn i E 1 What a matrix is?

395 views • 11 slides
CPSC 490 DP - Guest Lecture Part 4: DP Optimizations David Zheng 2020/01/30 University of

CPSC 490 DP - Guest Lecture Part 4: DP Optimizations David Zheng 2020/01/30 University of

CPSC 490 DP - Guest Lecture Part 4: DP Optimizations David Zheng 2020/01/30 University of British Columbia Announcements An upsolver for A1 has been released! You can get 25% marks on the questions you didnt solve. 1 Guest Lecturer:

442 views • 41 slides

More recommend