scholarly journals Cryptanalysis of the Legendre PRF and Generalizations

2020 ◽  
pp. 313-330
Author(s):  
Ward Beullens ◽  
Tim Beyne ◽  
Aleksei Udovenko ◽  
Giuseppe Vitto
Keyword(s):  
Large Class ◽  
Time Complexity ◽  
Security Analysis ◽  
Log P ◽  
Multiparty Computation ◽  
Practical Relevance ◽  
Legendre Symbol ◽  
Weak Keys

The Legendre PRF relies on the conjectured pseudorandomness properties of the Legendre symbol with a hidden shift. Originally proposed as a PRG by Damgård at CRYPTO 1988, it was recently suggested as an efficient PRF for multiparty computation purposes by Grassi et al. at CCS 2016. Moreover, the Legendre PRF is being considered for usage in the Ethereum 2.0 blockchain.This paper improves previous attacks on the Legendre PRF and its higher-degree variant due to Khovratovich by reducing the time complexity from O(< (p log p/M) to O(p log2 p/M2) Legendre symbol evaluations when M ≤ 4√ p log2 p queries are available. The practical relevance of our improved attack is demonstrated by breaking three concrete instances of the PRF proposed by the Ethereum foundation. Furthermore, we generalize our attack in a nontrivial way to the higher-degree variant of the Legendre PRF and we point out a large class of weak keys for this construction. Lastly, we provide the first security analysis of two additional generalizations of the Legendre PRF originally proposed by Damgård in the PRG setting, namely the Jacobi PRF and the power residue PRF.

scholarly journals Fast and spectrally accurate evaluation of gyroaverages in non-periodic gyrokinetic-Poisson simulations

2017 ◽  
Vol 83 (4) ◽  
Author(s):  
J. Guadagni ◽  
A. J. Cerfon
Keyword(s):  
Time Complexity ◽  
Numerical Scheme ◽  
Fourier Transforms ◽  
Hankel Transform ◽  
Log P ◽  
Fourier Space ◽  
Compactly Supported ◽  
Geometric Convergence ◽  
Spatial Grid ◽  
Grid Points

We present a fast and spectrally accurate numerical scheme for the evaluation of the gyroaveraged electrostatic potential in non-periodic gyrokinetic-Poisson simulations. Our method relies on a reformulation of the gyrokinetic-Poisson system in which the gyroaverage in Poisson’s equation is computed for the compactly supported charge density instead of the non-periodic, non-compactly supported potential itself. We calculate this gyroaverage with a combination of two Fourier transforms and a Hankel transform, which has the near optimal run-time complexity$O(N_{\unicode[STIX]{x1D70C}}(P+\hat{P})\log (P+\hat{P}))$, where$P$is the number of spatial grid points,$\hat{P}$the number of grid points in Fourier space and$N_{\unicode[STIX]{x1D70C}}$the number of grid points in velocity space. We present numerical examples illustrating the performance of our code and demonstrating geometric convergence of the error.

scholarly journals Integral Distinguishers of the Full-Round Lightweight Block Cipher SAT_Jo

2021 ◽  
Vol 2021 ◽  
pp. 1-9
Author(s):  
Xueying Qiu ◽  
Yongzhuang Wei ◽  
Samir Hodzic ◽  
Enes Pasalic
Keyword(s):  
Linear Programming ◽  
Integer Linear Programming ◽  
Mixed Integer Linear Programming ◽  
Time Complexity ◽  
Block Cipher ◽  
Security Analysis ◽  
Mixed Integer ◽  
Substitution Boxes ◽  
Lightweight Block Cipher ◽  
The One

Integral cryptanalysis based on division property is a powerful cryptanalytic method whose range of successful applications was recently extended through the use of Mixed-Integer Linear Programming (MILP). Although this technique was demonstrated to be efficient in specifying distinguishers of reduced round versions of several families of lightweight block ciphers (such as SIMON, PRESENT, and few others), we show that this method provides distinguishers for a full-round block cipher SAT_Jo. SAT_Jo cipher is very similar to the well-known PRESENT block cipher, which has successfully withstood the known cryptanalytic methods. The main difference compared to PRESENT, which turns out to induce severe weaknesses of SAT_Jo algorithm, is its different choice of substitution boxes (S-boxes) and the bit-permutation layer for the reasons of making the cipher highly resource-efficient. Even though the designers provided a security analysis of this scheme against some major generic cryptanalytic methods, an application of the bit-division property in combination with MILP was not considered. By specifying integral distinguishers for the full-round SAT_Jo algorithm using this method, we essentially disapprove its use in intended applications. Using a 30-round distinguisher, we also describe a subkey recovery attack on the SAT_Jo algorithm whose time complexity is about 2 66 encryptions (noting that SAT_Jo is designed to provide 80 bits of security). Moreover, it seems that the choice of bit-permutation induces weak division properties since replacing the original bit-permutation of SAT_Jo by the one used in PRESENT immediately renders integral distinguishers inefficient.

scholarly journals Weak Keys in Reduced AEGIS and Tiaoxin

2021 ◽  
pp. 104-139
Author(s):  
Fukang Liu ◽  
Takanori Isobe ◽  
Willi Meier ◽  
Kosei Sakamoto
Keyword(s):  
Time Complexity ◽  
High Performance ◽  
Stream Cipher ◽  
Third Party ◽  
Key Recovery ◽  
Weak Keys ◽  
Internal States ◽  
Caesar Competition ◽  
Key Recovery Attack ◽  
Pass Through

AEGIS-128 and Tiaoxin-346 (Tiaoxin for short) are two AES-based primitives submitted to the CAESAR competition. Among them, AEGIS-128 has been selected in the final portfolio for high-performance applications, while Tiaoxin is a third-round candidate. Although both primitives adopt a stream cipher based design, they are quite different from the well-known bit-oriented stream ciphers like Trivium and the Grain family. Their common feature consists in the round update function, where the state is divided into several 128-bit words and each word has the option to pass through an AES round or not. During the 6-year CAESAR competition, it is surprising that for both primitives there is no third-party cryptanalysis of the initialization phase. Due to the similarities in both primitives, we are motivated to investigate whether there is a common way to evaluate the security of their initialization phases. Our technical contribution is to write the expressions of the internal states in terms of the nonce and the key by treating a 128-bit word as a unit and then carefully study how to simplify these expressions by adding proper conditions. As a result, we find that there are several groups of weak keys with 296 keys each in 5-round AEGIS-128 and 8-round Tiaoxin, which allows us to construct integral distinguishers with time complexity 232 and data complexity 232. Based on the distinguisher, the time complexity to recover the weak key is 272 for 5-round AEGIS-128. However, the weak key recovery attack on 8-round Tiaoxin will require the usage of a weak constant occurring with probability 2−32. All the attacks reach half of the total number of initialization rounds. We expect that this work can advance the understanding of the designs similar to AEGIS and Tiaoxin.

scholarly journals Weak Keys in the Rekeying Paradigm: Application to COMET and mixFeed

2020 ◽  
pp. 272-289
Author(s):  
Mustafa Khairallah
Keyword(s):  
Lower Bound ◽  
Security Analysis ◽  
Unified Model ◽  
The State ◽  
Key Recovery ◽  
Key Schedule ◽  
Weak Keys ◽  
Generic Attacks ◽  
State Size ◽  
Online Queries

In this paper, we study a group of AEAD schemes that use rekeying as a technique to increase efficiency by reducing the state size of the algorithm. We provide a unified model to study the behavior of the keys used in these schemes, called Rekey-and-Chain (RaC). This model helps understand the design of several AEAD schemes. We show generic attacks on these schemes based on the existence of certain types of weak keys. We also show that the borderline between multi-key and single-key analyses of these schemes is not solid and the analysis can be performed independent of the master key, leading sometimes to practical attacks in the multi-key setting. More importantly, the multi-key analysis can be applied in the single key setting, since each message is encrypted with a different key. Consequently, we show gaps in the security analysis of COMET and mixFeed in the single key setting, which led the designers to provide overly optimistic security claims. In the case of COMET, full key recovery can be performed with 264 online queries and 264 offline queries in the single-key setting, or 246 online queries per user and 264 offline queries in the multi-key setting with ∼ 0.5 million users. In the case of mixFeed, we enhance the forgery adversarial advantage in the single-key setting with a factor of 267 compared to what the designers claim. More importantly, our result is just a lower bound of this advantage, since we show that the gap in the analysis of mixFeed depends on properties of the AES Key Schedule that are not well understood and require more cryptanalytic efforts to find a more tight advantage. After reporting these findings, the designers updated their security analyses and accommodated the proposed attacks.

scholarly journals A note on secure multiparty computation via higher residue symbols

2021 ◽  
Vol 15 (1) ◽  
pp. 284-297
Author(s):  
Ignacio Cascudo ◽  
Reto Schnyder
Keyword(s):  
Prime Number ◽  
Small Difference ◽  
Secure Multiparty Computation ◽  
Small Subset ◽  
Multiparty Computation ◽  
Legendre Symbol ◽  
Sign Function ◽  
Residue Symbol

Abstract We generalize a protocol by Yu for comparing two integers with relatively small difference in a secure multiparty computation setting. Yu's protocol is based on the Legendre symbol. A prime number p is found for which the Legendre symbol (· | p) agrees with the sign function for integers in a certain range {−N, . . . , N} ⊂ ℤ. This can then be computed efficiently. We generalize this idea to higher residue symbols in cyclotomic rings ℤ[ζr ] for r a small odd prime. We present a way to determine a prime number p such that the r-th residue symbol (· | p) r agrees with a desired function f : A → { ζ r 0 , … , ζ r r − 1 } f:A \to \left\{ {\zeta _r^0, \ldots ,\zeta _r^{r - 1}} \right\} on a given small subset A ⊂ ℤ[ζr ], when this is possible. We also explain how to efficiently compute the r-th residue symbol in a secret shared setting.

SCALABLE ALGORITHMS FOR BICHROMATIC LINE SEGMENT INTERSECTION PROBLEMS ON COARSE GRAINED MULTICOMPUTERS

1996 ◽  
Vol 06 (04) ◽  
pp. 487-506 ◽  
Author(s):  
ANDREAS FABRI ◽  
OLIVIER DEVILLERS
Keyword(s):  
Line Segment ◽  
Time Complexity ◽  
Coarse Grained ◽  
Log P ◽  
Scalable Algorithms ◽  
Interprocessor Communication ◽  
Additional Time ◽  
Sequential Computation ◽  
Communication Time ◽  
Line Segment Intersection

We present output-sensitive scalable parallel algorithms for bichromatic line segment intersection problems for the coarse grained multicomputer model. Under the assumption that n≥p2, where n is the number of line segments and p the number of processors, we obtain an intersection counting algorithm with a time complexity of [Formula: see text], where Ts(m, p) is the time used to sort m items on a p processor machine. The first term captures the time spent in sequential computation performed locally by each processor. The second term captures the interprocessor communication time. An additional [Formula: see text] time in sequential computation is spent on the reporting of the k intersections. As the sequential time complexity is O(n log n) for counting and an additional time O(k) for reporting, we obtain a speedup of [Formula: see text] in the sequential part of the algorithm. The speedup in the communication part obviously depends on the underlying architecture. For example for a hypercube it ranges between [Formula: see text] and [Formula: see text] depending on the ratio of n and p. As the reporting does not involve more interprocessor communication than the counting, the algorithm achieves a full speedup of p for k≥ O( max (n log n log p, n log 3 p)) even on a hypercube.

scholarly journals Parallel Oblivious Array Access for Secure Multiparty Computation and Privacy-Preserving Minimum Spanning Trees

2015 ◽  
Vol 2015 (2) ◽  
pp. 188-205 ◽  
Author(s):  
Peeter Laud
Keyword(s):  
Large Class ◽  
Spanning Tree ◽  
Spanning Trees ◽  
Minimum Spanning Tree ◽  
Black Box ◽  
Secure Multiparty Computation ◽  
Multiparty Computation ◽  
Minimum Spanning Trees ◽  
Asymptotic Performance ◽  
Underlying Graph

AbstractIn this paper, we describe efficient protocols to perform in parallel many reads and writes in private arrays according to private indices. The protocol is implemented on top of the Arithmetic Black Box (ABB) and can be freely composed to build larger privacypreserving applications. For a large class of secure multiparty computation (SMC) protocols, our technique has better practical and asymptotic performance than any previous ORAM technique that has been adapted for use in SMC.Our ORAM technique opens up a large class of parallel algorithms for adoption to run on SMC platforms. In this paper, we demonstrate how the minimum spanning tree (MST) finding algorithm by Awerbuch and Shiloach can be executed without revealing any details about the underlying graph (beside its size). The data accesses of this algorithm heavily depend on the location and weight of edges (which are private) and our ORAM technique is instrumental in their execution. Our implementation is the first-ever realization of a privacypreserving MST algorithm with sublinear round complexity.

scholarly journals Security Analysis of Zipper Hash Against Multicollisions Attacks

2012 ◽  
Vol 2 (3) ◽  
pp. 226-231
Author(s):  
N. Bagheri
Keyword(s):  
Hash Function ◽  
Time Complexity ◽  
Security Analysis ◽  
Birthday Attack

In this paper,  the existence of multicollisions in Zipper Hash structure, a new Hash structure which was introduced to strengthen the iterated Hash structures, is presented. This study shows that finding multicollisions, i.e. 2k-way collision, in this Hash structure is not much harder than finding such  multicollisions in ordinary Merkle  - Damgard (MD)  structure. In fact, the complexity of the attacks is approximately n/2 times harder than what has been found for MD structures. Then, these large multicollisions are used as a tool to find D-way preimage for this structure. The complexity of finding 2K-way multicollisions and 2k-way preimages are  (eq) and (eq) respectively. Similar to what has been proved by Joux for MD, it is shown in this paper that this structure could not be used to create a Hash function with 2n-bit length by concatenating this structure with any other Hash structure by Hash’s output length of n-bite. It is also shown that time complexity of finding a collision for this concatenated structure is (eq)  which is much smaller than what was expected from generic-birthday attack which would be (eq) . In addition, it is shown that increasing the number of rounds of this Hash function can not improve its security against this attack significantly and the attacker can find multicollisions on this Hash function which means that this Hash function has a structural flaw.

scholarly journals Cryptanalysis of GOST2

2017 ◽  
pp. 203-214
Author(s):  
Tomer Ashur ◽  
Achiya Bar-On ◽  
Orr Dunkelman
Keyword(s):  
Fixed Point ◽  
Time Complexity ◽  
Block Cipher ◽  
Exhaustive Search ◽  
National Standard ◽  
Russian Government ◽  
Key Schedule ◽  
Reflection Attack ◽  
Weak Keys

GOST 28147 is a 256-bit key 64-bit block cipher developed by the USSR, later adopted by the Russian government as a national standard. In 2010, GOST was suggested to be included in ISO/IEC 18033-3, but was rejected due to weaknesses found in its key schedule. In 2015, a new version of GOST was suggested with the purpose of mitigating such attacks. In this paper, we show that similar weaknesses exist in the new version as well. More specifically, we present a fixed-point attack on the full cipher with time complexity of 2237 encryptions. We also present a reflection attack with time complexity of 2192 for a key that is chosen from a class of 2224 weak keys. Finally, we discuss an impossible reflection attack which improves on exhaustive search by a factor of 2e, and several possible related-key attacks.

Diving Deep into the Weak Keys of Round Reduced Ascon

2021 ◽  
pp. 74-99
Author(s):  
Raghvendra Rohit ◽  
Santanu Sarkar
Keyword(s):  
Security Analysis ◽  
Theoretical Framework ◽  
Algebraic Degree ◽  
Data Complexity ◽  
Major Result ◽  
Secret Key ◽  
Key Recovery ◽  
Weak Keys ◽  
Key Recovery Attacks

At ToSC 2021, Rohit et al. presented the first distinguishing and key recovery attacks on 7 rounds Ascon without violating the designer’s security claims of nonce-respecting setting and data limit of 264 blocks per key. So far, these are the best attacks on 7 rounds Ascon. However, the distinguishers require (impractical) 260 data while the data complexity of key recovery attacks exactly equals 264. Whether there are any practical distinguishers and key recovery attacks (with data less than 264) on 7 rounds Ascon is still an open problem.In this work, we give positive answers to these questions by providing a comprehensive security analysis of Ascon in the weak key setting. Our first major result is the 7-round cube distinguishers with complexities 246 and 233 which work for 282 and 263 keys, respectively. Notably, we show that such weak keys exist for any choice (out of 64) of 46 and 33 specifically chosen nonce variables. In addition, we improve the data complexities of existing distinguishers for 5, 6 and 7 rounds by a factor of 28, 216 and 227, respectively. Our second contribution is a new theoretical framework for weak keys of Ascon which is solely based on the algebraic degree. Based on our construction, we identify 2127.99, 2127.97 and 2116.34 weak keys (out of 2128) for 5, 6 and 7 rounds, respectively. Next, we present two key recovery attacks on 7 rounds with different attack complexities. The best attack can recover the secret key with 263 data, 269 bits of memory and 2115.2 time. Our attacks are far from threatening the security of full 12 rounds Ascon, but we expect that they provide new insights into Ascon’s security.

Sign in / Sign up

Export Citation Format

Share Document