attacks on the mersenne-based ajps cryptosystem...choose f;g 2r such that jfj= jgj= w and g...
TRANSCRIPT
Attacks on the Mersenne-based AJPS cryptosystem
Koen de Boer 1, L. Ducas 1, S. Jeffery 1,2, R. de Wolf 1,2,3
1Centrum Wiskunde en Informatica, Amsterdam
2QuSoft, Amsterdam
3University of Amsterdam
April 9, 2018
April 9, PQCrypto, Fort Lauderdale, Florida 1 / 15
Overview
Aggarwal, Joux, Prakash, Santha [AJPS17]
Propose potentially quantum-safe public-keycryptosystem based on Mersenne numbers andNTRU [HPS98].
Consider but dismiss Meet-in-the-Middle andlattice attacks.
Hope that ‘brute force’ is the optimal attack.
May ’17
April 9, PQCrypto, Fort Lauderdale, Florida 2 / 15
Overview
Aggarwal, Joux, Prakash, Santha [AJPS17]
Propose potentially quantum-safe public-keycryptosystem based on Mersenne numbers andNTRU [HPS98].
Consider but dismiss Meet-in-the-Middle andlattice attacks.
Hope that ‘brute force’ is the optimal attack.
May ’17
April 9, PQCrypto, Fort Lauderdale, Florida 2 / 15
Overview
Aggarwal, Joux, Prakash, Santha [AJPS17]
Propose potentially quantum-safe public-keycryptosystem based on Mersenne numbers andNTRU [HPS98].
Consider but dismiss Meet-in-the-Middle andlattice attacks.
Hope that ‘brute force’ is the optimal attack.
May ’17
April 9, PQCrypto, Fort Lauderdale, Florida 2 / 15
Overview
Aggarwal, Joux, Prakash, Santha [AJPS17]
Propose potentially quantum-safe public-keycryptosystem based on Mersenne numbers andNTRU [HPS98].
Consider but dismiss Meet-in-the-Middle andlattice attacks.
Hope that ‘brute force’ is the optimal attack.
May ’17
Beunardeau, Connolly, Geraud, Naccache [BCGN17]
Describe an experimental lattice-reduction attack.
Jun ’17
April 9, PQCrypto, Fort Lauderdale, Florida 2 / 15
Overview
Aggarwal, Joux, Prakash, Santha [AJPS17]
Propose potentially quantum-safe public-keycryptosystem based on Mersenne numbers andNTRU [HPS98].
Consider but dismiss Meet-in-the-Middle andlattice attacks.
Hope that ‘brute force’ is the optimal attack.
May ’17
Beunardeau, Connolly, Geraud, Naccache [BCGN17]
Describe an experimental lattice-reduction attack.
Jun ’17
Our contribution
Meet-in-the-Middle attack
Analysis of the lattice-attack of Beunardeau et al.
Dec ’17
April 9, PQCrypto, Fort Lauderdale, Florida 2 / 15
Overview
Aggarwal, Joux, Prakash, Santha [AJPS17]
Propose potentially quantum-safe public-keycryptosystem based on Mersenne numbers andNTRU [HPS98].
Consider but dismiss Meet-in-the-Middle andlattice attacks.
Hope that ‘brute force’ is the optimal attack.
May ’17
Beunardeau, Connolly, Geraud, Naccache [BCGN17]
Describe an experimental lattice-reduction attack.
Jun ’17
Our contribution
Meet-in-the-Middle attack
Analysis of the lattice-attack of Beunardeau et al.Dec ’17
April 9, PQCrypto, Fort Lauderdale, Florida 2 / 15
Overview
Aggarwal, Joux, Prakash, Santha [AJPS17]
Propose potentially quantum-safe public-keycryptosystem based on Mersenne numbers andNTRU [HPS98].
Consider but dismiss Meet-in-the-Middle andlattice attacks.
Hope that ‘brute force’ is the optimal attack.
May ’17
Beunardeau, Connolly, Geraud, Naccache [BCGN17]
Describe an experimental lattice-reduction attack.
Jun ’17
Our contribution
Meet-in-the-Middle attack ← this talk
Analysis of the lattice-attack of Beunardeau et al.Dec ’17
April 9, PQCrypto, Fort Lauderdale, Florida 2 / 15
Table of Contents
1 The Mersenne-number based AJPS-cryptosystem
2 Meet-in-the-Middle attack on the AJPS cryptosystemExample: Subset-sum problemMITM in the AJPS-cryptosystem
April 9, PQCrypto, Fort Lauderdale, Florida 3 / 15
The AJPS cryptosystem
Set R = Z/NZ, where N = 2n − 1 with n prime.
Each element in R can be uniquely identified by its binaryrepresentation in {0, 1}n\{1n}.For a ∈ R, set |a| := the Hamming weight of the binaryrepresentation of a.
Set w = b√n/2c.
Choose f , g ∈ R such that |f | = |g | = w and g invertible.
Set h = f /g . Public key is h and secret key g .
April 9, PQCrypto, Fort Lauderdale, Florida 4 / 15
The AJPS cryptosystem
Set R = Z/NZ, where N = 2n − 1 with n prime.
Each element in R can be uniquely identified by its binaryrepresentation in {0, 1}n\{1n}.
For a ∈ R, set |a| := the Hamming weight of the binaryrepresentation of a.
a ∈ R bin. rep. |a|0 0...000 01 0...001 12 0...010 13 0...011 2...
......
2n − 2 1...110 n − 1
Set w = b√n/2c.
Choose f , g ∈ R such that |f | = |g | = w and g invertible.
Set h = f /g . Public key is h and secret key g .
April 9, PQCrypto, Fort Lauderdale, Florida 4 / 15
The AJPS cryptosystem
Set R = Z/NZ, where N = 2n − 1 with n prime.
Each element in R can be uniquely identified by its binaryrepresentation in {0, 1}n\{1n}.For a ∈ R, set |a| := the Hamming weight of the binaryrepresentation of a.
a ∈ R bin. rep. |a|0 0...000 01 0...001 12 0...010 13 0...011 2...
......
2n − 2 1...110 n − 1
Set w = b√n/2c.
Choose f , g ∈ R such that |f | = |g | = w and g invertible.
Set h = f /g . Public key is h and secret key g .
April 9, PQCrypto, Fort Lauderdale, Florida 4 / 15
The AJPS cryptosystem
Set R = Z/NZ, where N = 2n − 1 with n prime.
Each element in R can be uniquely identified by its binaryrepresentation in {0, 1}n\{1n}.For a ∈ R, set |a| := the Hamming weight of the binaryrepresentation of a.
a ∈ R bin. rep. |a|0 0...000 01 0...001 12 0...010 13 0...011 2...
......
2n − 2 1...110 n − 1
Set w = b√n/2c.
Choose f , g ∈ R such that |f | = |g | = w and g invertible.
Set h = f /g . Public key is h and secret key g .
April 9, PQCrypto, Fort Lauderdale, Florida 4 / 15
The AJPS cryptosystem
Set R = Z/NZ, where N = 2n − 1 with n prime.
Each element in R can be uniquely identified by its binaryrepresentation in {0, 1}n\{1n}.For a ∈ R, set |a| := the Hamming weight of the binaryrepresentation of a.
Set w = b√n/2c.
Choose f , g ∈ R such that |f | = |g | = w and g invertible.
Set h = f /g . Public key is h and secret key g .
April 9, PQCrypto, Fort Lauderdale, Florida 4 / 15
The AJPS cryptosystem
Set R = Z/NZ, where N = 2n − 1 with n prime.
Each element in R can be uniquely identified by its binaryrepresentation in {0, 1}n\{1n}.For a ∈ R, set |a| := the Hamming weight of the binaryrepresentation of a.
Set w = b√n/2c.
Choose f , g ∈ R such that |f | = |g | = w and g invertible.
Set h = f /g . Public key is h and secret key g .
f = , g =
April 9, PQCrypto, Fort Lauderdale, Florida 4 / 15
The AJPS cryptosystem
Set R = Z/NZ, where N = 2n − 1 with n prime.
Each element in R can be uniquely identified by its binaryrepresentation in {0, 1}n\{1n}.For a ∈ R, set |a| := the Hamming weight of the binaryrepresentation of a.
Set w = b√n/2c.
Choose f , g ∈ R such that |f | = |g | = w and g invertible.
Set h = f /g . Public key is h and secret key g .
f = , g =
h = fg =
April 9, PQCrypto, Fort Lauderdale, Florida 4 / 15
The AJPS cryptosystem
Set R = Z/NZ, where N = 2n − 1 with n prime.
Each element in R can be uniquely identified by its binaryrepresentation in {0, 1}n\{1n}.For a ∈ R, set |a| := the Hamming weight of the binaryrepresentation of a.
Set w = b√n/2c.
Choose f , g ∈ R such that |f | = |g | = w and g invertible.
Set h = f /g . Public key is h and secret key g .
The Mersenne Low Hamming Ratio Problem
Given h ∈ R, which is quotient of two elements of low Hamming wt.
Find f , g ∈ R with |f | = |g | = w such that h = f /g .
April 9, PQCrypto, Fort Lauderdale, Florida 4 / 15
The AJPS cryptosystem
Set R = Z/NZ, where N = 2n − 1 with n prime.
Each element in R can be uniquely identified by its binaryrepresentation in {0, 1}n\{1n}.For a ∈ R, set |a| := the Hamming weight of the binaryrepresentation of a.
Set w = b√n/2c.
Choose f , g ∈ R such that |f | = |g | = w and g invertible.
Set h = f /g . Public key is h and secret key g .
The Mersenne Low Hamming Ratio Problem
Given h ∈ R, which is quotient of two elements of low Hamming wt.
Find f , g ∈ R with |f | = |g | = w such that h = f /g .
April 9, PQCrypto, Fort Lauderdale, Florida 4 / 15
The AJPS cryptosystem
Set R = Z/NZ, where N = 2n − 1 with n prime.
Each element in R can be uniquely identified by its binaryrepresentation in {0, 1}n\{1n}.For a ∈ R, set |a| := the Hamming weight of the binaryrepresentation of a.
Set w = b√n/2c.
Choose f , g ∈ R such that |f | = |g | = w and g invertible.
Set h = f /g . Public key is h and secret key g .
The Mersenne Low Hamming Ratio Problem
Given h ∈ R, which is quotient of two elements of low Hamming wt.
Find f , g ∈ R with |f | = |g | = w such that h = f /g .
April 9, PQCrypto, Fort Lauderdale, Florida 4 / 15
The AJPS cryptosystem
Set R = Z/NZ, where N = 2n − 1 with n prime.
Each element in R can be uniquely identified by its binaryrepresentation in {0, 1}n\{1n}.For a ∈ R, set |a| := the Hamming weight of the binaryrepresentation of a.
Set w = b√n/2c.
Choose f , g ∈ R such that |f | = |g | = w and g invertible.
Set h = f /g . Public key is h and secret key g .
The Mersenne Low Hamming Ratio Problem
Given h ∈ R, which is quotient of two elements of low Hamming wt.
Find f , g ∈ R with |f | = |g | = w such that h = f /g .
Brute force attack: Guess a g ∈ R with |g | = w , check whether |gh| = w .time:
(nw
).
April 9, PQCrypto, Fort Lauderdale, Florida 4 / 15
Table of Contents
1 The Mersenne-number based AJPS-cryptosystem
2 Meet-in-the-Middle attack on the AJPS cryptosystemExample: Subset-sum problemMITM in the AJPS-cryptosystem
April 9, PQCrypto, Fort Lauderdale, Florida 5 / 15
Meet-in-the-Middle attack
Improved time complexity, at the cost of greater space complexity.
April 9, PQCrypto, Fort Lauderdale, Florida 6 / 15
MITM in the subset-sum problem
Subset-sum problem
Given z1, . . . , zn ∈ ZFind I ⊆ {1, . . . , n} such that
∑i∈I zi = 0.
For all I1 ⊆ {1, . . . , n/2}, store I1 in the bucket L[∑
i∈I1 zi].
For every I2 ⊆ {n/2 + 1, . . . , n} do
Check whether the bucket L[−∑
i∈I2zi]
is non-empty.
If it is, output I2 and a I1 ∈ L[−∑
i∈I2zi].
z1 6z2 2z3 −1z4 10z5 9z6 −5
April 9, PQCrypto, Fort Lauderdale, Florida 7 / 15
MITM in the subset-sum problem
Subset-sum problem
Given z1, . . . , zn ∈ ZFind I ⊆ {1, . . . , n} such that
∑i∈I zi = 0.
For all I1 ⊆ {1, . . . , n/2}, store I1 in the bucket L[∑
i∈I1 zi].
For every I2 ⊆ {n/2 + 1, . . . , n} do
Check whether the bucket L[−∑
i∈I2zi]
is non-empty.
If it is, output I2 and a I1 ∈ L[−∑
i∈I2zi].
z1 6z2 2z3 −1
z4 10z5 9z4 −5
i L[i ]
April 9, PQCrypto, Fort Lauderdale, Florida 7 / 15
MITM in the subset-sum problem
Subset-sum problem
Given z1, . . . , zn ∈ ZFind I ⊆ {1, . . . , n} such that
∑i∈I zi = 0.
For all I1 ⊆ {1, . . . , n/2}, store I1 in the bucket L[∑
i∈I1 zi].
For every I2 ⊆ {n/2 + 1, . . . , n} do
Check whether the bucket L[−∑
i∈I2zi]
is non-empty.
If it is, output I2 and a I1 ∈ L[−∑
i∈I2zi].
z1 6z2 2z3 −1
z4 10z5 9z4 −5
i L[i ]
6 {1}
April 9, PQCrypto, Fort Lauderdale, Florida 7 / 15
MITM in the subset-sum problem
Subset-sum problem
Given z1, . . . , zn ∈ ZFind I ⊆ {1, . . . , n} such that
∑i∈I zi = 0.
For all I1 ⊆ {1, . . . , n/2}, store I1 in the bucket L[∑
i∈I1 zi].
For every I2 ⊆ {n/2 + 1, . . . , n} do
Check whether the bucket L[−∑
i∈I2zi]
is non-empty.
If it is, output I2 and a I1 ∈ L[−∑
i∈I2zi].
z1 6z2 2z3 −1
z4 10z5 9z4 −5
i L[i ]
6 {1}8 {1, 2}
April 9, PQCrypto, Fort Lauderdale, Florida 7 / 15
MITM in the subset-sum problem
Subset-sum problem
Given z1, . . . , zn ∈ ZFind I ⊆ {1, . . . , n} such that
∑i∈I zi = 0.
For all I1 ⊆ {1, . . . , n/2}, store I1 in the bucket L[∑
i∈I1 zi].
For every I2 ⊆ {n/2 + 1, . . . , n} do
Check whether the bucket L[−∑
i∈I2zi]
is non-empty.
If it is, output I2 and a I1 ∈ L[−∑
i∈I2zi].
z1 6z2 2z3 −1
z4 10z5 9z4 −5
i L[i ]
6 {1}8 {1, 2}7 {1, 2, 3}
April 9, PQCrypto, Fort Lauderdale, Florida 7 / 15
MITM in the subset-sum problem
Subset-sum problem
Given z1, . . . , zn ∈ ZFind I ⊆ {1, . . . , n} such that
∑i∈I zi = 0.
For all I1 ⊆ {1, . . . , n/2}, store I1 in the bucket L[∑
i∈I1 zi].
For every I2 ⊆ {n/2 + 1, . . . , n} do
Check whether the bucket L[−∑
i∈I2zi]
is non-empty.
If it is, output I2 and a I1 ∈ L[−∑
i∈I2zi].
z1 6z2 2z3 −1
z4 10z5 9z4 −5
i L[i ]
-1 {3}1 {2, 3}2 {2}5 {1, 3}6 {1}7 {1, 2, 3}8 {1, 2}
April 9, PQCrypto, Fort Lauderdale, Florida 7 / 15
MITM in the subset-sum problem
Subset-sum problem
Given z1, . . . , zn ∈ ZFind I ⊆ {1, . . . , n} such that
∑i∈I zi = 0.
For all I1 ⊆ {1, . . . , n/2}, store I1 in the bucket L[∑
i∈I1 zi].
For every I2 ⊆ {n/2 + 1, . . . , n} do
Check whether the bucket L[−∑
i∈I2zi]
is non-empty.
If it is, output I2 and a I1 ∈ L[−∑
i∈I2zi].
z1 6z2 2z3 −1
z4 10z5 9z4 −5
i L[i ]
-1 {3}1 {2, 3}2 {2}5 {1, 3}6 {1}7 {1, 2, 3}8 {1, 2}
April 9, PQCrypto, Fort Lauderdale, Florida 7 / 15
MITM in the subset-sum problem
Subset-sum problem
Given z1, . . . , zn ∈ ZFind I ⊆ {1, . . . , n} such that
∑i∈I zi = 0.
For all I1 ⊆ {1, . . . , n/2}, store I1 in the bucket L[∑
i∈I1 zi].
For every I2 ⊆ {n/2 + 1, . . . , n} do
Check whether the bucket L[−∑
i∈I2zi]
is non-empty.
If it is, output I2 and a I1 ∈ L[−∑
i∈I2zi].
z1 6z2 2z3 −1
z4 10z5 9z4 −5
i L[i ]
-1 {3}1 {2, 3}2 {2}5 {1, 3}6 {1}7 {1, 2, 3}8 {1, 2}
−∑
i∈{4} zi = −10
April 9, PQCrypto, Fort Lauderdale, Florida 7 / 15
MITM in the subset-sum problem
Subset-sum problem
Given z1, . . . , zn ∈ ZFind I ⊆ {1, . . . , n} such that
∑i∈I zi = 0.
For all I1 ⊆ {1, . . . , n/2}, store I1 in the bucket L[∑
i∈I1 zi].
For every I2 ⊆ {n/2 + 1, . . . , n} do
Check whether the bucket L[−∑
i∈I2zi]
is non-empty.
If it is, output I2 and a I1 ∈ L[−∑
i∈I2zi].
z1 6z2 2z3 −1
z4 10z5 9z4 −5
i L[i ]
-1 {3}1 {2, 3}2 {2}5 {1, 3}6 {1}7 {1, 2, 3}8 {1, 2}
−∑
i∈{4} zi = −10−∑
i∈{5} zi = −9
April 9, PQCrypto, Fort Lauderdale, Florida 7 / 15
MITM in the subset-sum problem
Subset-sum problem
Given z1, . . . , zn ∈ ZFind I ⊆ {1, . . . , n} such that
∑i∈I zi = 0.
For all I1 ⊆ {1, . . . , n/2}, store I1 in the bucket L[∑
i∈I1 zi].
For every I2 ⊆ {n/2 + 1, . . . , n} do
Check whether the bucket L[−∑
i∈I2zi]
is non-empty.
If it is, output I2 and a I1 ∈ L[−∑
i∈I2zi].
z1 6z2 2z3 −1
z4 10z5 9z6 −5
i L[i ]
-1 {3}1 {2, 3}2 {2}5 {1, 3}6 {1}7 {1, 2, 3}8 {1, 2}
−∑
i∈{4} zi = −10−∑
i∈{5} zi = −9−
∑∑∑i∈{6} zi = 5
April 9, PQCrypto, Fort Lauderdale, Florida 7 / 15
MITM in the subset-sum problem
Subset-sum problem
Given z1, . . . , zn ∈ ZFind I ⊆ {1, . . . , n} such that
∑i∈I zi = 0.
For all I1 ⊆ {1, . . . , n/2}, store I1 in the bucket L[∑
i∈I1 zi].
For every I2 ⊆ {n/2 + 1, . . . , n} do
Check whether the bucket L[−∑
i∈I2zi]
is non-empty.
If it is, output I2 and a I1 ∈ L[−∑
i∈I2zi].
z1 6z2 2z3 −1z4 10z5 9z6 −5
Output: {1, 3} ∪ {6}
April 9, PQCrypto, Fort Lauderdale, Florida 7 / 15
MITM in the AJPS-cryptosystem
The Mersenne Low Hamming Ratio Problem
Given h ∈ R, which is quotient of two elements of low Hamming wt.
Find f , g ∈ R with |f | = |g | = w such that h = f /g .
Split g = g1 + g2. (hg = f )
Then hg1 = −hg2 + f
Heuristically, assume −hg2 is random.
Then ∆Hamm(−hg2, hg1) ≤ 2w + c√w with error probability ≤ e−c/8.
Informally: −hg2 ≈ hg1.
April 9, PQCrypto, Fort Lauderdale, Florida 8 / 15
MITM in the AJPS-cryptosystem
The Mersenne Low Hamming Ratio Problem
Given h ∈ R, which is quotient of two elements of low Hamming wt.
Find f , g ∈ R with |f | = |g | = w such that h = f /g .
Split g = g1 + g2. (hg = f )
Then hg1 = −hg2 + f
Heuristically, assume −hg2 is random.
Then ∆Hamm(−hg2, hg1) ≤ 2w + c√w with error probability ≤ e−c/8.
Informally: −hg2 ≈ hg1.
April 9, PQCrypto, Fort Lauderdale, Florida 8 / 15
MITM in the AJPS-cryptosystem
The Mersenne Low Hamming Ratio Problem
Given h ∈ R, which is quotient of two elements of low Hamming wt.
Find f , g ∈ R with |f | = |g | = w such that h = f /g .
Split g = g1 + g2. (hg = f )
g = =
g1+
g2
Then hg1 = −hg2 + f
Heuristically, assume −hg2 is random.
Then ∆Hamm(−hg2, hg1) ≤ 2w + c√w with error probability ≤ e−c/8.
Informally: −hg2 ≈ hg1.
April 9, PQCrypto, Fort Lauderdale, Florida 8 / 15
MITM in the AJPS-cryptosystem
The Mersenne Low Hamming Ratio Problem
Given h ∈ R, which is quotient of two elements of low Hamming wt.
Find f , g ∈ R with |f | = |g | = w such that h = f /g .
Split g = g1 + g2. (hg = f )
Then hg1 = −hg2 + f
Heuristically, assume −hg2 is random.
Then ∆Hamm(−hg2, hg1) ≤ 2w + c√w with error probability ≤ e−c/8.
Informally: −hg2 ≈ hg1.
April 9, PQCrypto, Fort Lauderdale, Florida 8 / 15
MITM in the AJPS-cryptosystem
The Mersenne Low Hamming Ratio Problem
Given h ∈ R, which is quotient of two elements of low Hamming wt.
Find f , g ∈ R with |f | = |g | = w such that h = f /g .
Split g = g1 + g2. (hg = f )
Then hg1 = −hg2 + f
−hg2f
hg1
Heuristically, assume −hg2 is random.
Then ∆Hamm(−hg2, hg1) ≤ 2w + c√w with error probability ≤ e−c/8.
Informally: −hg2 ≈ hg1.
April 9, PQCrypto, Fort Lauderdale, Florida 8 / 15
MITM in the AJPS-cryptosystem
The Mersenne Low Hamming Ratio Problem
Given h ∈ R, which is quotient of two elements of low Hamming wt.
Find f , g ∈ R with |f | = |g | = w such that h = f /g .
Split g = g1 + g2. (hg = f )
Then hg1 = −hg2 + f
−hg2f
hg1Heuristically, assume −hg2 is random.
Then ∆Hamm(−hg2, hg1) ≤ 2w + c√w with error probability ≤ e−c/8.
Informally: −hg2 ≈ hg1.
April 9, PQCrypto, Fort Lauderdale, Florida 8 / 15
MITM in the AJPS-cryptosystem
The Mersenne Low Hamming Ratio Problem
Given h ∈ R, which is quotient of two elements of low Hamming wt.
Find f , g ∈ R with |f | = |g | = w such that h = f /g .
Split g = g1 + g2. (hg = f )
Then hg1 = −hg2 + f
−hg2f
hg1Heuristically, assume −hg2 is random.
Then ∆Hamm(−hg2, hg1) ≤ 2w + c√w with error probability ≤ e−c/8.
Informally: −hg2 ≈ hg1.
April 9, PQCrypto, Fort Lauderdale, Florida 8 / 15
MITM in the AJPS-cryptosystem
The Mersenne Low Hamming Ratio Problem
Given h ∈ R, which is quotient of two elements of low Hamming wt.
Find f , g ∈ R with |f | = |g | = w such that h = f /g .
Split g = g1 + g2. (hg = f )
Then hg1 = −hg2 + f
−hg2f
hg1Heuristically, assume −hg2 is random.
Then ∆Hamm(−hg2, hg1) ≤ 2w + c√w with error probability ≤ e−c/8.
Informally: −hg2 ≈ hg1.
April 9, PQCrypto, Fort Lauderdale, Florida 8 / 15
MITM in the AJPS-cryptosystem
Split a possible g = g1 + g2 in two parts, where g1 ∈ {0, 1}n/2 × 0n/2
and g2 ∈ 0n/2 × {0, 1}n/2.
For all g1, store {g1} into the bucket L[hg1].
For all g2, do
Find t ≈ −hg2, such that L[t] is non-empty.If such t exists, pick g1 ∈ L[t] and output g1 + g2.
g = =
g1+
g2
April 9, PQCrypto, Fort Lauderdale, Florida 9 / 15
MITM in the AJPS-cryptosystem
Split a possible g = g1 + g2 in two parts, where g1 ∈ {0, 1}n/2 × 0n/2
and g2 ∈ 0n/2 × {0, 1}n/2.
For all g1, store {g1} into the bucket L[hg1].
For all g2, do
Find t ≈ −hg2, such that L[t] is non-empty.If such t exists, pick g1 ∈ L[t] and output g1 + g2.
Hash Table L:Key Bucket
hg1→ {g1}hg ′1 → {g ′1}
......
. . . . . .
April 9, PQCrypto, Fort Lauderdale, Florida 9 / 15
MITM in the AJPS-cryptosystem
Split a possible g = g1 + g2 in two parts, where g1 ∈ {0, 1}n/2 × 0n/2
and g2 ∈ 0n/2 × {0, 1}n/2.
For all g1, store {g1} into the bucket L[hg1].
For all g2, do
Find t ≈ −hg2, such that L[t] is non-empty.If such t exists, pick g1 ∈ L[t] and output g1 + g2.
Hash Table L:Key Bucket
hg1→ {g1}hg ′1 → {g ′1}
......
. . . . . .
April 9, PQCrypto, Fort Lauderdale, Florida 9 / 15
MITM in the AJPS-cryptosystem
Split a possible g = g1 + g2 in two parts, where g1 ∈ {0, 1}n/2 × 0n/2
and g2 ∈ 0n/2 × {0, 1}n/2.
For all g1, store {g1} into the bucket L[hg1].
For all g2, do
Find t ≈ −hg2, such that L[t] is non-empty.
If such t exists, pick g1 ∈ L[t] and output g1 + g2.
Hash Table L:Key Bucket
hg1→ {g1}hg ′1 → {g ′1}
......
. . . . . .
April 9, PQCrypto, Fort Lauderdale, Florida 9 / 15
MITM in the AJPS-cryptosystem
Split a possible g = g1 + g2 in two parts, where g1 ∈ {0, 1}n/2 × 0n/2
and g2 ∈ 0n/2 × {0, 1}n/2.
For all g1, store {g1} into the bucket L[hg1].
For all g2, do
Find t ≈ −hg2, such that L[t] is non-empty.If such t exists, pick g1 ∈ L[t] and output g1 + g2.
Hash Table L:Key Bucket
hg1→ {g1}hg ′1 → {g ′1}
......
. . . . . .
April 9, PQCrypto, Fort Lauderdale, Florida 9 / 15
MITM in the AJPS-cryptosystem
Split a possible g = g1 + g2 in two parts, where g1 ∈ {0, 1}n/2 × 0n/2
and g2 ∈ 0n/2 × {0, 1}n/2.
For all g1, store {g1} into the bucket L[hg1].
For all g2, do
Find t ≈ −hg2, such that L[t] is non-empty.If such t exists, pick g1 ∈ L[t] and output g1 + g2.
Hash Table L:Key Bucket
hg1→ {g1}hg ′1 → {g ′1}
......
Problem: There are many t ≈ −hg2, andmost of the buckets L[t] are empty
April 9, PQCrypto, Fort Lauderdale, Florida 9 / 15
Locality Sensitive Hashing
hg1 = −hg2 + f
−hg2f
hg1
Locality Sensitive Hashing
Construct the ‘hash’ function H : {0, 1}n → {0, 1}k , sendingbn · · · b1 7→ bk+i · · · bi .
Hope: H(hg1) = H(−hg2)
April 9, PQCrypto, Fort Lauderdale, Florida 10 / 15
Locality Sensitive Hashing
hg1 = −hg2 + f
−hg2f
hg1
Locality Sensitive Hashing
Construct the ‘hash’ function H : {0, 1}n → {0, 1}k , sendingbn · · · b1 7→ bk+i · · · bi .
Hope: H(hg1) = H(−hg2)
April 9, PQCrypto, Fort Lauderdale, Florida 10 / 15
Locality Sensitive Hashing
hg1 = −hg2 + f
−hg2f
hg1
Locality Sensitive Hashing
Construct the ‘hash’ function H : {0, 1}n → {0, 1}k , sendingbn · · · b1 7→ bk+i · · · bi .
Hope: H(hg1) = H(−hg2)
April 9, PQCrypto, Fort Lauderdale, Florida 10 / 15
Locality Sensitive Hashing
hg1 = −hg2 + f
−hg2f
hg1
Locality Sensitive Hashing
Construct the ‘hash’ function H : {0, 1}n → {0, 1}k , sendingbn · · · b1 7→ bk+i · · · bi .
Hope: H(hg1) = H(−hg2)
April 9, PQCrypto, Fort Lauderdale, Florida 10 / 15
MITM in the AJPS-cryptosystem
Split a possible g = g1 + g2 in two parts, where g1 ∈ {0, 1}n/2 × 0n/2
and g2 ∈ 0n/2 × {0, 1}n/2.
For all g1, {g1} into the bucket L[H(hg1)].For all g2 do
Check whether L[H(−hg2)] is non-empty.If so, then check if some g1 ∈ L[H(−hg2)] satisfies |h(g1 + g2)| = w .If so, output g1 + g2.
g = =
g1+
g2
April 9, PQCrypto, Fort Lauderdale, Florida 11 / 15
MITM in the AJPS-cryptosystem
Split a possible g = g1 + g2 in two parts, where g1 ∈ {0, 1}n/2 × 0n/2
and g2 ∈ 0n/2 × {0, 1}n/2.For all g1, {g1} into the bucket L[H(hg1)].
For all g2 do
Check whether L[H(−hg2)] is non-empty.If so, then check if some g1 ∈ L[H(−hg2)] satisfies |h(g1 + g2)| = w .If so, output g1 + g2.
Hash Table L:Key Bucket
H(hg1)→ {g ′1, g ′′1 , g1, . . .}H(hg ′′′1 )→ {g ′′′1 , . . .}
......
April 9, PQCrypto, Fort Lauderdale, Florida 11 / 15
MITM in the AJPS-cryptosystem
Split a possible g = g1 + g2 in two parts, where g1 ∈ {0, 1}n/2 × 0n/2
and g2 ∈ 0n/2 × {0, 1}n/2.For all g1, {g1} into the bucket L[H(hg1)].
For all g2 do
Check whether L[H(−hg2)] is non-empty.If so, then check if some g1 ∈ L[H(−hg2)] satisfies |h(g1 + g2)| = w .If so, output g1 + g2.
Hash Table L:Key Bucket
H(hg1)→ {g ′1, g ′′1 , g1, . . .}H(hg ′′′1 )→ {g ′′′1 , . . .}
......
April 9, PQCrypto, Fort Lauderdale, Florida 11 / 15
MITM in the AJPS-cryptosystem
Split a possible g = g1 + g2 in two parts, where g1 ∈ {0, 1}n/2 × 0n/2
and g2 ∈ 0n/2 × {0, 1}n/2.For all g1, {g1} into the bucket L[H(hg1)].For all g2 do
Check whether L[H(−hg2)] is non-empty.If so, then check if some g1 ∈ L[H(−hg2)] satisfies |h(g1 + g2)| = w .If so, output g1 + g2.
Hash Table L:Key Bucket
H(hg1)→ {g ′1, g ′′1 , g1, . . .}H(hg ′′′1 )→ {g ′′′1 , . . .}
......
April 9, PQCrypto, Fort Lauderdale, Florida 11 / 15
MITM in the AJPS-cryptosystem
Split a possible g = g1 + g2 in two parts, where g1 ∈ {0, 1}n/2 × 0n/2
and g2 ∈ 0n/2 × {0, 1}n/2.For all g1, {g1} into the bucket L[H(hg1)].For all g2 do
Check whether L[H(−hg2)] is non-empty.
If so, then check if some g1 ∈ L[H(−hg2)] satisfies |h(g1 + g2)| = w .If so, output g1 + g2.
Hash Table L:Key Bucket
H(hg1)→ {g ′1, g ′′1 , g1, . . .}H(hg ′′′1 )→ {g ′′′1 , . . .}
......
April 9, PQCrypto, Fort Lauderdale, Florida 11 / 15
MITM in the AJPS-cryptosystem
Split a possible g = g1 + g2 in two parts, where g1 ∈ {0, 1}n/2 × 0n/2
and g2 ∈ 0n/2 × {0, 1}n/2.For all g1, {g1} into the bucket L[H(hg1)].For all g2 do
Check whether L[H(−hg2)] is non-empty.If so, then check if some g1 ∈ L[H(−hg2)] satisfies |h(g1 + g2)| = w .
If so, output g1 + g2.
Hash Table L:Key Bucket
H(hg1)→ {g ′1, g ′′1 , g1, . . .}H(hg ′′′1 )→ {g ′′′1 , . . .}
......
April 9, PQCrypto, Fort Lauderdale, Florida 11 / 15
MITM in the AJPS-cryptosystem
Split a possible g = g1 + g2 in two parts, where g1 ∈ {0, 1}n/2 × 0n/2
and g2 ∈ 0n/2 × {0, 1}n/2.For all g1, {g1} into the bucket L[H(hg1)].For all g2 do
Check whether L[H(−hg2)] is non-empty.If so, then check if some g1 ∈ L[H(−hg2)] satisfies |h(g1 + g2)| = w .If so, output g1 + g2.
Hash Table L:Key Bucket
H(hg1)→ {g ′1, g ′′1 , g1, . . .}H(hg ′′′1 )→ {g ′′′1 , . . .}
......
April 9, PQCrypto, Fort Lauderdale, Florida 11 / 15
MITM in the AJPS-cryptosystem
Split a possible g = g1 + g2 in two parts, where g1 ∈ {0, 1}n/2 × 0n/2
and g2 ∈ 0n/2 × {0, 1}n/2.For all g1, {g1} into the bucket L[H(hg1)].For all g2 do
Check whether L[H(−hg2)] is non-empty.If so, then check if some g1 ∈ L[H(−hg2)] satisfies |h(g1 + g2)| = w .If so, output g1 + g2.
Difficulties:
‘false positives’: non-close elements in the bucket‘false negatives’: close element in ‘wrong’ bucket
April 9, PQCrypto, Fort Lauderdale, Florida 11 / 15
MITM in the AJPS-cryptosystem
Split a possible g = g1 + g2 in two parts, where g1 ∈ {0, 1}n/2 × 0n/2
and g2 ∈ 0n/2 × {0, 1}n/2.For all g1, {g1} into the bucket L[H(hg1)].For all g2 do
Check whether L[H(−hg2)] is non-empty.If so, then check if some g1 ∈ L[H(−hg2)] satisfies |h(g1 + g2)| = w .If so, output g1 + g2.
Difficulties:
‘false positives’: non-close elements in the bucket
‘false negatives’: close element in ‘wrong’ bucket
April 9, PQCrypto, Fort Lauderdale, Florida 11 / 15
MITM in the AJPS-cryptosystem
Split a possible g = g1 + g2 in two parts, where g1 ∈ {0, 1}n/2 × 0n/2
and g2 ∈ 0n/2 × {0, 1}n/2.For all g1, {g1} into the bucket L[H(hg1)].For all g2 do
Check whether L[H(−hg2)] is non-empty.If so, then check if some g1 ∈ L[H(−hg2)] satisfies |h(g1 + g2)| = w .If so, output g1 + g2.
Difficulties:
‘false positives’: non-close elements in the bucket‘false negatives’: close element in ‘wrong’ bucket
April 9, PQCrypto, Fort Lauderdale, Florida 11 / 15
MITM in the AJPS-cryptosystem
Split a possible g = g1 + g2 in two parts, where g1 ∈ {0, 1}n/2 × 0n/2
and g2 ∈ 0n/2 × {0, 1}n/2.For all g1, {g1} into the bucket L[H(hg1)].For all g2 do
Check whether L[H(−hg2)] is non-empty.If so, then check if some g1 ∈ L[H(−hg2)] satisfies |h(g1 + g2)| = w .If so, output g1 + g2.
Difficulties:
‘false positives’: non-close elements in the bucket‘false negatives’: close element in ‘wrong’ bucket
Solution: Choose the block size of H to be log2(n/2w/2
). Repeat algorithm
over randomized H.
April 9, PQCrypto, Fort Lauderdale, Florida 11 / 15
MITM in the AJPS-cryptosystem
Split a possible g = g1 + g2 in two parts, where g1 ∈ {0, 1}n/2 × 0n/2
and g2 ∈ 0n/2 × {0, 1}n/2.For all g1, {g1} into the bucket L[H(hg1)].For all g2 do
Check whether L[H(−hg2)] is non-empty.If so, then check if some g1 ∈ L[H(−hg2)] satisfies |h(g1 + g2)| = w .If so, output g1 + g2.
Difficulties:
‘false positives’: non-close elements in the bucket‘false negatives’: close element in ‘wrong’ bucket
Solution: Choose the block size of H to be log2(n/2w/2
). Repeat algorithm
over randomized H. Using a combinatorial heuristic, this works.
April 9, PQCrypto, Fort Lauderdale, Florida 11 / 15
MITM in the AJPS-cryptosystem
Split a possible g = g1 + g2 in two parts, where g1 ∈ {0, 1}n/2 × 0n/2
and g2 ∈ 0n/2 × {0, 1}n/2.For all g1, {g1} into the bucket L[H(hg1)].For all g2 do
Check whether L[H(−hg2)] is non-empty.If so, then check if some g1 ∈ L[H(−hg2)] satisfies |h(g1 + g2)| = w .If so, output g1 + g2.
Difficulties:
‘false positives’: non-close elements in the bucket‘false negatives’: close element in ‘wrong’ bucket
Solution: Choose the block size of H to be log2(n/2w/2
). Repeat algorithm
over randomized H. Using a combinatorial heuristic, this works.
This algorithm breaks the AJPS system in time(n/2w/2
)≈ n
√n/8
April 9, PQCrypto, Fort Lauderdale, Florida 11 / 15
Overview
Attack Authors Running time
Classical Quantum
Brute force AJPS n√n4 n
√n8
Meet in the Middle Our work n√n8 n
√n
12
Lattice attack BCGN 2√n ? 2
√n/2 ?
Our analysis 2.01√n 2.01
√n/2
April 9, PQCrypto, Fort Lauderdale, Florida 12 / 15
Overview
Attack Authors Running time
Classical Quantum
Brute force AJPS n√n4 n
√n8
Meet in the Middle Our work n√n8 n
√n
12
Lattice attack BCGN 2√n ? 2
√n/2 ?
Our analysis 2.01√n 2.01
√n/2
April 9, PQCrypto, Fort Lauderdale, Florida 12 / 15
Overview
Attack Authors Running time
Classical Quantum
Brute force AJPS n√n4 n
√n8
Meet in the Middle Our work n√n8 n
√n
12
Lattice attack BCGN 2√n ? 2
√n/2 ?
Our analysis 2.01√n 2.01
√n/2
April 9, PQCrypto, Fort Lauderdale, Florida 12 / 15
Overview
Attack Authors Running time
Classical Quantum
Brute force AJPS n√n4 n
√n8
Meet in the Middle Our work n√n8 n
√n
12
Lattice attack BCGN 2√n ? 2
√n/2 ?
Our analysis 2.01√n 2.01
√n/2
April 9, PQCrypto, Fort Lauderdale, Florida 12 / 15
Overview
Attack Authors Running time
Classical Quantum
Brute force AJPS n√n4 n
√n8
Meet in the Middle Our work n√n8 n
√n
12
Lattice attack BCGN 2√n ? 2
√n/2 ?
Our analysis 2.01√n 2.01
√n/2
April 9, PQCrypto, Fort Lauderdale, Florida 12 / 15
Open Questions
We analyzed the lattice attack of Beunardeau et al. overrandomly chosen keys.
Are there specific ‘weak’ keys for this lattice attack?
Aggarwal et al. improved their cryptosystem [AJPS17], allowing toencrypt more bits.What is the security of this improved system?
April 9, PQCrypto, Fort Lauderdale, Florida 13 / 15
Open Questions
We analyzed the lattice attack of Beunardeau et al. overrandomly chosen keys.Are there specific ‘weak’ keys for this lattice attack?
Aggarwal et al. improved their cryptosystem [AJPS17], allowing toencrypt more bits.What is the security of this improved system?
April 9, PQCrypto, Fort Lauderdale, Florida 13 / 15
Open Questions
We analyzed the lattice attack of Beunardeau et al. overrandomly chosen keys.Are there specific ‘weak’ keys for this lattice attack?
Aggarwal et al. improved their cryptosystem [AJPS17], allowing toencrypt more bits.
What is the security of this improved system?
April 9, PQCrypto, Fort Lauderdale, Florida 13 / 15
Open Questions
We analyzed the lattice attack of Beunardeau et al. overrandomly chosen keys.Are there specific ‘weak’ keys for this lattice attack?
Aggarwal et al. improved their cryptosystem [AJPS17], allowing toencrypt more bits.What is the security of this improved system?
April 9, PQCrypto, Fort Lauderdale, Florida 13 / 15
Main lesson
Collisions don’t need to be exact to apply aMeet-in-the-Middle attack
April 9, PQCrypto, Fort Lauderdale, Florida 14 / 15
Main lesson
Collisions don’t need to be exact to apply aMeet-in-the-Middle attack
April 9, PQCrypto, Fort Lauderdale, Florida 14 / 15
References
D. Aggarwal et al. A New Public-Key Cryptosystem viaMersenne Numbers. Cryptology ePrint Archive, Report2017/481. http://eprint.iacr.org/2017/481. 2017.
A. Ambainis. “Quantum Search with Variable Times”. In:Theory of Computing Systems 47.3 (2010), pp. 786–807.issn: 1433-0490. doi: 10.1007/s00224-009-9219-1.
M. Beunardeau et al. “On the Hardness of the Mersenne LowHamming Ratio Assumption”. In: Progress in Cryptology –LATINCRYPT 2017. Available athttp://eprint.iacr.org/2017/522. 2017.
J. Hoffstein, J. Pipher, and J. H. Silverman. “NTRU: Aring-based public key cryptosystem”. In: InternationalAlgorithmic Number Theory Symposium. Springer. 1998,pp. 267–288.
April 9, PQCrypto, Fort Lauderdale, Florida 15 / 15