Video Converter
Audio Converter
Image Converter
PDF Converter
File Compressor
cryptanalysis via algebraic spans

Cryptanalysis via Algebraic Spans Adi Ben-Zvi, Arkadius Kalka, and - PowerPoint PPT Presentation

Feb 08, 2023 •287 likes •614 views

Cryptanalysis via Algebraic Spans Adi Ben-Zvi, Arkadius Kalka, and Boaz Tsaban Bar-Ilan University Crypto 2018 PKC foundations are mainly abelian (and quantum insecure) PKC foundations are mainly abelian (and quantum insecure) DLP in finite

  1. Cryptanalysis via Algebraic Spans Adi Ben-Zvi, Arkadius Kalka, and Boaz Tsaban Bar-Ilan University Crypto 2018

  2. PKC foundations are mainly abelian (and quantum insecure)

  3. PKC foundations are mainly abelian (and quantum insecure) DLP in finite fields (1976); Factorization (RSA, 1978). Poor performance vs security tradeoff; no long-term security. Subexp algorithms for DLP in some elliptic curves. Quantum computers break them all.

  4. PKC foundations are mainly abelian (and quantum insecure) DLP in finite fields (1976); Factorization (RSA, 1978). Poor performance vs security tradeoff; no long-term security. Subexp algorithms for DLP in some elliptic curves. Quantum computers break them all. Options: (0) Abelian (DLP/RSA); (1) Lattices; (2) nonabelian groups/structures.

  5. PKC foundations are mainly abelian (and quantum insecure) DLP in finite fields (1976); Factorization (RSA, 1978). Poor performance vs security tradeoff; no long-term security. Subexp algorithms for DLP in some elliptic curves. Quantum computers break them all. Options: (0) Abelian (DLP/RSA); (1) Lattices; (2) nonabelian groups/structures. The nonablian option must be explored. In particular, we need general cryptanalytic tools for nonabelian crypto.

  6. PKC foundations are mainly abelian (and quantum insecure) DLP in finite fields (1976); Factorization (RSA, 1978). Poor performance vs security tradeoff; no long-term security. Subexp algorithms for DLP in some elliptic curves. Quantum computers break them all. Options: (0) Abelian (DLP/RSA); (1) Lattices; (2) nonabelian groups/structures. The nonablian option must be explored. In particular, we need general cryptanalytic tools for nonabelian crypto. Here: Algebraic Span Cryptanalysis.

  7. Conojugation in nonabelian groups

  8. Conojugation in nonabelian groups For a , c ∈ G (nonabelian group), a c := c − 1 ac (conjugation).

  9. Conojugation in nonabelian groups For a , c ∈ G (nonabelian group), a c := c − 1 ac (conjugation). Conjugation is an isomorphism: ( a − 1 ) c = ( a c ) − 1 ( ab ) c = a c · b c . For a word v ( x 1 , . . . , x k ) in the variables x 1 , . . . , x k (e.g., x 7 x − 1 3 x 5 ): v ( a c 1 , . . . , a c k ) = v ( a 1 , . . . , a k ) c .

  10. Commutator KE (Anshel–Anshel–Goldfeld 1999)

  11. � � Commutator KE (Anshel–Anshel–Goldfeld 1999) Alice Public Bob v ( x 1 , . . . , x k ) � a 1 , . . . , a k � ≤ G w ( x 1 , . . . , x k ) a = v ( a 1 , . . . , a k ) � b 1 , . . . , b k � ≤ G b = w ( b 1 , . . . , b k ) b 1 a , . . . , b ka a 1 b , . . . , a kb a − 1 v ( a b 1 , . . . , a b w ( b a 1 , . . . , b a k ) − 1 b k )

  12. � � Commutator KE (Anshel–Anshel–Goldfeld 1999) Alice Public Bob v ( x 1 , . . . , x k ) � a 1 , . . . , a k � ≤ G w ( x 1 , . . . , x k ) a = v ( a 1 , . . . , a k ) � b 1 , . . . , b k � ≤ G b = w ( b 1 , . . . , b k ) b 1 a , . . . , b ka a 1 b , . . . , a kb a − 1 v ( a b 1 , . . . , a b w ( b a 1 , . . . , b a k ) − 1 b k ) k ) = a − 1 a b = a − 1 b − 1 ab = ( b a ) − 1 b = w ( b a a − 1 v ( a b k ) − 1 b 1 , . . . , a b 1 , . . . , b a

  13. Linear equations from conjugations

  14. Linear equations from conjugations Assume G ≤ GL n ( F ) (matrix representations).

  15. Linear equations from conjugations Assume G ≤ GL n ( F ) (matrix representations). Given c = b a ( a , b ∈ G ): b a = a − 1 ba a · b a = ba Linear equations in the entries of the matrix a .

  16. Linear equations from conjugations Assume G ≤ GL n ( F ) (matrix representations). Given c = b a ( a , b ∈ G ): b a = a − 1 ba a · b a = ba Linear equations in the entries of the matrix a . A solution ˜ a is invertible w.h.p. (Schwartz–Zippel). a · b a = b ˜ ˜ a b a = ˜ a − 1 b ˜ a b a = b ˜ a

  17. Algebraic spans

  18. Algebraic spans G ≤ GL n ( F ) , a , b ∈ G . a with b a = b ˜ a by linear equations. Can find ˜

  19. Algebraic spans G ≤ GL n ( F ) , a , b ∈ G . a with b a = b ˜ a by linear equations. Can find ˜ a / ˜ ∈ G ! We can force a ∈ Alg ( G ) = span F ( G ) ⊆ M n ( F ) , ˜ the algebra generated by G (because that’s a vector space.)

  20. Algebraic spans G ≤ GL n ( F ) , a , b ∈ G . a with b a = b ˜ a by linear equations. Can find ˜ a / ˜ ∈ G ! We can force a ∈ Alg ( G ) = span F ( G ) ⊆ M n ( F ) , ˜ the algebra generated by G (because that’s a vector space.) For G = � g 1 , . . . , g k � ≤ GL n ( F ) , finding a basis for Alg ( G ) by repeated multiplication by generators and Gauss elimination is O ( kn 6 ) .

  21. Algebraic Span Cryptanalysis

  22. Algebraic Span Cryptanalysis G 1 , . . . , G k ≤ GL n ( F ) ; g 1 ∈ G 1 , . . . , g k ∈ G k . Given: linear equations on the entries of g 1 , . . . , g k . Need to find f ( g 1 , . . . , g k ) .

  23. Algebraic Span Cryptanalysis G 1 , . . . , G k ≤ GL n ( F ) ; g 1 ∈ G 1 , . . . , g k ∈ G k . Given: linear equations on the entries of g 1 , . . . , g k . Need to find f ( g 1 , . . . , g k ) . Instead of solving subject to g 1 ∈ G 1 , . . . , g k ∈ G k , (infeasible!) solve subject to the linear constraints g 1 ∈ Alg ( G 1 ) , . . . , g k ∈ Alg ( G k ) . Pray (or prove) that every solution ˜ g 1 , . . . , ˜ g k satisfies f (˜ g 1 , . . . , ˜ g k ) = f ( g 1 , . . . , g k ) .

  24. Application: Commutator KEP

  25. Application: Commutator KEP a ∈ � a 1 , . . . , a k � , b ∈ � b 1 , . . . , b k � ≤ G ≤ GL n ( F ) . Need: ( b 1 a , . . . , b ka , a 1 b , . . . , a kb ) �→ a − 1 b − 1 ab .

  26. Application: Commutator KEP a ∈ � a 1 , . . . , a k � , b ∈ � b 1 , . . . , b k � ≤ G ≤ GL n ( F ) . Need: ( b 1 a , . . . , b ka , a 1 b , . . . , a kb ) �→ a − 1 b − 1 ab . a ∈ Alg ( a 1 , . . . , a k ) , ˜ Solving linear equations, we obtain ˜ b ∈ Alg ( b 1 , . . . , b k ) with ˜ b 1 ˜ a b 1 a b a 1 b = a 1 = . . . . ; . . b k ˜ a b ka ˜ = a kb b a k = a = b a . a ˜ b = ˜ a b . Similarly, b ˜ Since ˜ a ∈ Alg ( a 1 , . . . , a k ) , ˜ b = ˜ a b = ˜ a ˜ a − 1 ˜ a ˜ b − 1 ˜ a − 1 ˜ a − 1 ˜ a − 1 b − 1 ˜ ab = ( b ˜ a ) − 1 b = ( b a ) − 1 b = a − 1 b − 1 ab ! ˜ b = ˜

  27. � � Triple Decomposition KE (Kurt 2005) Alice Public Bob A A 1 A 2 X 1 X 2 a , a 1 , a 2 , x 1 , x 2 | | | | ≤ G y 1 , y 2 , b 1 , b 2 , b Y 1 Y 2 B 1 B 2 B ax 1 , x − 1 1 a 1 x 2 , x − 1 2 a 2 b 1 y 1 , y − 1 1 b 2 y 2 , y − 1 2 b a b 1 y 1 a 1 y − 1 1 b 2 y 2 a 2 y − 1 = ax 1 b 1 x − 1 1 a 1 x 2 b 2 x − 1 2 b = ab 1 a 1 b 2 a 2 b 2 a 2 b � �� � K The triple products do not provide linear equations! (And without them we fail!)

  28. Cryptanalysis of Triple Dec KE Alg ( B 1 ) y 1 = Alg ( B 1 ) · b 1 y 1 − 1 Alg ( B 2 ∪ Y 2 ) y 1 = Alg ( B 2 ∪ Y 2 ) · y − 1 2 b − 1 2 y 1 = Alg ( B 2 ∪ Y 2 ) · y − 1 1 b 2 y 2 − 1 Alg ( A 2 ) x 2 = Alg ( A 2 ) · a − 1 2 x 2 = Alg ( A 2 ) · x − 1 2 a 2 Alg ( A 1 ∪ X 1 ) x 2 = Alg ( A 1 ∪ X 1 ) · x − 1 1 a 1 x 2 Pick invertible ˜ y 1 ∈ Alg ( Y 1 ) ∩ Alg ( B 1 ) y 1 ∩ Alg ( B 2 ∪ Y 2 ) y 1 ; ˜ x 2 ∈ Alg ( X 2 ) ∩ Alg ( A 2 ) x 2 ∩ Alg ( A 1 ∪ X 1 ) x 2 . y 1 − 1 · x − 1 x 2 − 1 · ˜ y 1 · y − 1 x 2 · x − 1 2 a 2 · y − 1 ax 1 · b 1 y 1 · ˜ 1 a 1 x 2 · ˜ 1 b 2 y 2 · ˜ 2 b Gives (intricate proof) ab 1 a 1 b 2 a 2 b = K ! (Alternatively, could check empirically.)

  29. Final comments

  30. Final comments Method also applies to: Nonabelian Diffie–Hellman (Ko–Lee–Cheon–Han–Kang–Park 2000), Centralizer KE (Shpilrain–Ushakov 2006), and some more.

  31. Final comments Method also applies to: Nonabelian Diffie–Hellman (Ko–Lee–Cheon–Han–Kang–Park 2000), Centralizer KE (Shpilrain–Ushakov 2006), and some more. Not the end of nonabelian cryptography: 1. Additional nonabelian proposals (Dehornoy et al., Kalka, . . . ). 2. Additional problems (CSP, Multiple CSP,. . . ) to build upon. 3. Groups with no small-dim representations. 4. The application of this method keeps getting harder as new systems emerge (cf. recent cryptanalysis of Algebraic Eraser).

  32. Final comments Method also applies to: Nonabelian Diffie–Hellman (Ko–Lee–Cheon–Han–Kang–Park 2000), Centralizer KE (Shpilrain–Ushakov 2006), and some more. Not the end of nonabelian cryptography: 1. Additional nonabelian proposals (Dehornoy et al., Kalka, . . . ). 2. Additional problems (CSP, Multiple CSP,. . . ) to build upon. 3. Groups with no small-dim representations. 4. The application of this method keeps getting harder as new systems emerge (cf. recent cryptanalysis of Algebraic Eraser). THANK YOU!

Recommend

Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential cryptanalysis Linear cryptanalysis Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and Linear Cryptanalysis Differential cryptanalysis Linear cryptanalysis Iterated block ciphers (DES,

914 views • 53 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

661 views • 30 slides
THIN SHELL STRUCTURES ARCH 2430 Professor Aptekar Farhana Rahman Jonathan Ramirez Michael

THIN SHELL STRUCTURES ARCH 2430 Professor Aptekar Farhana Rahman Jonathan Ramirez Michael

THIN SHELL STRUCTURES ARCH 2430 Professor Aptekar Farhana Rahman Jonathan Ramirez Michael DiCarlo Renee Fayzimatova Thin Shell Structure System spans and effective spans System spans and effective spans Span is the distance between

856 views • 41 slides
Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May, 2017 0/35 Cryptanalysis of Affine Cipher Outline Cryptanalysis of Affine Cipher 1 Hypothesis Testing 2 Linear Cryptanalysis 3 0/35

1.53k views • 110 slides
Cryptanalysis techniques in algebraic codebased cryptography Alain Couvreur 1,2 1 INRIA 2 LIX,

Cryptanalysis techniques in algebraic codebased cryptography Alain Couvreur 1,2 1 INRIA 2 LIX,

Cryptanalysis techniques in algebraic codebased cryptography Alain Couvreur 1,2 1 INRIA 2 LIX, cole polytechnique Nutmic 2019 A. Couvreur Cryptanalysis in codebased crypto Nutmic 2019 1 / 80 History of codebased cryptography 1

1.48k views • 116 slides
Improved Cryptanalysis of HFEv- via Projection Jintai Ding, Ray Perlner, Albrecht Petzoldt, Daniel

Improved Cryptanalysis of HFEv- via Projection Jintai Ding, Ray Perlner, Albrecht Petzoldt, Daniel

Improved Cryptanalysis of HFEv- via Projection Jintai Ding, Ray Perlner, Albrecht Petzoldt, Daniel Smith-Tone PQ Crypto 2018 Fort Lauderdale, Florida 04/10/2018 A. Petzoldt Cryptanalysis of HFEv- via Projection PQ Crypto 2018 1 / 25 Outline

910 views • 25 slides
1 BACKGROUND & THEMES ALL TEAMS 1 WHAT WE LEARNED SUMMARY OF SPANS AND LAYERS ANALYSIS A

1 BACKGROUND & THEMES ALL TEAMS 1 WHAT WE LEARNED SUMMARY OF SPANS AND LAYERS ANALYSIS A

1 BACKGROUND & THEMES ALL TEAMS 1 WHAT WE LEARNED SUMMARY OF SPANS AND LAYERS ANALYSIS A Spider Chart is a visualization tool that facilitates the spans and layers assessment. The dot in the center is the head of the organization, and the

574 views • 19 slides
Towards a Characterization of the Double Category of Spans Evangelia Aleiferi Dalhousie

Towards a Characterization of the Double Category of Spans Evangelia Aleiferi Dalhousie

Motivation Cartesian double categories Eilenberg-Moore Objects Towards the characterization of spans Further Questions Towards a Characterization of the Double Category of Spans Evangelia Aleiferi Dalhousie University Category Theory 2017

719 views • 51 slides
Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference of the corresponding two outputs. - the difference M Z of two strings of bits Z and Z

560 views • 10 slides
The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas Peyrin Orange Labs and Ingenico FSE 2010 - Seoul - Korea

1.38k views • 19 slides
Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . .

Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . .

Description of LAC Differentials and Characteristics Forgery attack Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . . Gatan Leurent Inria, France DIAC 2014 2 / 9 Description of LAC DIAC

1.05k views • 36 slides
Cryptanalysis of RadioGatn Thomas Fuhr 1 Thomas Peyrin 2 1 Direction Centrale de la Scurit

Cryptanalysis of RadioGatn Thomas Fuhr 1 Thomas Peyrin 2 1 Direction Centrale de la Scurit

Cryptanalysis of RadioGatn Cryptanalysis of RadioGatn Thomas Fuhr 1 Thomas Peyrin 2 1 Direction Centrale de la Scurit des Systmes dInformation 2 Ingenico FSE 2009 - February 22-25 - Leuven Thomas Fuhr , Thomas Peyrin Cryptanalysis

569 views • 28 slides
Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU Leuven, and imec, Belgium FSE, March 2017 1 Table of Contents ARX & Rotational Cryptanalysis Rotational cryptanalysis with constants Experiment

1.12k views • 72 slides
Correlation of Quadratic Boolean Functions: Cryptanalysis of All Versions of Full MORUS Siwei Sun

Correlation of Quadratic Boolean Functions: Cryptanalysis of All Versions of Full MORUS Siwei Sun

Correlation and Linear Cryptanalysis Correlation of Quadratic Boolean Functions Cryptanalysis of MORUS Conclusion and Discussion Correlation of Quadratic Boolean Functions: Cryptanalysis of All Versions of Full MORUS Siwei Sun Joint work

659 views • 54 slides
A. Operations with algebraic Algebra practice part 1 expressions 3 4 A. Operations with

A. Operations with algebraic Algebra practice part 1 expressions 3 4 A. Operations with

1 2 A. Operations with algebraic Algebra practice part 1 expressions 3 4 A. Operations with algebraic expressions A. Operations with algebraic expressions What is an algebraic expression? What is an algebraic expression? Example: An

462 views • 5 slides
Preparing for the Impact of the Alaska False Claims Act Alaska State Hospital and Nursing Home

Preparing for the Impact of the Alaska False Claims Act Alaska State Hospital and Nursing Home

Preparing for the Impact of the Alaska False Claims Act Alaska State Hospital and Nursing Home Association Webinar Presented by Stephen D. Rose| 425.278.9337 | srose@hallrender.com Barbra Z. Nault | 907.258.2587 | bnault@hallrender.com Overview

655 views • 28 slides
Lecture 4.3: The fundamental homomorphism theorem Matthew Macauley Department of Mathematical

Lecture 4.3: The fundamental homomorphism theorem Matthew Macauley Department of Mathematical

Lecture 4.3: The fundamental homomorphism theorem Matthew Macauley Department of Mathematical Sciences Clemson University http://www.math.clemson.edu/~macaule/ Math 4120, Modern Algebra M. Macauley (Clemson) Lecture 4.3: The fundamental

460 views • 10 slides
Imaginary Quadratic Fields With Isomorphic Abelian Galois Groups A. Angelakis , P.

Imaginary Quadratic Fields With Isomorphic Abelian Galois Groups A. Angelakis , P.

Intro Describing the Inertial part Splitting the Sequence Down to Gaia The End Imaginary Quadratic Fields With Isomorphic Abelian Galois Groups A. Angelakis , P. Stevenhagen Universiteit Leiden , Universit e Bordeaux 1

514 views • 28 slides
Mining Potential and Mineral Access in the Bering Strait Region Matt Ganley VP Resources and

Mining Potential and Mineral Access in the Bering Strait Region Matt Ganley VP Resources and

Mining Potential and Mineral Access in the Bering Strait Region Matt Ganley VP Resources and External Affairs Bering Straits Native Corporation Native Corporation Lands in the Bering Strait Region Development on Alaska Native Corporation

347 views • 15 slides
Solving Random Quadratic Systems of Equations Is Nearly as Easy as Solving Linear Systems Yuxin

Solving Random Quadratic Systems of Equations Is Nearly as Easy as Solving Linear Systems Yuxin

Solving Random Quadratic Systems of Equations Is Nearly as Easy as Solving Linear Systems Yuxin Chen (Princeton) Emmanuel Cand` es (Stanford) Y. Chen, E. J. Cand` es, Communications on Pure and Applied Mathematics vol. 70, no. 5, pp. 822-883,

785 views • 62 slides
Human-level control through deep reinforcement learning Volodymyr Mnih, Koray Kavukcuoglu, David

Human-level control through deep reinforcement learning Volodymyr Mnih, Koray Kavukcuoglu, David

Human-level control through deep reinforcement learning Volodymyr Mnih, Koray Kavukcuoglu, David Silver, Andrei A. Rusu, Joel Veness, Marc G. Bellemare, Alex Graves, Martin Riedmiller, Andreas K. Fidjeland, Georg Ostrovski, Stig Petersen, Charles

516 views • 39 slides
Even delta-matroids and the complexity of planar Boolean CSPs Alexandr Kazda, Vladimir

Even delta-matroids and the complexity of planar Boolean CSPs Alexandr Kazda, Vladimir

Even delta-matroids and the complexity of planar Boolean CSPs Alexandr Kazda, Vladimir Kolmogorov, Michal Rol nek A K, V K, M R (IST Austria) Edge CSP for even -matroids 1 / 12 History Our world: CSP( { 0 , 1 } , ) where contains

670 views • 54 slides
Mixed effect model for the spatiotemporal analysis of longitudinal manifold valued data

Mixed effect model for the spatiotemporal analysis of longitudinal manifold valued data

Mixed effect model for the spatiotemporal analysis of longitudinal manifold valued data Stphanie Allassonnire with J.B. Schiratti, J. Chevallier, I. Koval, V. Debavalaere and S. Durrleman Universit Paris Descartes & Ecole

838 views • 37 slides

More recommend

Explore More Topics

Stay informed with curated content and fresh updates.

animals pets art culture automotive transportation business finance computer internet construction architecture education-career electronics communication

Logo Sambuz

Unleash a World of Digital Possibilities—Browse, Share, and Explore Content Without Boundaries

Useful Links

About Us Privacy Services FAQ's Contact

Newsletter

Stay Informed & Inspired—Subscribe for the Latest Updates, Tips, and Exclusive Content Directly to Your Inbox.

Mail Us

mail@sambuz.com

2026 SAMBUZ, All right reserved.