Scientific article on the topic 'CHOOSING PARAMETERS FOR ONE IND-CCA2 SECURE MCELIECE MODIFICATION IN THE STANDARD MODEL'


UDC 621.391.7 DOI 10.17223/2226308X/14/24

CHOOSING PARAMETERS FOR ONE IND-CCA2 SECURE McEliece MODIFICATION IN THE STANDARD MODEL

Y. V. Kosolapov, O. Y. Turchenko

The paper is devoted to choosing parameters for one IND-CCA2-secure McEliece modification in the standard model. In particular, the underlying code, plaintext length and one-time strong signature scheme are suggested. The choice of parameters for the scheme was based on efficiency, on the one hand, and security, on the other. Also, experiments for the suggested parameters are provided using the NIST statistical test suite.

Keywords: post-quantum cryptography, McEliece-type cryptosystem, IND-CCA2-security, NIST statistical test suite.

1. Introduction

The development of post-quantum cryptosystems resistant to adaptive chosen ciphertext attacks (IND-CCA2 secure cryptosystems) is currently a relevant task. In particular, NIST holds a competition for the formation of post-quantum cryptography standards [1]. One of the most successful candidates [2] is based on the idea of a random oracle. However, since a random oracle is only a theoretical function, the construction of IND-CCA2 secure post-quantum cryptosystems without random oracles (in the standard model) is also an interesting task. One way to construct such a scheme is to modify the McEliece cryptosystem [3]. For instance, in [4-6] the authors modified the McEliece cryptosystem using the correlated products method [7]. This paper is devoted to choosing practical parameters for the cryptosystem from [5].

2. Cryptosystem from [5]

Let $n, t$ be natural numbers, $[n] = \{1, \dots, n\}$, $\rho \subset [n]$, $2^{[n]}$ the set of all subsets of $[n]$, and $\mathbb{F}_2$ the Galois field of cardinality 2. The support of the vector $v = (v_1, \dots, v_n) \in \mathbb{F}_2^n$ is the set $\mathrm{supp}(v) = \{i : v_i \ne 0\}$, and the Hamming weight of this vector is the number $\mathrm{wt}(v) = |\mathrm{supp}(v)|$. If $S$ is a finite set, then $s \in_R S$ denotes picking an element of $S$ uniformly at random. Denote by $\mathcal{E}_{n,t,\rho}$ the subset of $\mathbb{F}_2^n$ such that any vector $e = (e_1, \dots, e_n) \in \mathcal{E}_{n,t,\rho}$ has Hamming weight $t$ and $e_i = 0$ for every $i \in \rho$. We write $\mathcal{E}_{n,t}$ when $\rho = \varnothing$. For a vector $v \in \mathbb{F}_2^k$ and an ordered set $\omega = \{\omega_1, \dots, \omega_l\} \subset [k]$, where $\omega_1 < \dots < \omega_l$, we consider the projection operator $\pi_\omega : \mathbb{F}_2^k \to \mathbb{F}_2^{|\omega|}$ acting by the rule $\pi_\omega(v) = (v_{\omega_1}, \dots, v_{\omega_l})$. For $\omega$, consider the subset $G(\omega)$ of the symmetric group $S_k$ acting on the elements of the set $[k]$:

$$G(\omega) = \{\pi \in S_k : \pi(1) = \omega_1, \dots, \pi(l) = \omega_l\}.$$

With every permutation $\pi$ from $G(\omega)$ we associate a permutation $(k \times k)$-matrix $R_\pi$.

Now we consider the construction from [5]. Recall that a public key cryptosystem is a triplet of algorithms $\Sigma = (K, E, D)$, where $K$ is a key generation algorithm, $E$ is an encryption algorithm and $D$ is a decryption algorithm. We write $\{m\}_{pk}$ for the encryption of the message $m$ with the key $pk$ and $\{c\}_{sk}$ for the decryption of the ciphertext $c$ with the secret key $sk$. For the McEliece cryptosystem we denote such a triplet $\Sigma$ by $\mathrm{McE}$.

In the cryptosystem $\Sigma$ [5], the key generation algorithm $K_s$ takes as input two security parameters $N, s \in \mathbb{N}$ and outputs a public key $pk$ and a secret key $sk$ of the form

$$pk = \big((pk_i^0, pk_i^1)\big)_{i=1}^{s}, \qquad sk = \big((sk_i^0, sk_i^1)\big)_{i=1}^{s},$$

where $pk_i^b, sk_i^b$ are generated by $K_{\mathrm{McE}}$, $b \in \{0,1\}$, $i \in [s]$. The encryption algorithm $E_s$ takes as input a message $m = (m_1 \| \dots \| m_s)$, where $m_i \in \mathbb{F}_2^l$, and a public key $pk$. Then $E_s$ generates two keys $dsk, vk$ of a one-time strongly unforgeable signature scheme, where $vk = (vk_1, \dots, vk_s)$, and outputs the ciphertext

$$C = c \| vk \| \sigma,$$

where $c = c_1 \| \dots \| c_s$ and $\sigma$ is a signature of the vector $c$ under the key $dsk$. Each $c_i$ has the form

$$c_i = c_i^1 \| c_i^2 = \{(m_i \| r_i) R_\pi\}^{\mathrm{McE}}_{pk_i^{vk_i}} \;\|\; \{(m_i \| r_i \oplus \mathbf{1}) R_\pi\}^{\mathrm{McE}}_{pk_i^{vk_i}}, \tag{1}$$

where $m_i \in \mathbb{F}_2^l$, $\omega \subset_R [k]$, $|\omega| = l$, $r_i \in_R \mathbb{F}_2^{k-l}$, $\pi \in_R G(\omega)$. The error vectors $e_i^1$ and $e_i^2$ generated by the McE-encryption in the left and right parts, respectively, are chosen such that $e_i^1 \in_R \mathcal{E}_{n,t}$, $e_i^2 \in_R \mathcal{E}_{n,t,\mathrm{supp}(e_i^1)}$. The decryption algorithm $D_s$ takes as input a secret key $sk$ and a ciphertext $C$, and outputs either a message $m \in \mathbb{F}_2^{ls}$ or the error symbol $\bot$. On the first step it checks the signature of the message. If the check fails, it outputs $\bot$; otherwise it computes $m = m_1 \| \dots \| m_s$, where

$$m_i = \pi_{\omega_i}\big(\{c_i^1\}_{sk_i^{vk_i}}\big), \qquad \omega_i = [k] \setminus \mathrm{supp}\big(\{c_i^1\}_{sk_i^{vk_i}} - \{c_i^2\}_{sk_i^{vk_i}}\big).$$

If $\omega_1 = \dots = \omega_s$, then it outputs $m$, else $\bot$.

Let us introduce additional notation. Denote the public key $pk_i^{vk_i}$ from (1) as the matrix $G_i$, $\mathbf{1}$ as the all-ones vector from $\{0,1\}^{k-l}$, and $\mathbf{0}$ as the all-zeroes vector from $\{0,1\}^{l}$. Then for the matrix $G_i$ and the secret permutation $(k \times k)$-matrix $R_\pi$, $\pi \in G(\omega)$, define the $(l \times n)$-matrix $G_i^1$ and the $((k-l) \times n)$-matrix $G_i^2$ such that

$$\begin{pmatrix} G_i^1 \\ G_i^2 \end{pmatrix} = R_\pi G_i.$$

Then we can write

$$c_i^1 \| c_i^2 = \{(m_i \| r_i) R_\pi G_i \oplus e_i^1\} \;\|\; \{(m_i \| r_i \oplus \mathbf{1}) R_\pi G_i \oplus e_i^2\} = \{m_i G_i^1 \oplus r_i G_i^2 \oplus e_i^1\} \;\|\; \{m_i G_i^1 \oplus (r_i \oplus \mathbf{1}) G_i^2 \oplus e_i^2\}. \tag{2}$$
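As an added illustration of the two-half ciphertext (1) and of the decryption rule (this is not the authors' C# implementation), the McEliece public key $G_i$ is replaced by the public generator of a $[7,4,3]$ Hamming code with $t = 1$, $k = 4$, $l = 2$; all function names and the toy parameters are constructed for this example.

```python
import random
K, N, L = 4, 7, 2   # toy k, n, l (constructed; the paper uses a [4096, 3604, 83]-code)
# Systematic generator of the [7,4,3] Hamming code, standing in for the McEliece key G_i.
G = [[1, 0, 0, 0, 1, 1, 0],
     [0, 1, 0, 0, 1, 0, 1],
     [0, 0, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]
# Column j of the parity-check matrix H = [P^T | I_3] = syndrome of a single error at j.
H_COLS = [(1, 1, 0), (1, 0, 1), (0, 1, 1), (1, 1, 1), (1, 0, 0), (0, 1, 0), (0, 0, 1)]

def vec_mat(x, M):
    """Vector-matrix product over F_2."""
    return [sum(x[i] & M[i][j] for i in range(len(x))) % 2 for j in range(len(M[0]))]

def decode(c):
    """Correct at most one error (t = 1) and return the k information bits."""
    s = tuple(sum(c[j] & H_COLS[j][r] for j in range(N)) % 2 for r in range(3))
    c = list(c)
    if any(s):
        c[H_COLS.index(s)] ^= 1
    return c[:K]

def perm_matrix(omega):
    """R_pi for one pi in G(omega): coordinates 1..l go to omega, the rest keep their order."""
    pi = list(omega) + [i for i in range(K) if i not in omega]
    R = [[0] * K for _ in range(K)]
    for j, p in enumerate(pi):
        R[j][p] = 1
    return R

def encrypt(m, omega, rng):
    """One block c_i^1 || c_i^2 of (1): same m, r and pi in both halves."""
    r = [rng.randrange(2) for _ in range(K - L)]
    R = perm_matrix(omega)
    c1 = vec_mat(vec_mat(m + r, R), G)                  # (m || r) R_pi G_i
    c2 = vec_mat(vec_mat(m + [b ^ 1 for b in r], R), G)  # (m || r + 1) R_pi G_i
    p1, p2 = rng.sample(range(N), 2)   # distinct positions: supp(e^2) avoids supp(e^1)
    c1[p1] ^= 1                        # add e_i^1 (weight t = 1)
    c2[p2] ^= 1                        # add e_i^2 (weight t = 1)
    return c1, c2

def decrypt(c1, c2):
    """omega_i = [k] \\ supp(d1 - d2) recovers the positions; m_i is the projection onto them."""
    d1, d2 = decode(c1), decode(c2)
    omega = [i for i in range(K) if d1[i] == d2[i]]
    if len(omega) != L:
        return None, None   # error symbol: the two halves are inconsistent
    return [d1[i] for i in omega], omega
def roundtrip(m, omega, seed):
    return decrypt(*encrypt(m, omega, random.Random(seed)))
```

The difference of the two decrypted halves is $(\mathbf{0} \| \mathbf{1}) R_\pi$, so its zero positions are exactly $\omega$, which is what the decryption rule above exploits.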

Now one can suggest security parameters.

3. Security parameters and experiments

3.1. Security parameters

Let us consider the general security parameters of the system: the underlying linear $[n, k, d]$-code $C$, the plaintext length $l$ and the one-time strong signature scheme. Since $(pk_i^b, sk_i^b) = K_{\mathrm{McE}}(N)$, $b \in \{0,1\}$, $i \in [s]$, one can use the known results on evaluating the code parameters of the original McEliece cryptosystem. In general, [8] recommends choosing cryptosystem parameters with at least 86 security bits (for the year 2021). So, according to Table 1.1 from [9], it is suggested to use a $[4096, 3604, 83]$-code with 129 security bits. Then, to prevent finding $\omega$ from $c_i^1 \oplus c_i^2 = (\mathbf{0} \| \mathbf{1}) R_\pi G_i \oplus e_i^1 \oplus e_i^2 = \mathbf{1} G_i^2 \oplus e_i^1 \oplus e_i^2$ (see (2)), we recommend choosing $l$ with the restriction $14 \le k - l \le k - 14$. In particular, if $l = 3604 - 14$, then the adversary has to enumerate $\binom{3604}{3590}$ variants (about 129 bits) to find $\omega$ from $\mathbf{1} G_i^2$.

It is proposed to use a one-time strong signature scheme that, on the one hand, is resistant to quantum attacks and, on the other hand, has a small public key size (since the number of repetitions $s$ equals the size of the verification key). In [10] the authors compared different signature schemes. So, according to Table 2 from [10], we suggest using the Stern signature as a one-time strong signature scheme with a small public key size (347 bits).

3.2. Experiments

The theoretical proof of the security of the cryptosystem under consideration is based on the randomness of the vectors $\mathbf{1} G_i^2 \oplus e_i^1 \oplus e_i^2$ and $r_i G_i^2 \oplus e_i^1$. Thus, the aim of the experiments is to find how the randomness of these vectors depends on the parameter $l$. It is important to note that in [11] the authors consider a vector similar to $r_i G_i^2 \oplus e_i^1$. Based on the time complexity of the "low weight codeword" attack, the authors suggest using a specific $l$. In our case, to implement such an attack, an adversary has to find the set $\omega$ to determine the matrix $G_i^2$. For the $l$ proposed above, the time complexity will be at least $2^{129}$.

The experiments are carried out as follows. The NIST statistical test suite [12] is used to test the randomness of vectors. The encryption algorithm of our construction is implemented in the C# language. To generate random vectors, we use a cryptographic generator from the namespace System.Security.Cryptography of C#. Since the aim of the experiments is to find the dependence of the randomness of ciphertexts on the parameter $l$, we generated several sets of random vectors from $\{0,1\}^k$ having a special weight. When we test the randomness of the vector $r_i G_i^2 \oplus e_i^1$, we generate random vectors from $\{0,1\}^k$ having weight less than or equal to $k - l$. When we test the randomness of the vector $\mathbf{1} G_i^2 \oplus e_i^1 \oplus e_i^2$, we generate random vectors from $\{0,1\}^k$ having weight exactly $k - l$. In particular, we generate 10000 vectors for each message type and parameter $l$. For the purity of the experiment, we also present the number of test passes for random vectors $v$ from $\{0,1\}^k$ of fixed weight generated by the cryptographic generator. The results of the experiments are presented in the Table. The symbol "*" means that $r_i$ has weight exactly 1 (otherwise $\mathrm{wt}(r_i) = 0$ and $r_i G_i^2 \oplus e_i^1 = e_i^1$).

Number of tests passed out of 10 000 conducted

| k − l | v, wt(v) = k − l |         | r_i G_i^2 ⊕ e_i^1, wt(r_i) ≤ k − l |         | 1 G_i^2 ⊕ e_i^1 ⊕ e_i^2 |         |
|------:|--------:|--------:|--------:|--------:|--------:|--------:|
|       | Average | Minimum | Average | Minimum | Average | Minimum |
|     1 |     714 |       0 |   9850* |   9630* |    9843 |    9610 |
|    14 |    1528 |       0 |    9852 |    9626 |    9852 |    9648 |
|    66 |    1859 |       0 |    9851 |    9636 |    9850 |    9611 |
|   112 |    2097 |       0 |    9852 |    9582 |    9860 |    9651 |
|   225 |    2103 |       0 |    9854 |    9625 |    9854 |    9650 |
|   450 |    2697 |       0 |    9851 |    9594 |    9847 |    9623 |
|   901 |    2756 |       0 |    9844 |    9606 |    9852 |    9602 |
|  1700 |    7302 |     598 |    9850 |    9601 |    9851 |    9620 |
|  1802 |    9881 |    9532 |    9849 |    9600 |    9844 |    9625 |
|  2703 |    2041 |       0 |    9848 |    9613 |    9853 |    9620 |
|  3604 |     714 |       0 |    9843 |    9576 |    9862 |    9406 |

Thus, the results obtained show that the considered ciphertexts pass a similar number of tests for all possible values of the parameter $l$.
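As an added example of the control experiment (not the authors' C# code, which runs the full NIST suite), fixed-weight random vectors of length $k = 3604$ are scored with two of the SP 800-22 tests, frequency (monobit) and runs; this reproduces qualitatively why the control column $v$, $\mathrm{wt}(v) = k - l$ of the table passes only when $k - l$ is close to $k/2$. Function names and the trial counts are constructed for this example.

```python
import math
import random

def random_fixed_weight(k, w, rng):
    """Vector from {0,1}^k with weight exactly w (the control column v of the table)."""
    v = [0] * k
    for j in rng.sample(range(k), w):
        v[j] = 1
    return v

def monobit_p(v):
    """NIST SP 800-22 frequency (monobit) test p-value."""
    s = sum(2 * b - 1 for b in v)
    return math.erfc(abs(s) / math.sqrt(2 * len(v)))

def runs_p(v):
    """NIST SP 800-22 runs test p-value; 0.0 when the frequency prerequisite fails."""
    n = len(v)
    pi = sum(v) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    runs = 1 + sum(v[i] != v[i + 1] for i in range(n - 1))
    return math.erfc(abs(runs - 2 * n * pi * (1 - pi)) / (2 * math.sqrt(2 * n) * pi * (1 - pi)))

def passes(k, w, trials, seed=0, alpha=0.01):
    """Number of weight-w vectors (out of `trials`) passing both tests at level alpha."""
    rng = random.Random(seed)
    return sum(monobit_p(v) >= alpha and runs_p(v) >= alpha
               for v in (random_fixed_weight(k, w, rng) for _ in range(trials)))
```

For weight 1802 nearly every vector passes, while for weights 14 or 3590 the frequency test alone rejects every vector, matching the shape of the control column.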

REFERENCES

1. NIST. https://csrc.nist.gov/Projects/Post-Quantum-Cryptography.

2. Classic McEliece: conservative code-based cryptography. https://classic.mceliece.org/nist/mceliece-20171129.pdf.

3. McEliece R. J. A public-key cryptosystem based on algebraic coding theory. DSN Progress Report, 1978, pp. 42-44.

4. Döttling N., Dowsley R., Quade J. M., and Nascimento A. C. A. A CCA2 secure variant of the McEliece cryptosystem. IEEE Trans. Inform. Theory, 2012, vol. 58(10), pp. 6672-6680.

5. Kosolapov Y. V. and Turchenko O. Y. Efficient S-repetition method for constructing an IND-CCA2 secure McEliece modification in the standard model. Prikladnaya Diskretnaya Matematika. Prilozhenie, 2020, vol. 13, pp. 80-84.

6. Persichetti E. On a CCA2-secure variant of McEliece in the standard model. Provable Security, 2018, vol. 11192, pp. 165-181.

7. Rosen A. and Segev G. Chosen-ciphertext security via correlated products. Proc. 6th Theory of Cryptography Conf., San Francisco, CA, USA, March 15-17, 2009, pp. 419-436.

8. Lenstra A. K. and Verheul E. R. Selecting cryptographic key sizes. J. Cryptology, 2004, vol. 14, pp. 446-465.

9. Bernstein D. J., Chou T., and Schwabe P. McBits: Fast constant-time code-based cryptography. LNCS, 2013, vol. 8086, pp. 250-272.

10. Barreto A. and Misoczki R. A New One-Time Signature Scheme from Syndrome Decoding. IACR Cryptology ePrint Archive, 2010.

11. Nojima R., Imai H., Kobara K., et al. Semantic security for the McEliece cryptosystem without random oracles. Designs, Codes, Cryptogr., 2008, vol. 49, pp. 289-305.

12. A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-22r1a.pdf.

UDC 003.26 DOI 10.17223/2226308X/14/25

AN IMPROVEMENT OF CRYPTOGRAPHIC SCHEMES BASED ON THE CONJUGACY SEARCH PROBLEM¹

V. A. Roman'kov

A key exchange protocol is a method of securely sharing cryptographic keys over a public channel. It is considered an important part of the cryptographic mechanisms that protect secure communications between two parties. The Diffie — Hellman protocol, based on the discrete logarithm problem, which is generally difficult to solve, is the most well-known key exchange protocol. One of the possible generalizations of the discrete logarithm problem to arbitrary noncommutative groups is the so-called conjugacy search problem: given two elements $g, h$ of a group $G$ and the information that $g^x = h$ for some $x \in G$, find at least one such element $x$. Here $g^x$ stands for $x^{-1} g x$. This problem is at the core of several known public key exchange protocols, most notably the one due to Anshel et al. and the other due to Ko et al. In recent years, effective algebraic cryptanalysis methods have been developed that have shown the vulnerability of protocols of this type. The main purpose of this short note is to describe a new tool to improve protocols based on the conjugacy search problem. This tool has been introduced by the author in some recent papers. It is based on a new mathematical concept of a marginal set.

Keywords: cryptography, key exchange protocol, conjugacy search problem, marginal set, algorithm.

1. Introduction

The first detailed proposal for a key exchange protocol, due to Diffie and Hellman [1], was based on the discrete logarithm problem for a finite field. This protocol is one of the earliest practical examples of public key exchange implemented within the field of cryptography. It was followed by a few alternative proposals for key exchange protocols, all based on commutative algebraic structures.

Noncommutative cryptography is the area of cryptology where the cryptographic primitives, methods, and systems are based on noncommutative algebraic structures such as semigroups, groups and rings. One of the earliest applications of a noncommutative algebraic structure for cryptographic purposes was the use of braid groups to develop the Commutator key exchange protocol by Anshel, Anshel and Goldfeld (AAG) [2] and the noncommutative key exchange protocol on braids by Ko et al. [3]. Later, several other noncommutative structures, such as nilpotent and polycyclic groups and matrix groups, have been identified as potential candidates for cryptographic applications.

¹ The research was supported by a grant from the Russian Science Foundation (project no. 19-71-10017).
