Post-Quantum Cryptography
8th International Workshop, PQCrypto 2017, Utrecht, The Netherlands, June 26-28, 2017, Proceedings
Published on 14. June 2017
XII, 427 pages
978-3-319-59879-6 (ISBN)
Description
This book constitutes the refereed proceedings of the 8th International Workshop on Post-Quantum Cryptography, PQCrypto 2017, held in Utrecht, The Netherlands, in June 2017.
The 23 revised full papers presented were carefully reviewed and selected from 67 submissions. The papers are organized in topical sections on code-based cryptography, isogeny-based cryptography, lattice-based cryptography, multivariate cryptography, quantum algorithms, and security models.
The 23 revised full papers presented were carefully reviewed and selected from 67 submissions. The papers are organized in topical sections on code-based cryptography, isogeny-based cryptography, lattice-based cryptography, multivariate cryptography, quantum algorithms, and security models.
More details
Series
Edition
1st ed. 2017
Language
English
Place of publication
Cham
Switzerland
Publishing group
Springer International Publishing
Product notice
Reflowable
Illustrations
XII, 427 p. 34 illus.
File size
9,92 MB
ISBN-13
978-3-319-59879-6 (9783319598796)
DOI
10.1007/978-3-319-59879-6
Schweitzer Classification
Other editions
Additional editions
Tanja Lange | Tsuyoshi Takagi
Post-Quantum Cryptography
8th International Workshop, PQCrypto 2017, Utrecht, The Netherlands, June 26-28, 2017, Proceedings
Book
06/2017
Springer
€53.49
Shipment within 10-15 days
Content
- Intro
- Preface
- PQCrypto 2017 The 8th International Conference on Post-Quantum Cryptography
- Contents
- Code-Based Cryptography
- A New Rank Metric Codes Based Encryption Scheme
- 1 Introduction
- 2 Rank Metric Decoding Problems
- 2.1 Rank Metric
- 2.2 Decoding Problems
- 2.3 Hamming Metric vs Rank Metric
- 2.4 Post-quantum Security
- 3 Rank Metric Based Cryptography
- 3.1 Algebraic Decoding Based Cryptosystems
- 3.2 Probabilistic Decoding Based Cryptosystems
- 4 The New Cryptosystem
- 4.1 Design of the Encryption Scheme
- 4.2 Security Arguments
- 4.3 Choice of Parameters
- 5 Conclusion
- References
- Ouroboros: A Simple, Secure and Efficient Key Exchange Protocol Based on Coding Theory
- 1 Introduction
- 2 Background
- 2.1 Coding Theory and Syndrome Decoding Problems
- 2.2 HQC Scheme
- 3 The Ouroboros Protocol
- 3.1 Decoding Cyclic Errors
- 3.2 Description of the Ouroboros Protocol
- 3.3 Comparison with HQC and Alekhnovich
- 4 Security of the Protocol
- 5 Parameter Sets
- 5.1 Parameters
- 5.2 Optimized Parameters
- 6 Conclusion
- References
- CCA2 Key-Privacy for Code-Based Encryption in the Standard Model
- 1 Introduction
- 2 Preliminaries
- 3 k-Repetition Paradigm
- 4 Key-Privacy of the k-Repetition Paradigm
- 5 IK-CPA/CCA2 Code-Based Encryption
- 6 Another Instantiation: McEliece
- References
- A Reaction Attack on the QC-LDPC McEliece Cryptosystem
- 1 Introduction
- 2 Preliminaries
- 2.1 The QC-LDPC McEliece Cryptosystem
- 2.2 The QC-MDPC McEliece Cryptosystem
- 2.3 Previous Attack on the QC-MDPC McEliece Cryptosystem
- 3 The Attack
- 3.1 Learning Distances in the Matrix H - Intuition
- 3.2 Learning Distances in the Matrix Q - Intuition
- 3.3 Learning Distances - Experiments
- 3.4 Distance Spectrum Reconstruction Problem
- 3.5 Reconstructing the Matrix H
- 3.6 Reconstructing the Matrix Q
- 3.7 Learning to Decrypt
- 4 Conclusion
- References
- Quantum Information Set Decoding Algorithms
- 1 Introduction
- 2 Quantum Search Algorithms
- 2.1 Grover Search
- 2.2 Quantum Walk
- 3 Generalities on Classical and Quantum Decoding
- 3.1 Prange's Algorithm and Bernstein's Algorithm
- 3.2 Generalised ISD Algorithms
- 4 Solving the Generalised 4-Sum Problem with Quantum Walks and Grover Search
- 4.1 The Shamir-Schroeppel Idea
- 4.2 A Quantum Version of the Shamir-Schroeppel Algorithm
- 4.3 Application to the Decoding Problem
- 5 Improvements Obtained by the Representation Technique and ``1+1=0''
- 6 Computing the Complexity Exponents
- 7 Concluding Remarks
- References
- Isogeny-Based Cryptography
- Loop-Abort Faults on Supersingular Isogeny Cryptosystems
- 1 Introduction
- 2 Cryptosystems from Supersingular Isogenies
- 2.1 Elliptic Curves and Isogenies
- 2.2 Elliptic Curves for Supersingular Isogeny Schemes
- 2.3 Computing Smooth Degree Isogenies
- 2.4 Jao--De Feo Protocols
- 2.5 Validation Methods Against Active Attacks
- 3 Fault Injection Attacks
- 3.1 Tampering with Bits and Bytes
- 3.2 Implementing Loop-Aborts
- 4 The Loop-Abort Fault Attack
- 4.1 Attack Framework
- 4.2 The Attack
- 4.3 Analysis of the Attack
- 4.4 Alternative with Less Faults but Stronger Oracle
- 5 Countermeasures and Conclusion
- References
- A When P and Q Are Not a Basis of the Torsion
- Fault Attack on Supersingular Isogeny Cryptosystems
- 1 Introduction
- 2 Preliminaries
- 2.1 Mathematical Background
- 2.2 Supersingular Isogeny Cryptosystem
- 2.3 The Kirkwood et al. Validation Method
- 3 Fault Attack
- 3.1 Recovery of Isogeny from Image of Random Point
- 3.2 Fault Models
- 3.3 Countermeasures
- 4 Analysis of Attack
- 4.1 Feasibility of Attack Models
- References
- A Signature Schemes in Detail
- A.1 Digital Signature Scheme
- A.2 Undeniable Signature Scheme
- Lattice-Based Cryptography
- Fast Lattice-Based Encryption: Stretching SPRING ????? ? ?????? ??
- 1 Introduction
- 1.1 Related Work
- 1.2 Our Contributions
- 2 The SPRING Family of PRFs and PRGs
- 2.1 SPRING-RS: Rounding with Rejection-Sampling
- 3 Security Analysis
- 3.1 Birthday-Type Attack on SPRING
- 3.2 Lattice Attack
- 3.3 Partially Known Secret Key
- 3.4 Side-Channel Leaks
- 4 Implementation Details
- 5 Conclusion
- References
- Revisiting TESLA in the Quantum Random Oracle Model
- 1 Introduction
- 1.1 Background
- 1.2 Our Contribution
- 1.3 Related Work
- 2 Preliminaries
- 2.1 Notation
- 2.2 The Learning with Errors Problem
- 3 The Signature Scheme TESLA
- 4 Security Reduction for TESLA
- 4.1 Yes-Instances of LWE
- 4.2 No-Instances of LWE
- 5 Selecting Parameters for TESLA
- 5.1 Derivation of System Parameters
- 5.2 Concrete Bit Security of TESLA
- 5.3 Convenient Parameters
- 6 Results and Comparison
- References
- Cryptanalysis of RLWE-Based One-Pass Authenticated Key Exchange
- 1 Introduction
- 2 Preliminaries
- 3 The CRT Basis in the Ring-LWE Setting
- 3.1 The Ring-LWE Problem
- 3.2 The CRT Basis for and Its Properties
- 4 How to Attack 1: A Warm-Up
- 4.1 The One-Pass AKE Scheme 1
- 4.2 Definition of the Oracle M0
- 4.3 The Oracle M1 and Its Associated Attacker A1
- 5 Making Small Field Attack ``Undetectable''
- 5.1 The Improved Attacker A1' Against M1
- 5.2 The ``Undetectable'' Attacker ( V/A1' ) Against M1
- 6 The Small Field Attack Against 1
- References
- A Lemma8 and Its Proof
- B Construction of V
- A Hybrid Lattice Basis Reduction and Quantum Search Attack on LWE
- 1 Introduction
- 1.1 Structure of the Paper
- 2 Preliminaries
- 3 The Classical Hybrid Attack
- 4 The Quantum Hybrid Attack
- 4.1 Amplitude Amplification
- 4.2 The Attack
- 5 Analysis
- 5.1 Success Probability and Number of Function Applications
- 5.2 Total Runtime of the Quantum Hybrid Attack
- 6 Results
- 6.1 New Hope and Frodo
- 6.2 Lindner-Peikert
- 6.3 R-BinLWEenc
- References
- A About the constant in Theorem1
- B Hardness Tables for Lindner/Peikert LWE
- Multivariate Cryptography
- HMFEv - An Efficient Multivariate Signature Scheme
- 1 Introduction
- 2 Multivariate Cryptography
- 3 The MultiHFE Scheme
- 3.1 Efficiency
- 3.2 The Rank Attack Against HFE and MultiHFE
- 4 The New Signature Scheme HMFEv
- 5 Security
- 5.1 Direct and Rank Attacks
- 5.2 Quantum Attacks
- 5.3 Other Attacks and a Remark on the Minus Method
- 6 Parameter Choice
- 6.1 How to Choose the Parameter k?
- 6.2 Experiments with Direct Attacks Against HMFEv Schemes over GF(31) and GF(256)
- 6.3 Parameters
- 7 Comparison
- 8 Implementation
- 8.1 Inversion of the Central Map F
- 8.2 Arithmetic over Finite Fields
- 9 Conclusion
- References
- A Results of Our Computer Experiments with the Direct Attack Against HMFEv Systems over Small Fields
- MQ Signatures for PKI
- 1 Introduction
- 2 Preliminaries
- 3 Multivariate Quadratic Signature Schemes
- 3.1 Approximate MQ
- 4 Construction
- 4.1 Summary
- 5 Security
- 6 Discussion
- References
- A Proofs
- A.1 Proof of Theorem1
- A.2 Proof of Theorem2
- An Updated Security Analysis of PFLASH
- 1 Introduction
- 1.1 Prior Work
- 1.2 Our Contribution
- 1.3 Organization
- 2 Big Field Schemes
- 2.1 C*
- 2.2 PFLASH
- 2.3 HFE
- 3 Cryptanalyses of Big Field Schemes
- 3.1 Differential Techniques
- 3.2 Rank Techniques
- 4 Updated Differential Analysis of Projected Primitive
- 5 Extension to PFLASH
- 5.1 Differential Analysis
- 5.2 Rank Analysis
- 5.3 Security Estimates
- 6 Conclusion
- References
- Improved Attacks for Characteristic-2 Parameters of the Cubic ABC Simple Matrix Encryption Scheme
- 1 Introduction
- 2 The Cubic ABC Matrix Encryption Scheme
- 3 The Structure of the Cubic ABC Scheme
- 3.1 Column Band Spaces
- 4 A Variant of MinRank Exploiting the Column Band Space Structure
- 5 Application to the Quadratic ABC Scheme
- 6 Completing the Key Recovery
- 7 Comparison with Minors Methods
- 8 Experiments
- 9 Conclusion
- References
- Key Recovery Attack for All Parameters of HFE-
- 1 Introduction
- 1.1 Recent History
- 1.2 Previous Analysis
- 1.3 Our Contribution
- 1.4 Organization
- 2 HFE Variants
- 3 Q-Rank
- 4 Previous Cryptanalysis of HFE
- 5 Key Recovery for HFE-
- 5.1 Reduction of HFE- to HFE
- 5.2 Key Recovery
- 6 Complexity of Attack
- 7 Experimental Results
- 8 Conclusion
- References
- A Toy Example
- A.1 Recovering a Related HFE Key
- A.2 Recovery of Equivalent HFE- Key
- Key Recovery Attack for ZHFE
- 1 Introduction
- 2 The ZHFE Encryption Scheme
- 3 Key Recovery Attack for ZHFE
- 3.1 Existence of a Low Rank Equivalent Key
- 3.2 Finding a Low Rank Core Polynomial
- 3.3 Finding Solution from a MinRank Problem
- 4 Experimental Results and Complexity
- 4.1 Comparison to Previous MinRank Analysis
- 5 Conclusion
- References
- A Appendix
- A.1 Toy Example
- A.2 Low Rank Matrix Forms
- Quantum Algorithms
- Post-quantum RSA
- 1 Introduction
- 2 Post-quantum Factorization
- 3 RSA Scalability
- 4 Concrete Parameters and Initial Implementation
- References
- A Appendix: Implementation Barriers and Details
- B Credits for Multi-prime RSA
- A Low-Resource Quantum Factoring Algorithm
- 1 Introduction
- 2 Factoring Integers with NFS
- 3 Accelerating NFS Using Quantum Search
- 4 A Quantum Relation Search
- 5 Shor's Factorization Method in Superposition
- 6 Recognizing Smooth Integers
- References
- A Number of Iterations for the Serial Construction
- Quantum Algorithms for Computing Short Discrete Logarithms and Factoring RSA Integers
- 1 Introduction
- 1.1 Recent Work
- 1.2 Our Contributions
- 1.3 Related Work
- 1.4 Overview
- 2 Notation
- 3 Computing Short Discrete Logarithms
- 3.1 The Discrete Logarithm Problem
- 3.2 Algorithm Overview
- 3.3 The Quantum Algorithm
- 3.4 Analysis of the Probability Distribution
- 3.5 The Notion of Constructive Interference
- 3.6 The Notion of a Good Pair (j, k)
- 3.7 Lower-Bounding the Number of Good Pairs (j, k)
- 3.8 Lower-Bounding the Probability of a Good Pair (j, k)
- 3.9 Computing d from a Set of s Good Pairs
- 3.10 Rationale and Analysis
- 3.11 Building a Set of s Good Pairs
- 3.12 Main Result
- 3.13 The Advantage of Our Algorithm
- 3.14 Implementation Remarks
- 3.15 Applications
- 4 Factoring RSA Integers
- 4.1 The RSA Integer Factoring Problem
- 4.2 The Factoring Algorithm
- 4.3 Generalizations
- 4.4 The Advantage of Our Algorithm
- 5 Order Finding Under Side Information
- 6 Summary and Conclusion
- A Appendix
- References
- Security Models
- XOR of PRPs in a Quantum World
- 1 Introduction
- 2 Preliminaries
- 2.1 Security Notions
- 2.2 XOR of PRPs
- 2.3 Idealized XOR of PRPs
- 2.4 Quantum Claw-Finding
- 3 Modeling Quantum Distinguishers
- 4 Quantum Key-Recovery Attack
- 4.1 Colliding Key Sets
- 4.2 Generic Attack
- 5 Quantum Security Analysis
- 6 Discussion
- References
- Transitioning to a Quantum-Resistant Public Key Infrastructure
- 1 Introduction
- 2 Signature Schemes and Unforgeability
- 2.1 Unforgeability Security Definitions
- 2.2 Separations and Implications
- 3 Separability of Hybrid Signatures
- 4 Combiners
- 4.1 C"026B30D : Concatenation
- 4.2 Cstr-nest: Strong Nesting
- 4.3 Dnest: Dual Message Combiner Using Nesting
- 5 Hybrid Signatures in Standards
- 5.1 X.509v3 Certificates
- 5.2 TLS
- 5.3 CMS and S/MIME
- 5.4 Discussion
- References
- A A Brief Review of Quantum Computation
- B Unforgeability Separations and Implications
- C Proofs for Combiners
- C.1 C"026B30D : Concatenation
- C.2 Cstr-nest: Strong Nesting
- C.3 Dnest: Dual Message Combiner Using Nesting
- ORAMs in a Quantum World
- 1 Introduction
- 2 Preliminaries
- 3 The New ORAM Model
- 3.1 Classical and Post-quantum Security
- 3.2 Comparison with
- 3.3 PathORAM
- 3.4 Post-quantum Security of PathORAM
- 4 Quantum ORAM
- 4.1 QORAM Security
- 4.2 PathQORAM
- References
- Author Index
