Topics in Cryptology - CT-RSA 2022 Cryptographers' Track at the RSA Conference 2022, Virtual Event, March 1-2, 2022, Proceedings

This book constitutes the refereed proceedings of the Cryptographer's Track at the RSA Conference 2022, CT-RSA 2022, held in San Francisco, CA, USA, in February 2022. The 24 full papers presented in this volume were carefully reviewed and selected from 87 submissions. CT-RSA is the track devoted...


Bibliographic Details
Main Author: Galbraith, Steven D
Format: eBook
Language: English
Published: Netherlands, Springer Nature, 2022
Publisher: Springer International Publishing AG
Publisher: Springer International Publishing
Edition: 1
Series: Lecture Notes in Computer Science
ISBN: 9783030953126
ISBN: 3030953122
ISBN: 9783030953119
ISBN: 3030953114


Table of Contents:
  • Intro -- Preface -- Organization -- Contents
  • Multicast Key Agreement, Revisited -- 1 Introduction -- 1.1 Contributions -- 2 Preliminaries -- 3 Multicast Key Agreement -- 3.1 MKA Syntax -- 3.2 MKA Efficiency Measures -- 3.3 MKA Security -- 4 MKA Construction -- 4.1 MKA Trees -- 4.2 GUS MKA Protocol -- 4.3 Security of GUS MKA Protocol -- 4.4 Comparison of Trees in GUS -- 5 Adding Security for Group Manager Corruptions -- 5.1 Group Manager State Separation and Efficiency Measures -- 5.2 MKA Security with Group Manager FS and Eventual PCS -- References
  • A Pairing-Free Signature Scheme from Correlation Intractable Hash Function and Strong Diffie-Hellman Assumption -- 1 Introduction -- 2 Definitions -- 2.1 Signature Schemes -- 2.2 Intractability Assumptions -- 3 Prior Art -- 3.1 The EDL Family of Signatures -- 3.2 Boneh-Boyen Signatures -- 3.3 Existing Pairing-Free Discrete-Log Signature Schemes in the Standard Model -- 3.4 OR-Based Signature Schemes -- 4 Our Signature Scheme -- 4.1 Intuition of the Design -- 4.2 Description -- 4.3 Introducing Discrete-Log Collisions -- 4.4 Security Proof -- 5 Conclusion -- References
  • Faster Isogenies for Post-quantum Cryptography: SIKE -- 1 Introduction -- 2 Preliminaries: Isogenies on Elliptic Curves -- 2.1 Isogeny-Based Cryptography -- 2.2 Supersingular Isogeny Key Encapsulation -- 3 Proposed Method for Large-Degree Isogenies of Odd Power Degree -- 3.1 Large-Degree Isogenies -- 3.2 Large-Degree Isogenies of an Odd Power -- 4 Proposed Explicit Formulas for Large-Degree Isogenies -- 4.1 Proposed Efficient Algorithm for Large-Degree Isogenies with a Remainder -- 4.2 Proposed Faster 2-Isogeny Formulas for Large-Degree Isogenies -- 5 Benchmarking and Evaluation -- 6 Conclusion -- References
  • Fully Projective Radical Isogenies in Constant-Time -- 1 Introduction -- 2 Preliminaries -- 2.1 CSIDH and Its Surface -- 2.2 The Group Action of CSIDH and CSURF -- 2.3 The Tate Normal Form -- 2.4 Radical Isogenies -- 3 Fully Projective Radical Isogenies -- 3.1 Efficient Radicals for Projective Coordinates -- 3.2 Explicit Projective Formulas for Low Degrees -- 3.3 Cost of Projective Radical Isogenies per Degree -- 4 Cost Analysis of Constant-Time Radical Isogenies -- 4.1 Analysis of Effectiveness of Radical Isogenies -- 4.2 Further Discussion -- 5 A Hybrid Strategy for Radical Isogenies -- 5.1 A Hybrid Strategy for Integration of Radical Isogenies -- 5.2 Choosing Parameters for Hybrid Strategy -- 5.3 Algorithm for Evaluation of Hybrid Strategy -- 6 Implementation and Performance Benchmark -- 6.1 Performance Benchmark of Radical Isogenies -- 6.2 Performance of Radical Isogenies Using the Hybrid Strategy -- 7 Concluding Remarks and Future Research -- References
  • Private Liquidity Matching Using MPC -- 1 Introduction -- 2 Preliminaries -- 2.1 The Gridlock Resolution Problem -- 2.2 Multiparty Computation (MPC) -- 3 The Gridlock Resolution Algorithm with MPC -- 3.1 Leakage -- 3.2 Experiments -- 4 Simulating an RTGS -- References
  • Approximate Homomorphic Encryption with Reduced Approximation Error -- 1 Introduction -- 2 Preliminaries -- 3 Reducing the Approximation Error in the CKKS Scheme -- 3.1 Approximation Errors in the CKKS Scheme -- 3.2 Eliminating LWE and Encoding Approximation Errors -- 3.3 Theoretical Estimates of Error Reduction -- 4 Reducing the Approximation Error in the RNS Instantiation of CKKS -- 4.1 Eliminating the Scaling Factor Approximation Error in RNS CKKS -- 4.2 Applying the Reduced-Error CKKS Modifications -- 5 Implementation Details and Results -- 5.1 Setting the Parameters -- 5.2 Software Implementation and Experimental Setup -- 5.3 Experimental Results -- 6 Concluding Remarks -- References
  • Attacks on Pseudo Random Number Generators Hiding a Linear Structure -- 1 Introduction -- 2 Coppersmith Method -- 3 Attacks on the Linear Congruential Generator -- 3.1 Attacks via a Coppersmith Method -- 3.2 Attack 3: With Stern's Algorithm -- 4 Attacks Against the Fast Knapsack Generator -- 4.1 Attack via Coppersmith Method with Consecutive Outputs -- 4.2 Attack via Coppersmith Method Without Consecutive Outputs -- 4.3 Attack via Stern's Attack on the LCG -- 4.4 Summary of Our Results -- 5 Combined Multiple Recursive Generators (CMRG) -- 5.1 Attack on the MRG32 -- 5.2 The MRG32k3a by L'Écuyer -- A Bernoulli Trials -- B Improvement of Coppersmith? -- B.1 Consecutive Outputs -- B.2 Not Consecutive Outputs -- References
  • Lattice-Based Fault Attacks on Deterministic Signature Schemes of ECDSA and EdDSA -- 1 Introduction -- 2 Preliminaries -- 2.1 Notations -- 2.2 The Deterministic Signature Algorithms -- 2.3 Problems in Some Lattice -- 3 Adversarial Model -- 3.1 Fault Injection Model -- 3.2 Key Recovery by Solving Problems in Some Lattice -- 4 Concrete Lattice-Based Fault Attacks on Deterministic ECDSA and EdDSA Algorithms -- 4.1 Fault Attacks with Target r During the Calculation of s -- 4.2 Fault Attacks with Target k Before the Calculation of kG -- 4.3 Fault Attacks with the Targets During the Calculation of k -- 5 Experiment and Complexity Discussion -- 6 Countermeasures -- 7 Conclusion -- A Appendix -- A.1 Fault Attacks with Target k During the Calculation of s to Deterministic ECDSA -- A.2 Fault Attacks with Target k^{-1} mod n During the Calculation of s to Deterministic ECDSA -- A.3 Fault Attacks with Target d During the Calculation of s to Deterministic ECDSA -- A.4 Fault Attacks with Targets e, rd and e+rd During the Calculation of s to Deterministic ECDSA -- A.5 Fault Attacks with Targets During the Calculation of e to Deterministic ECDSA -- A.6 Fault Attacks with Targets During the Calculation of r to EdDSA -- References
  • More Accurate Geometric Analysis on the Impact of Successful Decryptions for IND-CCA Secure Ring/Mod-LWE/LWR Based Schemes -- 1 Introduction -- 2 Preliminaries -- 2.1 (R/M-)LWE/LWR-Based Public-Key Encryption Scheme -- 2.2 Spherical Cap -- 3 Compression Errors -- 4 The Information Inferred by Successful Decryptions -- 4.1 The Relationship Between Successful Decryptions and Caps -- 4.2 The Range of the Proportion of Excluded Key Candidates -- 5 The Overlaps Among Queries and the Effect of Successful Decryptions on the Failure Probability -- 5.1 The Overlap Between Two Spherical Caps -- 5.2 The Overlaps Among Queries -- 5.3 The Decryption Failure Probability -- 6 (R/M-)LWE-Based Public-Key Encryption Schemes -- 6.1 Saber -- A The Proof of Theorem 1 -- B The Proof of Proposition 2 -- C The Proof of Theorem 2 -- D Some Results about the Overlaps among Different Caps of the Same Query -- E (R/M-)LWE-Based Public-Key Encryption Schemes -- E.1 Kyber -- E.2 Newhope -- E.3 Frodo -- References
  • Integral Attacks on Pyjamask-96 and Round-Reduced Pyjamask-128 -- 1 Introduction -- 2 Preliminaries -- 2.1 Pyjamask Block Cipher Family -- 2.2 Notations -- 2.3 Monomial Prediction -- 2.4 MILP Modeling for the Monomial Prediction -- 3 Automatic Search Model for Pyjamask and Integral Distinguishers -- 3.1 MILP Model for Pyjamask-96 and Pyjamask-128 -- 3.2 Integral Distinguishers of Pyjamask-96 and Pyjamask-128 -- 4 Key Recovery Attack on Pyjamask-96 -- 4.1 Attack on 13-Round Pyjamask-96 -- 4.2 Attack on Full-Round Pyjamask-96 -- 5 Integral Attacks on Round-Reduced Pyjamask-128 -- 6 Conclusion -- References
  • Related-Tweakey Impossible Differential Attack on Reduced-Round SKINNY-AEAD M1/M3 -- 1 Introduction -- 2 Preliminaries -- 2.1 Description of SKINNY-AEAD M1/M3 -- 2.2 Specification of the Underlying Primitive of SKINNY-AEAD M1/M3 -- 2.3 Properties of SKINNY -- 2.4 Notations -- 3 Related-Tweakey Impossible Differential Distinguisher -- 3.1 Constraints of Searching for Distinguishers in SKINNY-AEAD M1/M3 -- 3.2 Searching for Related-Tweakey Impossible Differential Distinguisher with STP -- 3.3 14-Round Related-Tweakey Impossible Differential Distinguishers -- 4 Tweakey Recovery Attack on 20-Round SKINNY-AEAD M1/M3 -- 5 Tweakey Recovery Attack on 18-Round SKINNY-AEAD M1/M3 -- 6 Conclusion -- A 18-Round Related-Tweakey Impossible Differential Attack for SKINNY-AEAD M1/M3 -- References
  • Side-Channeling the Kalyna Key Expansion -- 1 Introduction -- 1.1 Our Contribution -- 1.2 Paper Outline -- 2 Background -- 2.1 Kalyna -- 2.2 Cache Attacks -- 2.3 Related Work -- 3 Cryptanalysis Overview -- 4 Attacking Kalyna-128/128 -- 4.1 Recover Even Bytes of A0 -- 4.2 Recovering Odd Bytes of A0 -- 4.3 Recovering K -- 4.4 Recovering K -- 5 Attacks on Other Kalyna Variants -- 5.1 Relationship of Ki -- 5.2 Large Constant Ci -- 5.3 Aligning Columns -- 6 The Practical Attack -- 6.1 Instantiating the Oracle -- 6.2 Recovering the First Round Key -- 6.3 Recover the Master Key K of Kalyna-128/128 -- References
  • Fake It Till You Make It: Data Augmentation Using Generative Adversarial Networks for All the Crypto You Need on Small Devices -- 1 Introduction -- 2 Preliminaries -- 2.1 Profiled Side-Channel Attacks -- 2.2 Generative Adversarial Networks (GANs) -- 2.3 Conditional Generative Adversarial Networks (cGANs) -- 2.4 Data Augmentation -- 2.5 Deep Learning Algorithms -- 2.6 Siamese Neural Network -- 2.7 Cryptographic Algorithms Under Evaluation -- 3 Related Works -- 4 Proposed Approach -- 4.1 Data Splitting -- 4.2 Siamese-cGAN Model for Data Augmentation -- 4.3 cGAN Models for Discriminator and Generator