Key-Recovery Attacks on ASASA

The $$\mathsf{ASASA}$$ construction is a new design scheme introduced at Asiacrypt 2014 by Biryukov, Bouillaguet and Khovratovich. Its versatility was illustrated by building two public-key encryption schemes, a secret-key scheme, as well as super S-box subcomponents of a white-box scheme. However, one of the two public-key cryptosystems was recently broken at Crypto 2015 by Gilbert, Plut and Treger. As our main contribution, we propose a new algebraic key-recovery attack able to break at once the secret-key scheme as well as the remaining public-key scheme, in time complexity $$2^{63}$$ and $$2^{39}$$ respectively; the security parameter is 128 bits in both cases. Furthermore, we present a second attack of independent interest on the same public-key scheme, which heuristically reduces its security to solving an $$\mathsf{LPN}$$ instance with tractable parameters. This allows key recovery in time complexity $$2^{56}$$. Finally, as a side result, we outline a very efficient heuristic attack on the white-box scheme, which breaks an instance claiming 64 bits of security in under one minute on a single desktop computer.
