This document describes a signature scheme based on the finite field isomorphism (FFI) problem and presents an attack on it. It begins by defining notation used, including q as a prime, β as a size parameter, p as a smaller prime, Fq as a finite field, and f(x) and F(y) as irreducible polynomials. It then summarizes the signature scheme and FFI problem. The attack targets the pqFFsign signature scheme, which generates keys using a finite field isomorphism between polynomials f(x) and F(y). The attack aims to recover the secret polynomials a(x) and b(x) used to generate signatures.
3-12. Notation
We use the following notation:
q - a moderately sized prime
β - a size parameter satisfying 1 ≤ β ≤ q/2
p - a prime much smaller than q
Fq - the finite field containing q elements
B - a closeness parameter
f(x), F(y) - irreducible polynomials of degree n in Fq[X] and Fq[Y] respectively
X - the field Fq[X]/f(x)
Y - the field Fq[Y]/F(y)
φ - an isomorphism between X and Y
ψ = φ^(-1) - the inverse of φ
χβ - a distribution that produces samples whose length is bounded by less than β
13-18. Preliminaries: Part 1 - Signature Scheme
A signature scheme [2] is a system for securing data that primarily consists of the following:
A security parameter (k) - chosen by the user to create keys
A message space (M) - the set of messages to which the scheme may be applied
A key generation algorithm (G) - takes k as input and generates a pair of public and secret keys (P, S)
A signature algorithm (σ) - generates a signature σ(M, S) for a message M and a secret key S
A verification algorithm (V) - tests whether σ(M, S) is a valid signature for the message M under the public key P
20-23. Preliminaries: Part 2 - FFI
We now provide some background on the FFI problem.
Let k be a positive integer. Let X, Y, φ, χβ be as previously defined. Let c1(x), c2(x), ..., cn(x), b1(x) be samples from χβ, and let Ci(y) = φ(ci(x)) and B1 = φ(b1(x)) be the corresponding images. Also sample B2 uniformly from Y.
Computational FFI problem (CFFI): Given Y, C1(y), ..., Cn(y), recover f(x) and/or c1(x), ..., cn(x).
Decisional FFI problem (DFFI): Given Y, C1(y), ..., Cn(y), B1, B2, where one of B1, B2 is the image of a sample from χβ, identify that image with probability greater than 1/2.
We will assume henceforth that both CFFI and DFFI are computationally hard to solve.
25-27. Preliminaries: Part 3 - Some observations
Any norm used refers to the infinity norm.
A polynomial a(x) = a0 + a1 x + ... + a(n−1) x^(n−1) is said to be short if
ai mod q q ∀ i
The following observation requires some proof, but we hold it as evident for the purposes of this talk.
Observation: Fix 1 ≤ β ≤ q/2, and sample f(x), F(y) from the set of all monic irreducible polynomials of degree n mod q. Then the images in Y of polynomials in X sampled from χβ are computationally hard to distinguish from a collection of polynomials sampled uniformly at random from Y.
28-35. Our scheme of interest
As an instance to demonstrate our attack we will use the pqFFsign signature scheme due to Hoffstein et al. [3]. The algorithms used in this scheme are as follows:
KEYGEN(λ) → pk, sk, where λ is the bit security parameter. It works as follows:
Generate a set σ = {n, p, q, β, B}, each as a function of λ and with gcd(p, q) = 1.
Generate a finite field isomorphism {f, F, φ, ψ}. This is done as follows: first choose f(x) and F(y) appropriately; this can be done fast [4]. To find an appropriate isomorphism φ, find a root of f(x) in Y and lift it to a polynomial, which will be the required isomorphism [1]. The inverse map ψ is found simply by finding a root of F(y) in X; there are other, faster methods [2].
Generate short polynomials a(x), b(x) in Fq[x] with coefficients bounded by β.
Compute h(x) = (p a(x))^(−1) b(x) (mod f(x)).
37. Compute H(y) = h(φ(y)), image of h(x) in Y
Find short polynomials in X, namely c1(x), c2(x) . . . cn (x)
38. Compute H(y) = h(φ(y)), image of h(x) in Y
Find short polynomials in X, namely c1(x), c2(x) . . . cn (x)
We use an invertible matrix U ∈ GLn (Fq ) and the relation
U
c1(x)
c2(x)
...
cn (x)
≡
x
x2
...
xn
(mod q, f (x))
where all the elements are bounded by β.
39. Compute H(y) = h(φ(y)), image of h(x) in Y
Find short polynomials in X, namely c1(x), c2(x) . . . cn (x)
We use an invertible matrix U ∈ GLn (Fq ) and the relation
U
c1(x)
c2(x)
...
cn (x)
≡
x
x2
...
xn
(mod q, f (x))
where all the elements are bounded by β.
Compute the images C1(y), C2(y), . . . Cn (y) of
c1(x), c2(x), . . . cn (x) in Y
40. Compute H(y) = h(φ(y)), image of h(x) in Y
Find short polynomials in X, namely c1(x), c2(x) . . . cn (x)
We use an invertible matrix U ∈ GLn (Fq ) and the relation
U
c1(x)
c2(x)
...
cn (x)
≡
x
x2
...
xn
(mod q, f (x))
where all the elements are bounded by β.
Compute the images C1(y), C2(y), . . . Cn (y) of
c1(x), c2(x), . . . cn (x) in Y
Output the signing key sk and verication key pk as follows
pk = {σ, F(y), H(y), C1(y), C2(y), . . . Cn (y)}
sk = {σ, f (x), φ, ψ, U, a(x), b(x), c1(x), c2(x), . . . cn (x)}
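The KEYGEN steps above in miniature, as an added example (not code from the slides or from Hoffstein et al.): polynomial arithmetic in $X = \mathbb{F}_q[x]/(f(x))$, the public polynomial $h = (pa)^{-1}b$, a brute-force search for a root φ(y) of f(x) in Y, and a check that evaluating at that root really is a ring homomorphism, which is what lets the signing relation $s h \equiv t$ be carried into Y as $H(y)$ and $C_j(y)$. The parameters q = 7, n = 3, p = 3, β = 1 and the polynomials f, F, a, b are constructed toy values, chosen so that the root search is a 343-element loop; they are nowhere near secure, and the root search at real sizes needs the methods of [1] and [2].

```python
"""Toy version of the finite field isomorphism used in pqFFsign KEYGEN.

Added example, not code from the slides.  Parameters and polynomials are
constructed toy values; polynomials are F_q coefficient lists, lowest
degree first, and the zero polynomial is [].
"""
import itertools

Q, N, P = 7, 3, 3
F_X = [(-2) % Q, 0, 0, 1]  # f(x) = x^3 - 2, irreducible over F_7 (2 is not a cube mod 7)
F_Y = [(-3) % Q, 0, 0, 1]  # F(y) = y^3 - 3, irreducible over F_7 (3 is not a cube mod 7)


def trim(a):
    """Reduce coefficients mod q and drop leading zeros."""
    a = [c % Q for c in a]
    while a and a[-1] == 0:
        a.pop()
    return a


def add(a, b):
    n = max(len(a), len(b))
    return trim([(a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0) for i in range(n)])


def sub(a, b):
    return add(a, [-c for c in b])


def mul(a, b):
    if not a or not b:
        return []
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return trim(out)


def divmod_(a, b):
    """Quotient and remainder in F_q[x] (b non-zero)."""
    a, b = trim(a), trim(b)
    inv_lead = pow(b[-1], -1, Q)
    quot = [0] * max(len(a) - len(b) + 1, 0)
    while len(a) >= len(b):
        shift = len(a) - len(b)
        coef = a[-1] * inv_lead % Q
        quot[shift] = coef
        a = sub(a, [0] * shift + [coef * c for c in b])  # cancels the top term
    return trim(quot), a


def inv(a, m):
    """Inverse of a in F_q[x]/(m) by the extended Euclidean algorithm (m irreducible)."""
    r0, r1 = trim(m), divmod_(a, m)[1]
    s0, s1 = [], [1]                       # invariant: s_i * a == r_i (mod m)
    while r1:
        quo, rem = divmod_(r0, r1)
        r0, r1 = r1, rem
        s0, s1 = s1, sub(s0, mul(quo, s1))
    scale = pow(r0[0], -1, Q)              # r0 is the constant gcd; normalise it to 1
    return divmod_([c * scale for c in s0], m)[1]


def evaluate_in_Y(poly, elem):
    """poly(elem) computed in Y = F_q[y]/(F(y)) by Horner; with elem = phi(y) this is the map phi."""
    acc = []
    for c in reversed(poly):
        acc = divmod_(add(mul(acc, elem), [c]), F_Y)[1]
    return acc


def find_isomorphism():
    """Brute-force a root phi(y) of f(x) in Y; x -> phi(y) is then an isomorphism X -> Y."""
    for coeffs in itertools.product(range(Q), repeat=N):
        phi = trim(list(coeffs))
        if phi and not evaluate_in_Y(F_X, phi):
            return phi
    raise ValueError("f has no root in Y: f and F are not both irreducible of degree n")


def keygen_h(a, b):
    """h(x) = (p a(x))^{-1} b(x)  (mod q, f(x)), as on the KEYGEN slide."""
    return divmod_(mul(inv([P * c for c in a], F_X), b), F_X)[1]


def public_image(poly, phi):
    """H(y) = h(phi(y)) and C_j(y) = c_j(phi(y)): the public images of secret polynomials."""
    return evaluate_in_Y(poly, phi)


def phi_preserves_products(s, h, phi):
    """phi(s h mod f) == phi(s) phi(h) mod F: the relation s h = t in X survives in Y."""
    lhs = divmod_(mul(public_image(s, phi), public_image(h, phi)), F_Y)[1]
    rhs = public_image(divmod_(mul(s, h), F_X)[1], phi)
    return lhs == rhs
```

With these toy values the search returns φ(y) = y², since (y²)³ = (y³)² = 9 ≡ 2 (mod 7). The homomorphism check is the design point worth noticing: every polynomial identity that holds modulo f(x) holds for the public images modulo F(y), so the verifier never needs f, φ or U.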
41. Our scheme of interest
SIGN(µ, sk) → σ. This takes the message µ and the secret key sk as input and outputs the signature.
We first hash the message and public key to form a pair of n-dimensional mod p vectors
$$\mathrm{Hash}(\mu, pk) = (\delta, {}) = (\delta_1, \dots, \delta_n, {}_1, \dots, {}_n).$$
Now we generate (δ, ) as follows:
$$\delta \equiv \delta \pmod p, \qquad \|\delta\| \le \tfrac{q}{2} - B,$$
$$ {} \equiv {} \pmod p, \qquad \|{}\| \le \tfrac{q}{2} - B,$$
and with the property that the polynomials
$$s(x) = \sum_{i=1}^{n} \delta_i\, c_i(x) \quad\text{and}\quad t(x) = \sum_{i=1}^{n} {}_i\, c_i(x) \tag{0.1}$$
satisfy the relation
$$s(x)\,h(x) \equiv t(x) \pmod{q,\, f(x)}.$$
Finally output the signature pair σ = (δ, ).
45. A long short-cut
Before looking at the next algorithm of the scheme we take a detour through the construction of the signature, as this will be paramount to our attack.
We know that the signature's structure is determined by (0.1); in order to increase security the polynomials are written as follows:
$$s(x) = s_0(x) + u(x), \qquad t(x) = t_0(x) + v(x), \tag{0.2}$$
where
$$s_0(x) = \sum_{j=1}^{n} \delta^{(0)}_j\, c_j(x) \quad\text{and}\quad t_0(x) = \sum_{j=1}^{n} \eta^{(0)}_j\, c_j(x),$$
$$u(x) = \sum_{j=1}^{n} \delta^{(u)}_j\, c_j(x) \quad\text{and}\quad v(x) = \sum_{j=1}^{n} \delta^{(v)}_j\, c_j(x).$$
Now we provide an algorithm (AL1) to find the coefficients of $s_0(x)$, $t_0(x)$.
47. A long short-cut : AL1
For j = 1, …, n, choose $\delta^{(0)}_j$ randomly such that
$$|\delta^{(0)}_j| \le \tfrac{q}{2} - B, \qquad \delta^{(0)}_j \equiv \delta_j \pmod p.$$
Define $t_0(x) \equiv s_0(x)\,h(x) \pmod{q,\, f(x)}$, where $s_0(x)$ is defined as previously mentioned.
Rewrite $t_0(x) = \sum_{j=1}^{n} \eta_j\, c_j(x)$, where $-\tfrac{q}{2} \le \eta_j \le \tfrac{q}{2}$ for all j = 1, …, n.
If all $\eta_j \in (-\tfrac{q}{2} + B,\ \tfrac{q}{2} - B]$, then we are finished; else return to the previous steps and choose another set of random $\delta^{(0)}_j$'s.
It has been shown that this algorithm has a high success rate for appropriately chosen parameters [3].
51. A long short-cut
We must now construct u(x), v(x) appropriately, i.e.
$$u(x) = \sum_{j=1}^{n} \delta^{(u)}_j\, c_j(x) \quad\text{and}\quad v(x) = \sum_{j=1}^{n} \delta^{(v)}_j\, c_j(x),$$
where $\delta^{(u)}_j \equiv 0 \pmod p$ and $\delta^{(v)}_j + \eta_j \equiv {}_j \pmod p$ for all j = 1, …, n, with all coefficients bounded by B.
We will provide the method only for u(x), since this is not important to our attack and the method for v(x) is similar.
Construct a short polynomial $r(x) \in \mathbb{F}_q[x]$, and set
$$u(x) = p\, r(x)\, a(x), \qquad v(x) = r(x)\, b(x).$$
Write $r(x)\,a(x) = \sum_{i=1}^{n} d_i x^i$; note that these $d_i$'s are short. Then, since $p\, r(x)\, a(x) = \sum_{j=1}^{n} \delta^{(u)}_j\, c_j(x)$,
$$(\delta^{(u)}_1, \dots, \delta^{(u)}_n) = p\,(d_1, \dots, d_n)\, U.$$
Since all the terms involved are sufficiently short, we will have $|\delta^{(u)}_j| \le B$ and $\delta^{(u)}_j \equiv 0 \pmod p$ for all j = 1, …, n. If not, simply construct another r(x) until this happens.
Note that this method converges for the same reason that AL1 converges.
Hence we have constructed the required signature (δ, ).
57. Our chosen scheme
We now return to our initial scheme to outline the VERIFY algorithm.
VERIFY(µ, σ, pk) → ACCEPT/REJECT. The algorithm takes the message µ, signature σ and public key pk to check the validity of the signature being provided.
First Hash(µ, pk) = (α, τ) is computed.
Then the following three conditions are checked:
$$\alpha \equiv \alpha \pmod p, \qquad \|\alpha\| \le \tfrac{q}{2} - B,$$
$$\tau \equiv \tau \pmod p, \qquad \|\tau\| \le \tfrac{q}{2} - B,$$
$$\Bigl(\sum_{i=1}^{n} \alpha_i\, C_i(y)\Bigr) H(y) = \sum_{i=1}^{n} \tau_i\, C_i(y) \quad \text{in } Y.$$
If all three conditions are met the algorithm outputs ACCEPT, else the output is REJECT.
62. Our attack on the signature scheme
Our point of attack is the signature that the scheme generates. Specifically, we want to be able to forge any signature σ = (δ, ) without any knowledge of the private key sk.
Our method centres around the reconstruction of s(x), t(x) using only the public key pk.
Recall that $s(x) = s_0(x) + u(x)$, $t(x) = t_0(x) + v(x)$. We first give a method to retrieve $s_0(x)$, $t_0(x)$.
First we note the following relations, which follow trivially:
$$\phi(s_0(x)) = \sum_{j=1}^{n} \delta^{(0)}_j\, C_j(y),$$
$$\phi(t_0(x)) = \phi(s_0(x))\, H(y) \pmod{q,\, F(y)},$$
$$\phi(t_0(x)) = \sum_{j=1}^{n} \eta_j\, C_j(y),$$
with the coefficients satisfying the same inequalities.
We will now outline an algorithm to find these coefficients:
68. Attack on signature scheme : Algorithm to find coefficients
Step 1: For j = 1, …, n, randomly choose $\delta^{(0)}_j$ such that $|\delta^{(0)}_j| \le \tfrac{q}{2} - B$ and $\delta^{(0)}_j \equiv \delta_j \pmod p$.
Step 2: Use the above relations to find $\phi(t_0(x))$, and write it as
$$\phi(t_0(x)) = \sum_{i=1}^{n} t_i\, y^i \pmod{q,\, F(y)}.$$
Step 3: Rewrite $\phi(t_0(x))$ in terms of $C_1(y), \dots, C_n(y)$, say $\phi(t_0(x)) = \sum_{j=1}^{n} \eta_j\, C_j(y)$ where $-\tfrac{q}{2} \le \eta_j \le \tfrac{q}{2}$.
Step 4: If all $\eta_j$ lie in the interval $(-\tfrac{q}{2} + B,\ \tfrac{q}{2} - B]$ we are done. Else, go back to Step 1 and pick another set of $\delta^{(0)}_j$'s.
Note that this algorithm converges at a high rate under conditions similar to those of AL1 [3]. Since we are working in a field isomorphic to the one in which AL1 was applied, the requisite conditions remain the same and our algorithm also converges with high probability.
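Steps 3 and 4 of both AL1 (the signer, in X) and the algorithm above (in Y) are the same computation: express a field element in the basis $C_1(y), \dots, C_n(y)$ (or $c_1(x), \dots, c_n(x)$), reduce the coordinates to the symmetric range $(-q/2, q/2]$, and accept only if every coordinate avoids the band of width B at each end. That is what decides the acceptance rate of the rejection loop, so it is the piece a designer would want to measure. The following is an added example, not code from the slides: the matrix of $C_j$ coefficients, the target vector and the parameters q = 31, n = 3, B = 4, p = 3 are constructed toy values. Step 1's lift of the hash vector to representatives that are congruent mod p and bounded by q/2 − B is included as well.

```python
"""Change of basis to {C_1(y), ..., C_n(y)} with centred coefficients mod q.

Added example, not code from the slides.  All values are constructed toy
parameters; the real scheme uses far larger q, n and B.
"""
import random

Q, N, B = 31, 3, 4

# Rows are the coefficient vectors (lowest degree first) of the public
# polynomials C_1(y), C_2(y), C_3(y).  Constructed so that the rows are
# linearly independent mod 31 (determinant 181 = 26 mod 31).
C_ROWS = [
    [1, 2, 0],
    [0, 1, 30],   # 30 == -1 (mod 31)
    [3, 0, 1],
]


def solve_mod_q(rows, target):
    """Solve eta * rows == target (mod q) for the coordinate vector eta.

    Gauss-Jordan elimination over F_q on the transposed system.  Returns None
    when the rows are dependent, i.e. when they do not form a basis.
    """
    n = len(rows)
    aug = [[rows[j][i] % Q for j in range(n)] + [target[i] % Q] for i in range(n)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], -1, Q)
        aug[col] = [v * inv % Q for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                factor = aug[r][col]
                aug[r] = [(a - factor * b) % Q for a, b in zip(aug[r], aug[col])]
    return [row[n] for row in aug]


def centre(v):
    """Map residues mod q to the symmetric range (-q/2, q/2]."""
    return [c - Q if c > Q // 2 else c for c in (x % Q for x in v)]


def coordinates(rows, target):
    """Centred coordinates eta_j of target in the C-basis (Step 3), or None if not a basis."""
    sol = solve_mod_q(rows, target)
    return None if sol is None else centre(sol)


def in_band(eta):
    """Step 4 acceptance test: every eta_j must lie in (-q/2 + B, q/2 - B]."""
    lo, hi = -Q / 2 + B, Q / 2 - B
    return all(lo < e <= hi for e in eta)


def lift_mod_p(delta_mod_p, p, seed=0):
    """Step 1: choose delta_j^(0) == delta_j (mod p) uniformly with |delta_j^(0)| <= q/2 - B."""
    rng = random.Random(seed)
    bound = Q // 2 - B                     # largest integer not exceeding q/2 - B (q odd)
    lifted = []
    for d in delta_mod_p:
        choices = [v for v in range(-bound, bound + 1) if (v - d) % p == 0]
        lifted.append(rng.choice(choices))
    return lifted


def acceptance_rate_estimate():
    """Fraction of uniformly random coordinate vectors that pass in_band: (1 - 2B/q)^n."""
    return (1 - 2 * B / Q) ** N
```

For odd q the symmetric representative is exactly the integer in (−q/2, q/2], so `centre` reproduces the $\eta_j$ range the slides state. The closed-form estimate is what to compare against an empirical run of the loop: it says the acceptance probability of one round falls off geometrically in n unless B is small relative to q, which is the parameter tension behind the "appropriately chosen parameters" remarks on this and the AL1 slide.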
73. Attack on signature scheme
Now that $s_0(x)$, $t_0(x)$ are found, it only remains to find u(x), v(x).
Before we give an algorithm for u(x), v(x), we write down some relations between the two polynomials.
Note that $u(x) = p\, r(x)\, a(x)$ and $v(x) = r(x)\, b(x)$. Then
$$u(x)\,h(x) = p\, r(x)\, a(x)\,[p\,a(x)]^{-1} b(x) = r(x)\, b(x) = v(x),$$
so $u(x)\,h(x) = v(x)$, and hence $\phi(u(x))\, H(y) = \phi(v(x))$.
Now that we have a relation between u(x) and v(x), we can write it explicitly as follows:
$$\Bigl(\sum_{j=1}^{n} \delta^{(u)}_j\, C_j(y)\Bigr) H(y) = \sum_{j=1}^{n} \delta^{(v)}_j\, C_j(y). \tag{0.3}$$
77. Attack on signature scheme : AL2
We now give AL2, an algorithm to find u(x), v(x). Note that we can start with either one; for convenience we start with u(x).
Step 1: Randomly choose $(\delta^{(u)}_1, \dots, \delta^{(u)}_n)$ such that $|\delta^{(u)}_j| \le B$ and $\delta^{(u)}_j \equiv 0 \pmod p$.
Step 2: Substitute the values of $\delta^{(u)}_j$ in (0.3) and read off the coefficients of $\phi(v(x))$ after changing basis to $C_1(y), \dots, C_n(y)$.
Step 3: If $|\delta^{(v)}_j| \le B$ and $\delta^{(v)}_j + \eta_j \equiv {}_j \pmod p$ for all j, we are done. Else go back to Step 1 and choose another set of values.
Note that this algorithm converges with high probability for appropriately chosen parameters, i.e. if $|B - pK\sqrt{n}| \sim 0$, where $K = \max |a_{ij}|$ and the $a_{ij}$ are the entries of the matrix U [3].
We expect, however, that it will also converge for a wider range of parameters, since we have a convergence probability of ∼ 0.835 for toy examples.
83. Attack on signature scheme
Therefore we have successfully forged the signature σ = (δ, ) with no prior knowledge of the secret key sk.
Hence we can construct an appropriate message µ, sign it with a forged signature σ, and the recipient cannot know the difference.
85. Future directions
The FFI problem's hardness has not been classified yet, and it appears to have a worst-case to average-case reduction [3].
The scheme used as the example here can be modified to be secure against this attack.
The scheme has also not been implemented yet.
Schemes based on FFI appear to have the property of homomorphic encryption [1], and this is precisely what our attack relies on; the connection between homomorphic encryption and susceptibility to this sort of attack can be further explored.
89. References
Doröz, Y., Hoffstein, J., Pipher, J., Silverman, J. H., Sunar, B., Whyte, W., Zhang, Z. (2018, March). Fully homomorphic encryption from the finite field isomorphism problem. In IACR International Workshop on Public Key Cryptography (pp. 125-155). Springer, Cham.
Goldwasser, S., Micali, S., Rivest, R. L. (1988). A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2), 281-308.
Hoffstein, J., Silverman, J. H., Whyte, W., Zhang, Z. (2018). A signature scheme from the finite field isomorphism problem. IACR Cryptology ePrint Archive, 2018, 675.
Couveignes, J. M., Lercier, R. (2013). Fast construction of irreducible polynomials over finite fields. Israel Journal of Mathematics, 194(1), 77-105.
90. References
Lenstra, H. W. (1991). Finding isomorphisms between finite fields.
Brieulle, L., De Feo, L., Doliskani, J., Flori, J. P., Schost, É. (2019). Computing isomorphisms and embeddings of finite fields. Mathematics of Computation, 88(317), 1391-1426.
Hoffstein, J., Pipher, J., Schanck, J. M., Silverman, J. H., Whyte, W. (2014, October). Transcript secure signatures based on modular lattices. In International Workshop on Post-Quantum Cryptography (pp. 142-159). Springer, Cham.