那些遇到过的问题

在NTRU私钥上遇见中间Atack

Ele*_*ova 3 ntruencrypt private-key

我想知道是否有人可以告诉我如何在NTRU私钥上的中间会合攻击中表示私有密钥f的向量枚举.我无法理解这个例子,这里给出http://securityinnovation.com/cryptolab/pdf/NTRUTech004v2.pdf 如果有人能详细展示一个例子,我将非常感激.

Wil*_*yte 6

(完全披露:我为安全创新工作并为NTRU工作,直到SI收购我们)

警告:答案很长!

让我们看一个玩具示例:N = 11,q = 29.让我们取df = 3,所以f由3个系数组成,等于1,8个系数等于0.取dg = 5.并假设h = g*f ^ { - 1} mod p,而不是使用f = 1 + pF的优化.然后我们可能会

f = [1, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0]
finv = [16, 12, 4, 18, 17, 14, 9, 28, 8, 26, 3]
g = [1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0]
h = [15, 20, 1, 21, 4, 26, 14, 17, 25, 11, 12]
Run Code Online (Sandbox Code Playgroud)

你可以在这里检查f*h = g.

攻击者想要找到f,所以他们可以进行强力搜索df = 3.他们可以通过利用f在第一个位置有一个1的旋转来加速这个,所以他们只需搜索其他两个非零系数f的(10个选择2)可能位置.他们执行的完整搜索是这样的:

           f*h (=g)                                       f
[9, 18, 7, 13, 26, 22, 15, 28, 27, 24, 19]; [1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0]
[23, 17, 4, 8, 16, 2, 3, 6, 10, 21, 11]; [1, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0]
[15, 2, 3, 5, 11, 21, 12, 23, 17, 4, 8]; [1, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0]
[12, 23, 17, 4, 8, 16, 2, 3, 5, 11, 20]; [1, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0]
[24, 20, 9, 18, 7, 13, 26, 22, 14, 28, 27]; [1, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0]
[2, 3, 6, 10, 21, 12, 23, 17, 4, 8, 15]; [1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0]
[19, 10, 18, 7, 13, 26, 22, 14, 28, 27, 24]; [1, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0]
[28, 27, 25, 19, 10, 18, 7, 13, 25, 22, 14]; [1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0]
[18, 7, 13, 26, 22, 15, 28, 27, 24, 19, 9]; [1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 1]
[22, 14, 28, 27, 25, 19, 10, 18, 7, 13, 25]; [1, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0]
[14, 28, 27, 24, 20, 9, 19, 6, 14, 25, 22]; [1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0]
[11, 20, 12, 23, 17, 4, 9, 15, 2, 3, 5]; [1, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0]
[23, 17, 4, 8, 16, 1, 4, 5, 11, 20, 12]; [1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0]
[1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0]; [1, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0]
[18, 7, 13, 26, 22, 14, 0, 26, 25, 19, 9]; [1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0]
[27, 24, 20, 9, 19, 6, 14, 25, 22, 14, 28]; [1, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0]
[17, 4, 8, 16, 2, 3, 6, 10, 21, 11, 23]; [1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1]
[28, 27, 24, 19, 10, 18, 7, 13, 26, 22, 14]; [1, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0]
[25, 19, 9, 18, 7, 13, 26, 22, 14, 0, 26]; [1, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0]
[8, 16, 1, 3, 6, 10, 21, 12, 23, 17, 4]; [1, 0, 0, 1, 0, 0, 1, 0, 0, 0, 0]
[15, 28, 27, 24, 20, 9, 18, 7, 13, 26, 21]; [1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0]
[3, 6, 10, 21, 12, 23, 17, 4, 8, 16, 1]; [1, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0]
[12, 23, 17, 4, 9, 15, 2, 3, 5, 11, 20]; [1, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0]
[2, 3, 5, 11, 21, 12, 23, 17, 4, 8, 15]; [1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1]
[17, 4, 8, 15, 2, 3, 6, 10, 21, 12, 23]; [1, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0]
[0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 1]; [1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0]
[7, 13, 26, 21, 15, 28, 27, 24, 20, 9, 18]; [1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0]
[24, 20, 9, 18, 7, 13, 26, 21, 15, 28, 27]; [1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0]
[4, 8, 16, 1, 4, 5, 11, 20, 12, 23, 17]; [1, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0]
[23, 17, 4, 8, 16, 2, 3, 5, 11, 20, 12]; [1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1]
[26, 22, 14, 28, 27, 24, 20, 9, 18, 7, 13]; [1, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0]
[4, 5, 11, 20, 12, 23, 17, 4, 8, 16, 1]; [1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0]
[21, 12, 23, 17, 4, 8, 16, 1, 3, 6, 10]; [1, 0, 0, 0, 0, 1, 0, 0, 1, 0, 0]
[1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 0]; [1, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0]
[20, 9, 18, 7, 13, 26, 22, 14, 28, 27, 24]; [1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1]
[16, 2, 3, 5, 11, 20, 12, 23, 17, 4, 8]; [1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0]
[4, 9, 15, 2, 3, 5, 11, 20, 12, 23, 17]; [1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0]
[13, 26, 22, 14, 0, 26, 25, 19, 9, 18, 7]; [1, 0, 0, 0, 0, 0, 1, 0, 0, 1, 0]
[3, 6, 10, 21, 12, 23, 17, 4, 8, 15, 2]; [1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1]
[11, 21, 12, 23, 17, 4, 8, 15, 2, 3, 5]; [1, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0]
[20, 9, 19, 6, 14, 25, 22, 14, 28, 27, 24]; [1, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0]
[10, 18, 7, 13, 26, 22, 14, 28, 27, 24, 19]; [1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 1]
[8, 16, 2, 3, 6, 10, 21, 11, 23, 17, 4]; [1, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0]
[27, 25, 19, 10, 18, 7, 13, 25, 22, 14, 28]; [1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1]
[7, 13, 26, 22, 15, 28, 27, 24, 19, 9, 18]; [1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1]
Run Code Online (Sandbox Code Playgroud)

向下扫描,你可以看到g出现在45行的第14,26和34行中.(g出现三次,因为f中有三个1,所以有三个旋转的f,其中1位于前导位置).

现在让我们来看看中间相遇的攻击.攻击者使用该公式

(f1+f2) * h = g
Run Code Online (Sandbox Code Playgroud)

所以

f1*h = g - f2*h
Run Code Online (Sandbox Code Playgroud)

使用e [i]表示e的第i个系数,这意味着攻击者知道这一点

(f1*h)[i] = - (f2*h)[i] + 0 or 1
Run Code Online (Sandbox Code Playgroud)

因此攻击者计算f1*h的所有可能值.调用结果列表{g1}.然后,他们计算-f2*h,并且对于每个结果g2,他们看到g2是否与现有的g1相同,或者g2是否与任何g1相差不超过每个系数中的1.换一种说法,

[3, 10, 12, 7]
Run Code Online (Sandbox Code Playgroud)

会匹配

[4, 10, 12, 8]
Run Code Online (Sandbox Code Playgroud)

这样做,攻击者只需要通过以下方式工作:

  • 所有10个f1,其中1位于领先位置,1位于其他位置
  • 所有10个f2,其中一个1位于除前导位置之外的任何位置

这给出了以下内容.我已经对列表进行了排序,以便更容易发现匹配.

          f1*h = g1                                           f1
[00, 08, 26, 03, 16, 12, 05, 18, 17, 15, 09]     [1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0]
[03, 16, 12, 04, 19, 17, 15, 09, 00, 08, 26]     [1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0]
[06, 21, 22, 25, 01, 11, 02, 13, 07, 23, 27]     [1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1]
[07, 24, 27, 06, 21, 22, 25, 00, 11, 02, 13]     [1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0]
[11, 02, 13, 07, 24, 27, 06, 21, 22, 25, 00]     [1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0]
[12, 05, 18, 17, 15, 09, 00, 08, 26, 03, 16]     [1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0]
[16, 12, 05, 18, 18, 14, 10, 28, 08, 26, 03]     [1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0]
[19, 17, 15, 09, 00, 08, 26, 03, 16, 12, 04]     [1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0]
[26, 03, 16, 12, 05, 18, 18, 14, 10, 28, 08]     [1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0]
[27, 06, 21, 22, 25, 01, 11, 02, 13, 07, 23]     [1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0]

         -f2*h = g2                                          f2
[03, 15, 12, 04, 18, 17, 14, 09, 28, 08, 25]     [0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0]
[04, 18, 17, 14, 09, 28, 08, 25, 03, 15, 12]     [0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0]
[08, 25, 03, 15, 12, 04, 18, 17, 14, 09, 28]     [0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0]
[09, 28, 08, 25, 03, 15, 12, 04, 18, 17, 14]     [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1]
[12, 04, 18, 17, 14, 09, 28, 08, 25, 03, 15]     [0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0]
[15, 12, 04, 18, 17, 14, 09, 28, 08, 25, 03]     [0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0]
[17, 14, 09, 28, 08, 25, 03, 15, 12, 04, 18]     [0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0]
[18, 17, 14, 09, 28, 08, 25, 03, 15, 12, 04]     [0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0]
[25, 03, 15, 12, 04, 18, 17, 14, 09, 28, 08]     [0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0]
[28, 08, 25, 03, 15, 12, 04, 18, 17, 14, 09]     [0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0]
Run Code Online (Sandbox Code Playgroud)

你可以看到:

  • g1的第1行与g2的第10行匹配,给出[1,0,0,0,0,1,0,0,0,1,0]
  • g1的第2行与g2的第1行匹配,给出[1,0,0,0,1,0,1,0,0,0,0]
  • g1的第6行与g2的第5行匹配,给出[1,0,0,0,1,0,1,0,0,0,0]
  • g1的第7行与g2的第6行匹配,给出[1,0,0,0,0,1,0,0,0,1,0]
  • g1的第8行与g2的第8行匹配,给出[1,0,1,0,0,0,0,1,0,0,0]
  • g1的第9行与g2的第9行匹配,给出[1,0,1,0,0,0,0,1,0,0,0]

这里有6次碰撞,因为有3次旋转,其中1位于前导位置,每次旋转有两种方法可以选择其他两个系数.

因此,攻击者必须做大约45/3 = 15的工作才能通过强力搜索找到密钥,并且大约10个工作用于找到具有中间相遇攻击的密钥(由于轮换而略低于10) ,但我手上没有干净的配方.

有各种优化,但这应该足以给你这个想法.

到目前为止我还没有处理的一件事是如何缩短搜索时间.一种直接的方法就是在你进行时对结果进行排序.插入或查找与条目冲突的时间大约是log_2(搜索空间的大小).或者,以使用更多存储器为代价,通过为g1的前几个系数的每个可能值保留块,可以将该搜索时间降低到常数.

希望这可以帮助.如果您还有其他问题,请与我们联系.

归档时间:

查看次数:

908 次

最近记录:

12 年,2 月 前
相关归档
SSH 坚持 client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0 11
通过bouncycastle读取PKCS#8格式的加密私钥,Java在docker容器中失败 9
RSA - bouncycastle PEMReader返回PEMKeyPair而不是AsymmetricCipherKeyPair来读取私钥 7
从PFX文件读取私钥 7
SSH.NET仅通过私钥进行身份验证(公钥身份验证) 6
访问PFX文件ECC PrivateKey用于Java中的对称密钥生成 5
在python中相当于什么 4
如何从CRT文件生成密钥? 3
notepad ++无法使用SFTP连接 - 身份验证期间出错:无效的私钥文件 1
Swift如何导入rsa密钥 1
难疑归档
如何将空目录添加到Git存储库? 4039
如何在Java中读取/转换InputStream为String? 3864
什么是Android上的"上下文"? 1872
如何检查变量是否是JavaScript中的数组? 1713
Java内部类和静态嵌套类 1691
JavaScript中==和===之间的区别 1592
单击div到底层元素 1500
如何以CSV格式输出MySQL查询结果? 1118
Objective-C中的typedef枚举是什么? 1081
angular-route和angular-ui-router之间有什么区别? 1064