Willy Susilo (Eds.) Guomin Yang Information Security

  LNCS 10946 and Privacy 23rd Australasian Conference, ACISP 2018 Wollongong, NSW, Australia, July 11–13, 2018 Proceedings

  

Lecture Notes in Computer Science 10946

  Commenced Publication in 1973 Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

  Editorial Board

  David Hutchison Lancaster University, Lancaster, UK

  Takeo Kanade Carnegie Mellon University, Pittsburgh, PA, USA

  Josef Kittler University of Surrey, Guildford, UK

  Jon M. Kleinberg Cornell University, Ithaca, NY, USA

  Friedemann Mattern ETH Zurich, Zurich, Switzerland

  John C. Mitchell Stanford University, Stanford, CA, USA

  Moni Naor Weizmann Institute of Science, Rehovot, Israel

  C. Pandu Rangan Indian Institute of Technology Madras, Chennai, India

  Bernhard Steffen TU Dortmund University, Dortmund, Germany

  Demetri Terzopoulos University of California, Los Angeles, CA, USA

  Doug Tygar University of California, Berkeley, CA, USA

  Gerhard Weikum Max Planck Institute for Informatics, Saarbrücken, Germany More information about this series at http://www.springer.com/series/7410

• ^• Willy Susilo Guomin Yang (Eds.)

  Information Security and Privacy 23rd Australasian Conference, ACISP 2018

Wollongong, NSW, Australia, July 11–13, 2018 Proceedings Editors Willy Guomin Yang University of Wollongong University of Wollongong Wollongong, NSW Wollongong, NSW Australia Australia

ISSN 0302-9743

  ISSN 1611-3349 (electronic) Lecture Notes in Computer Science

ISBN 978-3-319-93637-6

  ISBN 978-3-319-93638-3 (eBook) https://doi.org/10.1007/978-3-319-93638-3 Library of Congress Control Number: 2018947318 _© LNCS Sublibrary: SL4 – Security and Cryptology Springer International Publishing AG, part of Springer Nature 2018

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the

material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,

broadcasting, reproduction on microfilms or in any other physical way, and transmission or information

storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now

known or hereafter developed.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication

does not imply, even in the absence of a specific statement, that such names are exempt from the relevant

protective laws and regulations and therefore free for general use.

The publisher, the authors and the editors are safe to assume that the advice and information in this book are

believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors

give a warranty, express or implied, with respect to the material contained herein or for any errors or

omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in

published maps and institutional affiliations. Printed on acid-free paper This Springer imprint is published by the registered company Springer International Publishing AG part of Springer Nature The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland

  

Preface

  This volume contains the papers presented at ACISP 2018 – the 23rd Australasian Conference on Information Security and Privacy held during July 11–13, 2018, in Wollongong, Australia. The conference was organized by the Institute of Cybersecurity and Cryptology at the University of Wollongong, which provided wonderful facilities and support.

  This year we received 136 submissions of excellent quality from 23 countries around the world. Each submission was allocated to at least three Program Committee members and each paper received on average 2.8 reviews. The submission and review process was supported by the EasyChair conference submission server. In the first stage of the review process, the submitted papers were evaluated by the Program Committee members. In the second stage, the papers were scrutinized during an extensive dis- cussion. Finally, the committee decided to accept 41 regular papers and ten short papers.

  Among the accepted regular papers, four papers were nominated as candidates for the Best Paper Award and five papers were nominated as candidates for the Best Student Paper Award. The Program Committee voted for both awards. For the Best Paper Award, two papers were the preferred options with no clear winner and we decided to award the Best Paper to both papers:

• “Secure Publicly Verifiable Computation with Polynomial Commitment in Cloud Computing” by Jian Shen, Dengzhi Liu, Xiaofeng Chen, Xinyi Huang, Jiageng Chen, and Mingwu Zhang • “Decentralized Blacklistable Anonymous Credentials with Reputation” by Rupeng Yang, Man Ho Au, Qiuliang Xu, and Zuoxia Yu The Best Student Paper was awarded to the paper:
• “Asymmetric Subversion Attacks on Signature Schemes” by Chi Liu, Rongmao Chen, Yi Wang, and Yongjun Wang The Jennifer Seberry Lecture this year was delivered by Prof. Wanlei Zhou from the

  University of Technology Sydney, Australia. The program also included three invited talks presented by Prof. Robert Deng from Singapore Management University, Sin- gapore; Prof. Patrizio Campisi from the Roma Tre University, Italy; and Dr. Surya Nepal from CSIRO/Data61, Australia.

  We would like to thank the Program Committee members and the external reviewers for their effort and time to evaluate the submissions, and our sponsors — School of Computing and Information Technology at the University of Wollongong, Springer, DATA61, Australian Government Department of Defence Science and Technology VI Preface

  (DST), Cryptography - Open Access Journal by MDPI, and New South Wales (NSW) Cyber Security Network, Australia, NSW Office of the Chief Scientist and Engineer, iTree and Thinking Studio — for their generous support to the conference.

  We are indebted to the team at Springer for their continuous support of the conference and for their help in the production of the conference proceedings. July 2018

  Willy Susilo Guomin Yang ACISP 2018

  The 23rd Australasian Conference on Information Security and Privacy University of Wollongong, Australia

  July 11–13, 2018

  Program Chairs

  Willy Susilo University of Wollongong, Australia Guomin Yang University of Wollongong, Australia

  General Chairs

  Yi Mu University of Wollongong, Australia Fuchun Guo University of Wollongong, Australia

  Publication Chairs

  Joonsang Baek University of Wollongong, Australia Yang-Wai Chow University of Wollongong, Australia

  Organization Chair

  Jianchang Lai University of Wollongong, Australia

  Program Committee

  Masayuki Abe NTT, Japan Cristina Alcaraz University of Malaga, Spain Man Ho Au Hong Kong Polytechnic University, SAR China Shi Bai Florida Atlantic University, USA Zubair Baig Edith Cowan University, Australia Paulo Barreto University of Washington, USA Colin Boyd Norwegian University of Science and Technology,

  Norway Aniello Castiglione University of Salerno, Italy Jinjun Chen Swinburne University of Technology, Australia Liqun Chen University of Surrey, UK Rongmao Chen National University of Defense Technology, China Xiaofeng Chen Xidian University, China Kim-Kwang Raymond University of Texas at San Antonio, USA

  Choo

VIII ACISP 2018

  Ernesto Damiani University of Milan, Italy Naccache David Ecole Normale Suprieure, France Yvo Desmedt University of Texas at Dallas, USA Josep Domingo-Ferrer Universitat Rovira i Virgili, Spain Ernest Foo Queensland University of Technology, Australia David Galindo University of Birmingham, UK Jian Guo Nanyang Technological University, Singapore Gerhard Hancke City University of Hong Kong, SAR China Qiong Huang South China Agricultural University, China Xinyi Huang Fujian Normal University, China Dong Seong Kim University of Canterbury, New Zealand Jongkil Kim University of Wollongong, Australia Noboru Kunihiro The University of Tokyo, Japan Fabien Laguillaumie Université de Lyon 1/LIP, France Dongxi Liu CSIRO/Data61, Australia Joseph Liu Monash University, Australia Zhe Liu Nanjing University of Aeronautics and Astronautics,

  China Zhen Liu Shanghai Jiao Tong University, China Javier Lopez University of Malaga, Spain Hui Ma Chinese Academy of Sciences, China Mark Manulis University of Surrey, UK Mitsuru Matsui Mitsubishi Electric, Japan Kazuhiko Minematsu NEC Corporation, Japan Chris Mitchell Royal Holloway, University of London, UK Khoa Nguyen Nanyang Technological University, Singapore Thomas Peyrin Nanyang Technological University, Singapore Duong Hieu Phan

  XLIM (Limoges University), France Josef Pieprzyk CSIRO/Data61, Australia Reza Reyhanitabar Katholieke Universiteit Leuven, Belgium Reyhaneh Safavi-Naini University of Calgary, Canada Pierangela Samarati University of Milan, Italy Marcos Simplicio University of São Paulo, Brazil Leonie Simpson Queensland University of Technology, Australia Ron Steinfeld Monash University, Australia Atsushi Takayasu University of Tokyo, Japan Qiang Tang Cornell University, USA Damien Vergnaud Université Pierre et Marie Curie/Institut Universitaire de France, France Huaxiong Wang Nanyang Technological University, Singapore Qianhong Wu Beihang University, China Yu Yu Shanghai Jiao Tong University, China Jiang Zhang Chinese Academy of Sciences, China Mingwu Zhang Hubei University of Technology, China Rui Zhang Chinese Academy of Sciences, China Additional Reviewers

  Acien, Antonio Al Maqbali, Fatma Andrade, Ewerton Anglès-Tafalla, Carles Avizheh, Sepideh Baek, Joonsang Banik, Subhadeep Bao, Zhenzhen Bert, Pauline Blanco-Justicia, Alberto Bouvier, Cyril Chen, Haixia Chen, Long Chengjun Lin Chotard, Jérémy Cominetti, Eduardo Cui, Yuzhao Dragan, Constantin Catalin Du, Jiangyi Duong, Tuyet Gaborit, Philippe Germouty, Paul Gong, Junqing Guo, Chun Guo, Fuchun Guo, Qingwen Haitao, Xie Han, Jinguang Han, Shangbin Hauteville, Adrien Herold, Gottfried Herranz, Javier Hu, Kexin Hu, Zhi Huang, Jianye Isshiki, Toshiyuki Jha, Sonu Jiang, Linzhi Jiang, Shaoquan Jiang, Yan Jiao, Lin Karati, Sabyasachu Katsumata, Shuichi

  Kim, Jongkil Kito, Keisuke Lai, Jianchang Leontiadis, Iraklis Li, Hongbo Li, Shuai Li, Sujuan Li, Xiangxue Li, Yalan Li, Yannan Lin, Changlu Lin, Cheng-Jun Lin, Fuchun Liu, Guozhen Liu, Hanlin Liu, Yihuan Liu, Zhiqiang Lu, Xingye Lu, Yuan Murilo, Cezar Naito, Yusuke Nitaj, Abderrahmane Ohigashi, Toshihiro Pan, Yanbin Parra-Arnau, Javier Parry, Jack Qin, Baodong Ribes-González, Jordi Ricardini, Jefferson E.

  Ricci, Sara Rios, Ruben Rossetti, Jonatas Ruan, Ou Rubio, Juan E.

  Sakai, Yusuke Sakzad, Amin Sehrawat, Vipin Sen Gupta, Sourav Sharifian, Setareh Shen, Hua Shuangyu, He Silva, Marcos Soria-Comas, Jordi

  ACISP 2018

  IX Sriskandarajah, Shriparen Sun, Shuo Suzuki, Daisuke Takahashi, Akira Takashima, Katsuyuki Tan, Benjamin Hong Meng Tan, Gaosheng Tang, Wenyi Tao, Yang Thorncharoensri, Pairat Tomida, Junichi Trinh, Viet Cuong Wang, Binfeng Wang, Hao Wang, Haoyang Wang, Weijia Wang, Xi

  Wang, Yi Wu, Ge Wu, Tong Xu, Yanhong Yamada, Shota Yamamoto, Takumi Yang, Kang Yang, Rupeng Yang, Shao-Jun Yu, Zuoxia Zhang, Kai Zhang, Ren Zhang, Yanhua Zhang, Yuexin Zhao, Lan Zhou, Sufang

  X ACISP 2018

  

Contents

  . . .

   Liqiang Peng, Yao Lu, Noboru Kunihiro, Rui Zhang, and Lei Hu . . .

   Yunhua Wen and Shengli Liu

  . . . Jung Hee Cheon, Jinhyuck Jeong, Dongwoo Kim, and Jongchan Lee . . .

   Bernardo David, Rafael Dowsley, and Mario Larangeira . . .

   Ryo Kikuchi, Dai Ikarashi, Takahiro Matsuda, Koki Hamada, and Koji Chida . . .

   Zhe Xia, Liuying Sun, Bo Yang, Yanwei Zhou, and Mingwu Zhang

  Eunkyung Kim, Hyang-Sook Lee, and Jeongeun Park

  Souradyuti Paul and Ananya Shrivastava

  Howard M. Heys

  Ryoma Ito and Atsuko Miyaji XII Contents

  

  Chendong Ye and Tian Tian

  Nicolas Marrière, Valérie Nachef, and Emmanuel Volte

  Sumanta Sarkar and Habeeb Syed

  Yusuke Naito

  Xavier Boyen and Thomas Haines

  Ziyuan Hu, Shengli Liu, Kefei Chen, and Joseph K. Liu

  Shimin Li, Bei Liang, and Rui Xue

  Haibin Zheng, Qianhong Wu, Bo Qin, Lin Zhong, Shuangyu He, and Jianwei Liu

  Lin Zhong, Qianhong Wu, Bo Qin, Haibin Zheng, and Jianwei Liu

  Hiroaki Anada, Akira Kanaoka, Natsume Matsuzaki, and Yohei Watanabe

  Xuecheng Ma, Xin Wang, and Dongdai Lin

  Chi Liu, Rongmao Chen, Yi Wang, and Yongjun Wang

  Contents

  XIII

  

  Yan Xu, Ran Ding, Jie Cui, and Hong Zhong

  Jian Shen, Dengzhi Liu, Xiaofeng Chen, Xinyi Huang, Jiageng Chen, and Mingwu Zhang

  Lin Liu, Jinshu Su, Rongmao Chen, Ximeng Liu, Xiaofeng Wang, Shuhui Chen, and Hofung Leung

  

  . . . Haoyu Li, Renzhang Liu, Abderrahmane Nitaj, and Yanbin Pan

  

  Jintai Ding, Scott Fluhrer, and Saraswathy Rv

  Yacheng Wang, Yasuhiko Ikematsu, Dung Hoang Duong, and Tsuyoshi Takagi

  Zuoxia Yu, Man Ho Au, Rupeng Yang, Junzuo Lai, and Qiuliang Xu

  Daode Zhang, Kai Zhang, Bao Li, Xianhui Lu, Haiyang Xue, and Jie Li

  Qiqi Lai, Bo Yang, Yong Yu, Yuan Chen, and Liju Dong

  Veronika Kuchta, Nandita Bhattacharjee, Man Ho Au, and Jacob Cheng XIV Contents

  

  Handan Kılınç and Serge Vaudenay

  Ahmad Ahmadi, Reihaneh Safavi-Naini, and Mamunur Akand

  Deqing Zou, Zhijun Deng, Zhen Li, and Hai Jin

  Yali Zeng, Xu Li, Xu Yang, Qikui Xu, and Dongcheng Wang

  Jie Cui, Jiantao He, Yan Xu, and Hong Zhong

  Kexin Hu and Zhenfeng Zhang

  Yuncong Zhang, Yu Long, Zhen Liu, Zhiqiang Liu, and Dawu Gu

  Jiayuan Yin, Changren Wang, Zongyang Zhang, and Jianwei Liu

  Rupeng Yang, Man Ho Au, Qiuliang Xu, and Zuoxia Yu

  Yinxia Sun, Futai Zhang, and Anmin Fu

  Terry Shue Chien Lau and Chik How Tan

  Contents

  XV

  

  Weizhi Meng, Yu Wang, Wenjuan Li, Zhe Liu, Jin Li, and Christian W. Probst

  Mohamad Barbar, Yulei Sui, Hongyu Zhang, Shiping Chen, and Jingling Xue

  Hyung Tae Lee, Huaxiong Wang, and Kai Zhang

  Yuntao Wang and Tsuyoshi Takagi

  Yeali S. Sun, Chien-Chun Chen, Shun-Wen Hsiao, and Meng Chang Chen

  Junzuo Lai, Zhengan Huang, Man Ho Au, and Xianping Mao

  Xingye Lu, Zhenfei Zhang, and Man Ho Au

  Pinaki Sarkar, Mayank Baranwal, and Sukumar Nandi

  Foundation

  

A Deterministic Algorithm

for Computing Divisors in an Interval

1,2 1,2,3( )

  3 1 1,2 B

  Liqiang Peng , Yao Lu , Noboru Kunihiro , Rui Zhang , and Lei Hu ₁ State Key Laboratory of Information Security,

  

Institute of Information Engineering, Chinese Academy of Sciences,

Beijing 100 093, China

₂

{pengliqiang,r-zhang}@iie.ac.cn, hu@is.ac.cn

Data Assurance and Communication Security Research Center,

Chinese Academy of Sciences, Beijing 100 093, China

₃ The University of Tokyo, Tokyo, Japan Abstract.

  We revisit the problem of finding a nontrivial divisor of a

composite integer when it has a divisor in an interval [α, β]. We use

Strassen’s algorithm to solve this problem. Compared with Kim-Cheon’s

algorithms (Math Comp 84(291): 339–354, 2015), our method is a deter-

ministic algorithm but with the same complexity as Kim-Cheon’s prob-

abilistic algorithm, and our algorithm does not need to impose that the

divisor is prime. In addition, we can further speed up the theoretical com-

plexity of Kim-Cheon’s algorithms and our algorithm by a logarithmic

term log(β − α) based on the peculiar property of polynomial arithmetic

we consider.

  Keywords:

Integer factorization Divisors in an interval

·

  Polynomial arithmetic

1 Introduction

  RSA is the most widely deployed public-key cryptosystem. Its security relies on the difficulty of factoring large composite integer: if integer factorization is solved then RSA is broken. Factoring large numbers is long been believed as a math- ematical hard problem in computational number theory. Now it is conjectured that integer factorization cannot be solved in polynomial-time without quantum computers.

  However, even if integer factorization is indeed difficult to solve, one has to be very careful against the side-channel attacks, which is any attack based on information gained from the physical implementation of cryptosystems.

  In this paper, we focus on the problem of integer factorization given the approximation of divisors. More precisely, we mainly focus on finding a nontrivial divisor of a composite integer N when it has a divisor in an interval [α, β].

  It is clear that this problem can be solved in O(β −α) time with trial division. However, based on the bit-size of parameters α and β, more efficient algorithms exist.

4 L. Peng et al.

• – For sufficiently small interval bit-size β − α: Using Coppersmith’s method

   ]

  of finding small roots of modular polynomial equations, we can recover all divisors in the interval in polynomial time in log N .

• – For relatively small α and large β: Using Pollard’s rho method

  , we can 1/2 find a nontrivial divisor in O(β ) time.

• – For large α and large β − α: Using Kim-Cheon’s algorithms

  , we can 1/2 recover a nontrivial divisor in O((β − α) ) time.

  Specifically, in

  , Kim and Cheon proposed two algorithms, one is prob-

  abilistic and the other is its deterministic version, for achieving birthday com- plexity in finding a divisor in an interval. Using their proposed algorithms, one can check the existence of prime divisors in the interval, and if they exist, one can find all such prime divisors.

  Compared with Kim-Cheon’s probabilistic algorithm, their deterministic algorithm is more complex, difficult to understand, and needs more time com- plexity. Besides, for the case of composite divisors, their probabilistic algorithm works well, but their deterministic algorithm fails. Therefore, Kim and Cheon posted as an open problem to design a deterministic algorithm for composite divisors.

  1.1 Our Contributions In this paper, we propose a deterministic algorithm to find a nontrivial divisor of a composite integer N when it has a divisor in an interval [α, β]. Our deter- ministic algorithm has the same time complexity as Kim-Cheon’s probabilistic algorithm, and also works for the case of composite divisors. In addition, we can further speed up the theoretical complexity of Kim-Cheon’s algorithms and our algorithm by a logarithmic term log(β − α) based on the peculiar property of polynomial arithmetic we consider.

  Technically, recall that Kim-Cheon’s algorithm reduces the target problem _∗ to solving a discrete logarithm problem over (Z/nZ) , where n is an unknown divisor of the known integer N . We view the original problem from a dif- ferent perspective: we relate the original problem to a variant of determin- istic integer factorization problem, and then use Strassen’s algorithm

   ]

  to solve it. More precisely, let p = β − x be a divisor of N in the inter- val [α, β], where x ∈ [0, β − α] is unknown. Then the problem of finding p can be transformed to computing gcd(N, β − x). Although x is unknown, we

  β−α

  can use gcd N, (β − i) (modN ) to find p. Therefore, how to calculate

  i=0 β−α

  (β − i) (modN ) efficiently becomes the key point of the complexity.

  i=0

  Moreover, recently Chen and Nguyen

   ] used a similar algorithm as

  Strassen’s algorithm to solve Approximate Common Divisor Problem, the later was introduced by Howgrave-Graham

   ] in CaLC 2001. A Deterministic Algorithm for Computing Divisors in an Interval

  5

  2 Preliminaries

  Let a and b be integers. Let ν (b) denote the nonnegative integer such that _{a a} a ν (b) ν (b)+1 a | b and a ∤ b. Denote [α, β] as the set of all integers α ≤ i ≤ β. Let |β − α| denote the bit-size of β − α. We will use log for the binary (base 2)

  2

  logarithm. Let M (d) be the complexity of the multiplication of two polynomial with degree d

  : M (d) = O(d log d log log d).

  In this paper, we consider the univariate polynomial f (x) ∈ Z [x] with N an

  N

  arbitrary integer. We will use two polynomial arithmetic algorithms, Alg

  P oly

  (compute a polynomial given as a product of d terms) and Alg (evaluate a

  M P E

  univariate polynomial with degree d at d points), as subroutines. It is clear that

  2

  we can solve them using O(d ) additions and multiplications in Z N . However, there are classic algorithms with quasi-linear complexity operations in Z N using a divide-and-conquer approach. Recently these two algorithms have been used in various area of public-key cryptanalysis

  . We give the basic information

  of these two algorithms as follows: Alg : Takes integer N and d points (suppose that a , . . . , a ) as inputs;

  d−1 P oly

  outputs a monic degree d polynomial over Z having d points as roots: f (X) =

  N d−1

  (X − a i )(mod N ). According to a classic result

   ], the time complexity is i=0

  O(log dM (d)) operations modulo N , and the storage requirement is O(d log d) elements in Z N .

  Alg : Takes integer N , a polynomial f (x) with degree d over Z N and

  M P E

  d points (suppose that c , . . . , c d−1 ) as inputs; outputs the evaluation of f (x) at d input points: f (c ), . . . , f (c )(mod N ). According to a classic result

  , d−1

  the time complexity is O(log dM (d)) operations modulo N , and the storage requirement is O(d log d) elements in Z .

  

N

  3 Review Kim-Cheon’s Algorithms

  In this section, we will review Kim-Cheon’s two algorithms: one is probabilistic and the other is its deterministic version. Their algorithms essentially work by _∗ solving the discrete logarithm problem over (Z/nZ) , where n is an unknown divisor of the target composite integer N . Before given the full description of Kim-Cheon’s algorithms, we would like to introduce a lemma from

  : Lemma 1.

  There exists an algorithm FINDING which, given as input positive integers N, g, h, and δ with 1 < g, h < N , gcd(gh, N ) = 1, outputs an integer

  x

  x ∈ [1, δ] with gcd(g − h, N ) > 1 or shows that no such x exists in

  

1/2

  O M (δ ) log δ

  1/2 operations modulo N by using storage O(δ log δ) elements in Z .

  N

6 L. Peng et al.

  We recall the FINDING algorithm, given as Algortihm Algorithm 1. x ← FINDING(N, g, h, δ)

  Input: Positive integers N, g, h and δ with 1 < g, h < N , gcd(gh, N ) = 1. _x Output: An integer x ∈ [1, δ] satisfying gcd(g − h, N ) > 1. _1/2 1: Set L := ⌈δ ⌉.

  2: Compute the polynomial _i F (X) = (X − hg ) mod N _{0≤i≤L−1} using Algorithm Alg . _{P oly jL} 3: Evaluate F (X) at multiple points g for all 1 ≤ j ≤ L using Algorithm Alg _{M P E} 4: j := 1 5: while j ≤ L do _jL 6: d j = gcd(F (g ), N ) if 7: d j > 1 then _{jL u} 8: Find the great u satisfying gcd(g − hg , N ) > 1.

9: Output x := jL − u and stop.

  end if 10: 11: j := j + 1 12: end while 13: Output “there is no such x” and stop.

  The complexity of Algorithm FINDING mainly relies on the complexity of

  1/2

  Alg and Alg , thus the overall complexity is O log δM (δ ) opera-

  P oly M P E 1/2

  tions modulo N with using storage O(δ log δ) elements in Z .

  N

  Now we review Kim-Cheon’s probabilistic algorithm for computing a non- trivial divisor of a composite integer N , given as Algortihm

  

  1/2

  Algortihm

   takes O M ((β − α) ) log(β − α) operations modulo N . The 1/2

  storage requirement is O((β − α) log(β − α)) elements in Z . In

  , Kim N

  and Cheon showed that Algortihm succeeds with a probability of at least 1/2. Kim-Cheon’s Deterministic Algorithm. Since we do not know exactly how many a’s are to be tested or how to choose a to split N in Algortihm

  hence, the

  algorithm works probabilistically. Therefore, Kim and Cheon proposed a deter- ministic algorithm to overcome this problem, the key tool of their deterministic algorithm was the distribution of smooth numbers, which was originally used for devising a deterministic primality test under some condition by Konyagin and Pomerance

  . We omit the details of their algorithm here, instead, we refer

  to

  . Obviously, Kim-Cheon’s probabilistic algorithm performs better than their deterministic algorithm.

  4 Our Deterministic Algorithm

  In this section, we propose a deterministic algorithm to find a nontrivial divisor of a composite integer N when it has a divisor in an interval [α, β]. Our algorithm

  A Deterministic Algorithm for Computing Divisors in an Interval

  7

  Algorithm 2.

  Kim-Cheon’s probabilistic algorithm for computing a nontrivial divisor of a composite integer N

  Input: A composite integer N with unknown factorization and an interval [α, β]. Output:

A nontrivial divisor of N when it has a divisor in an interval [α, β].

1: Choose an integer a uniformly at random in {2, . . . , N − 1}.

  2: if gcd(a, N ) > 1 then 3: output gcd(a, N ) and stop. 4: end if _{x a β−1}

5: Compute x ∈ [1, β −α] such that d = gcd(a −a mod N, N ) > 1 by applying

_a subalgorithm FINDING (Alg.1). 6: if there is no such x then _a 7: output “N has no prime divisor in the interval [α, β])” and stop. 8: end if 9: if d < N then

  10: output d and stop. 11: end if 12: if d = N and y a := β − 1 − x a is even then 13: i := 1 while 14: i ≤ ν ^{2 (y a ) do} _{y a /2 i} 15: compute d i = gcd(a − 1, N ) if 16: 1 < d i < N then

  17: output d i and stop end if 18: 19: i := i + 1 end while 20:

  21: end if 22: Output “failure” and stop.

  has the same time complexity as Kim-Cheon’s probabilistic algorithm, and also works for the case of composite divisors.

  4.1 Algorithmic Details Now we show how to reduce the target problem to a variant of integer factor- ization problem. Let p be the divisor of N in the interval [α, β]. At first, we can write p as p = β − x where x is an unknown variable satisfying 0 ≤ x ≤ β − α. Then in this case, we are given one exact multiple N (N ≡ 0 mod p) and one integer β = p + x, and the goal is to learn the divisor p. Here, we do not require that p is prime.

  Next we give our algorithm based on Strassen’s algorithm

   ] for solving

  the integer factorization problem. It is clear that

  β−α

  p = gcd N, (β − i) (modN )

  i=0

8 L. Peng et al.

  β−α The key problem is how to calculate (β − i) (modN ) faster. i=0 To calculate faster, we require the degree of polynomial be a power of two.

  Let |β − α| = l. Therefore, we focus on

  2

  ⎛ ⎞ _{l −}

  2

  

1

  ⎠ p = gcd ⎝N, (β − i) (modN ) _∗ i=0 Set l = ⌈l/2⌉, we can rewrite it as _{l l∗ − − − l∗ −(l mod 2)}

  2

  1

  2

  1

  2

  1 _∗ l

  (β − i) (modN ) = (β − 2 i − j) (modN )

  i=0 i=0 j=0

  We define the polynomial f j (x) of degree j modulo integer N :

  j−1

  f (x) = (β − x − k) (modN )

  j k=0

  Therefore, we have _{l l∗ −(l mod 2)}

  2 −

  1 2 −

  1 _{∗ l∗} l

  (β − i) (modN ) = f (2 i) (modN )

  2 i=0 i=0

  which means ⎛ ⎞ _{l∗ −(l mod 2) −}

  2

  1 _{∗ l∗} l

  ⎠ p = gcd ⎝N, f (2 i) (modN )

  2 i=0

_l∗

  We need to compute the polynomial f (x) explicitly and evaluate this polyno- _∗

  2 l − (l mod 2)

  mial at 2 points, which can fortunately be done using Alg and

  P oly

  Alg . We give a full description of our algorithm as follows.

  M P E

  In our algorithm, the condition d = 1 means that there is no divisor in the interval [α, β] and if 1 < d ≤ β, d is the divisor what we want. However, if there are more than one divisors in the interval [α, β], we will obtain that d > β. According to the Strassen’s algorithm, for this case we can use a trick of computing greatest common divisor based on a product tree to determine which _{∗ ∗ − l∗} l l (l mod 2) f (2 k), where 1 ≤ k ≤ 2 has only one divisor. Algorithm

   gives a

  2 _{∗ l∗} l

  brief description of this trick. Note that, if it is still that gcd(N, f (2 k)) > β

  2

  which means there are still more than one divisors of N fall in the same interval _{∗ ∗}

  l l

  [β − 2 (k + 1) + 1, β − 2 k], we can further use same trick as Algorithm

   to

  construct a product tree based on the following expression _{l∗ − ∗ ∗}

  2

  1 _l∗ l l f (2 k) = (β − 2 k − i) (mod N ).

  2 i=0 A Deterministic Algorithm for Computing Divisors in an Interval

  9

  Algorithm 3.

  Our deterministic algorithm for computing a nontrivial divisor of a composite integer N

  Input: A composite integer N with unknown factorization and an interval [α, β]. Output: _∗

A nontrivial divisor of N when it has a divisor in an interval [α, β].

  1: Set l = ⌈|β − α| ^{2 /2⌉.} _l∗ 2: Compute the polynomial f (x) using Alg . _{l∗ 2 P oly l l (l mod 2) ∗ ∗ −} 3: Evaluate f (x) at multiple points 2 k for all 1 ≤ k ≤ 2 using ₂ Alg _{M P E} . _{l∗ l∗ l∗ l (l mod 2) ∗ −} 4: Compute d = gcd(N, f (1)f (2) · · · f (2 ) mod N ). _{2 2}

₂

5: if d = 1 then 6: output “there is no divisor in interval [α, β]” and stop. 7: end if 8: if 1 < d ≤ β then 9: output d and stop. 10: end if 11: if β < d ≤ N then 12: compute a divisor in an interval [α, β], using Algorithm 13: end if Then the divisor in the interval [α, β] can be finally determined.

  Now, we analyze the complexity of Algorithm

  The complexity of Alg P oly 1/2

  and Alg takes O log(β − α)M ((β − α) ) operations modulo N and the

  M P E 1/2

  storage requirement is O((β − α) log(β − α)) elements in Z . In addition, we

  N 1/2 1/2

  need GCD computations at most 2 log(β − α) times and O((β − α) ) multi- plications on modulo N . Therefore, the complexity of our algorithm mainly relies on the complexity of Alg and Alg , just like Kim-Cheon’s probabilistic

  P oly M P E 1/2

  algorithm our deterministic algorithm takes O log(β − α)M ((β − α) ) oper- ations modulo N .

  4.2 Logarithmic Speedup The complexity of Kim-Cheon’s algorithms and our algorithm mainly relies on Alg and Alg . However, since the peculiar property of these polynomi-

  P oly M P E

  als we consider, hence more efficient algorithms exist. Thus, we can speed up the theoretical complexity of Kim-Cheon’s algorithms and our algorithm by a logarithmic term log(β − α).

  Revisiting Kim-Cheon’s Algorithms. In Algortihm

  they want to com- i

  pute the polynomial F (X) = (X − hg ) mod N and evaluate F (x) at ₂ 0≤i≤L−1 L

  2L L i iL

  points g , g , . . . , g . Notice that both (hg ) and (g ) are geometric progres- sions, hence we can use more efficient algorithm of Bostan et al.

   ] to compute polynomial interpolation and polynomial evaluation at a geometric progression.

  Bostan gave his pseudocode in

  . This technique can speed up the overall com- plexity of Kim-Cheon’s algorithms by a logarithmic term log(β − α).

10 L. Peng et al.

  Algorithm 4. RecursiveFinding(N , A)

  Input: A composite integer N and a set of numbers {a ^{1 , . . . , a n }.}

  Output: _′ A nontrivial divisor of N in the interval [α, β].

  1: n := ⌈n/2⌉ _{n ′} 2: Compute d = gcd(N, a i ) _i=1 3: if 1 < d ≤ β then 4: output d and stop. 5: end if 6: if d = 1 then 7: RecursiveFinding(N , {a ′ , . . . , a }) _{n +1 n} 8: end if 9: if β < d ≤ N then 10: RecursiveFinding(N , {a ^{1 , . . . , a ′ })} _n 11: end if

  Revisiting Our Algorithm. Likewise, our deterministic algorithm can also been improved by using a smarter way to calculate the evaluation of function _{∗ − l∗} l (l mod 2) f (x) at 2 points. We use Chen-Nguyen’s technique, which based

  2

  on Bostan, Gaudry and Schost’s result

  

  More specifically, Bostan, Gaudry and Schost’s result can be described as follows: Theorem 1

  (Theorem 5 of

  ). Let a, b be in ring R and d be in N such

  that d(a, b, d) is invertible, with d(a, b, d) = b · 2 · · · d · (a − db) · · · (a + db), and suppose that the inverse of d(a, b, d) is known. Let F (x) be in R[X] of degree at most d and r ∈ R. Given F (r), F (r + b), . . . , F (r + db), one can compute F (r + a), F (r + a + b), . . . , F (r + a + db) in time 2M (d) + O(d) time and space O(d). Here, M (d) is the time of multiplying two polynomial of degree at most d.

  j

k i

  Define set S(k , . . . , k ) := { p i 2 | p i ∈ {0, 1}}. Suppose that we already

  1 j k k _j i=1

  have the evaluation of f (x) at points S(k , . . . , k ), if we can calculate the _{j +1}

2 l−j+1 l

evaluation of f (x) at points S(k l−j , . . . , k l ), then with each iteration, we can

  2 _{∗ ∗ l∗} l − (l mod 2) l evaluate the f (x) at 2 points closer until j = 2 .

  2 _{j +1}

  The key technique is how to calculate the evaluation of f (x) at points

  2 S(k l−j , . . . , k l ) using Theorem For every X ∈ S(k l−j , . . . , k l ), we have _{j j j +1} j+1

  f (X) = f (X) · f (X + 2 )

  2

  2

  2 _{j j} j+1

  We can easily calculate f (X) and f (X +2 ) using Theorem

  and evaluate _{j +1}

  2

  2 f (x) at points S(k , . . . , k ). l−j l

2 Note that, our algorithm does not need to impose that the divisor in the

  interval is prime. However, if we impose that the divisor is prime, we can use the method of

   ], proposed by Costa and Harvey, to further speed up the theoretical

  complexity by removing some elements in the interval that do not contribute any useful information.

  A Deterministic Algorithm for Computing Divisors in an Interval

  11

5 Conclusion

  In this paper we revisit the problem of finding a nontrivial divisor of a composite integer N when it has a divisor in an interval [α, β]. We present a deterministic algorithm to solve this problem, and our algorithm has the same complexity with Kim-Cheon’s probabilistic algorithm. Besides, based on the special structure of polynomial, we give a method to speed up the theoretical complexity of Kim- Cheon’s algorithm and our algorithm by a logarithmic term log(β − α).

  

Acknowledgements. This research was supported the National Natural Science

Foundation of China (Grants 61702505, 61472417, 61732021, 61772520), National

Cryptography Development Fund (MMJJ20170115, MMJJ20170124) and the Funda-

mental Theory and Cutting Edge Technology Research Program of Institute of Informa-

tion Engineering, CAS (Grants Y7Z0341103, Y7Z0321102), JST CREST Grant Num-

ber JPMJCR14D6, JSPS KAKENHI Grant Number 16H02780.

  References

  

1. Bluestein, L.I.: A linear filtering approach to the computation of the discrete fourier

transform. IEEE Trans. Electroacoust. 18, 451–466 (1970)

  

2. Bostan, A.: Algorithmique efficace pour des op´erations de base en calcul formel.

  Ph.D. thesis (2003). ´ Ecole polytechnique (in English)

  

3. Bostan, A., Gaudry, P., Schost, E.: Linear recurrences with polynomial coefficients

and application to integer factorization and Cartier-Manin operator. SIAM J. Com- put. 36(6), 1777–1806 (2007)

  

4. Chen, Y., Nguyen, P.Q.: Faster algorithms for approximate common divi-

sors: breaking fully-homomorphic-encryption challenges over the integers. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 502–519. Springer, Heidelberg (2012).

  

5. Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA

vulnerabilities. J. Cryptol. 10(4), 233–260 (1997)

  

6. Coron, J.-S., Joux, A., Mandal, A., Naccache, D., Tibouchi, M.: Cryptanalysis

of the RSA subgroup assumption from TCC 2005. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 147–155. Springer, Heidelberg (2011).

  

7. Costa, E., Harvey, D.: Faster deterministic integer factorization. Math. Comput.

  83 (285), 339–345 (2014)

  

8. Fouque, P.-A., Tibouchi, M., Zapalowicz, J.-C.: Recovering private keys generated

with weak PRNGs. In: Stam, M. (ed.) IMACC 2013. LNCS, vol. 8308, pp. 158–172.

  Springer, Heidelberg (2013).

9. Howgrave-Graham, N.: Approximate integer common divisors. In: Silverman, J.H.

(ed.) CaLC 2001. LNCS, vol. 2146, pp. 51–66. Springer, Heidelberg (2001).

10. Kim, M., Cheon, J.H.: Computing prime divisors in an interval. Math. Comp.

  84 (291), 339–354 (2015)

11. Konyagin, S., Pomerance, C.: On primes recognizable in deterministic polyno- mial time. In: Graham, R.L., Neˇsetˇril, J. (eds.) The mathematics of Paul Erd˝ os I.

  Springer, Heidelberg (1997)

  12 L. Peng et al.

  

12. Pollard, J.M.: Monte Carlo methods for index computation (mod p). Math. Comp.

  32 (143), 918–928 (1978)

  

13. Pollard, J.M.: Theorems on factorization and primality testing. In: Proceedings of

the Cambridge Philosophical Society, vol. 76, pp. 521–528 (1974)

  

14. Strassen, V.: Einige Resultate ¨ uber Berechnungskomplexit¨ at. Jber. Deutsh. Math.

• Verein. 78(1), 1–8 (1976/1977)

  

Reusable Fuzzy Extractor from LWE

1,2 1,2,3( )

  B ₁ Yunhua Wen and Shengli Liu

Department of Computer Science and Engineering, Shanghai Jiao Tong University,

Shanghai 200240, China

₂

{happyle8,slliu}@sjtu.edu.cn

State Key Laboratory of Cryptology, P.O. Box 5159, Beijing 100878, China

₃ Westone Cryptologic Research Center, Beijing 100070, China Abstract.

  Fuzzy extractor converts the reading of a noisy non-uniform

source to a reproducible and almost uniform output R. The output R in

turn is used in some cryptographic system as a secret key. To enable mul-

_{1 , , . . . , ρ from the same noisy non-uniform 2} tiple extractions of keys R R R _{i , the concept of reusable fuzzy} source and applications of different R _{i even} extractor is proposed to guarantee the pseudorandomness of R _{j (from the same source).} conditioned on other extracted keys R In this work, we construct a reusable fuzzy extractor from the

Learning With Errors (LWE) assumption. Our reusable fuzzy extractor

provides resilience to linear fraction of errors. Moreover, our construc-

tion is simple and efficient and imposes no special requirement on the

statistical structure of the multiple readings of the source.

  Keywords: Fuzzy extractor Reusability The LWE assumption

· ·

1 Introduction

  In a cryptographic system, it is assumed that the secret key is sampled from a random source and uniformly distributed, since the security of the system heavily relies on the uniformity of the secret key. In reality, such a uniform secret key is hard to create, remember or store by users of the system. On the other hand, there are lots of random sources available like biometric data (fingerprint, iris, etc.), physical unclonable function (PUF)

   ], or quantum information