Willy Susilo, Guomin Yang (Eds.)
Information Security and Privacy
23rd Australasian Conference, ACISP 2018, Wollongong, NSW, Australia, July 11–13, 2018, Proceedings
LNCS 10946
Lecture Notes in Computer Science 10946
Commenced Publication in 1973
Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen
Editorial Board
David Hutchison Lancaster University, Lancaster, UK
Takeo Kanade Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler University of Surrey, Guildford, UK
Jon M. Kleinberg Cornell University, Ithaca, NY, USA
Friedemann Mattern ETH Zurich, Zurich, Switzerland
John C. Mitchell Stanford University, Stanford, CA, USA
Moni Naor Weizmann Institute of Science, Rehovot, Israel
C. Pandu Rangan Indian Institute of Technology Madras, Chennai, India
Bernhard Steffen TU Dortmund University, Dortmund, Germany
Demetri Terzopoulos University of California, Los Angeles, CA, USA
Doug Tygar University of California, Berkeley, CA, USA
Gerhard Weikum Max Planck Institute for Informatics, Saarbrücken, Germany
More information about this series at http://www.springer.com/series/7410
Editors
Willy Susilo, University of Wollongong, Wollongong, NSW, Australia
Guomin Yang, University of Wollongong, Wollongong, NSW, Australia
ISSN 0302-9743
ISSN 1611-3349 (electronic) Lecture Notes in Computer Science
ISBN 978-3-319-93637-6
ISBN 978-3-319-93638-3 (eBook)
https://doi.org/10.1007/978-3-319-93638-3
Library of Congress Control Number: 2018947318
LNCS Sublibrary: SL4 – Security and Cryptology
© Springer International Publishing AG, part of Springer Nature 2018
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Printed on acid-free paper
This Springer imprint is published by the registered company Springer International Publishing AG, part of Springer Nature. The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Preface
This volume contains the papers presented at ACISP 2018 – the 23rd Australasian Conference on Information Security and Privacy held during July 11–13, 2018, in Wollongong, Australia. The conference was organized by the Institute of Cybersecurity and Cryptology at the University of Wollongong, which provided wonderful facilities and support.
This year we received 136 submissions of excellent quality from 23 countries around the world. Each submission was allocated to at least three Program Committee members and each paper received on average 2.8 reviews. The submission and review process was supported by the EasyChair conference submission server. In the first stage of the review process, the submitted papers were evaluated by the Program Committee members. In the second stage, the papers were scrutinized during an extensive discussion. Finally, the committee decided to accept 41 regular papers and ten short papers.
Among the accepted regular papers, four papers were nominated as candidates for the Best Paper Award and five papers were nominated as candidates for the Best Student Paper Award. The Program Committee voted for both awards. For the Best Paper Award, two papers were the preferred options with no clear winner and we decided to award the Best Paper to both papers:
- “Secure Publicly Verifiable Computation with Polynomial Commitment in Cloud Computing” by Jian Shen, Dengzhi Liu, Xiaofeng Chen, Xinyi Huang, Jiageng Chen, and Mingwu Zhang
- “Decentralized Blacklistable Anonymous Credentials with Reputation” by Rupeng Yang, Man Ho Au, Qiuliang Xu, and Zuoxia Yu

The Best Student Paper was awarded to the paper:
- “Asymmetric Subversion Attacks on Signature Schemes” by Chi Liu, Rongmao Chen, Yi Wang, and Yongjun Wang

The Jennifer Seberry Lecture this year was delivered by Prof. Wanlei Zhou from the University of Technology Sydney, Australia. The program also included three invited talks presented by Prof. Robert Deng from Singapore Management University, Singapore; Prof. Patrizio Campisi from the Roma Tre University, Italy; and Dr. Surya Nepal from CSIRO/Data61, Australia.
We would like to thank the Program Committee members and the external reviewers for their effort and time to evaluate the submissions, and our sponsors — School of Computing and Information Technology at the University of Wollongong, Springer, DATA61, Australian Government Department of Defence Science and Technology (DST), Cryptography - Open Access Journal by MDPI, and New South Wales (NSW) Cyber Security Network, Australia, NSW Office of the Chief Scientist and Engineer, iTree and Thinking Studio — for their generous support to the conference.
We are indebted to the team at Springer for their continuous support of the conference and for their help in the production of the conference proceedings.

July 2018
Willy Susilo
Guomin Yang

ACISP 2018
The 23rd Australasian Conference on Information Security and Privacy
University of Wollongong, Australia
July 11–13, 2018
Program Chairs
Willy Susilo, University of Wollongong, Australia
Guomin Yang, University of Wollongong, Australia
General Chairs
Yi Mu, University of Wollongong, Australia
Fuchun Guo, University of Wollongong, Australia
Publication Chairs
Joonsang Baek, University of Wollongong, Australia
Yang-Wai Chow, University of Wollongong, Australia
Organization Chair
Jianchang Lai, University of Wollongong, Australia
Program Committee
Masayuki Abe, NTT, Japan
Cristina Alcaraz, University of Malaga, Spain
Man Ho Au, Hong Kong Polytechnic University, SAR China
Shi Bai, Florida Atlantic University, USA
Zubair Baig, Edith Cowan University, Australia
Paulo Barreto, University of Washington, USA
Colin Boyd, Norwegian University of Science and Technology, Norway
Aniello Castiglione, University of Salerno, Italy
Jinjun Chen, Swinburne University of Technology, Australia
Liqun Chen, University of Surrey, UK
Rongmao Chen, National University of Defense Technology, China
Xiaofeng Chen, Xidian University, China
Kim-Kwang Raymond Choo, University of Texas at San Antonio, USA
Ernesto Damiani, University of Milan, Italy
David Naccache, École Normale Supérieure, France
Yvo Desmedt, University of Texas at Dallas, USA
Josep Domingo-Ferrer, Universitat Rovira i Virgili, Spain
Ernest Foo, Queensland University of Technology, Australia
David Galindo, University of Birmingham, UK
Jian Guo, Nanyang Technological University, Singapore
Gerhard Hancke, City University of Hong Kong, SAR China
Qiong Huang, South China Agricultural University, China
Xinyi Huang, Fujian Normal University, China
Dong Seong Kim, University of Canterbury, New Zealand
Jongkil Kim, University of Wollongong, Australia
Noboru Kunihiro, The University of Tokyo, Japan
Fabien Laguillaumie, Université de Lyon 1/LIP, France
Dongxi Liu, CSIRO/Data61, Australia
Joseph Liu, Monash University, Australia
Zhe Liu, Nanjing University of Aeronautics and Astronautics, China
Zhen Liu, Shanghai Jiao Tong University, China
Javier Lopez, University of Malaga, Spain
Hui Ma, Chinese Academy of Sciences, China
Mark Manulis, University of Surrey, UK
Mitsuru Matsui, Mitsubishi Electric, Japan
Kazuhiko Minematsu, NEC Corporation, Japan
Chris Mitchell, Royal Holloway, University of London, UK
Khoa Nguyen, Nanyang Technological University, Singapore
Thomas Peyrin, Nanyang Technological University, Singapore
Duong Hieu Phan, XLIM (Limoges University), France
Josef Pieprzyk, CSIRO/Data61, Australia
Reza Reyhanitabar, Katholieke Universiteit Leuven, Belgium
Reyhaneh Safavi-Naini, University of Calgary, Canada
Pierangela Samarati, University of Milan, Italy
Marcos Simplicio, University of São Paulo, Brazil
Leonie Simpson, Queensland University of Technology, Australia
Ron Steinfeld, Monash University, Australia
Atsushi Takayasu, University of Tokyo, Japan
Qiang Tang, Cornell University, USA
Damien Vergnaud, Université Pierre et Marie Curie/Institut Universitaire de France, France
Huaxiong Wang, Nanyang Technological University, Singapore
Qianhong Wu, Beihang University, China
Yu Yu, Shanghai Jiao Tong University, China
Jiang Zhang, Chinese Academy of Sciences, China
Mingwu Zhang, Hubei University of Technology, China
Rui Zhang, Chinese Academy of Sciences, China

Additional Reviewers
Acien, Antonio Al Maqbali, Fatma Andrade, Ewerton Anglès-Tafalla, Carles Avizheh, Sepideh Baek, Joonsang Banik, Subhadeep Bao, Zhenzhen Bert, Pauline Blanco-Justicia, Alberto Bouvier, Cyril Chen, Haixia Chen, Long Chengjun Lin Chotard, Jérémy Cominetti, Eduardo Cui, Yuzhao Dragan, Constantin Catalin Du, Jiangyi Duong, Tuyet Gaborit, Philippe Germouty, Paul Gong, Junqing Guo, Chun Guo, Fuchun Guo, Qingwen Haitao, Xie Han, Jinguang Han, Shangbin Hauteville, Adrien Herold, Gottfried Herranz, Javier Hu, Kexin Hu, Zhi Huang, Jianye Isshiki, Toshiyuki Jha, Sonu Jiang, Linzhi Jiang, Shaoquan Jiang, Yan Jiao, Lin Karati, Sabyasachu Katsumata, Shuichi
Kim, Jongkil Kito, Keisuke Lai, Jianchang Leontiadis, Iraklis Li, Hongbo Li, Shuai Li, Sujuan Li, Xiangxue Li, Yalan Li, Yannan Lin, Changlu Lin, Cheng-Jun Lin, Fuchun Liu, Guozhen Liu, Hanlin Liu, Yihuan Liu, Zhiqiang Lu, Xingye Lu, Yuan Murilo, Cezar Naito, Yusuke Nitaj, Abderrahmane Ohigashi, Toshihiro Pan, Yanbin Parra-Arnau, Javier Parry, Jack Qin, Baodong Ribes-González, Jordi Ricardini, Jefferson E.
Ricci, Sara Rios, Ruben Rossetti, Jonatas Ruan, Ou Rubio, Juan E.
Sakai, Yusuke Sakzad, Amin Sehrawat, Vipin Sen Gupta, Sourav Sharifian, Setareh Shen, Hua Shuangyu, He Silva, Marcos Soria-Comas, Jordi
Sriskandarajah, Shriparen Sun, Shuo Suzuki, Daisuke Takahashi, Akira Takashima, Katsuyuki Tan, Benjamin Hong Meng Tan, Gaosheng Tang, Wenyi Tao, Yang Thorncharoensri, Pairat Tomida, Junichi Trinh, Viet Cuong Wang, Binfeng Wang, Hao Wang, Haoyang Wang, Weijia Wang, Xi
Wang, Yi Wu, Ge Wu, Tong Xu, Yanhong Yamada, Shota Yamamoto, Takumi Yang, Kang Yang, Rupeng Yang, Shao-Jun Yu, Zuoxia Zhang, Kai Zhang, Ren Zhang, Yanhua Zhang, Yuexin Zhao, Lan Zhou, Sufang
Contents

Liqiang Peng, Yao Lu, Noboru Kunihiro, Rui Zhang, and Lei Hu
Yunhua Wen and Shengli Liu
Jung Hee Cheon, Jinhyuck Jeong, Dongwoo Kim, and Jongchan Lee
Bernardo David, Rafael Dowsley, and Mario Larangeira
Ryo Kikuchi, Dai Ikarashi, Takahiro Matsuda, Koki Hamada, and Koji Chida
Zhe Xia, Liuying Sun, Bo Yang, Yanwei Zhou, and Mingwu Zhang
Eunkyung Kim, Hyang-Sook Lee, and Jeongeun Park
Souradyuti Paul and Ananya Shrivastava
Howard M. Heys
Ryoma Ito and Atsuko Miyaji
Chendong Ye and Tian Tian
Nicolas Marrière, Valérie Nachef, and Emmanuel Volte
Sumanta Sarkar and Habeeb Syed
Yusuke Naito
Xavier Boyen and Thomas Haines
Ziyuan Hu, Shengli Liu, Kefei Chen, and Joseph K. Liu
Shimin Li, Bei Liang, and Rui Xue
Haibin Zheng, Qianhong Wu, Bo Qin, Lin Zhong, Shuangyu He, and Jianwei Liu
Lin Zhong, Qianhong Wu, Bo Qin, Haibin Zheng, and Jianwei Liu
Hiroaki Anada, Akira Kanaoka, Natsume Matsuzaki, and Yohei Watanabe
Xuecheng Ma, Xin Wang, and Dongdai Lin
Chi Liu, Rongmao Chen, Yi Wang, and Yongjun Wang
Yan Xu, Ran Ding, Jie Cui, and Hong Zhong
Jian Shen, Dengzhi Liu, Xiaofeng Chen, Xinyi Huang, Jiageng Chen, and Mingwu Zhang
Lin Liu, Jinshu Su, Rongmao Chen, Ximeng Liu, Xiaofeng Wang, Shuhui Chen, and Hofung Leung
Haoyu Li, Renzhang Liu, Abderrahmane Nitaj, and Yanbin Pan
Jintai Ding, Scott Fluhrer, and Saraswathy Rv
Yacheng Wang, Yasuhiko Ikematsu, Dung Hoang Duong, and Tsuyoshi Takagi
Zuoxia Yu, Man Ho Au, Rupeng Yang, Junzuo Lai, and Qiuliang Xu
Daode Zhang, Kai Zhang, Bao Li, Xianhui Lu, Haiyang Xue, and Jie Li
Qiqi Lai, Bo Yang, Yong Yu, Yuan Chen, and Liju Dong
Veronika Kuchta, Nandita Bhattacharjee, Man Ho Au, and Jacob Cheng
Handan Kılınç and Serge Vaudenay
Ahmad Ahmadi, Reihaneh Safavi-Naini, and Mamunur Akand
Deqing Zou, Zhijun Deng, Zhen Li, and Hai Jin
Yali Zeng, Xu Li, Xu Yang, Qikui Xu, and Dongcheng Wang
Jie Cui, Jiantao He, Yan Xu, and Hong Zhong
Kexin Hu and Zhenfeng Zhang
Yuncong Zhang, Yu Long, Zhen Liu, Zhiqiang Liu, and Dawu Gu
Jiayuan Yin, Changren Wang, Zongyang Zhang, and Jianwei Liu
Rupeng Yang, Man Ho Au, Qiuliang Xu, and Zuoxia Yu
Yinxia Sun, Futai Zhang, and Anmin Fu
Terry Shue Chien Lau and Chik How Tan
Weizhi Meng, Yu Wang, Wenjuan Li, Zhe Liu, Jin Li, and Christian W. Probst
Mohamad Barbar, Yulei Sui, Hongyu Zhang, Shiping Chen, and Jingling Xue
Hyung Tae Lee, Huaxiong Wang, and Kai Zhang
Yuntao Wang and Tsuyoshi Takagi
Yeali S. Sun, Chien-Chun Chen, Shun-Wen Hsiao, and Meng Chang Chen
Junzuo Lai, Zhengan Huang, Man Ho Au, and Xianping Mao
Xingye Lu, Zhenfei Zhang, and Man Ho Au
Pinaki Sarkar, Mayank Baranwal, and Sukumar Nandi
Foundation
A Deterministic Algorithm for Computing Divisors in an Interval

Liqiang Peng^{1,2}, Yao Lu^{1,2,3}, Noboru Kunihiro^{3}, Rui Zhang^{1}, and Lei Hu^{1,2}

1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
{pengliqiang,r-zhang}@iie.ac.cn, hu@is.ac.cn
2 Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, Beijing 100093, China
3 The University of Tokyo, Tokyo, Japan

Abstract. We revisit the problem of finding a nontrivial divisor of a composite integer when it has a divisor in an interval [α, β]. We use Strassen's algorithm to solve this problem. Compared with Kim-Cheon's algorithms (Math Comp 84(291): 339–354, 2015), our method is a deterministic algorithm but with the same complexity as Kim-Cheon's probabilistic algorithm, and our algorithm does not need to impose that the divisor is prime. In addition, we can further speed up the theoretical complexity of Kim-Cheon's algorithms and our algorithm by a logarithmic term log(β − α) based on the peculiar property of the polynomial arithmetic we consider.

Keywords: Integer factorization · Divisors in an interval · Polynomial arithmetic
1 Introduction
RSA is the most widely deployed public-key cryptosystem. Its security relies on the difficulty of factoring large composite integers: if integer factorization is solved, then RSA is broken. Factoring large numbers has long been believed to be a hard mathematical problem in computational number theory. It is now conjectured that integer factorization cannot be solved in polynomial time without quantum computers.
However, even if integer factorization is indeed difficult to solve, one has to be very careful about side-channel attacks, that is, attacks based on information gained from the physical implementation of a cryptosystem.
In this paper, we focus on the problem of integer factorization given the approximation of divisors. More precisely, we mainly focus on finding a nontrivial divisor of a composite integer N when it has a divisor in an interval [α, β].
It is clear that this problem can be solved in O(β −α) time with trial division. However, based on the bit-size of parameters α and β, more efficient algorithms exist.
- For a sufficiently small interval bit-size β − α: using Coppersmith's method of finding small roots of modular polynomial equations, we can recover all divisors in the interval in time polynomial in $\log N$.
- For relatively small α and large β: using Pollard's rho method, we can find a nontrivial divisor in $O(\beta^{1/2})$ time.
- For large α and large β − α: using Kim-Cheon's algorithms, we can recover a nontrivial divisor in $O((\beta - \alpha)^{1/2})$ time.
Specifically, Kim and Cheon proposed two algorithms, one probabilistic and the other its deterministic version, for achieving birthday complexity in finding a divisor in an interval. Using their proposed algorithms, one can check the existence of prime divisors in the interval, and if they exist, one can find all such prime divisors.
Compared with Kim-Cheon's probabilistic algorithm, their deterministic algorithm is more complex, harder to understand, and has a higher time complexity. Besides, for the case of composite divisors, their probabilistic algorithm works well, but their deterministic algorithm fails. Therefore, Kim and Cheon posed as an open problem the design of a deterministic algorithm for composite divisors.
1.1 Our Contributions

In this paper, we propose a deterministic algorithm to find a nontrivial divisor of a composite integer $N$ when it has a divisor in an interval $[\alpha, \beta]$. Our deterministic algorithm has the same time complexity as Kim-Cheon's probabilistic algorithm, and also works for the case of composite divisors. In addition, we can further speed up the theoretical complexity of Kim-Cheon's algorithms and our algorithm by a logarithmic term $\log(\beta - \alpha)$ based on the peculiar property of the polynomial arithmetic we consider.
Technically, recall that Kim-Cheon's algorithm reduces the target problem to solving a discrete logarithm problem over $(\mathbb{Z}/n\mathbb{Z})^*$, where $n$ is an unknown divisor of the known integer $N$. We view the original problem from a different perspective: we relate the original problem to a variant of the deterministic integer factorization problem, and then use Strassen's algorithm to solve it. More precisely, let $p = \beta - x$ be a divisor of $N$ in the interval $[\alpha, \beta]$, where $x \in [0, \beta - \alpha]$ is unknown. Then the problem of finding $p$ can be transformed to computing $\gcd(N, \beta - x)$. Although $x$ is unknown, we can use
$$\gcd\Big(N,\ \prod_{i=0}^{\beta-\alpha} (\beta - i) \pmod N\Big)$$
to find $p$. Therefore, how to calculate $\prod_{i=0}^{\beta-\alpha} (\beta - i) \pmod N$ efficiently becomes the key point of the complexity.

Moreover, recently Chen and Nguyen used an algorithm similar to Strassen's algorithm to solve the Approximate Common Divisor Problem, the latter introduced by Howgrave-Graham in CaLC 2001.
2 Preliminaries

Let $a$ and $b$ be integers. Let $\nu_a(b)$ denote the nonnegative integer such that $a^{\nu_a(b)} \mid b$ and $a^{\nu_a(b)+1} \nmid b$. Denote by $[\alpha, \beta]$ the set of all integers $\alpha \le i \le \beta$. Let $|\beta - \alpha|$ denote the bit-size of $\beta - \alpha$. We will use $\log$ for the binary (base 2) logarithm. Let $M(d)$ be the complexity of the multiplication of two polynomials of degree $d$: $M(d) = O(d \log d \log\log d)$.

In this paper, we consider univariate polynomials $f(x) \in \mathbb{Z}_N[x]$ with $N$ an arbitrary integer. We will use two polynomial arithmetic algorithms, $\mathrm{Alg}_{Poly}$ (compute a polynomial given as a product of $d$ terms) and $\mathrm{Alg}_{MPE}$ (evaluate a univariate polynomial of degree $d$ at $d$ points), as subroutines. It is clear that we can solve them using $O(d^2)$ additions and multiplications in $\mathbb{Z}_N$. However, there are classic algorithms with quasi-linear complexity in $\mathbb{Z}_N$ using a divide-and-conquer approach. Recently these two algorithms have been used in various areas of public-key cryptanalysis. We give the basic information on these two algorithms as follows:

$\mathrm{Alg}_{Poly}$: Takes an integer $N$ and $d$ points (say $a_0, \dots, a_{d-1}$) as inputs; outputs a monic degree-$d$ polynomial over $\mathbb{Z}_N$ having the $d$ points as roots: $f(X) = \prod_{i=0}^{d-1}(X - a_i) \pmod N$. According to a classic result, the time complexity is $O(\log d \cdot M(d))$ operations modulo $N$, and the storage requirement is $O(d \log d)$ elements in $\mathbb{Z}_N$.

$\mathrm{Alg}_{MPE}$: Takes an integer $N$, a polynomial $f(x)$ of degree $d$ over $\mathbb{Z}_N$ and $d$ points (say $c_0, \dots, c_{d-1}$) as inputs; outputs the evaluations of $f(x)$ at the $d$ input points: $f(c_0), \dots, f(c_{d-1}) \pmod N$. According to a classic result, the time complexity is $O(\log d \cdot M(d))$ operations modulo $N$, and the storage requirement is $O(d \log d)$ elements in $\mathbb{Z}_N$.
3 Review of Kim-Cheon's Algorithms

In this section, we review Kim-Cheon's two algorithms: one is probabilistic and the other is its deterministic version. Their algorithms essentially work by solving the discrete logarithm problem over $(\mathbb{Z}/n\mathbb{Z})^*$, where $n$ is an unknown divisor of the target composite integer $N$. Before giving the full description of Kim-Cheon's algorithms, we would like to introduce a lemma from [ ]:

Lemma 1. There exists an algorithm FINDING which, given as input positive integers $N, g, h$, and $\delta$ with $1 < g, h < N$, $\gcd(gh, N) = 1$, outputs an integer $x \in [1, \delta]$ with $\gcd(g^x - h, N) > 1$ or shows that no such $x$ exists, in $O(M(\delta^{1/2}) \log \delta)$ operations modulo $N$ using storage of $O(\delta^{1/2} \log \delta)$ elements in $\mathbb{Z}_N$.
We recall the FINDING algorithm, given as Algorithm 1.

Algorithm 1. x ← FINDING(N, g, h, δ)
Input: Positive integers $N, g, h$ and $\delta$ with $1 < g, h < N$, $\gcd(gh, N) = 1$.
Output: An integer $x \in [1, \delta]$ satisfying $\gcd(g^x - h, N) > 1$.
1: Set $L := \lceil \delta^{1/2} \rceil$.
2: Compute the polynomial $F(X) = \prod_{0 \le i \le L-1} (X - h g^i) \bmod N$ using Algorithm $\mathrm{Alg}_{Poly}$.
3: Evaluate $F(X)$ at the multiple points $g^{jL}$ for all $1 \le j \le L$ using Algorithm $\mathrm{Alg}_{MPE}$.
4: $j := 1$
5: while $j \le L$ do
6:   $d_j = \gcd(F(g^{jL}), N)$
7:   if $d_j > 1$ then
8:     Find the greatest $u$ satisfying $\gcd(g^{jL} - h g^u, N) > 1$.
9:     Output $x := jL - u$ and stop.
10:  end if
11:  $j := j + 1$
12: end while
13: Output "there is no such x" and stop.
The complexity of Algorithm FINDING mainly relies on the complexity of $\mathrm{Alg}_{Poly}$ and $\mathrm{Alg}_{MPE}$; thus the overall complexity is $O(\log \delta \cdot M(\delta^{1/2}))$ operations modulo $N$, using storage of $O(\delta^{1/2} \log \delta)$ elements in $\mathbb{Z}_N$.
Now we review Kim-Cheon's probabilistic algorithm for computing a nontrivial divisor of a composite integer $N$, given as Algorithm 2. Algorithm 2 takes $O(M((\beta - \alpha)^{1/2}) \log(\beta - \alpha))$ operations modulo $N$. The storage requirement is $O((\beta - \alpha)^{1/2} \log(\beta - \alpha))$ elements in $\mathbb{Z}_N$. Kim and Cheon showed that Algorithm 2 succeeds with a probability of at least 1/2.

Kim-Cheon's Deterministic Algorithm. Since we do not know exactly how many $a$'s are to be tested or how to choose $a$ to split $N$ in Algorithm 2, the algorithm works probabilistically. Therefore, Kim and Cheon proposed a deterministic algorithm to overcome this problem; the key tool of their deterministic algorithm was the distribution of smooth numbers, which was originally used for devising a deterministic primality test under some condition by Konyagin and Pomerance. We omit the details of their algorithm here and instead refer to Kim and Cheon's paper. Obviously, Kim-Cheon's probabilistic algorithm performs better than their deterministic algorithm.
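As an added illustration of Algorithm 1 (FINDING) and Algorithm 2 (Kim-Cheon's probabilistic algorithm), together with the $\mathrm{Alg}_{Poly}$ and $\mathrm{Alg}_{MPE}$ subroutines of Section 2, the following Python block was written for this edition; it is not code from the paper or from Kim and Cheon. $\mathrm{Alg}_{Poly}$ is realised as a product tree and $\mathrm{Alg}_{MPE}$ as a remainder tree over $\mathbb{Z}_N$, with schoolbook polynomial multiplication standing in for the quasi-linear $M(d)$ the paper assumes, so the constants differ but the structure is the one described above. The modulus $N = 101 \cdot 103$, the interval $[90, 110]$ and the base $a = 2$ are constructed test values, and the optional parameter `a` of `kim_cheon_probabilistic` is an addition that fixes the random base so a run is reproducible.

```python
from math import gcd, isqrt
import random

# Polynomials over Z_N are coefficient lists, lowest degree first; all of them are monic.

def poly_mul(a, b, N):
    """Schoolbook product mod N; a quasi-linear M(d) multiplication replaces this in practice."""
    res = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            res[i + j] = (res[i + j] + x * y) % N
    return res

def poly_rem(a, b, N):
    """Remainder of a modulo the monic polynomial b."""
    a, db = a[:], len(b) - 1
    for i in range(len(a) - 1, db - 1, -1):
        c = a[i]
        for j in range(db + 1):
            a[i - db + j] = (a[i - db + j] - c * b[j]) % N
    return a[:db]

def product_tree(points, N):
    """Leaves X - a_i, each level the product of neighbouring nodes; the root is Alg_Poly's output."""
    layer = [[(-p) % N, 1] for p in points]
    tree = [layer]
    while len(layer) > 1:
        layer = [poly_mul(layer[i], layer[i + 1], N) if i + 1 < len(layer) else layer[i]
                 for i in range(0, len(layer), 2)]
        tree.append(layer)
    return tree

def alg_poly(N, roots):
    """Alg_Poly: the monic polynomial prod (X - a_i) mod N."""
    return product_tree(roots, N)[-1][0]

def alg_mpe(N, f, points):
    """Alg_MPE: push f down the product tree of the points; at a leaf X - c the remainder is f(c)."""
    tree = product_tree(points, N)
    rems = [poly_rem(f, tree[-1][0], N)]
    for layer in reversed(tree[:-1]):
        rems = [poly_rem(rems[i // 2], node, N) for i, node in enumerate(layer)]
    return [r[0] if r else 0 for r in rems]

def finding(N, g, h, delta):
    """Algorithm 1 (FINDING): an x in [1, delta] with gcd(g^x - h, N) > 1, or None.
    The L = ceil(sqrt(delta)) baby steps h*g^i are the roots of F; the giant steps g^{jL}
    are the evaluation points, so gcd(F(g^{jL}), N) > 1 flags the block [jL - L + 1, jL]."""
    L = isqrt(delta)
    if L * L < delta:
        L += 1
    F = alg_poly(N, [h * pow(g, i, N) % N for i in range(L)])
    giant = [pow(g, j * L, N) for j in range(1, L + 1)]
    for j, v in enumerate(alg_mpe(N, F, giant), start=1):
        if gcd(v, N) > 1:
            for u in range(L - 1, -1, -1):                       # greatest u first
                if gcd((giant[j - 1] - h * pow(g, u, N)) % N, N) > 1:
                    x = j * L - u
                    return x if x <= delta else None
    return None

def divisor_from_x(N, g, h, x):
    """The factor that FINDING's x exposes: gcd(g^x - h, N)."""
    return gcd((pow(g, x, N) - h) % N, N)

def kim_cheon_probabilistic(N, alpha, beta, a=None):
    """Algorithm 2. The random base a is exposed as an optional parameter (an addition for
    reproducibility). Returns a nontrivial divisor of N, or None on the algorithm's
    'no prime divisor in [alpha, beta]' and 'failure' exits."""
    a = random.randrange(2, N) if a is None else a
    if gcd(a, N) > 1:
        return gcd(a, N)
    h = pow(a, beta - 1, N)
    x = finding(N, a, h, beta - alpha)
    if x is None:
        return None
    d = divisor_from_x(N, a, h, x)
    if d < N:
        return d
    y = beta - 1 - x                  # d = N means a^y = 1 (mod N); split N by halving y
    while y % 2 == 0:                 # i = 1 .. nu_2(y): try gcd(a^{y/2^i} - 1, N)
        y //= 2
        d_i = gcd(pow(a, y, N) - 1, N)
        if 1 < d_i < N:
            return d_i
    return None                       # failure

if __name__ == "__main__":
    print(kim_cheon_probabilistic(10403, 90, 110, a=2))   # 103 = 110 - x with x = 7
```

With $N = 10403$, $[\alpha, \beta] = [90, 110]$ and $a = 2$, FINDING returns $x = 7$ and $\gcd(2^7 - 2^{109}, N) = 103 = \beta - x$, the divisor sitting in the interval. With $a = N - 1$ the same call reaches the $d = N$ branch: $y_a = 108$, $a^{54} \equiv 1$ and $a^{27} \equiv -1 \pmod N$, so every $d_i$ is trivial and the algorithm exits with "failure". This is the kind of bad choice of $a$ whose probability the bound of 1/2 above controls.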
Algorithm 2. Kim-Cheon's probabilistic algorithm for computing a nontrivial divisor of a composite integer N
Input: A composite integer $N$ with unknown factorization and an interval $[\alpha, \beta]$.
Output: A nontrivial divisor of $N$ when it has a divisor in the interval $[\alpha, \beta]$.
1: Choose an integer $a$ uniformly at random in $\{2, \dots, N - 1\}$.
2: if $\gcd(a, N) > 1$ then
3:   output $\gcd(a, N)$ and stop.
4: end if
5: Compute $x_a \in [1, \beta - \alpha]$ such that $d = \gcd(a^{x_a} - a^{\beta - 1} \bmod N, N) > 1$ by applying the subalgorithm FINDING (Alg. 1).
6: if there is no such $x_a$ then
7:   output "N has no prime divisor in the interval [α, β]" and stop.
8: end if
9: if $d < N$ then
10:  output $d$ and stop.
11: end if
12: if $d = N$ and $y_a := \beta - 1 - x_a$ is even then
13:  $i := 1$
14:  while $i \le \nu_2(y_a)$ do
15:    compute $d_i = \gcd(a^{y_a / 2^i} - 1, N)$
16:    if $1 < d_i < N$ then
17:      output $d_i$ and stop
18:    end if
19:    $i := i + 1$
20:  end while
21: end if
22: Output "failure" and stop.

4 Our Deterministic Algorithm

In this section, we propose a deterministic algorithm to find a nontrivial divisor of a composite integer $N$ when it has a divisor in an interval $[\alpha, \beta]$. Our algorithm has the same time complexity as Kim-Cheon's probabilistic algorithm, and also works for the case of composite divisors.
4.1 Algorithmic Details

Now we show how to reduce the target problem to a variant of the integer factorization problem. Let $p$ be the divisor of $N$ in the interval $[\alpha, \beta]$. First, we can write $p$ as $p = \beta - x$ where $x$ is an unknown variable satisfying $0 \le x \le \beta - \alpha$. Then in this case, we are given one exact multiple $N$ ($N \equiv 0 \bmod p$) and one integer $\beta = p + x$, and the goal is to learn the divisor $p$. Here, we do not require that $p$ is prime.

Next we give our algorithm based on Strassen's algorithm for solving the integer factorization problem. It is clear that
$$p = \gcd\Big(N,\ \prod_{i=0}^{\beta-\alpha} (\beta - i) \pmod N\Big).$$
The key problem is how to calculate $\prod_{i=0}^{\beta-\alpha} (\beta - i) \pmod N$ faster. To calculate it faster, we require the degree of the polynomial to be a power of two. Let $|\beta - \alpha| = l$. Therefore, we focus on
$$p = \gcd\Big(N,\ \prod_{i=0}^{2^l - 1} (\beta - i) \pmod N\Big).$$
Set $l^* = \lceil l/2 \rceil$; we can rewrite it as
$$\prod_{i=0}^{2^l - 1} (\beta - i) \pmod N = \prod_{i=0}^{2^{l^* - (l \bmod 2)} - 1}\ \prod_{j=0}^{2^{l^*} - 1} (\beta - 2^{l^*} i - j) \pmod N.$$
We define the polynomial $f_j(x)$ of degree $j$ modulo the integer $N$:
$$f_j(x) = \prod_{k=0}^{j-1} (\beta - x - k) \pmod N.$$
Therefore, we have
$$\prod_{i=0}^{2^l - 1} (\beta - i) \pmod N = \prod_{i=0}^{2^{l^* - (l \bmod 2)} - 1} f_{2^{l^*}}(2^{l^*} i) \pmod N,$$
which means
$$p = \gcd\Big(N,\ \prod_{i=0}^{2^{l^* - (l \bmod 2)} - 1} f_{2^{l^*}}(2^{l^*} i) \pmod N\Big).$$
We need to compute the polynomial $f_{2^{l^*}}(x)$ explicitly and evaluate this polynomial at $2^{l^* - (l \bmod 2)}$ points, which can fortunately be done using $\mathrm{Alg}_{Poly}$ and $\mathrm{Alg}_{MPE}$. We give a full description of our algorithm as follows.
In our algorithm, the condition $d = 1$ means that there is no divisor in the interval $[\alpha, \beta]$, and if $1 < d \le \beta$, $d$ is the divisor we want. However, if there is more than one divisor in the interval $[\alpha, \beta]$, we will obtain $d > \beta$. Following Strassen's algorithm, for this case we can use a trick of computing greatest common divisors based on a product tree to determine which $f_{2^{l^*}}(2^{l^*} k)$, where $1 \le k \le 2^{l^* - (l \bmod 2)}$, has only one divisor. Algorithm 4 gives a brief description of this trick. Note that if it is still the case that $\gcd(N, f_{2^{l^*}}(2^{l^*} k)) > \beta$, which means that more than one divisor of $N$ still falls in the same interval $[\beta - 2^{l^*}(k+1) + 1,\ \beta - 2^{l^*} k]$, we can further use the same trick as Algorithm 4 to construct a product tree based on the following expression:
$$f_{2^{l^*}}(2^{l^*} k) = \prod_{i=0}^{2^{l^*} - 1} (\beta - 2^{l^*} k - i) \pmod N.$$
Algorithm 3. Our deterministic algorithm for computing a nontrivial divisor of a composite integer N
Input: A composite integer $N$ with unknown factorization and an interval $[\alpha, \beta]$.
Output: A nontrivial divisor of $N$ when it has a divisor in the interval $[\alpha, \beta]$.
1: Set $l^* = \lceil |\beta - \alpha| / 2 \rceil$.
2: Compute the polynomial $f_{2^{l^*}}(x)$ using $\mathrm{Alg}_{Poly}$.
3: Evaluate $f_{2^{l^*}}(x)$ at the multiple points $2^{l^*} k$ for all $1 \le k \le 2^{l^* - (l \bmod 2)}$ using $\mathrm{Alg}_{MPE}$.
4: Compute $d = \gcd(N,\ f_{2^{l^*}}(1) f_{2^{l^*}}(2) \cdots f_{2^{l^*}}(2^{l^* - (l \bmod 2)}) \bmod N)$.
5: if $d = 1$ then
6:   output "there is no divisor in the interval [α, β]" and stop.
7: end if
8: if $1 < d \le \beta$ then
9:   output $d$ and stop.
10: end if
11: if $\beta < d \le N$ then
12:   compute a divisor in the interval $[\alpha, \beta]$ using Algorithm 4.
13: end if

Then the divisor in the interval $[\alpha, \beta]$ can finally be determined. Now, we analyze the complexity of Algorithm 3. $\mathrm{Alg}_{Poly}$ and $\mathrm{Alg}_{MPE}$ take $O(\log(\beta - \alpha) \cdot M((\beta - \alpha)^{1/2}))$ operations modulo $N$, and the storage requirement is $O((\beta - \alpha)^{1/2} \log(\beta - \alpha))$ elements in $\mathbb{Z}_N$. In addition, we need at most $2 \log(\beta - \alpha)$ GCD computations and $O((\beta - \alpha)^{1/2})$ multiplications modulo $N$. Therefore, the complexity of our algorithm mainly relies on the complexity of $\mathrm{Alg}_{Poly}$ and $\mathrm{Alg}_{MPE}$; just like Kim-Cheon's probabilistic algorithm, our deterministic algorithm takes $O(\log(\beta - \alpha) \cdot M((\beta - \alpha)^{1/2}))$ operations modulo $N$.
4.2 Logarithmic Speedup

The complexity of Kim-Cheon's algorithms and our algorithm mainly relies on $\mathrm{Alg}_{Poly}$ and $\mathrm{Alg}_{MPE}$. However, because of the peculiar property of the polynomials we consider, more efficient algorithms exist. Thus, we can speed up the theoretical complexity of Kim-Cheon's algorithms and our algorithm by a logarithmic term $\log(\beta - \alpha)$.

Revisiting Kim-Cheon's Algorithms. In Algorithm 1 they want to compute the polynomial $F(X) = \prod_{0 \le i \le L-1} (X - h g^i) \bmod N$ and evaluate $F(x)$ at the $L$ points $g^L, g^{2L}, \dots, g^{L^2}$. Notice that both $(h g^i)$ and $(g^{iL})$ are geometric progressions, hence we can use the more efficient algorithm of Bostan et al. to compute polynomial interpolation and polynomial evaluation at a geometric progression. Bostan gave his pseudocode in [ ]. This technique can speed up the overall complexity of Kim-Cheon's algorithms by a logarithmic term $\log(\beta - \alpha)$.
Algorithm 4. RecursiveFinding(N, A)
Input: A composite integer $N$ and a set of numbers $\{a_1, \dots, a_n\}$.
Output: A nontrivial divisor of $N$ in the interval $[\alpha, \beta]$.
1: $n' := \lceil n/2 \rceil$
2: Compute $d = \gcd(N, \prod_{i=1}^{n'} a_i)$
3: if $1 < d \le \beta$ then
4:   output $d$ and stop.
5: end if
6: if $d = 1$ then
7:   RecursiveFinding($N$, $\{a_{n'+1}, \dots, a_n\}$)
8: end if
9: if $\beta < d \le N$ then
10:  RecursiveFinding($N$, $\{a_1, \dots, a_{n'}\}$)
11: end if
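The following Python block, added here as an illustration and not part of the paper, walks through Algorithm 3 together with the Algorithm 4 refinement on constructed inputs. The polynomial steps ($\mathrm{Alg}_{Poly}$ and $\mathrm{Alg}_{MPE}$) are replaced by multiplying the factors of each $f_{2^{l^*}}(2^{l^*} k)$ out directly, so what the block shows is the blocking of the window into $2^{l^*}$-sized pieces, the single-gcd decision between "no divisor", "one divisor" and "several divisors", and the recursive isolation of one block (and, when one block still holds several divisors, of one factor inside it, as the remark before Algorithm 3 suggests), rather than the quasi-linear evaluation. Blocks are indexed from $k = 0$ as in the derivation of Section 4.1, the skipping of factors below 2 is an added robustness assumption, and the moduli $10403 = 101 \cdot 103$ and $1113121 = 101 \cdot 103 \cdot 107$ are constructed test values.

```python
from math import gcd

def chunk_factors(alpha, beta):
    """Window [beta - 2^l + 1, beta] with l = |beta - alpha| (so it covers [alpha, beta]),
    split into 2^{l* - (l mod 2)} blocks of 2^{l*} consecutive integers, l* = ceil(l/2).
    Block k lists the factors of f_{2^{l*}}(2^{l*} k) = prod_{i < 2^{l*}} (beta - 2^{l*} k - i)."""
    l = (beta - alpha).bit_length()
    l_star = (l + 1) // 2
    size = 1 << l_star
    return [[beta - size * k - i for i in range(size)] for k in range(1 << (l_star - l % 2))]

def residue(N, factors):
    """Value of one f_{2^{l*}}(2^{l*} k) modulo N, multiplied out directly (Alg_Poly and
    Alg_MPE would produce these values quasi-linearly). Factors below 2 carry no divisor
    information and would only inject a zero, so they are skipped (assumption added here)."""
    r = 1
    for m in factors:
        if m >= 2:
            r = r * (m % N) % N
    return r

def recursive_finding(N, beta, blocks):
    """Algorithm 4 (RecursiveFinding) on a list of blocks: the gcd with the product of the
    first half tells whether that half holds one divisor (1 < d <= beta: output it), none
    (d = 1: search the second half) or several (d > beta: split the first half again).
    A single block that still holds several divisors is split into its 2^{l*} factors,
    i.e. the product tree of prod_i (beta - 2^{l*} k - i) from the end of Section 4.1."""
    n_half = (len(blocks) + 1) // 2
    prod = 1
    for b in blocks[:n_half]:
        prod = prod * residue(N, b) % N
    d = gcd(N, prod)
    if 1 < d <= beta:
        return d
    if d == 1:
        return recursive_finding(N, beta, blocks[n_half:]) if n_half < len(blocks) else None
    if n_half == 1:                       # one block, several divisors: descend into its factors
        if len(blocks[0]) == 1:
            return None                   # a single integer <= beta cannot have gcd > beta
        return recursive_finding(N, beta, [[m] for m in blocks[0]])
    return recursive_finding(N, beta, blocks[:n_half])

def divisor_in_interval(N, alpha, beta):
    """Algorithm 3: one gcd over the whole window decides between no divisor (d = 1),
    exactly one (1 < d <= beta) and several (d > beta); the last case goes to Algorithm 4.
    Returns a nontrivial divisor of N, or None when N has no divisor in [alpha, beta]."""
    blocks = chunk_factors(alpha, beta)
    prod = 1
    for b in blocks:
        prod = prod * residue(N, b) % N
    d = gcd(N, prod)
    if d == 1:
        return None
    if d <= beta:
        return d
    return recursive_finding(N, beta, blocks)

if __name__ == "__main__":
    print(divisor_in_interval(10403, 90, 110))         # two primes in the window: 103 is isolated
    print(divisor_in_interval(1113121, 10400, 10410))  # composite divisor 101 * 103 = 10403
```

For $N = 10403$ and $[\alpha, \beta] = [90, 110]$ both primes lie in the window, the top-level gcd equals $N > \beta$, and two halvings isolate the block holding 103; for $[92, 107]$ both primes fall into the same block of four, so the descent continues into that block's individual factors. One caveat worth keeping in mind: the gcd in step 4 returns whatever factor the window shares with $N$, so if $N$ has a small prime factor, a multiple of it inside the window yields that small nontrivial divisor rather than the one in $[\alpha, \beta]$; the test moduli were chosen without such factors.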
Revisiting Our Algorithm. Likewise, our deterministic algorithm can also be improved by using a smarter way to calculate the evaluation of the function $f_{2^{l^*}}(x)$ at $2^{l^* - (l \bmod 2)}$ points. We use Chen-Nguyen's technique, which is based on Bostan, Gaudry and Schost's result.

More specifically, Bostan, Gaudry and Schost's result can be described as follows:

Theorem 1 (Theorem 5 of Bostan, Gaudry and Schost). Let $a, b$ be in a ring $R$ and $d$ be in $\mathbb{N}$ such that $d(a, b, d)$ is invertible, with $d(a, b, d) = b \cdot 2 \cdots d \cdot (a - db) \cdots (a + db)$, and suppose that the inverse of $d(a, b, d)$ is known. Let $F(x)$ be in $R[X]$ of degree at most $d$ and $r \in R$. Given $F(r), F(r + b), \dots, F(r + db)$, one can compute $F(r + a), F(r + a + b), \dots, F(r + a + db)$ in time $2M(d) + O(d)$ and space $O(d)$. Here, $M(d)$ is the time of multiplying two polynomials of degree at most $d$.

Define the set $S(k_1, \dots, k_j) := \{\sum_{i=1}^{j} p_i 2^{k_i} \mid p_i \in \{0, 1\}\}$. Suppose that we already have the evaluation of $f_{2^j}(x)$ at the points $S(k_{l-j+1}, \dots, k_l)$. If we can calculate the evaluation of $f_{2^{j+1}}(x)$ at the points $S(k_{l-j}, \dots, k_l)$, then with each iteration we come closer to evaluating $f_{2^{l^*}}(x)$ at $2^{l^* - (l \bmod 2)}$ points, until $j = l^*$.

The key technique is how to calculate the evaluation of $f_{2^{j+1}}(x)$ at the points $S(k_{l-j}, \dots, k_l)$ using Theorem 1. For every $X \in S(k_{l-j}, \dots, k_l)$, we have
$$f_{2^{j+1}}(X) = f_{2^j}(X) \cdot f_{2^j}(X + 2^j).$$
We can easily calculate $f_{2^j}(X)$ and $f_{2^j}(X + 2^j)$ using Theorem 1 and thus evaluate $f_{2^{j+1}}(x)$ at the points $S(k_{l-j}, \dots, k_l)$.

Note that our algorithm does not need to impose that the divisor in the interval is prime. However, if we impose that the divisor is prime, we can use the method proposed by Costa and Harvey to further speed up the theoretical complexity by removing some elements in the interval that do not contribute any useful information.
5 Conclusion

In this paper we revisit the problem of finding a nontrivial divisor of a composite integer $N$ when it has a divisor in an interval $[\alpha, \beta]$. We present a deterministic algorithm to solve this problem, and our algorithm has the same complexity as Kim-Cheon's probabilistic algorithm. Besides, based on the special structure of the polynomials, we give a method to speed up the theoretical complexity of Kim-Cheon's algorithm and our algorithm by a logarithmic term $\log(\beta - \alpha)$.
Acknowledgements. This research was supported by the National Natural Science Foundation of China (Grants 61702505, 61472417, 61732021, 61772520), National Cryptography Development Fund (MMJJ20170115, MMJJ20170124) and the Fundamental Theory and Cutting Edge Technology Research Program of Institute of Information Engineering, CAS (Grants Y7Z0341103, Y7Z0321102), JST CREST Grant Number JPMJCR14D6, JSPS KAKENHI Grant Number 16H02780.

References
1. Bluestein, L.I.: A linear filtering approach to the computation of the discrete Fourier transform. IEEE Trans. Electroacoust. 18, 451–466 (1970)
2. Bostan, A.: Algorithmique efficace pour des opérations de base en calcul formel. Ph.D. thesis, École polytechnique (2003) (in English)
3. Bostan, A., Gaudry, P., Schost, E.: Linear recurrences with polynomial coefficients and application to integer factorization and Cartier-Manin operator. SIAM J. Comput. 36(6), 1777–1806 (2007)
4. Chen, Y., Nguyen, P.Q.: Faster algorithms for approximate common divisors: breaking fully-homomorphic-encryption challenges over the integers. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 502–519. Springer, Heidelberg (2012)
5. Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol. 10(4), 233–260 (1997)
6. Coron, J.-S., Joux, A., Mandal, A., Naccache, D., Tibouchi, M.: Cryptanalysis of the RSA subgroup assumption from TCC 2005. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 147–155. Springer, Heidelberg (2011)
7. Costa, E., Harvey, D.: Faster deterministic integer factorization. Math. Comput. 83(285), 339–345 (2014)
8. Fouque, P.-A., Tibouchi, M., Zapalowicz, J.-C.: Recovering private keys generated with weak PRNGs. In: Stam, M. (ed.) IMACC 2013. LNCS, vol. 8308, pp. 158–172. Springer, Heidelberg (2013)
9. Howgrave-Graham, N.: Approximate integer common divisors. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 51–66. Springer, Heidelberg (2001)
10. Kim, M., Cheon, J.H.: Computing prime divisors in an interval. Math. Comp. 84(291), 339–354 (2015)
11. Konyagin, S., Pomerance, C.: On primes recognizable in deterministic polynomial time. In: Graham, R.L., Nešetřil, J. (eds.) The mathematics of Paul Erdős I. Springer, Heidelberg (1997)
12. Pollard, J.M.: Monte Carlo methods for index computation (mod p). Math. Comp. 32(143), 918–928 (1978)
13. Pollard, J.M.: Theorems on factorization and primality testing. In: Proceedings of the Cambridge Philosophical Society, vol. 76, pp. 521–528 (1974)
14. Strassen, V.: Einige Resultate über Berechnungskomplexität. Jber. Deutsch. Math.-Verein. 78(1), 1–8 (1976/1977)
Reusable Fuzzy Extractor from LWE
Yunhua Wen (1,2) and Shengli Liu (1,2,3)

1 Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200240, China
{happyle8,slliu}@sjtu.edu.cn
2 State Key Laboratory of Cryptology, P.O. Box 5159, Beijing 100878, China
3 Westone Cryptologic Research Center, Beijing 100070, China

Abstract. Fuzzy extractor converts the reading of a noisy non-uniform source to a reproducible and almost uniform output R. The output R in turn is used in some cryptographic system as a secret key. To enable multiple extractions of keys R_1, R_2, . . . , R_ρ from the same noisy non-uniform source and applications of different R_i, the concept of reusable fuzzy extractor is proposed to guarantee the pseudorandomness of R_i even conditioned on other extracted keys R_j (from the same source). In this work, we construct a reusable fuzzy extractor from the Learning With Errors (LWE) assumption. Our reusable fuzzy extractor provides resilience to a linear fraction of errors. Moreover, our construction is simple and efficient and imposes no special requirement on the statistical structure of the multiple readings of the source.

Keywords: Fuzzy extractor · Reusability · The LWE assumption
1 Introduction
In a cryptographic system, it is assumed that the secret key is sampled from a random source and is uniformly distributed, since the security of the system relies heavily on the uniformity of the secret key. In reality, such a uniform secret key is hard for the users of the system to create, remember or store. On the other hand, there are lots of random sources available, like biometric data (fingerprint, iris, etc.), physical unclonable function (PUF) ], or quantum information