Vincent Quentin Ulitzsch’s research while affiliated with Technische Universität Berlin and other places


Publications (9)


MAYo or MAY-not: Exploring Implementation Security of the Post-Quantum Signature Scheme MAYO Against Physical Attacks
  • Conference Paper

September 2024 · 4 Reads

Thomas Aulbach · [...] · Vincent Quentin Ulitzsch


An in-principle super-polynomial quantum advantage for approximating combinatorial optimization problems via computational learning theory

March 2024 · 24 Reads · 9 Citations

Science Advances

Vincent Ulitzsch · Frederik Wilde · [...]
It is unclear to what extent quantum algorithms can outperform classical algorithms for problems of combinatorial optimization. In this work, by resorting to computational learning theory and cryptographic notions, we give a fully constructive proof that quantum computers feature a super-polynomial advantage over classical computers in approximating combinatorial optimization problems. Specifically, by building on seminal work by Kearns and Valiant, we provide special instances that are hard for classical computers to approximate up to polynomial factors. Simultaneously, we give a quantum algorithm that can efficiently approximate the optimal solution within a polynomial factor. The quantum advantage in this work is ultimately borrowed from Shor’s quantum algorithm for factoring. We introduce an explicit and comprehensive end-to-end construction for the advantage-bearing instances. For these instances, quantum computers have, in principle, the power to approximate combinatorial optimization solutions beyond the reach of classical efficient algorithms.


Loop Aborts Strike Back: Defeating Fault Countermeasures in Lattice Signatures with ILP
  • Article
  • Full-text available

August 2023 · 81 Reads · 1 Citation

IACR Transactions on Cryptographic Hardware and Embedded Systems

At SAC 2016, Espitau et al. presented a loop-abort fault attack against lattice-based signature schemes following the Fiat–Shamir with aborts paradigm. Their attack recovered the signing key by injecting faults in the sampling of the commitment vector (also called masking vector) y, leaving its coefficients at their initial zero value. As possible countermeasures, they proposed to carry out the sampling of the coefficients of y in shuffled order, or to ensure that the masking polynomials in y are not of low degree. In this paper, we show that both of these countermeasures are insufficient. We demonstrate a new loop-abort fault injection attack against Fiat–Shamir with aborts lattice-based signatures that can recover the secret key from faulty signatures even when the proposed countermeasures are implemented. The key idea of our attack is that faulted signatures give rise to a noisy linear system of equations, which can be solved using integer linear programming. We present an integer linear program that recovers the secret key efficiently in practice, and validate the efficacy of our attack by conducting a practical end-to-end attack against a shuffled version of the Dilithium reference implementation, mounted on an ARM Cortex M4. We achieve a full (equivalent) key recovery in under 3 minutes total execution time (including signature generation), using only 5 faulted signatures. In addition, we conduct extensive theoretical simulations of the attack against Dilithium. We find that our method can achieve key recovery in under 5 minutes given a (sufficiently large) set of signatures where just one of the coefficients of y is zeroed out (or left at its initial value of zero). Furthermore, we find that our attack works against all security levels of Dilithium. Our attack shows that protecting Fiat–Shamir with aborts lattice-based signatures against fault injection attacks cannot be achieved using the simple countermeasures proposed by Espitau et al. and likely requires significantly more expensive countermeasures.

Figure 4: Minimal number of faulted signatures required to recover $s_1$ through Algorithm 6 in under 5 minutes, depending on the number of zeroed coefficients per signature $t$ and the NIST security level. The number of required faulted signatures is calculated as described in Algorithm 7.
Figure 6: Experimental workbench used for our fault injection attack; it contains an STM32F4 target board mounted on the UFO board (red), a ChipWhisperer CW308, two SMA cables, and a USB cable.

Breaking the Quadratic Barrier: Quantum Cryptanalysis of Milenage, Telecommunications’ Cryptographic Backbone

August 2023 · 49 Reads · 6 Citations

Lecture Notes in Computer Science

The potential advent of large-scale quantum computers in the near future poses a threat to contemporary cryptography. One ubiquitous usage of cryptography is currently present in the vibrant field of cellular networks. The cryptography of cellular networks is centered around seven secret-key algorithms $f_1, \ldots, f_5, f_1^{*}, f_5^{*}$, aggregated into an authentication and key agreement algorithm set. Still, to the best of our knowledge, these secret key algorithms have not yet been subject to quantum cryptanalysis. Instead, many quantum security considerations for telecommunication networks argue that the threat posed by quantum computers is restricted to public-key cryptography. However, various recent works have presented quantum attacks on secret key cryptography that exploit quantum period finding to achieve more than a quadratic speedup compared to the best known classical attacks. Motivated by this quantum threat to symmetric cryptography, this paper presents a quantum cryptanalysis for the Milenage algorithm set, the prevalent instantiation of the seven secret-key $f_1, \ldots, f_5, f_1^{*}, f_5^{*}$ algorithms that underpin cellular security. Building upon recent quantum cryptanalytic results, we show attacks that go beyond a quadratic speedup. Concretely, we provide quantum attack scenarios for all Milenage algorithms, including exponential speedups distinguishable by different quantum attack models. Our results do not constitute a quantum break of the Milenage algorithms, but they do show that Milenage suffers from structural weaknesses making it susceptible to quantum attacks.

Keywords: Quantum cryptanalysis · Simon’s Algorithm · Quantum Security · Milenage · Cellular network · AKA protocol · Post-quantum cryptography


An in-principle super-polynomial quantum advantage for approximating combinatorial optimization problems via computational learning theory

December 2022 · 20 Reads

Combinatorial optimization - a field of research addressing problems that feature strongly in a wealth of scientific and industrial contexts - has been identified as one of the core potential fields of applicability of quantum computers. It is still unclear, however, to what extent quantum algorithms can actually outperform classical algorithms for this type of problem. In this work, by resorting to computational learning theory and cryptographic notions, we prove that quantum computers feature an in-principle super-polynomial advantage over classical computers in approximating solutions to combinatorial optimization problems. Specifically, building on seminal work by Kearns and Valiant and introducing a new reduction, we identify special types of problems that are hard for classical computers to approximate up to polynomial factors. At the same time, we give a quantum algorithm that can efficiently approximate the optimal solution within a polynomial factor. The core of the quantum advantage discovered in this work is ultimately borrowed from Shor's quantum algorithm for factoring. Concretely, we prove a super-polynomial advantage for approximating special instances of the so-called integer programming problem. In doing so, we provide an explicit end-to-end construction for advantage-bearing instances. This result shows that quantum devices have, in principle, the power to approximate combinatorial optimization solutions beyond the reach of classical efficient algorithms. Our results also give clear guidance on how to construct such advantage-bearing problem instances.

FIG. 2. Example of a deterministic finite automaton. The DFA is represented as a quintuple (Q, Σ, λ, q0, ω), where Q = {q0, q1, q2}, Σ = {a, b}, λ is defined by the transitions (e.g., λ(q0, a) = q1, λ(q0, b) = q2, etc.), q0 is the initial state, and ω = {q2} is the set of accept states.
FIG. 3. The interplay between representations and concepts. The domain X can formally be seen as a set of finite bit strings. Concepts are subsets of the domain, which can be described by representations c ∈ C. Together with the map σ, mapping representations to concepts, the tuple (σ, C) is called a representation class.
FIG. 4. The reduction chain from the consistency problem to combinatorial optimization problems. In Section IV B 1, we introduce Boolean circuits, whose sizes are hard to approximate by |h|, where h is a hypothesis that is consistent with a sample labeled by the circuits. This directly implies the approximation hardness of Con(DFA, DFA). In Section IV B 3, we present an approximation-preserving reduction from Con(DFA, DFA) to formula colouring (21). We then extend the results of Ref. (21) by showing in Section IV B 4 an approximation-preserving reduction from formula colouring to integer linear programming, yielding the approximation hardness for ILP.



Open or not open: Are conventional radio access networks more secure and trustworthy than Open-RAN?

April 2022 · 84 Reads · 15 Citations

The Open RAN architecture is a promising and future-oriented architecture. It is intended to open up the radio access network (RAN) and enable more innovation and competition in the market. This will lead to RANs for current 5G networks, but especially for future 6G networks, evolving from the current highly integrated, vendor-specific RAN architecture towards disaggregated architectures with open interfaces that will make it possible to better tailor RAN solutions to the requirements of 5G and 6G applications. However, the introduction of such an open architecture substantially broadens the attack possibilities when compared to conventional RANs. In the past, this has often led to negative headlines that in summary have associated Open RAN with faulty or inadequate security. In this paper, we analyze what components are involved in an Open RAN deployment, how to assess the current state of security, and what measures need to be taken to ensure secure operation.

Fig. 1. Mobile Network


Open or not open: Are conventional radio access networks more secure and trustworthy than Open-RAN?

April 2022 · 185 Reads

The Open-RAN architecture is a highly promising and future-oriented architecture. It is intended to open up the radio access network and enable more innovation and competition in the market. This will lead to RANs for current 5G networks, but especially for future 6G networks, to move away from the current centralised, provider-specific 3G RAN architecture and therefore even better meet the requirements for future RANs. However, the change in design has also created a drastic shift in the attack surface compared to conventional RANs. In the past, this has often led to negative headlines, which in summary have often associated O-RAN with faulty or inadequate security. In this paper, we analyze what components are involved in an Open-RAN deployment, how the current state of security is to be assessed and what measures need to be taken to ensure secure operation.

Fig. 1. Mobile Network
Fig. 2. O-RAN specific interfaces

Citations (5)


... Marzougui et al. [MUTS22] demonstrate a machine learning-assisted profiled side-channel attack targeting the nonce y. The attack exploits a leakage in the function ExpandMask which is used for sampling y pseudo-randomly from a seed and a counter. ...

Reference:

Unpacking Needs Protection: A Single-Trace Secret Key Recovery Attack on Dilithium
Profiling Side-Channel Attacks on Dilithium: A Small Bit-Fiddling Leak Breaks It All
  • Citing Chapter
  • May 2024

... On the other hand, quantum computers use quantum algorithms such as QA, variational quantum eigensolver (VQE), and Quantum Approximate Optimization Algorithm (QAOA) to achieve optimal solutions. When it comes to solving combinatorial optimization problems, quantum computing has the potential to outperform classical computing [76]. ...

An in-principle super-polynomial quantum advantage for approximating combinatorial optimization problems via computational learning theory
  • Citing Article
  • March 2024

Science Advances

... Advancements in quantum cryptanalysis have further demonstrated that symmetric-key cryptography can be efficiently compromised or significantly weakened using the capabilities of quantum computers [6][7][8][9][10][11][12]. However, the extent of compromise hinges on the expertise and capabilities of the potential attacker. ...

Breaking the Quadratic Barrier: Quantum Cryptanalysis of Milenage, Telecommunications’ Cryptographic Backbone
  • Citing Chapter
  • August 2023

Lecture Notes in Computer Science

... 5.1 the SUCI mechanism works with elliptic cryptography. In fact, [157] showed that the elliptic cryptography used for SUCI generation can be weak in case of quantum attacks performed by an active adversary, leading to potential SUPI disclosure and identity leakage. This vulnerability has been also discussed by other works [171][172][173][174], meaning that quantum attacks should be taken into consideration in the next mobile generations. ...

A Post-Quantum Secure Subscription Concealed Identifier for 6G
  • Citing Conference Paper
  • May 2022

... From an implementation perspective, our framework necessitates certain hardware and software capabilities. Vehicles must possess computational power to handle local model training, DUs need to be capable of managing communications and encrypting data, and the CU must handle data aggregation and decryption tasks efficiently [14]. While the development of vehicular technology and infrastructure has reached a stage where these requirements are generally feasible, discrepancies in hardware or software capabilities across the network could impact overall performance. ...

Open or not open: Are conventional radio access networks more secure and trustworthy than Open-RAN?