Lattice-Based Cryptography
|
|
- Joanna Virginia Grant
- 5 years ago
- Views:
Transcription
1 Liljana Babinkostova Department of Mathematics Computing Colloquium Series
2 Detecting Sensor-hijack Attacks in Wearable Medical Systems Krishna Venkatasubramanian Worcester Polytechnic Institute
3 Quantum Computing
4 Are Quantum Computers Moving Closer to Reality? March 17, 2017 IBM Q Quantum computing service that runs alongside IBM s other cloud products. September 25, 2017 Topological Qubit New programming language, integrated with Visual Studio and designed to work on both a quantum simulator and a quantum computer.
5 QUANTUM COMPUTERS PUT ALL ENCRYPTED INTERNET COMMUNICATION AT RISK!
6 Status of Cryptography COMSEC & COMPUSEC Limited fraction of traffic is protected.
7 Status of Cryptography COMSEC & COMPUSEC Limited fraction of traffic is protected. Small fraction of traffic is protected end-to-end with a high security level and without a backdoor ( /voice).
8 Status of Cryptography COMSEC & COMPUSEC Limited fraction of traffic is protected. Small fraction of traffic is protected end-to-end with a high security level and without a backdoor ( /voice). Need authenticated encryption/secure channels reordering, replay, deletion of packets.
9 Status of Cryptography COMSEC & COMPUSEC Limited fraction of traffic is protected. Small fraction of traffic is protected end-to-end with a high security level and without a backdoor ( /voice). Need authenticated encryption/secure channels reordering, replay, deletion of packets. Protection of meta-data is very hard.
10 Status of Cryptography COMSEC & COMPUSEC Limited fraction of traffic is protected. Small fraction of traffic is protected end-to-end with a high security level and without a backdoor ( /voice). Need authenticated encryption/secure channels reordering, replay, deletion of packets. Protection of meta-data is very hard. Key management problem.
11 Factoring and Discrete Log Problem All widely used public-key systems rely on three problems from algebraic number theory: Integer factorization: RSA, n = pq Discrete LOGarithm : Diffie-Hellman, DSA: y = g x Elliptic Curve Discrete Logarithm, ECDSA: Q = xp
12 Factoring and Discrete Log Problem All widely used public-key systems rely on three problems from algebraic number theory: Integer factorization: RSA, n = pq Discrete LOGarithm : Diffie-Hellman, DSA: y = g x Elliptic Curve Discrete Logarithm, ECDSA: Q = xp RSA-1024 DLOG-1024 ECC-146 RSA-2048 DLOG-2048 ECC-206 RSA-4096 DLOG-4096 ECC-282
13 Factoring and Discrete Log Problem All widely used public-key systems rely on three problems from algebraic number theory: Integer factorization: RSA, n = pq Discrete LOGarithm : Diffie-Hellman, DSA: y = g x Elliptic Curve Discrete Logarithm, ECDSA: Q = xp RSA-1024 DLOG-1024 ECC-146 RSA-2048 DLOG-2048 ECC-206 RSA-4096 DLOG-4096 ECC-282 Are these problems hard?
14 The Sky is Falling? When will a quantum computer be built?
15 The Sky is Falling? When will a quantum computer be built? 15 years, $1 billion USD nuclear power plant to run the supercomputer (PQCrypto 2014, Matteo Mariantoni)
16 The Sky is Falling? When will a quantum computer be built? 15 years, $1 billion USD nuclear power plant to run the supercomputer (PQCrypto 2014, Matteo Mariantoni) What will be the impact?
17 The Sky is Falling? When will a quantum computer be built? 15 years, $1 billion USD nuclear power plant to run the supercomputer (PQCrypto 2014, Matteo Mariantoni) What will be the impact? Public key cryptosystems RSA Not secure! Elliptic Curve Cryptography (ECDSA) Not secure! Finite Field Cryptography (DSA) Not secure! Diffie-Hellman key exchange Not secure!
18 The Sky is Falling? When will a quantum computer be built? 15 years, $1 billion USD nuclear power plant to run the supercomputer (PQCrypto 2014, Matteo Mariantoni) What will be the impact? Public key cryptosystems RSA Not secure! Elliptic Curve Cryptography (ECDSA) Not secure! Finite Field Cryptography (DSA) Not secure! Diffie-Hellman key exchange Not secure! Symmetric key cryptosystems
19 The Sky is Falling? When will a quantum computer be built? 15 years, $1 billion USD nuclear power plant to run the supercomputer (PQCrypto 2014, Matteo Mariantoni) What will be the impact? Public key cryptosystems RSA Not secure! Elliptic Curve Cryptography (ECDSA) Not secure! Finite Field Cryptography (DSA) Not secure! Diffie-Hellman key exchange Not secure! Symmetric key cryptosystems AES Need larger keys Triple DES Need larger keys
20 The Sky is Falling? When will a quantum computer be built? 15 years, $1 billion USD nuclear power plant to run the supercomputer (PQCrypto 2014, Matteo Mariantoni) What will be the impact? Public key cryptosystems RSA Not secure! Elliptic Curve Cryptography (ECDSA) Not secure! Finite Field Cryptography (DSA) Not secure! Diffie-Hellman key exchange Not secure! Symmetric key cryptosystems AES Need larger keys Triple DES Need larger keys Hash functions
21 The Sky is Falling? When will a quantum computer be built? 15 years, $1 billion USD nuclear power plant to run the supercomputer (PQCrypto 2014, Matteo Mariantoni) What will be the impact? Public key cryptosystems RSA Not secure! Elliptic Curve Cryptography (ECDSA) Not secure! Finite Field Cryptography (DSA) Not secure! Diffie-Hellman key exchange Not secure! Symmetric key cryptosystems AES Need larger keys Triple DES Need larger keys Hash functions SHA-1, SHA-2 and SHA-3 Use longer output
22 Key Exchange Protocols NewHope [ADPS 15]:
23 Key Exchange Protocols NewHope [ADPS 15]: Ring-LWE key exchange with many optimizations and conjectured 200-bit quantum security.
24 Key Exchange Protocols NewHope [ADPS 15]: Ring-LWE key exchange with many optimizations and conjectured 200-bit quantum security. Comparable to or even faster than ECDH with 128-bit (non-quantum) security.
25 Key Exchange Protocols NewHope [ADPS 15]: Ring-LWE key exchange with many optimizations and conjectured 200-bit quantum security. Comparable to or even faster than ECDH with 128-bit (non-quantum) security. Google has experimentally deployed NewHope+ECDH in Chrome Canary and its own web servers.
26 Key Exchange Protocols NewHope [ADPS 15]: Ring-LWE key exchange with many optimizations and conjectured 200-bit quantum security. Comparable to or even faster than ECDH with 128-bit (non-quantum) security. Google has experimentally deployed NewHope+ECDH in Chrome Canary and its own web servers. Frodo [BCDMNNRS 16]: Plain-LWE key exchange, with many tricks and optimizations.
27 Key Exchange Protocols NewHope [ADPS 15]: Ring-LWE key exchange with many optimizations and conjectured 200-bit quantum security. Comparable to or even faster than ECDH with 128-bit (non-quantum) security. Google has experimentally deployed NewHope+ECDH in Chrome Canary and its own web servers. Frodo [BCDMNNRS 16]: Plain-LWE key exchange, with many tricks and optimizations. Conjectured 200-bit quantum security.
28 Key Exchange Protocols NewHope [ADPS 15]: Ring-LWE key exchange with many optimizations and conjectured 200-bit quantum security. Comparable to or even faster than ECDH with 128-bit (non-quantum) security. Google has experimentally deployed NewHope+ECDH in Chrome Canary and its own web servers. Frodo [BCDMNNRS 16]: Plain-LWE key exchange, with many tricks and optimizations. Conjectured 200-bit quantum security. About 10 slower than NewHope, but only 2 slower than ECDH.
29 Lattices and Cryptography Lattice problems
30 Lattices and Cryptography Lattice problems Appear to be very hard (solution takes exponential time)
31 Lattices and Cryptography Lattice problems Appear to be very hard (solution takes exponential time) Have been widely studied by mathematicians since 19th century (Lagrange, Gauss, Dirichlet,... )
32 Lattices and Cryptography Lattice problems Appear to be very hard (solution takes exponential time) Have been widely studied by mathematicians since 19th century (Lagrange, Gauss, Dirichlet,... ) Provably yield hard on average problems, from worst-case complexity assumptions.
33 Lattices and Cryptography Lattice problems Appear to be very hard (solution takes exponential time) Have been widely studied by mathematicians since 19th century (Lagrange, Gauss, Dirichlet,... ) Provably yield hard on average problems, from worst-case complexity assumptions.
34 Lattices and Cryptography Lattice problems Appear to be very hard (solution takes exponential time) Have been widely studied by mathematicians since 19th century (Lagrange, Gauss, Dirichlet,... ) Provably yield hard on average problems, from worst-case complexity assumptions. Lattice related constructions and cryptographic functions
35 Lattices and Cryptography Lattice problems Appear to be very hard (solution takes exponential time) Have been widely studied by mathematicians since 19th century (Lagrange, Gauss, Dirichlet,... ) Provably yield hard on average problems, from worst-case complexity assumptions. Lattice related constructions and cryptographic functions Have many useful features (linearity, trapdoors,...)
36 Lattices and Cryptography Lattice problems Appear to be very hard (solution takes exponential time) Have been widely studied by mathematicians since 19th century (Lagrange, Gauss, Dirichlet,... ) Provably yield hard on average problems, from worst-case complexity assumptions. Lattice related constructions and cryptographic functions Have many useful features (linearity, trapdoors,...) Are efficient and easy to implement (simple arithmetic operations on small numbers).
37 Lattices Definition Given n linearly independent vectors v 1,..., v n R m, the lattice generated by them is defined as { n } L( v 1,..., v n ) = x i v i x i Z i=1
38 Lattices Definition Given n linearly independent vectors v 1,..., v n R m, the lattice generated by them is defined as { n } L( v 1,..., v n ) = x i v i x i Z i=1 We call v 1,..., v n a basis of the lattice.
39 Lattices Definition Given n linearly independent vectors v 1,..., v n R m, the lattice generated by them is defined as { n } L( v 1,..., v n ) = x i v i x i Z We call v 1,..., v n a basis of the lattice.note that the definition requires v 1,..., v n to be linearly independent over R (and not over Z). i=1
40 Lattices We will use a notational short-hand when dealing with bases, denoting them by a matrix B whose columns are the basis vectors v 1,..., v n.
41 Lattices We will use a notational short-hand when dealing with bases, denoting them by a matrix B whose columns are the basis vectors v 1,..., v n. That is, we will write B = v 1... v n
42 Lattices We will use a notational short-hand when dealing with bases, denoting them by a matrix B whose columns are the basis vectors v 1,..., v n. That is, we will write B = v 1... v n and thus, in this notation, L(B) = {B v v Z n }
43 Lattices We will use a notational short-hand when dealing with bases, denoting them by a matrix B whose columns are the basis vectors v 1,..., v n. That is, we will write B = v 1... v n and thus, in this notation, L(B) = {B v v Z n } The determinant of a lattice is the absolute value of the determinant of the basis matrix det(l(b)) = det(b).
44 Lattices - Example The lattice Z 2 with basis vectors (0, 1) and (1, 0). b 2 b 1
45 Lattices - Example The lattice Z 2 with a different basis consisting of vectors (1, 2) and (2, 3). In fact, any lattice has infinitely many bases. b 2 b 1
46 q-ary Lattices Of particular importance in lattice-based cryptography are q-ary lattices.
47 q-ary Lattices Of particular importance in lattice-based cryptography are q-ary lattices. These are lattices L satisfying Z n q L Z for some (possibly prime) integer q. In other words, the membership of a vector x L is determined by x (mod q).
48 Lattice Problems The most well known computational problems on lattices are the following: Shortest Vector Problem (SVP): Given a lattice basis B, find nonzero vector x in L(B) of length (at most) x = λ.
49 Lattice Problems The most well known computational problems on lattices are the following: Shortest Vector Problem (SVP): Given a lattice basis B, find nonzero vector x in L(B) of length (at most) x = λ. Closest Vector Problem (CVP): Given a lattice basis B and a target vector t (not necessarily in the lattice), find the lattice point x L(B) closest to t.
50 Lattice Problems The most well known computational problems on lattices are the following: Shortest Vector Problem (SVP): Given a lattice basis B, find nonzero vector x in L(B) of length (at most) x = λ. Closest Vector Problem (CVP): Given a lattice basis B and a target vector t (not necessarily in the lattice), find the lattice point x L(B) closest to t. Shortest Independent Vectors Problem (SIVP): Given a lattice basis B, find n linearly independent lattice vectors S = [s 1,, s n ], where s i L(B) and max s i < λ i.
51 Complexity of SVP, SIVP,... Best algorithm for exact solution takes time 2 n. [M. Ajtai, R. Kumar, and D. Sivakumar (2001)]
52 Complexity of SVP, SIVP,... Best algorithm for exact solution takes time 2 n. [M. Ajtai, R. Kumar, and D. Sivakumar (2001)] (Almost) NP-hard for factors up to γ = n 1/ log log n. [Ajtai, Haviv and Regev (2006)]
53 Complexity of SVP, SIVP,... Best algorithm for exact solution takes time 2 n. [M. Ajtai, R. Kumar, and D. Sivakumar (2001)] (Almost) NP-hard for factors up to γ = n 1/ log log n. [Ajtai, Haviv and Regev (2006)] Polynomial time for slightly subexponential γ. [LLL, Schnorr, AKS]
54 Complexity of SVP, SIVP,... Best algorithm for exact solution takes time 2 n. [M. Ajtai, R. Kumar, and D. Sivakumar (2001)] (Almost) NP-hard for factors up to γ = n 1/ log log n. [Ajtai, Haviv and Regev (2006)] Polynomial time for slightly subexponential γ. [LLL, Schnorr, AKS] Unlikely to be NP-hard for γ (n/ log n) 1/2. [GG, AR]
55 Short Integer Solution 1 Let (a 1,, a n ) = norm. a a2 n be the standard Euclidean 1 M. Ajtai, Generating hard instances of lattice problems, Quaderni di Matematica, Vol. 13:1 32 (2004)
56 Short Integer Solution 1 Let (a 1,, a n ) = norm. a a2 n be the standard Euclidean SIS problem Given q N, elements g 1,, g m of Z n q, and real number β > 0, find z Z m such that 1 M. Ajtai, Generating hard instances of lattice problems, Quaderni di Matematica, Vol. 13:1 32 (2004)
57 Short Integer Solution 1 Let (a 1,, a n ) = norm. a a2 n be the standard Euclidean SIS problem Given q N, elements g 1,, g m of Z n q, and real number β > 0, find z Z m such that and z 1 g 1 + z 2 g z m g m = 0 (mod q) 1 M. Ajtai, Generating hard instances of lattice problems, Quaderni di Matematica, Vol. 13:1 32 (2004)
58 Short Integer Solution 1 Let (a 1,, a n ) = norm. a a2 n be the standard Euclidean SIS problem Given q N, elements g 1,, g m of Z n q, and real number β > 0, find z Z m such that and z < β. z 1 g 1 + z 2 g z m g m = 0 (mod q) 1 M. Ajtai, Generating hard instances of lattice problems, Quaderni di Matematica, Vol. 13:1 32 (2004)
59 Learning With Errors (LWE) LWE Simplified:
60 Learning With Errors (LWE) LWE Simplified: Given a system of approximate random linear equations, find s Z 4 17 that satisfies the equations with some (negligible) error χ.
61 Learning With Errors (LWE) LWE Simplified: Given a system of approximate random linear equations, find s Z 4 17 that satisfies the equations with some (negligible) error χ. 14s s 2 + 5s 3 + 2s 4 8 (mod 17) 13s s s 3 + 6s 4 16 (mod 17) 6s s s 3 + s 4 3 (mod 17) 10s 1 + 4s s s 4 12 (mod 17) 9s 1 + 5s 2 + 9s 3 + 6s 4 9 (mod 17) 3s 1 + 6s 2 + 4s 3 + 5s 4 16 (mod 17)
62 Learning With Errors (LWE) LWE Distribution Let n be a positive integer, q be an odd prime, and χ be an error distribution on Z q and s be a secret vector in (Z q ) n.
63 Learning With Errors (LWE) LWE Distribution Let n be a positive integer, q be an odd prime, and χ be an error distribution on Z q and s be a secret vector in (Z q ) n. We denote by L s,χ the probability distribution on Z q n Z q obtained by choosing
64 Learning With Errors (LWE) LWE Distribution Let n be a positive integer, q be an odd prime, and χ be an error distribution on Z q and s be a secret vector in (Z q ) n. We denote by L s,χ the probability distribution on Z q n Z q obtained by choosing a (Z q ) n at random,
65 Learning With Errors (LWE) LWE Distribution Let n be a positive integer, q be an odd prime, and χ be an error distribution on Z q and s be a secret vector in (Z q ) n. We denote by L s,χ the probability distribution on Z q n Z q obtained by choosing a (Z q ) n at random, choosing e Z q n according to the probability distribution χ and
66 Learning With Errors (LWE) LWE Distribution Let n be a positive integer, q be an odd prime, and χ be an error distribution on Z q and s be a secret vector in (Z q ) n. We denote by L s,χ the probability distribution on Z q n Z q obtained by choosing a (Z q ) n at random, choosing e Z q n according to the probability distribution χ and returning the pair
67 Learning With Errors (LWE) LWE Distribution Let n be a positive integer, q be an odd prime, and χ be an error distribution on Z q and s be a secret vector in (Z q ) n. We denote by L s,χ the probability distribution on Z q n Z q obtained by choosing a (Z q ) n at random, choosing e Z q n according to the probability distribution χ and returning the pair ( a, c) = ( a, a, s + e (mod q)) (Z q ) n Z q.
68 Learning With Errors (LWE) LWE Distribution Let n be a positive integer, q be an odd prime, and χ be an error distribution on Z q and s be a secret vector in (Z q ) n. We denote by L s,χ the probability distribution on Z q n Z q obtained by choosing a (Z q ) n at random, choosing e Z q n according to the probability distribution χ and returning the pair ( a, c) = ( a, a, s + e (mod q)) (Z q ) n Z q. LWE Problem Find s Z n q given pairs ( a, c) (Z q ) n Z q sampled according to L s,χ.
69 Public-Key Cryptosystem Based on LWE Parameters: Integers n, m, and q, with m n log q and q > 2 prime. Reducing modulo q is done by taking a representative in the range ( q/2, q/2).
70 Public-Key Cryptosystem Based on LWE Parameters: Integers n, m, and q, with m n log q and q > 2 prime. Reducing modulo q is done by taking a representative in the range ( q/2, q/2). Key Generation:
71 Public-Key Cryptosystem Based on LWE Parameters: Integers n, m, and q, with m n log q and q > 2 prime. Reducing modulo q is done by taking a representative in the range ( q/2, q/2). Key Generation: For the private key we select s (Z q ) n.
72 Public-Key Cryptosystem Based on LWE Parameters: Integers n, m, and q, with m n log q and q > 2 prime. Reducing modulo q is done by taking a representative in the range ( q/2, q/2). Key Generation: For the private key we select s (Z q ) n. To create the public key we generate m vectors a i (Z q ) n and
73 Public-Key Cryptosystem Based on LWE Parameters: Integers n, m, and q, with m n log q and q > 2 prime. Reducing modulo q is done by taking a representative in the range ( q/2, q/2). Key Generation: For the private key we select s (Z q ) n. To create the public key we generate m vectors a i (Z q ) n and m error values e i Z q according to the probability distribution χ.
74 Public-Key Cryptosystem Based on LWE Parameters: Integers n, m, and q, with m n log q and q > 2 prime. Reducing modulo q is done by taking a representative in the range ( q/2, q/2). Key Generation: For the private key we select s (Z q ) n. To create the public key we generate m vectors a i (Z q ) n and m error values e i Z q according to the probability distribution χ. We set
75 Public-Key Cryptosystem Based on LWE Parameters: Integers n, m, and q, with m n log q and q > 2 prime. Reducing modulo q is done by taking a representative in the range ( q/2, q/2). Key Generation: For the private key we select s (Z q ) n. To create the public key we generate m vectors a i (Z q ) n and m error values e i Z q according to the probability distribution χ. We set b i = a i, s + 2e i (mod q) and output
76 Public-Key Cryptosystem Based on LWE Parameters: Integers n, m, and q, with m n log q and q > 2 prime. Reducing modulo q is done by taking a representative in the range ( q/2, q/2). Key Generation: For the private key we select s (Z q ) n. To create the public key we generate m vectors a i (Z q ) n and m error values e i Z q according to the probability distribution χ. We set b i = a i, s + 2e i (mod q) and output the public key (( a 1, b 1 ), ( a i, b 2 ),, ( a m, b m )).
77 Public-Key Cryptosystem Based on LWE Encryption:
78 Public-Key Cryptosystem Based on LWE Encryption: The sender picks t i {0, 1} for i = 1, 2,, m and a message M.
79 Public-Key Cryptosystem Based on LWE Encryption: The sender picks t i {0, 1} for i = 1, 2,, m and a message M. The ciphertext is then the pair of values
80 Public-Key Cryptosystem Based on LWE Encryption: The sender picks t i {0, 1} for i = 1, 2,, m and a message M. The ciphertext is then the pair of values m c = t i a i n=1 and
81 Public-Key Cryptosystem Based on LWE Encryption: The sender picks t i {0, 1} for i = 1, 2,, m and a message M. The ciphertext is then the pair of values c = m t i a i and d = M n=1 m t i b i n=1
82 Public-Key Cryptosystem Based on LWE Encryption: The sender picks t i {0, 1} for i = 1, 2,, m and a message M. The ciphertext is then the pair of values Decryption: c = m t i a i and d = M n=1 m t i b i n=1
83 Public-Key Cryptosystem Based on LWE Encryption: The sender picks t i {0, 1} for i = 1, 2,, m and a message M. The ciphertext is then the pair of values c = m t i a i and d = M n=1 m t i b i n=1 Decryption: The decryption of ( c, d) is performed by evaluating ( c, s + d (mod q)) (mod 2)
84 Public-Key Cryptosystem Based on LWE Encryption: The sender picks t i {0, 1} for i = 1, 2,, m and a message M. The ciphertext is then the pair of values c = m t i a i and d = M n=1 m t i b i n=1 Decryption: The decryption of ( c, d) is performed by evaluating ( c, s + d (mod q)) (mod 2) = (( m n=1 t i a i, s m n=1 t i b i ) + M (mod q)) (mod 2)
85 Public-Key Cryptosystem Based on LWE Encryption: The sender picks t i {0, 1} for i = 1, 2,, m and a message M. The ciphertext is then the pair of values c = m t i a i and d = M n=1 m t i b i n=1 Decryption: The decryption of ( c, d) is performed by evaluating ( c, s + d (mod q)) (mod 2) = (( m n=1 t i a i, s m n=1 t i b i ) + M (mod q)) (mod 2) = (( m n=1 2 t i e i ) + M (mod q)) (mod 2)
86 Public-Key Cryptosystem Based on LWE Encryption: The sender picks t i {0, 1} for i = 1, 2,, m and a message M. The ciphertext is then the pair of values c = m t i a i and d = M n=1 m t i b i n=1 Decryption: The decryption of ( c, d) is performed by evaluating ( c, s + d (mod q)) (mod 2) = (( m n=1 t i a i, s m n=1 t i b i ) + M (mod q)) (mod 2) = (( m n=1 2 t i e i ) + M (mod q)) (mod 2) = (2 small + M) (mod 2)
87 Public-Key Cryptosystem Based on LWE Encryption: The sender picks t i {0, 1} for i = 1, 2,, m and a message M. The ciphertext is then the pair of values c = m t i a i and d = M n=1 m t i b i n=1 Decryption: The decryption of ( c, d) is performed by evaluating ( c, s + d (mod q)) (mod 2) = (( m n=1 t i a i, s m n=1 t i b i ) + M (mod q)) (mod 2) = (( m n=1 2 t i e i ) + M (mod q)) (mod 2) = (2 small + M) (mod 2) = M
88 Confidence-Inspiring Cryptography Takes Time to Build
89 Confidence-Inspiring Cryptography Takes Time to Build Many stages of research from cryptographic point of view:
90 Confidence-Inspiring Cryptography Takes Time to Build Many stages of research from cryptographic point of view: Explore the space of cryptosystems.
91 Confidence-Inspiring Cryptography Takes Time to Build Many stages of research from cryptographic point of view: Explore the space of cryptosystems. Focus on secure cryptosystems.
92 Confidence-Inspiring Cryptography Takes Time to Build Many stages of research from cryptographic point of view: Explore the space of cryptosystems. Focus on secure cryptosystems. Study implementations on real hardware.
93 Confidence-Inspiring Cryptography Takes Time to Build Many stages of research from cryptographic point of view: Explore the space of cryptosystems. Focus on secure cryptosystems. Study implementations on real hardware. Study side-channel attacks, fault attacks, etc.
94 Confidence-Inspiring Cryptography Takes Time to Build Many stages of research from cryptographic point of view: Explore the space of cryptosystems. Focus on secure cryptosystems. Study implementations on real hardware. Study side-channel attacks, fault attacks, etc. Focus on secure implementations and performance requirements.
95 Confidence-Inspiring Cryptography Takes Time to Build Many stages of research from cryptographic point of view: Explore the space of cryptosystems. Focus on secure cryptosystems. Study implementations on real hardware. Study side-channel attacks, fault attacks, etc. Focus on secure implementations and performance requirements. Integrate securely into real-world applications.
96 Confidence-Inspiring Cryptography Takes Time to Build Many stages of research from cryptographic point of view: Explore the space of cryptosystems. Focus on secure cryptosystems. Study implementations on real hardware. Study side-channel attacks, fault attacks, etc. Focus on secure implementations and performance requirements. Integrate securely into real-world applications. THANK YOU!
Lattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal
More informationPost-quantum key exchange for the Internet based on lattices
Post-quantum key exchange for the Internet based on lattices Craig Costello Talk at MSR India Bangalore, India December 21, 2016 Based on J. Bos, C. Costello, M. Naehrig, D. Stebila Post-Quantum Key Exchange
More informationHOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51
HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY Abderrahmane Nitaj Laboratoire de Mathe matiques Nicolas Oresme Universite de Caen Normandie, France Nouakchott, February 15-26, 2016 Abderrahmane
More informationThe Elliptic Curve in https
The Elliptic Curve in https Marco Streng Universiteit Leiden 25 November 2014 Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 1 The s in https:// HyperText Transfer Protocol
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Public-key crypto ECC RSA DSA Secret-key crypto AES SHA2 SHA1... Combination of both
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationSolving All Lattice Problems in Deterministic Single Exponential Time
Solving All Lattice Problems in Deterministic Single Exponential Time (Joint work with P. Voulgaris, STOC 2010) UCSD March 22, 2011 Lattices Traditional area of mathematics Bridge between number theory
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationPost-Quantum Cryptography
Post-Quantum Cryptography Sebastian Schmittner Institute for Theoretical Physics University of Cologne 2015-10-26 Talk @ U23 @ CCC Cologne This work is licensed under a Creative Commons Attribution-ShareAlike
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Asymmetric Crypto ECC RSA DSA Symmetric Crypto AES SHA2 SHA1... Combination of both
More informationMATH 158 FINAL EXAM 20 DECEMBER 2016
MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page
More informationNotes for Lecture 16
COS 533: Advanced Cryptography Lecture 16 (11/13/2017) Lecturer: Mark Zhandry Princeton University Scribe: Boriana Gjura Notes for Lecture 16 1 Lattices (continued) 1.1 Last time. We defined lattices as
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationBackground: Lattices and the Learning-with-Errors problem
Background: Lattices and the Learning-with-Errors problem China Summer School on Lattices and Cryptography, June 2014 Starting Point: Linear Equations Easy to solve a linear system of equations A s = b
More informationFrom NewHope to Kyber. Peter Schwabe April 7, 2017
From NewHope to Kyber Peter Schwabe peter@cryptojedi.org https://cryptojedi.org April 7, 2017 In the past, people have said, maybe it s 50 years away, it s a dream, maybe it ll happen sometime. I used
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationLattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.
Lattices A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices have many uses in cryptography. They may be used to define cryptosystems and to break other ciphers.
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationPublic Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy
Symmetric Cryptography Review Alice Bob Public Key x e K (x) y d K (y) x K K Instructor: Dr. Wei (Lisa) Li Department of Computer Science, GSU Two properties of symmetric (secret-key) crypto-systems: The
More informationSecurity Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography
Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How
More informationIntroduction to Elliptic Curve Cryptography. Anupam Datta
Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups
More informationOther Public-Key Cryptosystems
Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/
More informationCosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks
1 Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks Michael Albert michael.albert@cs.otago.ac.nz 2 This week Arithmetic Knapsack cryptosystems Attacks on knapsacks Some
More informationCIS 551 / TCOM 401 Computer and Network Security
CIS 551 / TCOM 401 Computer and Network Security Spring 2008 Lecture 15 3/20/08 CIS/TCOM 551 1 Announcements Project 3 available on the web. Get the handout in class today. Project 3 is due April 4th It
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols nichols@math.umass.edu University of Massachusetts Oct. 14, 2015 Cryptography basics Cryptography is the study of secure communications. Here are
More informationIntroduction to Elliptic Curve Cryptography
Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More information8 Elliptic Curve Cryptography
8 Elliptic Curve Cryptography 8.1 Elliptic Curves over a Finite Field For the purposes of cryptography, we want to consider an elliptic curve defined over a finite field F p = Z/pZ for p a prime. Given
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols University of Massachusetts Amherst nichols@math.umass.edu WINRS Research Symposium Brown University March 4, 2017 Cryptography basics Cryptography
More information9 Knapsack Cryptography
9 Knapsack Cryptography In the past four weeks, we ve discussed public-key encryption systems that depend on various problems that we believe to be hard: prime factorization, the discrete logarithm, and
More informationPublic Key Algorithms
Public Key Algorithms Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/
More informationClassical hardness of the Learning with Errors problem
Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Serge Vaudenay 17.1.2017 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not
More informationTi Secured communications
Ti5318800 Secured communications Pekka Jäppinen September 20, 2007 Pekka Jäppinen, Lappeenranta University of Technology: September 20, 2007 Relies on use of two keys: Public and private Sometimes called
More informationDefinition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University
Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0
More informationLecture 7: ElGamal and Discrete Logarithms
Lecture 7: ElGamal and Discrete Logarithms Johan Håstad, transcribed by Johan Linde 2006-02-07 1 The discrete logarithm problem Recall that a generator g of a group G is an element of order n such that
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationInformation Security
SE 4472 / ECE 9064 Information Security Week 12: Random Number Generators and Picking Appropriate Key Lengths Fall 2015 Prof. Aleksander Essex Random Number Generation Where do keys come from? So far we
More informationOverview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017
CSC 580 Cryptography and Computer Security Math for Public Key Crypto, RSA, and Diffie-Hellman (Sections 2.4-2.6, 2.8, 9.2, 10.1-10.2) March 21, 2017 Overview Today: Math needed for basic public-key crypto
More informationDigital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay
Digital Signatures Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay July 24, 2018 1 / 29 Group Theory Recap Groups Definition A set
More informationMathematics of Public Key Cryptography
Mathematics of Public Key Cryptography Eric Baxter April 12, 2014 Overview Brief review of public-key cryptography Mathematics behind public-key cryptography algorithms What is Public-Key Cryptography?
More informationHigh-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven
High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationLecture V : Public Key Cryptography
Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationShortest Vector Problem (1982; Lenstra, Lenstra, Lovasz)
Shortest Vector Problem (1982; Lenstra, Lenstra, Lovasz) Daniele Micciancio, University of California at San Diego, www.cs.ucsd.edu/ daniele entry editor: Sanjeev Khanna INDEX TERMS: Point lattices. Algorithmic
More informationLecture 11: Key Agreement
Introduction to Cryptography 02/22/2018 Lecture 11: Key Agreement Instructor: Vipul Goyal Scribe: Francisco Maturana 1 Hardness Assumptions In order to prove the security of cryptographic primitives, we
More informationThe quantum threat to cryptography
The quantum threat to cryptography Ashley Montanaro School of Mathematics, University of Bristol 20 October 2016 Quantum computers University of Bristol IBM UCSB / Google University of Oxford Experimental
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationCryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97
Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97 Phong Nguyen and Jacques Stern École Normale Supérieure, Laboratoire d Informatique 45, rue d Ulm, F 75230 Paris Cedex 05 {Phong.Nguyen,Jacques.Stern}@ens.fr
More informationWeaknesses in Ring-LWE
Weaknesses in Ring-LWE joint with (Yara Elias, Kristin E. Lauter, and Ekin Ozman) and (Hao Chen and Kristin E. Lauter) ECC, September 29th, 2015 Lattice-Based Cryptography Post-quantum cryptography Ajtai-Dwork:
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part
More informationLattice Cryptography
CSE 206A: Lattice Algorithms and Applications Winter 2016 Lattice Cryptography Instructor: Daniele Micciancio UCSD CSE Lattice cryptography studies the construction of cryptographic functions whose security
More informationLECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS
LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS Modular arithmetics that we have discussed in the previous lectures is very useful in Cryptography and Computer Science. Here we discuss several
More informationNumber Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers
Number Theory: Applications Number Theory Applications Computer Science & Engineering 235: Discrete Mathematics Christopher M. Bourke cbourke@cse.unl.edu Results from Number Theory have many applications
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationFundamentals of Modern Cryptography
Fundamentals of Modern Cryptography BRUCE MOMJIAN This presentation explains the fundamentals of modern cryptographic methods. Creative Commons Attribution License http://momjian.us/presentations Last
More informationOther Public-Key Cryptosystems
Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: 10-1 Overview 1. How to exchange
More information2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms
CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such
More informationElliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.
Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elisa Lorenzo García Université de Rennes 1 14-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 1 /
More informationElliptic Curves and an Application in Cryptography
Parabola Volume 54, Issue 1 (2018) Elliptic Curves and an Application in Cryptography Jeremy Muskat 1 Abstract Communication is no longer private, but rather a publicly broadcast signal for the entire
More informationCRYSTALS Kyber and Dilithium. Peter Schwabe February 7, 2018
CRYSTALS Kyber and Dilithium Peter Schwabe peter@cryptojedi.org https://cryptojedi.org February 7, 2018 Crypto today 5 building blocks for a secure channel Symmetric crypto Block or stream cipher (e.g.,
More informationTopics in Cryptography. Lecture 5: Basic Number Theory
Topics in Cryptography Lecture 5: Basic Number Theory Benny Pinkas page 1 1 Classical symmetric ciphers Alice and Bob share a private key k. System is secure as long as k is secret. Major problem: generating
More informationNetwork Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30
Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) LIU Zhen Due Date: March 30 Questions: 1. RSA (20 Points) Assume that we use RSA with the prime numbers p = 17 and q = 23. (a) Calculate
More information6.080/6.089 GITCS Apr 15, Lecture 17
6.080/6.089 GITCS pr 15, 2008 Lecturer: Scott aronson Lecture 17 Scribe: dam Rogal 1 Recap 1.1 Pseudorandom Generators We will begin with a recap of pseudorandom generators (PRGs). s we discussed before
More informationChapter 4 Asymmetric Cryptography
Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman [NetSec/SysSec], WS 2008/2009 4.1 Asymmetric Cryptography General idea: Use two different keys -K and +K for
More informationMy brief introduction to cryptography
My brief introduction to cryptography David Thomson dthomson@math.carleton.ca Carleton University September 7, 2013 introduction to cryptography September 7, 2013 1 / 28 Outline 1 The general framework
More informationAsymmetric Cryptography
Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman General idea: Use two different keys -K and +K for encryption and decryption Given a
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationLattice-Based Cryptography: Mathematical and Computational Background. Chris Peikert Georgia Institute of Technology.
Lattice-Based Cryptography: Mathematical and Computational Background Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 18 Lattice-Based Cryptography y = g x mod p m e mod N e(g a, g b
More informationLossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationSecurity II: Cryptography exercises
Security II: Cryptography exercises Markus Kuhn Lent 2015 Part II Some of the exercises require the implementation of short programs. The model answers use Perl (see Part IB Unix Tools course), but you
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes Lecture 8 Tel-Aviv University
More informationRecent Advances in Identity-based Encryption Pairing-free Constructions
Fields Institute Workshop on New Directions in Cryptography 1 Recent Advances in Identity-based Encryption Pairing-free Constructions Kenny Paterson kenny.paterson@rhul.ac.uk June 25th 2008 Fields Institute
More informationThreshold Cryptography
Threshold Cryptography Cloud Security Mechanisms Björn Groneberg - Summer Term 2013 09.07.2013 Threshold Cryptography 1 ? 09.07.2013 Threshold Cryptography 2 Threshold Cryptography Sharing Secrets Treasure
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationElliptic Curve Cryptography
AIMS-VOLKSWAGEN STIFTUNG WORKSHOP ON INTRODUCTION TO COMPUTER ALGEBRA AND APPLICATIONS Douala, Cameroon, October 12, 2017 Elliptic Curve Cryptography presented by : BANSIMBA Gilda Rech BANSIMBA Gilda Rech
More informationCandidates must show on each answer book the type of calculator used. Only calculators permitted under UEA Regulations may be used.
UNIVERSITY OF EAST ANGLIA School of Mathematics May/June UG Examination 2010 2011 CRYPTOGRAPHY Time allowed: 2 hours Attempt THREE questions. Candidates must show on each answer book the type of calculator
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our
More informationOutline. Available public-key technologies. Diffie-Hellman protocol Digital Signature. Elliptic curves and the discrete logarithm problem
Outline Public-key cryptography A collection of hard problems Mathematical Background Trapdoor Knapsack Integer factorization Problem Discrete logarithm problem revisited Case of Study: The Sun NFS Cryptosystem
More informationPractical, Quantum-Secure Key Exchange from LWE
Practical, Quantum-Secure Key Exchange from LWE Douglas Stebila 4 th ETSI/IQC Workshop on Quantum-Safe Cryptography September 21, 2016 Acknowledgements Collaborators Joppe Bos Craig Costello and Michael
More informationLecture 6: Cryptanalysis of public-key algorithms.,
T-79.159 Cryptography and Data Security Lecture 6: Cryptanalysis of public-key algorithms. Helsinki University of Technology mjos@tcs.hut.fi 1 Outline Computational complexity Reminder about basic number
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem The 11 th International Workshop on Security, Sep. 13 th 2016 Momonari Kudo, Junpei Yamaguchi, Yang Guo and Masaya Yasuda 1 Graduate
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More information1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2
Contents 1 Recommended Reading 1 2 Public Key/Private Key Cryptography 1 2.1 Overview............................................. 1 2.2 RSA Algorithm.......................................... 2 3 A Number
More informationLattice-based Cryptography
Lattice-based Cryptography Oded Regev Tel Aviv University, Israel Abstract. We describe some of the recent progress on lattice-based cryptography, starting from the seminal work of Ajtai, and ending with
More informationCOMP424 Computer Security
COMP424 Computer Security Prof. Wiegley jeffw@csun.edu Rivest, Shamir & Adelman (RSA) Implementation 1 Relatively prime Prime: n, is prime if its only two factors are 1 and n. (and n 1). Relatively prime:
More informationPost Quantum Cryptography
Malaysian Journal of Mathematical Sciences 11(S) August: 1-28 (2017) Special Issue: The 5th International Cryptology and Information Security Conference (New Ideas in Cryptology) MALAYSIAN JOURNAL OF MATHEMATICAL
More informationPOST-QUANTUM CRYPTOGRAPHY HOW WILL WE ENCRYPT TOMORROW?
POST-QUANTUM CRYPTOGRAPHY HOW WILL WE ENCRYPT TOMORROW? Hanno Böck https://hboeck.de 1 INTRODUCTION Hanno Böck, freelance journalist and hacker. Writing for Golem.de and others. Fuzzing Project, funded
More informationduring transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL
THE MATHEMATICAL BACKGROUND OF CRYPTOGRAPHY Cryptography: used to safeguard information during transmission (e.g., credit card number for internet shopping) as opposed to Coding Theory: used to transmit
More informationFULLY HOMOMORPHIC ENCRYPTION
FULLY HOMOMORPHIC ENCRYPTION A Thesis Submitted in Partial Fulfilment of the Requirements for the Award of the Degree of Master of Computer Science - Research from UNIVERSITY OF WOLLONGONG by Zhunzhun
More information