Code-based post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago
|
|
- Alicia Green
- 5 years ago
- Views:
Transcription
1 Code-based post-quantum cryptography D. J. Bernstein University of Illinois at Chicago
2 Once the enormous energy boost that quantum computers are expected to provide hits the street, most encryption security standards and any other standard based on computational difficulty will fall, experts believe. (Magiq s web site, 2008; the experts aren t named)
3 Is cryptography dead? Imagine: 15 years from now someone announces successful construction of a large quantum computer. New York Times headline: INTERNET CRYPTOGRAPHY KILLED BY PHYSICISTS. Users panic. What happens to cryptography?
4 RSA: Dead.
5 RSA: Dead. DSA: Dead. ECDSA: Dead.
6 RSA: Dead. DSA: Dead. ECDSA: Dead. ECC in general: Dead. HECC in general: Dead.
7 RSA: Dead. DSA: Dead. ECDSA: Dead. ECC in general: Dead. HECC in general: Dead. Buchmann Williams: Dead. Class groups in general: Dead.
8 RSA: Dead. DSA: Dead. ECDSA: Dead. ECC in general: Dead. HECC in general: Dead. Buchmann Williams: Dead. Class groups in general: Dead. They re all dead, Dave.
9 RSA: Dead. DSA: Dead. ECDSA: Dead. ECC in general: Dead. HECC in general: Dead. Buchmann Williams: Dead. Class groups in general: Dead. They re all dead, Dave. But we have other types of cryptographic systems! Hash-based cryptography. Example: 1979 Merkle hash-tree public-key signature system.
10 Code-based cryptography. Example: 1978 McEliece hidden-goppa-code public-key encryption system. Lattice-based cryptography. Example: 1998 NTRU. Multivariate-quadraticequations cryptography. Example: 1996 Patarin HFE v public-key signature system. Secret-key cryptography. Example: 1998 Daemen Rijmen Rijndael cipher, aka AES.
11
12 Bernstein: Introduction to post-quantum cryptography. Hallgren, Vollmer: Quantum computing. Buchmann, Dahmen, Szydlo: Hash-based digital signature schemes. Overbeck, Sendrier: Code-based cryptography. Micciancio, Regev: Lattice-based cryptography. Ding, Yang: Multivariate public key cryptography.
13 The McEliece cryptosystem Receiver s public key: random matrix à over F 2. Specifies linear F F Messages suitable for encryption: 1024-bit strings of weight 50; i.e., Ñ ¾ F : # : Ñ = 1 = 50. Encryption of Ñ is ÃÑ ¾ F Can use Ñ as secret AES key to encrypt much more data.
14 Attacker, by linear algebra, can easily work backwards from ÃÑ to some Ú ¾ F such that ÃÚ = ÃÑ. i.e. Attacker finds some element Ú ¾ Ñ + KerÃ. Note that #Kerà Attacker wants to decode Ú: to find element of Kerà at distance only 50 from Ú. Presumably unique, revealing Ñ. But decoding isn t easy!
15 Information-set decoding Choose random size-500 subset Ë For typical Ã: Good chance that F Ë 2 F Ã F is invertible. Hope Ñ ¾ F Ë 2 ; chance Apply inverse map to ÃÑ, revealing Ñ if Ñ ¾ F Ë 2. If Ñ ¾ F Ë 2, try again operations overall.
16 Various improvements: 1988 Lee Brickell; 1988 Leon; 1989 Stern; 1990 van Tilburg; 1994 Canteaut Chabanne; 1998 Canteaut Chabaud; 1998 Canteaut Sendrier Alpha cycles Bernstein Lange Peters: further improvements; 2 58 Core 2 Quad cycles; carried out successfully!
17 1988 Lee Brickell idea: Hope that Ñ + ¾ F Ë 2 for some weight-2 vector. Reuse one matrix inversion for all choices of Stern idea: Hope that Ñ + + ¼ ¾ F Ë 2 for low-weight vectors ¼. Search for collision between function of, function of ¼ Bernstein Lange Peters: more reuse, optimization, etc.
18 Modern McEliece Easily rescue system by using a larger public key: random (Ò 2) Ò matrix à over F 2. e.g., Larger weight: Ò (2 lg Ò). e.g. Ñ ¾ F of weight 150. All known attacks scale badly: roughly 2 Ò (2 lg Ò) operations. For much more precise analysis see 2009 Bernstein Lange Peters van Tilborg.
19 Receiver secretly generates public key à with a hidden Goppa-code structure that allows fast decoding. Namely: à = ËÀÈ for secret (Ò 2) (Ò 2) invertible matrix Ë, (Ò 2) Ò Goppa matrix À, Ò Ò permutation matrix È. Detecting this structure seems even more difficult than attacking random Ã.
20 Goppa codes Fix Õ ¾ ; Ø ¾ 2 3 (Õ 1) lg Õ ; Ò ¾ Ø lg Õ + 1 Ø lg Õ + 2 Õ. e.g. Õ = 1024, Ø = 50, Ò = or Õ = 4096, Ø = 150, Ò = Receiver s matrix À is the parity-check matrix for the classical (genus-0) irreducible length-ò degree-ø binary Goppa code defined by a monic degree-ø irreducible polynomial ¾ F Õ [Ü] and distinct 1 2 Ò ¾ F Õ.
21 which means: À = ¼ ½ 1 ( 1 ) 1 ( Ò ) 1 ( 1 )... Ø 1 1 Ò ( Ò ) Ø 1 ( 1 ) Ò ( Ò ) View each element of F Õ here as a column in F lg Õ Then À : F Ò 2 2. FØ lg Õ 2.
22 More useful view: Consider the map Ñ È Ñ (Ü ) from F Ò 2 to F Õ[Ü]. À is the matrix for this map where F Ò 2 has standard basis and F Õ [Ü] has basis Ü, Ü 2,, Ü Ø. One-line proof: In F Õ [Ü] have ( ) = Ü Ü +1. 0
23 Decoding Goppa codes 1975 Patterson: Given ÀÑ, can quickly find Ñ if weight of Ñ is Ø. Given ciphertext ÃÑ = ËÀÈ Ñ: receiver computes ÀÈ Ñ by applying secret Ë 1 ; decodes À to obtain È Ñ by Patterson s algorithm; computes message Ñ by applying secret È 1.
24 Patterson input È is Ö ¾ F Õ [Ü] having form Ñ (Ü ) where Ñ ¾ F Ò 2 has weight Ø. Output will be Ñ. If Ö = 0, output 0 and stop. If Ö = Ô 0: Lift Ö 1 Ü from F Õ [Ü] to ¾ F Õ [Ü] of degree Ø. Consider lattice Ä F Õ [Ü] 2 generated by ( 1) and ( 0). Define length of («) as norm of «2 + Ü 2. Find a minimum-length nonzero vector («0 0 ) ¾ Ä.
25 Monic part of 0 = «2 0 + Ü 2 0 is exactly É :Ñ =1 (Ü ). Factor 0 and print Ñ. Why this works: Define = É :Ñ =1 (Ü ). Write as «2 + Ü 2 in F Õ [Ü]. Have ¼ = Ö in F Õ [Ü] so 2 («2 + Ü 2 ) = 1 ( 2 + Ü) so = «in F Õ [Ü] ; i.e., («) ¾ Ä. Volume of Ä forces («) ¾ («0 0 )F Õ [Ü] so = square 0; is squarefree so square ¾ F Õ.
26 What if Patterson is used for Ñ having weight Ø? Volume argument fails. («) ¾ («0 0 )F Õ [Ü]. But can compute short basis («0 0 ) («1 1 ) of Ä. Then is a linear combination of 0 = «2 0 + Ü 2 0 and 1 = «2 1 + Ü 2 1. Coefficients are small squares; small depends on weight of Ñ.
27 Divisors in residue classes Want all divisors of Ò in Ù + ÚZ, given positive integers Ù Ú Ò with gcd Ú Ò = 1. Easy if Ú Ò Lenstra: polynomial-time algorithm for Ú Ò Konyagin Pomerance: polynomial-time algorithm for Ú Ò Coppersmith Howgrave- Graham Nagaraj: polynomialtime algorithm for Ú Ò 1 4+.
28 2000 Boneh: can view same algorithm as a list-decoding algorithm for CRT codes. Function-field analogue is famous 1999 Guruswami Sudan algorithm for list decoding of Reed Solomon codes. Can build grand unified picture of Coppersmith-type algorithms and Sudan-type algorithms. See, e.g., my survey paper Reducing lattice bases to find small-height values of univariate polynomials.
29 2008 Bernstein: Tweak parameters in the same algorithm to find all divisors of Ò that are linear combinations of Ù Ú with small coprime coefficients.
30 2008 Bernstein: Tweak parameters in the same algorithm to find all divisors of Ò that are linear combinations of Ù Ú with small coprime coefficients. Apply to the Goppa situation: analogous algorithm É finds all divisors of (Ü ) that are linear combinations of 0 1 with small coprime coefficients. Compared to Patterson, pushes allowable weight of Ñ up to Ø + Ø 2 Ò.
31 New algorithm É assumes that 1 is coprime to (Ü ). Easy to achieve by adding a small multiple of 0 to 1. unless Ò = Õ and 1 0 is a permutation function. Can this happen to Patterson? I don t know any examples. Weil forces rather large degree: can show that the curve 0(Ü) 1(Ý) 1(Ü) 0(Ý) Ü Ý = 0 has no points over F Õ.
32 Many other current topics in code-based cryptography. e.g Misoczki Barreto: Hide quasi-dyadic Goppa code as quasi-dyadic public key. Key length only 1+Ó(1). Encryption time lg 3+Ó(1). Decryption time lg 3+Ó(1) Bernstein: easy tweak to Misoczki Barreto algorithms, reducing time to 1+Ó(1).
A brief survey of post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago
A brief survey of post-quantum cryptography D. J. Bernstein University of Illinois at Chicago Once the enormous energy boost that quantum computers are expected to provide hits the street, most encryption
More informationAdvances in code-based public-key cryptography. D. J. Bernstein University of Illinois at Chicago
Advances in code-based public-key cryptography D. J. Bernstein University of Illinois at Chicago Advertisements 1. pqcrypto.org: Post-quantum cryptography hash-based, lattice-based, code-based, multivariate
More informationWild McEliece Incognito
Wild McEliece Incognito Christiane Peters Technische Universiteit Eindhoven joint work with Daniel J. Bernstein and Tanja Lange Seminaire de Cryptographie Rennes April 1, 2011 Bad news Quantum computers
More informationHigh-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven
High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers
More informationAttacking and defending the McEliece cryptosystem
Attacking and defending the McEliece cryptosystem (Joint work with Daniel J. Bernstein and Tanja Lange) Christiane Peters Technische Universiteit Eindhoven PQCrypto 2nd Workshop on Postquantum Cryptography
More informationPost-Quantum Cryptography
Post-Quantum Cryptography Code-Based Cryptography Tanja Lange with some slides by Tung Chou and Christiane Peters Technische Universiteit Eindhoven ASCrypto Summer School: 18 September 2017 Error correction
More informationMcBits: fast constant-time code-based cryptography. (to appear at CHES 2013)
McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit
More informationImproving the efficiency of Generalized Birthday Attacks against certain structured cryptosystems
Improving the efficiency of Generalized Birthday Attacks against certain structured cryptosystems Robert Niebuhr 1, Pierre-Louis Cayrel 2, and Johannes Buchmann 1,2 1 Technische Universität Darmstadt Fachbereich
More informationCode Based Cryptology at TU/e
Code Based Cryptology at TU/e Ruud Pellikaan g.r.pellikaan@tue.nl University Indonesia, Depok, Nov. 2 University Padjadjaran, Bandung, Nov. 6 Institute Technology Bandung, Bandung, Nov. 6 University Gadjah
More informationPost-Quantum Cryptography
Post-Quantum Cryptography Sebastian Schmittner Institute for Theoretical Physics University of Cologne 2015-10-26 Talk @ U23 @ CCC Cologne This work is licensed under a Creative Commons Attribution-ShareAlike
More informationQuantum-resistant cryptography
Quantum-resistant cryptography Background: In quantum computers, states are represented as vectors in a Hilbert space. Quantum gates act on the space and allow us to manipulate quantum states with combination
More informationFinding small factors of integers. Speed of the number-field sieve. D. J. Bernstein University of Illinois at Chicago
The number-field sieve Finding small factors of integers Speed of the number-field sieve D. J. Bernstein University of Illinois at Chicago Prelude: finding denominators 87366 22322444 in R. Easily compute
More informationNotes 10: Public-key cryptography
MTH6115 Cryptography Notes 10: Public-key cryptography In this section we look at two other schemes that have been proposed for publickey ciphers. The first is interesting because it was the earliest such
More informationCHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux
CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S Ant nine J aux (g) CRC Press Taylor 8* Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor &
More informationPost-Quantum Code-Based Cryptography
Big Data Photonics UCLA Post-Quantum Code-Based Cryptography 03-25-2016 Valérie Gauthier Umaña Assistant Professor valeriee.gauthier@urosario.edu.co Cryptography Alice 1 Cryptography Alice Bob 1 Cryptography
More informationErrors, Eavesdroppers, and Enormous Matrices
Errors, Eavesdroppers, and Enormous Matrices Jessalyn Bolkema September 1, 2016 University of Nebraska - Lincoln Keep it secret, keep it safe Public Key Cryptography The idea: We want a one-way lock so,
More informationCosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks
1 Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks Michael Albert michael.albert@cs.otago.ac.nz 2 This week Arithmetic Knapsack cryptosystems Attacks on knapsacks Some
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Public-key crypto ECC RSA DSA Secret-key crypto AES SHA2 SHA1... Combination of both
More informationCode-based Cryptography
a Hands-On Introduction Daniel Loebenberger Ηράκλειο, September 27, 2018 Post-Quantum Cryptography Various flavours: Lattice-based cryptography Hash-based cryptography Code-based
More informationA Key Recovery Attack on MDPC with CCA Security Using Decoding Errors
A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors Qian Guo Thomas Johansson Paul Stankovski Dept. of Electrical and Information Technology, Lund University ASIACRYPT 2016 Dec 8th, 2016
More informationLemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).
1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not
More informationDecoding One Out of Many
Decoding One Out of Many Nicolas Sendrier INRIA Paris-Rocquencourt, équipe-projet SECRET Code-based Cryptography Workshop 11-12 May 2011, Eindhoven, The Netherlands Computational Syndrome Decoding Problem:
More informationThe quantum threat to cryptography
The quantum threat to cryptography Ashley Montanaro School of Mathematics, University of Bristol 20 October 2016 Quantum computers University of Bristol IBM UCSB / Google University of Oxford Experimental
More informationA FUZZY COMMITMENT SCHEME WITH MCELIECE S CIPHER
Surveys in Mathematics and its Applications ISSN 1842-6298 (electronic), 1843-7265 (print) Volume 5 (2010), 73 82 A FUZZY COMMITMENT SCHEME WITH MCELIECE S CIPHER Deo Brat Ojha and Ajay Sharma Abstract.
More informationOn the Use of Structured Codes in Code Based Cryptography 1. Nicolas Sendrier
On the Use of Structured Codes in Code Based Cryptography 1 Nicolas Sendrier INRIA, CRI Paris-Rocquencourt, Project-Team SECRET Email: Nicolas.Sendrier@inria.fr WWW: http://www-roc.inria.fr/secret/nicolas.sendrier/
More informationBall-collision decoding
Ball-collision decoding Christiane Peters Technische Universiteit Eindhoven joint work with Daniel J. Bernstein and Tanja Lange Oberseminar Cryptography and Computer Algebra TU Darmstadt November 8, 200
More informationCryptography. P. Danziger. Transmit...Bob...
10.4 Cryptography P. Danziger 1 Cipher Schemes A cryptographic scheme is an example of a code. The special requirement is that the encoded message be difficult to retrieve without some special piece of
More informationHow to improve information set decoding exploiting that = 0 mod 2
How to improve information set decoding exploiting that 1 + 1 = 0 mod 2 Anja Becker Postdoc at EPFL Seminar CCA January 11, 2013, Paris Representation Find unique solution to hard problem in cryptography
More informationA Smart Card Implementation of the McEliece PKC
A Smart Card Implementation of the McEliece PKC Falko Strenzke 1 1 FlexSecure GmbH, Germany, strenzke@flexsecure.de 2 Cryptography and Computeralgebra, Department of Computer Science, Technische Universität
More informationIntroduction to Elliptic Curve Cryptography. Anupam Datta
Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups
More informationAdvanced code-based cryptography. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven
Advanced code-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Lattice-basis reduction Define L = (0; 24)Z + (1; 17)Z = {(b; 24a + 17b) : a;
More informationCompact McEliece keys based on Quasi-Dyadic Srivastava codes
Compact McEliece keys based on Quasi-Dyadic Srivastava codes Edoardo Persichetti Department of Mathematics, University of Auckland, New Zealand epersichetti@mathaucklandacnz Abstract The McEliece cryptosystem
More informationCRYPTANALYSE EN TEMPS POLYNOMIAL DU SCHÉMA DE MCELIECE BASÉ SUR LES CODES
POLYNOMIAL DU SCHÉMA CODES GÉOMÉTRIQUES A. COUVREUR 1 I. MÁRQUEZ-CORBELLA 1 R. PELLIKAAN 2 1 INRIA Saclay & LIX 2 Department of Mathematics and Computing Science, TU/e. Journées Codage et Cryptographie
More informationSolving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?
Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know? Alexander May, Maike Ritzenhofen Faculty of Mathematics Ruhr-Universität Bochum, 44780 Bochum,
More informationDiscrete Mathematics GCD, LCM, RSA Algorithm
Discrete Mathematics GCD, LCM, RSA Algorithm Abdul Hameed http://informationtechnology.pk/pucit abdul.hameed@pucit.edu.pk Lecture 16 Greatest Common Divisor 2 Greatest common divisor The greatest common
More informationCode-Based Cryptography
Code-Based Cryptography Tanja Lange with some slides by Tung Chou and Christiane Peters Technische Universiteit Eindhoven Australian Summer School on Embedded Cryptography 11 December 2018 Error correction
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationIn fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.
Attacks on RSA, some using LLL Recall RSA: N = pq hard to factor. Choose e with gcd(e,φ(n)) = 1, where φ(n) = (p 1)(q 1). Via extended Euclid, find d with ed 1 (mod φ(n)). Discard p and q. Public key is
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 10 February 19, 2013 CPSC 467b, Lecture 10 1/45 Primality Tests Strong primality tests Weak tests of compositeness Reformulation
More information9 Knapsack Cryptography
9 Knapsack Cryptography In the past four weeks, we ve discussed public-key encryption systems that depend on various problems that we believe to be hard: prime factorization, the discrete logarithm, and
More informationOne can use elliptic curves to factor integers, although probably not RSA moduli.
Elliptic Curves Elliptic curves are groups created by defining a binary operation (addition) on the points of the graph of certain polynomial equations in two variables. These groups have several properties
More informationDistinguishing prime numbers from composite numbers: the state of the art. D. J. Bernstein University of Illinois at Chicago
Distinguishing prime numbers from composite numbers: the state of the art D. J. Bernstein University of Illinois at Chicago Is it easy to determine whether a given integer is prime? If easy means computable
More informationError-correcting codes and Cryptography
Error-correcting codes and Cryptography Henk van Tilborg Code-based Cryptography Workshop Eindhoven, May -2, 2 /45 CONTENTS I II III IV V Error-correcting codes; the basics Quasi-cyclic codes; codes generated
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationIntroduction to Quantum Safe Cryptography. ENISA September 2018
Introduction to Quantum Safe Cryptography ENISA September 2018 Introduction This talk will introduce the mathematical background of the most popular PQC primitives Code-based Lattice-based Multivariate
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationThe Support Splitting Algorithm and its Application to Code-based Cryptography
The Support Splitting Algorithm and its Application to Code-based Cryptography Dimitris E. Simos (joint work with Nicolas Sendrier) Project-Team SECRET INRIA Paris-Rocquencourt May 9, 2012 3rd Code-based
More informationPost-quantum RSA. We built a great, great 1-terabyte RSA wall, and we had the university pay for the electricity
We built a great, great 1-terabyte RSA wall, and we had the university pay for the electricity Daniel J. Bernstein Joint work with: Nadia Heninger Paul Lou Luke Valenta The referees are questioning applicability...
More informationDaniel J. Bernstein University of Illinois at Chicago. means an algorithm that a quantum computer can run.
Quantum algorithms 1 Daniel J. Bernstein University of Illinois at Chicago Quantum algorithm means an algorithm that a quantum computer can run. i.e. a sequence of instructions, where each instruction
More information8 Elliptic Curve Cryptography
8 Elliptic Curve Cryptography 8.1 Elliptic Curves over a Finite Field For the purposes of cryptography, we want to consider an elliptic curve defined over a finite field F p = Z/pZ for p a prime. Given
More informationCode Based Cryptography
Code Based Cryptography Alain Couvreur INRIA & LIX, École Polytechnique École de Printemps Post Scryptum 2018 A. Couvreur Code Based Crypto Post scryptum 2018 1 / 66 Outline 1 Introduction 2 A bit coding
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationCS 355: Topics in Cryptography Spring Problem Set 5.
CS 355: Topics in Cryptography Spring 2018 Problem Set 5 Due: June 8, 2018 at 5pm (submit via Gradescope) Instructions: You must typeset your solution in LaTeX using the provided template: https://crypto.stanford.edu/cs355/homework.tex
More informationCryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes
Cryptanalysis of the McEliece Public Key Cryptosystem Based on Polar Codes Magali Bardet 1 Julia Chaulet 2 Vlad Dragoi 1 Ayoub Otmani 1 Jean-Pierre Tillich 2 Normandie Univ, France; UR, LITIS, F-76821
More informationHidden Field Equations
Security of Hidden Field Equations (HFE) 1 The security of Hidden Field Equations ( H F E ) Nicolas T. Courtois INRIA, Paris 6 and Toulon University courtois@minrank.org Permanent HFE web page : hfe.minrank.org
More informationarxiv: v2 [cs.cr] 14 Feb 2018
Code-based Key Encapsulation from McEliece s Cryptosystem Edoardo Persichetti arxiv:1706.06306v2 [cs.cr] 14 Feb 2018 Florida Atlantic University Abstract. In this paper we show that it is possible to extend
More informationHexi McEliece Public Key Cryptosystem
Appl Math Inf Sci 8, No 5, 2595-2603 (2014) 2595 Applied Mathematics & Information Sciences An International Journal http://dxdoiorg/1012785/amis/080559 Hexi McEliece Public Key Cryptosystem K Ilanthenral
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Asymmetric Crypto ECC RSA DSA Symmetric Crypto AES SHA2 SHA1... Combination of both
More informationSigning with Codes. c Zuzana Masárová 2014
Signing with Codes by Zuzana Masárová A thesis presented to the University of Waterloo in fulfilment of the thesis requirement for the degree of Master of Mathematics in Combinatorics and Optimization
More informationCryptographie basée sur les codes correcteurs d erreurs et arithmétique
with Cryptographie basée sur les correcteurs d erreurs et arithmétique with with Laboratoire Hubert Curien, UMR CNRS 5516, Bâtiment F 18 rue du professeur Benoît Lauras 42000 Saint-Etienne France pierre.louis.cayrel@univ-st-etienne.fr
More informationSide-channel analysis in code-based cryptography
1 Side-channel analysis in code-based cryptography Tania RICHMOND IMATH Laboratory University of Toulon SoSySec Seminar Rennes, April 5, 2017 Outline McEliece cryptosystem Timing Attack Power consumption
More informationTi Secured communications
Ti5318800 Secured communications Pekka Jäppinen September 20, 2007 Pekka Jäppinen, Lappeenranta University of Technology: September 20, 2007 Relies on use of two keys: Public and private Sometimes called
More informationLattice-Based Cryptography
Liljana Babinkostova Department of Mathematics Computing Colloquium Series Detecting Sensor-hijack Attacks in Wearable Medical Systems Krishna Venkatasubramanian Worcester Polytechnic Institute Quantum
More information3. Focus on secure cryptosystems. How do we know what a quantum computer will do?
Cryptographic readiness levels, and the impact of quantum computers Daniel J. Bernstein How is crypto developed? How confident are we that crypto is secure? Many stages of research from cryptographic design
More informationLDPC codes in the McEliece cryptosystem: attacks and countermeasures
arxiv:0710.0142v2 [cs.it] 11 Jan 2009 LDPC codes in the McEliece cryptosystem: attacks and countermeasures Marco BALDI 1 Polytechnic University of Marche, Ancona, Italy Abstract. The McEliece cryptosystem
More informationCode-based cryptography
Code-based graphy Laboratoire Hubert Curien, UMR CNRS 5516, Bâtiment F 18 rue du professeur Benoît Lauras 42000 Saint-Etienne France pierre.louis.cayrel@univ-st-etienne.fr June 4th 2013 Pierre-Louis CAYREL
More informationWhat are we talking about when we talk about post-quantum cryptography?
PQC Asia Forum Seoul, 2016 What are we talking about when we talk about post-quantum cryptography? Fang Song Portland State University PQC Asia Forum Seoul, 2016 A personal view on postquantum cryptography
More informationDouble-Moduli Gaussian Encryption/Decryption with Primary Residues and Secret Controls
Int. J. Communications, Network and System Sciences, 011, 4, 475-481 doi:10.436/ijcns.011.47058 Published Online July 011 (http://www.scirp.org/journal/ijcns) Double-Moduli Gaussian Encryption/Decryption
More informationPoly Dragon: An efficient Multivariate Public Key Cryptosystem
Poly Dragon: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India May 19, 2010
More informationA Public Key Encryption Scheme Based on the Polynomial Reconstruction Problem
A Public Key Encryption Scheme Based on the Polynomial Reconstruction Problem Daniel Augot and Matthieu Finiasz INRIA, Domaine de Voluceau F-78153 Le Chesnay CEDEX Abstract. The Polynomial Reconstruction
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationWild McEliece Incognito
Wild McEliece Incognito Daniel J. Bernstein 1, Tanja Lange 2, and Christiane Peters 3 1 Department of Computer Science University of Illinois at Chicago, Chicago, IL 60607 7045, USA djb@cr.yp.to 2 Department
More informationClassic McEliece vs. NTS-KEM
Classic McEliece vs. NTS-KEM Classic McEliece Comparison Task Force 2018.06.29 Contents 1 Introduction 2 2 Ciphertext size: identical 3 3 Ciphertext details: Classic McEliece is better 4 4 Patent status:
More informationCryptanalysis of the TTM Cryptosystem
Cryptanalysis of the TTM Cryptosystem Louis Goubin and Nicolas T Courtois SchlumbergerSema - CP8 36-38 rue de la Princesse BP45 78430 Louveciennes Cedex France LouisGoubin@bullnet,courtois@minrankorg Abstract
More informationA Fast Provably Secure Cryptographic Hash Function
A Fast Provably Secure Cryptographic Hash Function Daniel Augot, Matthieu Finiasz, and Nicolas Sendrier Projet Codes, INRIA Rocquencourt BP 15, 78153 Le Chesnay - Cedex, France [DanielAugot,MatthieuFiniasz,NicolasSendrier]@inriafr
More informationCode-Based Cryptography Error-Correcting Codes and Cryptography
Code-Based Cryptography Error-Correcting Codes and Cryptography I. Márquez-Corbella 0 1. Error-Correcting Codes and Cryptography 1. Introduction I - Cryptography 2. Introduction II - Coding Theory 3. Encoding
More informationCryptanalysis of the Original McEliece Cryptosystem
Cryptanalysis of the Original McEliece Cryptosystem Anne Canteaut and Nicolas Sendrier INRIA - projet CODES BP 105 78153 Le Chesnay, France Abstract. The class of public-ey cryptosystems based on error-correcting
More informationWinter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2
0368.3049.01 Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod Assignment #2 Published Sunday, February 17, 2008 and very slightly revised Feb. 18. Due Tues., March 4, in Rani Hod
More informationPost-quantum cryptography Why? Kristian Gjøsteen Department of Mathematical Sciences, NTNU Finse, May 2017
Post-quantum cryptography Why? Kristian Gjøsteen Department of Mathematical Sciences, NTNU Finse, May 2017 1 Background I will use: Linear algebra. Vectors x. Matrices A, matrix multiplication AB, xa,
More informationBlock vs. Stream cipher
Block vs. Stream cipher Idea of a block cipher: partition the text into relatively large (e.g. 128 bits) blocks and encode each block separately. The encoding of each block generally depends on at most
More informationLattice Reduction of Modular, Convolution, and NTRU Lattices
Summer School on Computational Number Theory and Applications to Cryptography Laramie, Wyoming, June 19 July 7, 2006 Lattice Reduction of Modular, Convolution, and NTRU Lattices Project suggested by Joe
More informationRSA RSA public key cryptosystem
RSA 1 RSA As we have seen, the security of most cipher systems rests on the users keeping secret a special key, for anyone possessing the key can encrypt and/or decrypt the messages sent between them.
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from
More informationComputers and Electrical Engineering
Computers and Electrical Engineering 36 (2010) 56 60 Contents lists available at ScienceDirect Computers and Electrical Engineering journal homepage: wwwelseviercom/locate/compeleceng Cryptanalysis of
More information2 Description of McEliece s Public-Key Cryptosystem
1 A SOFTWARE IMPLEMENTATION OF THE McELIECE PUBLIC-KEY CRYPTOSYSTEM Bart Preneel 1,2, Antoon Bosselaers 1, René Govaerts 1 and Joos Vandewalle 1 A software implementation of the McEliece public-key cryptosystem
More informationLittle Dragon Two: An efficient Multivariate Public Key Cryptosystem
Little Dragon Two: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India October
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationNumber Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers
Number Theory: Applications Number Theory Applications Computer Science & Engineering 235: Discrete Mathematics Christopher M. Bourke cbourke@cse.unl.edu Results from Number Theory have many applications
More informationConstructive aspects of code-based cryptography
DIMACS Workshop on The Mathematics of Post-Quantum Cryptography Rutgers University January 12-16, 2015 Constructive aspects of code-based cryptography Marco Baldi Università Politecnica delle Marche Ancona,
More informationError-correcting Pairs for a Public-key Cryptosystem
Error-correcting Pairs for a Public-key Cryptosystem Ruud Pellikaan g.r.pellikaan@tue.nl joint work with Irene Márquez-Corbella Code-based Cryptography Workshop 2012 Lyngby, 9 May 2012 Introduction and
More informationRSA. Ramki Thurimella
RSA Ramki Thurimella Public-Key Cryptography Symmetric cryptography: same key is used for encryption and decryption. Asymmetric cryptography: different keys used for encryption and decryption. Public-Key
More informationRSA Cryptosystem and Factorization
RSA Cryptosystem and Factorization D. J. Guan Department of Computer Science National Sun Yat Sen University Kaoshiung, Taiwan 80424 R. O. C. guan@cse.nsysu.edu.tw August 25, 2003 RSA Cryptosystem was
More informationNotes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I
Number Theory: Applications Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry Fall 2007 Computer Science & Engineering 235 Introduction to Discrete Mathematics Sections 3.4 3.7 of Rosen cse235@cse.unl.edu
More informationInformation Security
SE 4472 / ECE 9064 Information Security Week 12: Random Number Generators and Picking Appropriate Key Lengths Fall 2015 Prof. Aleksander Essex Random Number Generation Where do keys come from? So far we
More informationMy brief introduction to cryptography
My brief introduction to cryptography David Thomson dthomson@math.carleton.ca Carleton University September 7, 2013 introduction to cryptography September 7, 2013 1 / 28 Outline 1 The general framework
More informationMATH 158 FINAL EXAM 20 DECEMBER 2016
MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page
More informationMcEliece and Niederreiter Cryptosystems That Resist Quantum Fourier Sampling Attacks
McEliece and Niederreiter Cryptosystems That Resist Quantum Fourier Sampling Attacks Hang Dinh Indiana Uniersity South Bend joint work with Cristopher Moore Uniersity of New Mexico Alexander Russell Uniersity
More informationSome Notes on Post-Quantum Cryptography
Some Notes on Post-Quantum Cryptography J. Maurice Rojas Texas A&M University October 9, 2013 150 B.C.E.: Reference to Śyena=Garuda =a Bird-like Hindu divinity in India 150 B.C.E.:...Garuda in India 100
More information10 Concrete candidates for public key crypto
10 Concrete candidates for public key crypto In the previous lecture we talked about public key cryptography and saw the Diffie Hellman system and the DSA signature scheme. In this lecture, we will see
More information