A Dierential Power Analysis attack against the Miller's Algorithm
|
|
- Ursula Kennedy
- 5 years ago
- Views:
Transcription
1 A Dierential Power Analysis attack against the Miller's Algorithm Nadia El Mrabet (1), G. Di Natale (2) and M.L. Flottes (2) (1) Team Arith, (2) Team CCSI/LIRMM, Université Montpellier 2 Prime 2009, UCC, Ireland, July 2009
2 Pairings Properties of pairings Pairing based cryptography Identity Based Cryptography Construction Miller's algorithm Properties Construction Outline of the presentation Dierential Power Analysis Attack Denition Against the Miller's algorithm Conclusion
3 Pairings Properties of pairings Pairing based cryptography Identity Based Cryptography Construction Miller's algorithm Properties Construction Outline Dierential Power Analysis Attack Denition Against the Miller's algorithm Conclusion
4 What is a pairing? Let G 1, G 2 and G 3 be three groups with the same order r. A pairing is a map : e : G 1 G 2 G 3 which veries the following properties : Non degenerate ; Bilinearity ;
5 What is a pairing? Let G 1, G 2 and G 3 be three groups with the same order r. A pairing is a map : e : G 1 G 2 G 3 which veries the following properties : Non degenerate ; Bilinearity ; Consequences j N, e([j]p, Q) = e(p, Q) j = e(p, [j]q)
6 Elliptic Curve Cryptography and pairings Part 1 - Cryptanalyse The MOV/Frey Rück attack against the DLP on elliptic curves in 1993, 1994 : using pairings, the DLP on elliptic curves becomes a DLP on nite eld.
7 Elliptic Curve Cryptography and pairings Part 1 - Cryptanalyse The MOV/Frey Rück attack against the DLP on elliptic curves in 1993, 1994 : using pairings, the DLP on elliptic curves becomes a DLP on nite eld. Given P and Q = αp E(F q ), the DLP on E(F q ) consists in nding α.
8 Elliptic Curve Cryptography and pairings Part 1 - Cryptanalyse The MOV/Frey Rück attack against the DLP on elliptic curves in 1993, 1994 : using pairings, the DLP on elliptic curves becomes a DLP on nite eld. Given P and Q = αp E(F q ), the DLP on E(F q ) consists in nding α. Let S E(F q ) be a point such that e(p, S) 1, let e(p, S) = g and e(q, S) = h E(F q ), then the DLP becomes nding α such that h = g α in a nite eld.
9 Elliptic Curve Cryptography and pairings Part 2 - Cryptography Pairings allow the construction of novel protocols and simplication of existing protocols. The tri partite Die Hellman key exchange protocol (Joux 2001) The Identity Based Encryption (Boneh and Franklin 2001) Short signature scheme (Boneh, Lynn, Schackamm 2001) Group signatures schemes (Boneh, Schackamm, 2004)
10 Elliptic Curve Cryptography and pairings Identity Based Cryptography (IBC) An Identity Based protocol is an asymetric system where : The public key of Alice its her identity, her private Key is constructed by a Trusted authority. Example We illustrate the notion of Identity Based Cryptography with the example of a key exchange between Alice and Bob.
11 IBC Secure key exchange between Alice and Bob
12 IBC Secure key exchange between Alice and Bob
13 IBC Secure key exchange between Alice and Bob
14 Elliptic Curve Cryptography and pairings Pairings used Four pairings are principally used in cryptography : the Weil pairing, the Tate pairing, the η T pairing, the Ate pairing. The Miller's algorithm constructing the function f r,p step for the Weil, Tate and Ate pairings. is a central
15 Construction of the pairings Data To compute a pairing, we need the following elements : E an elliptic curve over F q = {0, 1, 2,..., q 1} : E : y 2 = x 3 + ax + b, where a, b F q.
16 Construction of the pairings Data To compute a pairing, we need the following elements : E an elliptic curve over F q = {0, 1, 2,..., q 1} : E : y 2 = x 3 + ax + b, where a, b F q. r a prime dividing card(e(f q )), consider E[r] : E[r] = { P E(F q ), [r]p = P }.
17 Construction of the pairings Data To compute a pairing, we need the following elements : E an elliptic curve over F q = {0, 1, 2,..., q 1} : E : y 2 = x 3 + ax + b, where a, b F q. r a prime dividing card(e(f q )), consider E[r] : E[r] = { P E(F q ), [r]p = P }. The embedding degree k : minimal integer such that r (q k 1) :
18 Construction of the pairings Data To compute a pairing, we need the following elements : E an elliptic curve over F q = {0, 1, 2,..., q 1} : E : y 2 = x 3 + ax + b, where a, b F q. r a prime dividing card(e(f q )), consider E[r] : E[r] = { P E(F q ), [r]p = P }. The embedding degree k : minimal integer such that r (q k 1) : P E(F q )[r] Q E(F q k )[r]
19 Construction of the pairings Data To compute a pairing, we need the following elements : E an elliptic curve over F q = {0, 1, 2,..., q 1} : E : y 2 = x 3 + ax + b, where a, b F q. r a prime dividing card(e(f q )), consider E[r] : E[r] = { P E(F q ), [r]p = P }. The embedding degree k : minimal integer such that r (q k 1) : P E(F q )[r] Q E(F q k )[r] A function f r,p constructed with the Miller's algorithm.
20 Construction of the pairings The Tate pairing Let P E(F q )[r], Q E(F q k )/re(f q k ) and k be the embedding degree of the elliptic curve.
21 Construction of the pairings The Tate pairing Let P E(F q )[r], Q E(F q k )/re(f q k ) and k be the embedding degree of the elliptic curve. The Tate pairing is the bilinear map : e T : E(F q )[r] E(F q k )/re(f q k ) F q k (P, Q) f r,p (Q) q k 1 r
22 Pairings Properties of pairings Pairing based cryptography Identity Based Cryptography Construction Miller's algorithm Properties Construction Outline Dierential Power Analysis Attack Denition Against the Miller's algorithm Conclusion
23 The function f r,p In order to compute the pairings, we need to compute the function f r,p. Victor Miller's established the Miller's equation : f i+j,p = f i,p f j,p l [i]p,[j]p v [i+j]p
24 The function f r,p In order to compute the pairings, we need to compute the function f r,p. Victor Miller's established the Miller's equation : where l [i]p+[j]p f i+j,p = f i,p f j,p l [i]p,[j]p v [i+j]p is the line joining the points [i]p and [j]p,
25 The function f r,p In order to compute the pairings, we need to compute the function f r,p. Victor Miller's established the Miller's equation : f i+j,p = f i,p f j,p l [i]p,[j]p v [i+j]p where l [i]p+[j]p is the line joining the points [i]p and [j]p, and v [i+j]p is the vertical line passing through point [i + j]p.
26 Example We want to compute f 7,P :
27 Example We want to compute f 7,P : 7 = 6 + 1
28 Example We want to compute f 7,P : 7 = f 7,P = f 6,P f 1,P l [6]P,P v [7]P
29 Example We want to compute f 7,P : 7 = f 7,P = f 6,P f 1,P l [6]P,P v [7]P f 1,P = 1 f 7,P = f 6,P l [6]P,P v [7]P
30 Example We want to compute f 7,P : 7 = f 7,P = f 6,P f 1,P l [6]P,P v [7]P f 1,P = 1 f 7,P = f 6,P l [6]P,P v [7]P f 6,P = f 3,P f 3,P l [3]P,[3]P v [6]P when i = j, the line l is the tangent at point [i]p
31 Example We want to compute f 7,P : 7 = f 7,P = f 6,P f 1,P l [6]P,P v [7]P f 1,P = 1 f 7,P = f 6,P l [6]P,P v [7]P f 6,P = f 3,P f 3,P l [3]P,[3]P v [6]P when i = j, the line l is the tangent at point [i]p f 6,P = f 2 3,P l [3]P,[3]P v [6]P f 7,P = f 2 3,P l [3]P,[3]P v [6]P l [6]P,P v [7]P
32 Example We want to compute f 7,P : f 7,P = f 2 3,P l [3]P,[3]P v [6]P l [6]P,P v [7]P
33 Example We want to compute f 7,P : f 7,P = f 2 3,P l [3]P,[3]P v [6]P l [6]P,P v [7]P f 3,P = f 2,P f 1,P l [2]P,P v [3]P f 3,P = f 2,P l [2]P,P v [3]P f 2,P = f 1,P f 1,P l P,P v [2]P
34 Example We want to compute f 7,P : f 7,P = f 2 3,P l [3]P,[3]P v [6]P l [6]P,P v [7]P f 3,P = f 2,P f 1,P l [2]P,P v [3]P f 3,P = f 2,P l [2]P,P v [3]P f 2,P = f 1,P f 1,P l P,P v [2]P f 7,P = ( lp,p v [2]P ) 2 l [2]P,P l v [3]P,[3]P [3]P v [6]P l [6]P,P v [7]P
35 Computation of pairings Data: r = (r n... r 0 ) 2, P E(F q ) and Q E(F q k ) ; Result: f r,p (Q) F q k ; 1 : T P, f 1 1, f 2 1 ; for i = n 1 to 0 do ; end if r i = 1 then end return ; ; ; ; ;
36 Computation of pairings Data: r = (r n... r 0 ) 2, P E(F q ) and Q E(F q k ) ; Result: f r,p (Q) F q k ; 1 : T P, f 1 1, f 2 1 ; for i = n 1 to 0 do 2 : T [2]T ; end if r i = 1 then 5 : T T + P ; ; ; end return ; ;
37 Computation of pairings Data: r = (r n... r 0 ) 2, P E(F q ) and Q E(F q k ) ; Result: f r,p (Q) F q k ; 1 : T P, f 1 1, f 2 1 ; for i = n 1 to 0 do 2 : T [2]T ; 3 : f 1 f 1 2 h 1 (Q) ; 4 : f 2 f 2 2 v 2 (Q) ; end if r i = 1 then 5 : T T + P ; ; ; end return
38 Computation of pairings Data: r = (r n... l 0 ) 2, P E(F q ) and Q E(F q k ) ; Result: f r,p (Q) F q k ; 1 : T P, f 1 1, f 2 1 ; for i = n 1 to 0 do 2 : T [2]T ; 3 : f 1 f 1 2 h d (Q) ; 4 : f 2 f 2 2 v d (Q) ; end if r i = 1 then 5 : T T + P ; 6 : f 1 f 1 h a (Q) ; 7 : f 2 f 2 v a (Q); end return
39 Computation of pairings Data: r = (r n... l 0 ) 2, P E(F q ) and Q E(F q k ) ; Result: f r,p (Q) F q k ; 1 : T P, f 1 1, f 2 1 ; for i = n 1 to 0 do 2 : T [2]T ; 3 : f 1 f 1 2 h 1 (Q) ; 4 : f 2 f 2 2 v 1 (Q) ; end if r i = 1 then 5 : T T + P ; 6 : f 1 f 1 h 2 (Q) ; 7 : f 2 f 2 v 2 (Q); end return f 1 f2
40 Pairings Properties of pairings Pairing based cryptography Identity Based Cryptography Construction Miller's algorithm Properties Construction Outline Dierential Power Analysis Attack Denition Against the Miller's algorithm Conclusion
41 Side Channel Attacks Side Channel Attacks are attacks based on information gained from the physical implementation of a cryptosystem. DPA attacks are such that the pieces of the secret are discovered with the analysis of power consumption. There were rst introduiced for pairing based cryptography in 2006 by Page and Vercauteren against the Duursma and Lee algorithm.
42 Side Channel Attacks In an Identity Based protocol : an attacker knows the algorithm used and the number of iterations. The secret is only one of the arguments of the pairing. The secret key inuences neither the execution time nor the number of iterations of the algorithm.
43 Description of the DPA attack We assume that the pairing is used during an Identity Based Protocol. The secret is the point P, rst argument of the pairing e(p, Q). Aim of the DPA attack We want to recover the value of X P, Y P et Z P. The equation of h 1 is h 1 (Q) = Z 3 Z 2 P y Q 2Y 2 P (3X 2 P az 4 P )(x Q Z 2 P X P)
44 Description of the DPA attack We assume that the pairing is used during an Identity Based Protocol. The secret is the point P, rst argument of the pairing e(p, Q). Aim of the DPA attack We want to recover the value of X P, Y P et Z P. The equation of h 1 is h 1 (Q) = Z 3 Z 2 P y Q 2Y 2 P (3X 2 P az 4 P )(x Q Z 2 P X P) First, we nd Z P using the product x Q Z 2 P.
45 Description of the DPA attack We assume that the pairing is used during an Identity Based Protocol. The secret is the point P, rst argument of the pairing e(p, Q). Aim of the DPA attack We want to recover the value of X P, Y P et Z P. The equation of h 1 is h 1 (Q) = Z 3 Z 2 P y Q 2Y 2 P (3X 2 P az 4 P )(x Q Z 2 P X P) First, we nd Z P using the product x Q Z 2 P. Then, we nd Y P using the product Z 3 Z 2 P y Q = 2Y P Z P Z 2 P y Q.
46 Description of the DPA attack We assume that the pairing is used during an Identity Based Protocol. The secret is the point P, rst argument of the pairing e(p, Q). Aim of the DPA attack We want to recover the value of X P, Y P et Z P. The equation of h 1 is h 1 (Q) = Z 3 Z 2 P y Q 2Y 2 P (3X 2 P az 4 P )(x Q Z 2 P X P) First, we nd Z P using the product x Q Z 2. P Then, we nd Y P using the product Z 3 Z 2 P y Q = 2Y P Z P Z 2 P y Q. Finally, we nd X P using the elliptic curve equation.
47 Implementation We used an integrated simulation environment for the Dierential Power Analysis proposed by Di Natale, Flottes and Rouzeire that returns power consumption traces from transistor level simulations. This DPA suite executes the statistical analysis. For example, this is the curves we obtain for the DPA attack against the product
48 Pairings Properties of pairings Pairing based cryptography Identity Based Cryptography Construction Miller's algorithm Properties Construction Outline Dierential Power Analysis Attack Denition Against the Miller's algorithm Conclusion
49 Conclusion The Miller's algorithm is vulnerable to a DPA attack. Vulnerability of pairings based on the Miller's algorithm We demonstrate that if the secret is the rst parameter in a pairing calculation, then we can nd it. Our attack is also realistic when the secret is the second argument or the pairing. As a consequence Weil, Tate and Ate could not withstand such attacks, even if the secret is the rst parameter.
50 The end Thank you for your attention. Any question?
Implementing the Weil, Tate and Ate pairings using Sage software
Sage days 10, Nancy, France Implementing the Weil, Tate and Ate pairings using Sage software Nadia EL MRABET LIRMM, I3M, Université Montpellier 2 Saturday 11 th October 2008 Outline of the presentation
More informationTampering attacks in pairing-based cryptography. Johannes Blömer University of Paderborn September 22, 2014
Tampering attacks in pairing-based cryptography Johannes Blömer University of Paderborn September 22, 2014 1 / 16 Pairings Definition 1 A pairing is a bilinear, non-degenerate, and efficiently computable
More informationWhat About Vulnerability to a Fault Attack of the Miller s Algorithm during an Identity Based Protocol?
What About Vulnerability to a Fault Attack of the Miller s Algorithm during an Identity Based Protocol? Nadia EL MRABET LIRMM Laboratory, I3M, CNRS, University Montpellier 2, 161, rue Ada, 34 392 Montpellier,
More informationKatherine Stange. ECC 2007, Dublin, Ireland
in in Department of Brown University http://www.math.brown.edu/~stange/ in ECC Computation of ECC 2007, Dublin, Ireland Outline in in ECC Computation of in ECC Computation of in Definition A integer sequence
More informationArithmetic operators for pairing-based cryptography
7. Kryptotag November 9 th, 2007 Arithmetic operators for pairing-based cryptography Jérémie Detrey Cosec, B-IT, Bonn, Germany jdetrey@bit.uni-bonn.de Joint work with: Jean-Luc Beuchat Nicolas Brisebarre
More informationFaster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves
Faster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves Junfeng Fan, Frederik Vercauteren and Ingrid Verbauwhede Katholieke Universiteit Leuven, COSIC May 18, 2009 1 Outline What is
More informationMontgomery Algorithm for Modular Multiplication with Systolic Architecture
Montgomery Algorithm for Modular Multiplication with ystolic Architecture MRABET Amine LIAD Paris 8 ENIT-TUNI EL MANAR University A - MP - Gardanne PAE 016 1 Plan 1 Introduction for pairing Montgomery
More informationAn Introduction to Pairings in Cryptography
An Introduction to Pairings in Cryptography Craig Costello Information Security Institute Queensland University of Technology INN652 - Advanced Cryptology, October 2009 Outline 1 Introduction to Pairings
More informationPairings for Cryptography
Pairings for Cryptography Michael Naehrig Technische Universiteit Eindhoven Ñ ÐÖÝÔØÓ ºÓÖ Nijmegen, 11 December 2009 Pairings A pairing is a bilinear, non-degenerate map e : G 1 G 2 G 3, where (G 1, +),
More informationThe Elliptic Curve in https
The Elliptic Curve in https Marco Streng Universiteit Leiden 25 November 2014 Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 1 The s in https:// HyperText Transfer Protocol
More informationIntroduction to Elliptic Curve Cryptography. Anupam Datta
Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups
More informationrecover the secret key [14]. More recently, the resistance of smart-card implementations of the AES candidates against monitoring power consumption wa
Resistance against Dierential Power Analysis for Elliptic Curve Cryptosystems Jean-Sebastien Coron Ecole Normale Superieure Gemplus Card International 45 rue d'ulm 34 rue Guynemer Paris, F-75230, France
More informationOptimised versions of the Ate and Twisted Ate Pairings
Optimised versions of the Ate and Twisted Ate Pairings Seiichi Matsuda 1, Naoki Kanayama 1, Florian Hess 2, and Eiji Okamoto 1 1 University of Tsukuba, Japan 2 Technische Universität Berlin, Germany Abstract.
More informationElliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.
Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elisa Lorenzo García Université de Rennes 1 14-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 1 /
More informationImplementing Pairing-Based Cryptosystems
Implementing Pairing-Based Cryptosystems Zhaohui Cheng and Manos Nistazakis School of Computing Science, Middlesex University White Hart Lane, London N17 8HR, UK. {m.z.cheng, e.nistazakis}@mdx.ac.uk Abstract:
More informationAsymmetric Pairings. Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp)
Asymmetric Pairings Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp) 1 Overview In their 2006 paper "Pairings for cryptographers", Galbraith, Paterson and Smart identified three
More information[6] was based on the quadratic residuosity problem, whilst the second given by Boneh and Franklin [3] was based on the Weil pairing. Originally the ex
Exponent Group Signature Schemes and Ecient Identity Based Signature Schemes Based on Pairings F. Hess Dept. Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol,
More informationConstructing Pairing-Friendly Elliptic Curves for Cryptography
Constructing Pairing-Friendly Elliptic Curves for Cryptography University of California, Berkeley, USA 2nd KIAS-KMS Summer Workshop on Cryptography Seoul, Korea 30 June 2007 Outline 1 Pairings in Cryptography
More informationSome Efficient Algorithms for the Final Exponentiation of η T Pairing
Some Efficient Algorithms for the Final Exponentiation of η T Pairing Masaaki Shirase 1, Tsuyoshi Takagi 1, and Eiji Okamoto 2 1 Future University-Hakodate, Japan 2 University of Tsukuba, Japan Abstract.
More information2.2. The Weil Pairing on Elliptic Curves If A and B are r-torsion points on some elliptic curve E(F q d ), let us denote the r-weil pairing of A and B
Weil Pairing vs. Tate Pairing in IBE systems Ezra Brown, Eric Errthum, David Fu October 10, 2003 1. Introduction Although Boneh and Franklin use the Weil pairing on elliptic curves to create Identity-
More informationReprésentation RNS des nombres et calcul de couplages
Représentation RNS des nombres et calcul de couplages Sylvain Duquesne Université Rennes 1 Séminaire CCIS Grenoble, 7 Février 2013 Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 1 / 29
More informationCSC 774 Advanced Network Security
CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow
More informationCSC 774 Advanced Network Security
CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow
More informationOn the complexity of computing discrete logarithms in the field F
On the complexity of computing discrete logarithms in the field F 3 6 509 Francisco Rodríguez-Henríquez CINVESTAV-IPN Joint work with: Gora Adj Alfred Menezes Thomaz Oliveira CINVESTAV-IPN University of
More informationElliptic Curve Cryptography
The State of the Art of Elliptic Curve Cryptography Ernst Kani Department of Mathematics and Statistics Queen s University Kingston, Ontario Elliptic Curve Cryptography 1 Outline 1. ECC: Advantages and
More informationEfficient Tate Pairing Computation Using Double-Base Chains
Efficient Tate Pairing Computation Using Double-Base Chains Chang an Zhao, Fangguo Zhang and Jiwu Huang 1 Department of Electronics and Communication Engineering, Sun Yat-Sen University, Guangzhou 510275,
More informationAspects of Pairing Inversion
Applications of Aspects of ECC 2007 - Dublin Aspects of Applications of Applications of Aspects of Applications of Pairings Let G 1, G 2, G T be groups of prime order r. A pairing is a non-degenerate bilinear
More informationAte Pairing on Hyperelliptic Curves
Ate Pairing on Hyperelliptic Curves R. Granger, F. Hess, R. Oyono, N. Thériault F. Vercauteren EUROCRYPT 2007 - Barcelona Pairings Pairings Let G 1, G 2, G T be groups of prime order l. A pairing is a
More informationDefinition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University
Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0
More informationAn Algorithm for the η T Pairing Calculation in Characteristic Three and its Hardware Implementation
An Algorithm for the η T Pairing Calculation in Characteristic Three and its Hardware Implementation Jean-Luc Beuchat 1 Masaaki Shirase 2 Tsuyoshi Takagi 2 Eiji Okamoto 1 1 Graduate School of Systems and
More information8 Elliptic Curve Cryptography
8 Elliptic Curve Cryptography 8.1 Elliptic Curves over a Finite Field For the purposes of cryptography, we want to consider an elliptic curve defined over a finite field F p = Z/pZ for p a prime. Given
More informationBackground of Pairings
Background of Pairings Tanja Lange Department of Mathematics and Computer Science Technische Universiteit Eindhoven The Netherlands tanja@hyperelliptic.org 04.09.2007 Tanja Lange Background of Pairings
More informationDiscrete Logarithm Computation in Hyperelliptic Function Fields
Discrete Logarithm Computation in Hyperelliptic Function Fields Michael J. Jacobson, Jr. jacobs@cpsc.ucalgary.ca UNCG Summer School in Computational Number Theory 2016: Function Fields Mike Jacobson (University
More informationOne can use elliptic curves to factor integers, although probably not RSA moduli.
Elliptic Curves Elliptic curves are groups created by defining a binary operation (addition) on the points of the graph of certain polynomial equations in two variables. These groups have several properties
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationAn Enhanced ID-based Deniable Authentication Protocol on Pairings
An Enhanced ID-based Deniable Authentication Protocol on Pairings Meng-Hui Lim*, Sanggon Lee**, Youngho Park***, Hoonjae Lee** *Department of Ubiquitous IT, Graduate school of Design & IT, Dongseo University,
More informationArithmetic Operators for Pairing-Based Cryptography
Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat Laboratory of Cryptography and Information Security Graduate School of Systems and Information Engineering University of Tsukuba 1-1-1
More informationduring transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL
THE MATHEMATICAL BACKGROUND OF CRYPTOGRAPHY Cryptography: used to safeguard information during transmission (e.g., credit card number for internet shopping) as opposed to Coding Theory: used to transmit
More informationPractice Assignment 2 Discussion 24/02/ /02/2018
German University in Cairo Faculty of MET (CSEN 1001 Computer and Network Security Course) Dr. Amr El Mougy 1 RSA 1.1 RSA Encryption Practice Assignment 2 Discussion 24/02/2018-29/02/2018 Perform encryption
More informationPolynomial Interpolation in the Elliptic Curve Cryptosystem
Journal of Mathematics and Statistics 7 (4): 326-331, 2011 ISSN 1549-3644 2011 Science Publications Polynomial Interpolation in the Elliptic Curve Cryptosystem Liew Khang Jie and Hailiza Kamarulhaili School
More informationMATH 158 FINAL EXAM 20 DECEMBER 2016
MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationMath/Mthe 418/818. Review Questions
Math/Mthe 418/818 Review Questions 1. Show that the number N of bit operations required to compute the product mn of two integers m, n > 1 satisfies N = O(log(m) log(n)). 2. Can φ(n) be computed in polynomial
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols University of Massachusetts Amherst nichols@math.umass.edu WINRS Research Symposium Brown University March 4, 2017 Cryptography basics Cryptography
More informationApplied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More informationDigital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay
Digital Signatures Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay July 24, 2018 1 / 29 Group Theory Recap Groups Definition A set
More informationPractical validation of several fault attacks against the Miller algorithm
Practical validation of several fault attacks against the Miller algorithm Ronan Lashermes, Marie Paindavoine, Nadia El Mrabet, Jacques Fournier, Louis Goubin To cite this version: Ronan Lashermes, Marie
More informationEfficient Pairings Computation on Jacobi Quartic Elliptic Curves
Efficient Pairings Computation on Jacobi Quartic Elliptic Curves Sylvain Duquesne 1, Nadia El Mrabet 2, and Emmanuel Fouotsa 3 1 IRMAR, UMR CNRS 6625, Université Rennes 1, Campus de Beaulieu 35042 Rennes
More informationBlinded Fault Resistant Exponentiation FDTC 06
Previous Work Our Algorithm Guillaume Fumaroli 1 David Vigilant 2 1 Thales Communications guillaume.fumaroli@fr.thalesgroup.com 2 Gemalto david.vigilant@gemalto.com FDTC 06 Outline Previous Work Our Algorithm
More informationOptimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves
CT-RSA 2012 February 29th, 2012 Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves Joint work with: Nicolas Estibals CARAMEL project-team, LORIA, Université de Lorraine / CNRS / INRIA,
More informationarxiv:math/ v1 [math.nt] 21 Nov 2003
arxiv:math/0311391v1 [math.nt] 21 Nov 2003 IMPROVED WEIL AND TATE PAIRINGS FOR ELLIPTIC AND HYPERELLIPTIC CURVES KIRSTEN EISENTRÄGER, KRISTIN LAUTER, AND PETER L. MONTGOMERY Abstract. We present algorithms
More informationPublic Key Encryption with Conjunctive Field Keyword Search
Public Key Encryption with Conjunctive Field Keyword Search Dong Jin PARK Kihyun KIM Pil Joong LEE IS Lab, POSTECH, Korea August 23, 2004 Contents 1 Preliminary 2 Security Model 3 Proposed Scheme 1 4 Proposed
More informationABHELSINKI UNIVERSITY OF TECHNOLOGY
Identity-Based Cryptography T-79.5502 Advanced Course in Cryptology Billy Brumley billy.brumley at hut.fi Helsinki University of Technology Identity-Based Cryptography 1/24 Outline Classical ID-Based Crypto;
More informationSharing a Secret in Plain Sight. Gregory Quenell
Sharing a Secret in Plain Sight Gregory Quenell 1 The Setting: Alice and Bob want to have a private conversation using email or texting. Alice Bob 2 The Setting: Alice and Bob want to have a private conversation
More informationID-based Encryption Scheme Secure against Chosen Ciphertext Attacks
ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,
More informationAnalysis of Optimum Pairing Products at High Security Levels
Analysis of Optimum Pairing Products at High Security Levels Xusheng Zhang and Dongdai Lin Institute of Software, Chinese Academy of Sciences Institute of Information Engineering, Chinese Academy of Sciences
More informationVerifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin
Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Béguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable
More informationA Remark on Implementing the Weil Pairing
A Remark on Implementing the Weil Pairing Cheol Min Park 1, Myung Hwan Kim 1 and Moti Yung 2 1 ISaC and Department of Mathematical Sciences, Seoul National University, Korea {mpcm,mhkim}@math.snu.ac.kr
More informationSecurity Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography
Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How
More informationEfficient Computation for Pairing Based
Provisional chapter Chapter 3 Efficient Computation for Pairing Based Cryptography: Efficient Computation A Statefor ofpairing the Art Based Cryptography: A State of the Art Nadia El Mrabet Nadia El Mrabet
More informationEfficient Computation of Tate Pairing in Projective Coordinate Over General Characteristic Fields
Efficient Computation of Tate Pairing in Projective Coordinate Over General Characteristic Fields Sanjit Chatterjee, Palash Sarkar and Rana Barua Cryptology Research Group Applied Statistics Unit Indian
More informationCS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing
Lecture 11: Key Management, Secret Sharing Céline Blondeau Email: celine.blondeau@aalto.fi Department of Computer Science Aalto University, School of Science Key Management Secret Sharing Shamir s Threshold
More informationCryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05
Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05 Fangguo Zhang 1 and Xiaofeng Chen 2 1 Department of Electronics and Communication Engineering, Sun Yat-sen
More informationGenerating more MNT elliptic curves
Generating more MNT elliptic curves Michael Scott 1 and Paulo S. L. M. Barreto 2 1 School of Computer Applications Dublin City University Ballymun, Dublin 9, Ireland. mike@computing.dcu.ie 2 Universidade
More information2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms
CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationSM9 identity-based cryptographic algorithms Part 1: General
SM9 identity-based cryptographic algorithms Part 1: General Contents 1 Scope... 1 2 Terms and definitions... 1 2.1 identity... 1 2.2 master key... 1 2.3 key generation center (KGC)... 1 3 Symbols and abbreviations...
More informationFixed Argument Pairings
craig.costello@qut.edu.au Queensland University of Technology LatinCrypt 2010 Puebla, Mexico Joint work with Douglas Stebila Pairings A mapping e : G 1 G 2 G T : P G 1, Q G 2 and e(p, Q) G T : groups are
More informationFast Formulas for Computing Cryptographic Pairings
Fast Formulas for Computing Cryptographic Pairings Craig Costello craig.costello@qut.edu.au Queensland University of Technology May 28, 2012 1 / 47 Thanks: supervisors and co-authors Prof. Colin Boyd Dr.
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 13 March 3, 2013 CPSC 467b, Lecture 13 1/52 Elliptic Curves Basics Elliptic Curve Cryptography CPSC
More informationPairings on Generalized Huff Curves
Pairings on Generalized Huff Curves Abdoul Aziz Ciss and Djiby Sow Laboratoire d Algèbre, Codage, Cryptologie, Algèbre et Applications Université Cheikh Anta Diop de Dakar, Sénégal BP: 5005, Dakar Fann
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA Public Key Encryption Factoring Algorithms Lecture 7 Tel-Aviv University Revised March 1st, 2008 Reminder: The Prime Number Theorem Let π(x) denote the
More informationConstructing Abelian Varieties for Pairing-Based Cryptography
for Pairing-Based CWI and Universiteit Leiden, Netherlands Workshop on Pairings in Arithmetic Geometry and 4 May 2009 s MNT MNT Type s What is pairing-based cryptography? Pairing-based cryptography refers
More informationIntroduction to Elliptic Curve Cryptography
Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationarxiv: v3 [cs.cr] 5 Aug 2014
Further Refinements of Miller Algorithm on Edwards curves Duc-Phong Le, Chik How Tan Temasek Laboratories, National University of Singapore 5A Engineering Drive 1, #09-02, Singapore 117411. arxiv:1305.2694v3
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationElliptic Curve Cryptography
AIMS-VOLKSWAGEN STIFTUNG WORKSHOP ON INTRODUCTION TO COMPUTER ALGEBRA AND APPLICATIONS Douala, Cameroon, October 12, 2017 Elliptic Curve Cryptography presented by : BANSIMBA Gilda Rech BANSIMBA Gilda Rech
More informationA brief overwiev of pairings
Bordeaux November 22, 2016 A brief overwiev of pairings Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Overview pairings 0 / 37 Plan of the lecture Pairings Pairing-friendly curves Progress of NFS attacks
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer 1 Lecture 13 October 16, 2017 (notes revised 10/23/17) 1 Derived from lecture notes by Ewa Syta. CPSC 467, Lecture 13 1/57 Elliptic Curves
More informationLecture 7: Boneh-Boyen Proof & Waters IBE System
CS395T Advanced Cryptography 2/0/2009 Lecture 7: Boneh-Boyen Proof & Waters IBE System Instructor: Brent Waters Scribe: Ioannis Rouselakis Review Last lecture we discussed about the Boneh-Boyen IBE system,
More informationSide-Channel Attacks on Quantum-Resistant Supersingular Isogeny Diffie-Hellman
Side-Channel Attacks on Quantum-Resistant Supersingular Isogeny Diffie-Hellman Presenter: Reza Azarderakhsh CEECS Department and I-Sense, Florida Atlantic University razarderakhsh@fau.edu Paper by: Brian
More informationSecure Bilinear Diffie-Hellman Bits
Secure Bilinear Diffie-Hellman Bits Steven D. Galbraith 1, Herbie J. Hopkins 1, and Igor E. Shparlinski 2 1 Mathematics Department, Royal Holloway University of London Egham, Surrey, TW20 0EX, UK Steven.Galbraith@rhul.ac.uk,
More informationAlgorithm for RSA and Hyperelliptic Curve Cryptosystems Resistant to Simple Power Analysis
Algorithm for RSA and Hyperelliptic Curve Cryptosystems Resistant to Simple Power Analysis Christophe Negre ici joined work with T. Plantard (U. of Wollongong, Australia) Journees Nationales GDR IM January
More informationCyclic Groups in Cryptography
Cyclic Groups in Cryptography p. 1/6 Cyclic Groups in Cryptography Palash Sarkar Indian Statistical Institute Cyclic Groups in Cryptography p. 2/6 Structure of Presentation Exponentiation in General Cyclic
More informationCPSC 467b: Cryptography and Computer Security
Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18
More informationOptimal TNFS-secure pairings on elliptic curves with even embedding degree
Optimal TNFS-secure pairings on elliptic curves with even embedding degree Georgios Fotiadis 1 and Chloe Martindale 2 1 University of the Aegean, Greece gfotiadis@aegean.gr 2 Technische Universiteit Eindhoven,
More informationPoints of High Order on Elliptic Curves ECDSA
! Independent thesis advanced level (degree of master (two years)) Points of High Order on Elliptic Curves ECDSA Author: Behnaz Kouchaki Barzi Supervisor: Per-Anders Svensson Examiner: Andrei Khrennikov
More informationKatherine Stange. Pairing, Tokyo, Japan, 2007
via via Department of Mathematics Brown University http://www.math.brown.edu/~stange/ Pairing, Tokyo, Japan, 2007 Outline via Definition of an elliptic net via Definition (KS) Let R be an integral domain,
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationColored Burau Matrices, E-multiplication, and the Algebraic Eraser Key Agreement Protocol
Colored Burau Matrices, E-multiplication, and the Algebraic Eraser Key Agreement Protocol SecureRF Corporation 100 Beard Sawmill Road Suite 350 Shelton, CT 06484 203-227-3151 info@securerf.com www.securerf.com
More informationElliptic Curves. Giulia Mauri. Politecnico di Milano website:
Elliptic Curves Giulia Mauri Politecnico di Milano email: giulia.mauri@polimi.it website: http://home.deib.polimi.it/gmauri May 13, 2015 Giulia Mauri (DEIB) Exercises May 13, 2015 1 / 34 Overview 1 Elliptic
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationEfficient Implementation of Cryptographic pairings. Mike Scott Dublin City University
Efficient Implementation of Cryptographic pairings Mike Scott Dublin City University First Steps To do Pairing based Crypto we need two things Efficient algorithms Suitable elliptic curves We have got
More informationPairings for Cryptographers
Pairings for Cryptographers Steven D. Galbraith 1, Kenneth G. Paterson 1, and Nigel P. Smart 2 1 Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20 0EX, United Kingdom.
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols nichols@math.umass.edu University of Massachusetts Oct. 14, 2015 Cryptography basics Cryptography is the study of secure communications. Here are
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationRSA. Ramki Thurimella
RSA Ramki Thurimella Public-Key Cryptography Symmetric cryptography: same key is used for encryption and decryption. Asymmetric cryptography: different keys used for encryption and decryption. Public-Key
More information