Algebraic Attacks on linear RFID Authentication Protocols
|
|
- Clarence Perkins
- 5 years ago
- Views:
Transcription
1 Algebraic Attacks on linear RFID Authentication Protocols 1/14 Algebraic Attacks on linear RFID Authentication Protocols Matthias Krause and Dirk Stegemann University of Mannheim (Germany) 10th GI-Kryptotag March 20, 2009 Technische Universität Berlin, Germany
2 Algebraic Attacks on linear RFID Authentication Protocols 2/14 Challenge-Response Authentication Protocols Verifier Alice RFID reader accept if proof valid challenge response Prover Bob RFID tag compute proof A passive attacker collects a set O of observed challenge/response pairs cannot manipulate the communication tries to forge valid responses
3 Algebraic Attacks on linear RFID Authentication Protocols 3/14 Idea of Linear Authentication Protocols Prover and Verifier agree on L linear n-dim. subspaces of {0, 1} m. Verifier Alice RFID reader challenge Prover Bob RFID tag choose l R [L] accept if l {1,..., L} with w V l w R V l Problems: V V L too small responses w efficiently distinguishable from random values V V L too large Pr[successful faugery] too high
4 Algebraic Attacks on linear RFID Authentication Protocols 4/14 Linear (n, k, L) Authentication Protocols Prover and Verifier agree on L lin. n-dim. subspaces of {0, 1} n+k. Observation: Any linear subspace V l {0, 1} n+k can be represented by a linear mapping f l : {0, 1} n {0, 1} k and a permutation σ l S n+k such that V l = {σ l (v f l (v)), v {0, 1} n }.
5 Algebraic Attacks on linear RFID Authentication Protocols 4/14 Linear (n, k, L) Authentication Protocols Prover and Verifier agree on L lin. n-dim. subspaces of {0, 1} n+k. Observation: Any linear subspace V l {0, 1} n+k can be represented by a linear mapping f l : {0, 1} n {0, 1} k and a permutation σ l S n+k such that V l = {σ l (v f l (v)), v {0, 1} n }. Verifier Alice RFID reader challenge w := σ l (v f l (v)) for i := 1 to L (x y) := σ 1 l (w) if (y = f l (x)) accept reject Prover Bob RFID tag choose l R [L], v R {0, 1} n
6 Algebraic Attacks on linear RFID Authentication Protocols 5/14 Special Case: The CKK 2 Protocol proposed by Cichoń, Klonowski and Kuty lowski at Pervasive 2008 CKK 2 is a linear (n + k, k, 2) protocol with f 1 = f 2 = f f depends only on the first n inputs. σ 1 exchanges the last two k-bit blocks. σ 2 = id Verifier Alice RFID reader challenge w := σl(v fl(v)) for i := 1 to L (x y) := σ 1 l (w) if (y = fl(x)) accept reject Prover Bob RFID tag choose l R [L], v R {0, 1} n
7 Algebraic Attacks on linear RFID Authentication Protocols 5/14 Special Case: The CKK 2 Protocol proposed by Cichoń, Klonowski and Kuty lowski at Pervasive 2008 CKK 2 is a linear (n + k, k, 2) protocol with f 1 = f 2 = f f depends only on the first n inputs. σ 1 exchanges the last two k-bit blocks. σ 2 = id Verifier Alice RFID reader challenge w := σl(v fl(v)) for i := 1 to L (x y) := σ 1 l (w) if (y = fl(x)) accept reject Implications: V 1 = {(v a b) v {0, 1} n, a = f (v), b {0, 1} k } V 2 = {(v a b) v {0, 1} n, a {0, 1} k, b = f (v)} f (v) can be written as f (v) = c a (1 c) b with c {0, 1} = c(a b) b Prover Bob RFID tag choose l R [L], v R {0, 1} n
8 Algebraic Attacks on linear RFID Authentication Protocols 6/14 A polynomial Time Attack on CKK 2 Basic Idea Collect a set of responses O = {(v 1 a 1 b 1 ),..., (v m a m b m )}. Observations: Already for m slightly larger than n, {v 1,..., v m } contains a basis of {0, 1} n with high probability. With a basis {v 1,..., v n } of {0, 1} n, any v {0, 1} n can be written as v = d D v d with D {1,..., n}, and
9 Algebraic Attacks on linear RFID Authentication Protocols 6/14 A polynomial Time Attack on CKK 2 Basic Idea Collect a set of responses O = {(v 1 a 1 b 1 ),..., (v m a m b m )}. Observations: Already for m slightly larger than n, {v 1,..., v m } contains a basis of {0, 1} n with high probability. With a basis {v 1,..., v n } of {0, 1} n, any v {0, 1} n can be written as v = d D v d with D {1,..., n}, and d D f (v) = c(a b) b f (v d ) = c(a b) b d D (c d (a d b d ) b d )) = c(a b) b d D (c d (a d b d )) c(a b) = d D b d b yields k equations in the unknowns c 1,..., c n, c.
10 Algebraic Attacks on linear RFID Authentication Protocols 7/14 A polynomial Time Attack on CKK 2 repeat Obtain a response (v a b). until a basis {v 1,..., v n } of {0, 1} n is found. Initialize a system of linear equations LES in c 1, c 2,...
11 Algebraic Attacks on linear RFID Authentication Protocols 7/14 A polynomial Time Attack on CKK 2 repeat Obtain a response (v a b). until a basis {v 1,..., v n } of {0, 1} n is found. Initialize a system of linear equations LES in c 1, c 2,... repeat Obtain a response (v a b) with v {v 1,..., v n }. Add the k equations given by (c d (a d b d )) c(a b) = b d b d D d D to LES. until LES has full rank.
12 Algebraic Attacks on linear RFID Authentication Protocols 7/14 A polynomial Time Attack on CKK 2 repeat Obtain a response (v a b). until a basis {v 1,..., v n } of {0, 1} n is found. Initialize a system of linear equations LES in c 1, c 2,... repeat Obtain a response (v a b) with v {v 1,..., v n }. Add the k equations given by (c d (a d b d )) c(a b) = b d b d D d D to LES. until LES has full rank. Compute the images of the basis vectors as f (v i ) = c i (a i b i ) b i for i {1,..., n}. Recover f w.r.t. the standard basis of {0, 1} n.
13 Algebraic Attacks on linear RFID Authentication Protocols 8/14 Another polynomial Time Attack on CKK 2 Let f be defined by the component functions f r : {0, 1} n {0, 1}, r {1,..., k}, i.e., f (v) = (f 1 (v),..., f k (v)). Observation: If a response (v (a 1,..., a k ) (b 1,..., b k )) satisfies a r = b r for some r, then we know that f r (v) = a r = b r.
14 Algebraic Attacks on linear RFID Authentication Protocols 8/14 Another polynomial Time Attack on CKK 2 Let f be defined by the component functions f r : {0, 1} n {0, 1}, r {1,..., k}, i.e., f (v) = (f 1 (v),..., f k (v)). Observation: If a response (v (a 1,..., a k ) (b 1,..., b k )) satisfies a r = b r for some r, then we know that f r (v) = a r = b r. Idea: Recover the component functions separately. for r {1,..., k} do repeat Obtain a response (v (a 1,..., a k ) (b 1,..., b k )) with a r = b r until a basis of {0, 1} n is found. Recover f r w.r.t. the standard basis. end for
15 Algebraic Attacks on linear RFID Authentication Protocols 9/14 Performance of the CKK 2 Attacks Main observations: The most costly operations are Gaussian eliminations. Rather few responses are needed to recover the secret function f A straightforward Magma implementation shows (n, k) #responses attack time first attack (128, 30) s (1024, 256) s second attack (128, 30) s (1024, 256) s (n, k) = (128, 30) was suggested for practical application. Don t use CKK 2 in practice.
16 Algebraic Attacks on linear RFID Authentication Protocols 10/14 Attacks on general (n, k, 2) Protocols Verifier Alice RFID reader challenge w := σ l (v f l (v)) for i := 1 to L (x y) := σ 1 l (w) if (y = f l (x)) accept reject Prover Bob RFID tag choose l R [L], v R {0, 1} n Problems of the general (n, k, 2) case: A single response σ 1 (v f 1 (v)) does not say anything about σ 2 (v f 2 (v)) and vice versa. The positions of dependent bits (=bits that belong to v) and independent bits (=bits that belong to f (v)) in a single response are unknown.
17 Algebraic Attacks on linear RFID Authentication Protocols 11/14 First Step: Attack on linear (n, 1, 2) Protocols Assume that σ 1 = σ 2 = id and consider a set of responses O = {(v 1 w 1 ),..., (v m w m )} with w i {0, 1}. For x i := f 1 (v i ) and y i := f 2 (v i ) it holds that (w i x i )(w i y i ) = 0 for all i {1,..., n}, which leads to quadratic equations in the unknowns x i, y i.
18 Algebraic Attacks on linear RFID Authentication Protocols 11/14 First Step: Attack on linear (n, 1, 2) Protocols Assume that σ 1 = σ 2 = id and consider a set of responses O = {(v 1 w 1 ),..., (v m w m )} with w i {0, 1}. For x i := f 1 (v i ) and y i := f 2 (v i ) it holds that (w i x i )(w i y i ) = 0 for all i {1,..., n}, which leads to quadratic equations in the unknowns x i, y i. Observation: A symmetry-avoiding linearization allows to recover the secret functions f 1 and f 2 efficiently. Performance for n = 128: Approx responses and 4 minutes of computation
19 Algebraic Attacks on linear RFID Authentication Protocols 12/14 Extension to linear (n, k, 2) Protocols Basic ideas: repeat Guess a dependent position w.r.t. V 1 and V 2 and apply the (n + k 1, 1, 2) attack. until (n + k 1, 1, 2) attack successful Use the result to distinguish responses from V 1 and V 2. Recover specifications for V 1 and V 2 from the respective responses. More details in M. Krause and D. Stegemann: Algebraic Attacks against Linear RFID Authentication Protocols, Workshop Record of the Dagstuhl Seminar on Symmetric Cryptogaphy, 2009.
20 Algebraic Attacks on linear RFID Authentication Protocols 13/14 Future Work How to extend the attack ideas to efficient attacks for L > 2? What about active attacks against linear (n, k, L) protocols? How do linear (n, k, L) protocols (and their security properties) relate to the HB family of authentication protocols?...
21 Algebraic Attacks on linear RFID Authentication Protocols 14/14 The End.
Performance Evaluation of an Advanced Man-in-the-Middle Attack Against Certain HB Authentication Protocols
Performance Evaluation of an Advanced Man-in-the-Middle Attack Against Certain HB Authentication Protocols Miodrag Mihaljević, Siniša Tomović and Milica Knežević Mathematical Institute of Serbian Academy
More informationPractical Attacks on HB and HB+ Protocols
Practical Attacks on HB and HB+ Protocols Zbigniew Gołębiewski 1, Krzysztof Majcher 2, Filip Zagórski 3, and Marcin Zawada 3 1 Institute of Computer Science, Wrocław University 2 Mathematical Institute,
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationLecture 10: Zero-Knowledge Proofs
Lecture 10: Zero-Knowledge Proofs Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Some of these slides are based on note by Boaz Barak. Quo vadis? Eo Romam
More informationCryptanalysis of the Algebraic Eraser
Cryptanalysis of the Algebraic Eraser Simon R. Blackburn Royal Holloway University of London 9th June 2016 Simon R. Blackburn (RHUL) The Algebraic Eraser 1 / 14 Diffie-Hellman key exchange Alice and Bob
More informationCS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing
Lecture 11: Key Management, Secret Sharing Céline Blondeau Email: celine.blondeau@aalto.fi Department of Computer Science Aalto University, School of Science Key Management Secret Sharing Shamir s Threshold
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationUsing semidirect product of (semi)groups in public key cryptography
Using semidirect product of (semi)groups in public key cryptography Delaram Kahrobaei City University of New York Graduate Center: PhD Program in Computer Science NYCCT: Mathematics Department University
More informationOblivious Transfer and Secure Multi-Party Computation With Malicious Parties
CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties Vitaly Shmatikov slide 1 Reminder: Oblivious Transfer b 0, b 1 i = 0 or 1 A b i B A inputs two bits, B inputs the index
More informationNotes 10: Public-key cryptography
MTH6115 Cryptography Notes 10: Public-key cryptography In this section we look at two other schemes that have been proposed for publickey ciphers. The first is interesting because it was the earliest such
More informationZero-Knowledge Proofs and Protocols
Seminar: Algorithms of IT Security and Cryptography Zero-Knowledge Proofs and Protocols Nikolay Vyahhi June 8, 2005 Abstract A proof is whatever convinces me. Shimon Even, 1978. Zero-knowledge proof is
More informationOn the Simulatability Condition in Key Generation Over a Non-authenticated Public Channel
On the Simulatability Condition in Key Generation Over a Non-authenticated Public Channel Wenwen Tu and Lifeng Lai Department of Electrical and Computer Engineering Worcester Polytechnic Institute Worcester,
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More informationColored Burau Matrices, E-multiplication, and the Algebraic Eraser Key Agreement Protocol
Colored Burau Matrices, E-multiplication, and the Algebraic Eraser Key Agreement Protocol SecureRF Corporation 100 Beard Sawmill Road Suite 350 Shelton, CT 06484 203-227-3151 info@securerf.com www.securerf.com
More informationQuantum key distribution for the lazy and careless
Quantum key distribution for the lazy and careless Noisy preprocessing and twisted states Joseph M. Renes Theoretical Quantum Physics, Institut für Angewandte Physik Technische Universität Darmstadt Center
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Solution Serge Vaudenay 29.1.2018 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationLecture 15: Privacy Amplification against Active Attackers
Randomness in Cryptography April 25, 2013 Lecture 15: Privacy Amplification against Active Attackers Lecturer: Yevgeniy Dodis Scribe: Travis Mayberry 1 Last Time Previously we showed that we could construct
More informationAdvanced Cryptography Quantum Algorithms Christophe Petit
The threat of quantum computers Advanced Cryptography Quantum Algorithms Christophe Petit University of Oxford Christophe Petit -Advanced Cryptography 1 Christophe Petit -Advanced Cryptography 2 The threat
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationMATH UN Midterm 2 November 10, 2016 (75 minutes)
Name: UNI: Instructor: Shrenik Shah MATH UN3025 - Midterm 2 November 10, 2016 (75 minutes) This examination booklet contains 6 problems. There are 10 sheets of paper including the front cover. This is
More informationA FRAMEWORK FOR UNCONDITIONALLY SECURE PUBLIC-KEY ENCRYPTION (WITH POSSIBLE DECRYPTION ERRORS)
A FRAMEWORK FOR UNCONDITIONALLY SECURE PUBLIC-KEY ENCRYPTION (WITH POSSIBLE DECRYPTION ERRORS) MARIYA BESSONOV, DIMA GRIGORIEV, AND VLADIMIR SHPILRAIN ABSTRACT. We offer a public-key encryption protocol
More informationPruning and Extending the HB + Family Tree
Pruning and Extending the HB + Family Tree Henri Gilbert, Matt Robshaw, and Yannick Seurin Orange Labs unrestricted Outline HB + [Juels and Weis 05]: strengths and weaknesses Cryptanalysis of HB + variants
More informationLecture 17: Constructions of Public-Key Encryption
COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,
More informationPrivacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics
Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics F. Prost Frederic.Prost@ens-lyon.fr Ecole Normale Supérieure de Lyon July 2015 F. Prost Frederic.Prost@ens-lyon.fr (Ecole
More informationPseudonym and Anonymous Credential Systems. Kyle Soska 4/13/2016
Pseudonym and Anonymous Credential Systems Kyle Soska 4/13/2016 Moving Past Encryption Encryption Does: Hide the contents of messages that are being communicated Provide tools for authenticating messages
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Serge Vaudenay 17.1.2017 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not
More informationOn The Hardness of Approximate and Exact (Bichromatic) Maximum Inner Product. Lijie Chen (Massachusetts Institute of Technology)
On The Hardness of Approximate and Exact (Bichromatic) Maximum Inner Product Max a,b A B a b Lijie Chen (Massachusetts Institute of Technology) Max-IP and Z-Max-IP (Boolean) Max-IP: Given sets A and B
More informationUniversal Blind Quantum Computing
Universal Blind Quantum Computing Elham Kashefi Laboratoire d Informatique de Grenoble Joint work with Anne Broadbent Montreal Joe Fitzsimons Oxford Classical Blind Computing Fundamentally asymmetric unlike
More informationMessage Authentication Codes (MACs)
Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands October 8, 2015 1 / 22 About Me 2 / 22 About Me Tung Chou (Tony) 2 / 22 About Me Tung Chou (Tony) Ph.D.
More informationPublic-Key Identification Schemes based on Multivariate Quadratic Polynomials
Public-Key Identification Schemes based on Multivariate Quadratic Polynomials Koichi Sakumoto, Taizo Shirai, Harunaga Hiwatari from Tokyo, Japan Sony Corporation @CRYPTO2011 Motivation Finding a new alternative
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationCryptanalysis of a key exchange protocol based on the endomorphisms ring End(Z p Z p 2)
AAECC (212) 23:143 149 DOI 1.17/s2-12-17-z ORIGINAL PAPER Cryptanalysis of a key exchange protocol based on the endomorphisms ring End(Z p Z p 2) Abdel Alim Kamal Amr M. Youssef Received: 2 November 211
More informationCPSC 467b: Cryptography and Computer Security
Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18
More informationLeftovers from Lecture 3
Leftovers from Lecture 3 Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite
More informationZero-Knowledge Against Quantum Attacks
Zero-Knowledge Against Quantum Attacks John Watrous Department of Computer Science University of Calgary January 16, 2006 John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP
More informationLecture 4: Postulates of quantum mechanics
Lecture 4: Postulates of quantum mechanics Rajat Mittal IIT Kanpur The postulates of quantum mechanics provide us the mathematical formalism over which the physical theory is developed. For people studying
More informationCS/Ph120 Homework 8 Solutions
CS/Ph0 Homework 8 Solutions December, 06 Problem : Thinking adversarially. Solution: (Due to De Huang) Attack to portocol : Assume that Eve has a quantum machine that can store arbitrary amount of quantum
More informationWinter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2
0368.3049.01 Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod Assignment #2 Published Sunday, February 17, 2008 and very slightly revised Feb. 18. Due Tues., March 4, in Rani Hod
More informationAn Identification Scheme Based on KEA1 Assumption
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to
More informationHybrid Approach : a Tool for Multivariate Cryptography
Hybrid Approach : a Tool for Multivariate Cryptography Luk Bettale, Jean-Charles Faugère and Ludovic Perret INRIA, Centre Paris-Rocquencourt, SALSA Project UPMC, Univ. Paris 06, LIP6 CNRS, UMR 7606, LIP6
More informationHILA5 Pindakaas: On the CCA security of lattice-based encryption with error correction
HILA5 Pindakaas: On the CCA security of lattice-based encryption with error correction Daniel J. Bernstein 1 Leon Groot Bruinderink 2 Tanja Lange 2 Lorenz Panny 2 1 University of Illinois at Chicago 2
More informationNoisy Diffie-Hellman protocols
Noisy Diffie-Hellman protocols Carlos Aguilar 1, Philippe Gaborit 1, Patrick Lacharme 1, Julien Schrek 1 and Gilles Zémor 2 1 University of Limoges, France, 2 University of Bordeaux, France. Classical
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationAlgebraic Attacks on Human Identification Protocols
Algebraic Attacks on Human Identification Protocols Hassan Jameel Asghar 1, Ron Steinfeld, Shuun Li 3, Mohamed Ali Kaafar 1, Josef Pieprzyk 4 1 National ICT Australia, NICTA, Australia {hassan.asghar,dali.kaafar}@nicta.com.au
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Serge Vaudenay 29.1.2018 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem
More information+ = OTP + QKD = QC. ψ = a. OTP One-Time Pad QKD Quantum Key Distribution QC Quantum Cryptography. θ = 135 o state 1
Quantum Cryptography Quantum Cryptography Presented by: Shubhra Mittal Instructor: Dr. Stefan Robila Intranet & Internet Security (CMPT-585-) Fall 28 Montclair State University, New Jersey Introduction
More informationPrevention of Exponential Equivalence in Simple Password Exponential Key Exchange (SPEKE)
Symmetry 2015, 7, 1587-1594; doi:10.3390/sym7031587 OPEN ACCESS symmetry ISSN 2073-8994 www.mdpi.com/journal/symmetry Article Prevention of Exponential Equivalence in Simple Password Exponential Key Exchange
More information14 Diffie-Hellman Key Agreement
14 Diffie-Hellman Key Agreement 14.1 Cyclic Groups Definition 14.1 Example Let д Z n. Define д n = {д i % n i Z}, the set of all powers of д reduced mod n. Then д is called a generator of д n, and д n
More informationSecret sharing schemes
Secret sharing schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction Shamir s secret sharing scheme perfect secret
More informationTHE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY
THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY Mark Zhandry - Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical
More informationLecture Notes 20: Zero-Knowledge Proofs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties
More informationStructural Cryptanalysis of SASAS
tructural Cryptanalysis of AA Alex Biryukov and Adi hamir Computer cience department The Weizmann Institute Rehovot 76100, Israel. Abstract. In this paper we consider the security of block ciphers which
More informationTROPICAL CRYPTOGRAPHY II: EXTENSIONS BY HOMOMORPHISMS
TROPICAL CRYPTOGRAPHY II: EXTENSIONS BY HOMOMORPHISMS DIMA GRIGORIEV AND VLADIMIR SHPILRAIN Abstract We use extensions of tropical algebras as platforms for very efficient public key exchange protocols
More informationHIMMO. Oscar Garcia-Morchon, Ronald Rietman, Ludo Tolhuizen. July PHILIPS RESEARCH
HIMMO Oscar Garcia-Morchon, Ronald Rietman, Ludo Tolhuizen July 2016 1 1 Aims of the presentation To share work done at Philips Research To discuss rationale of HIMMO To get feedback on our work 2 Contents
More informationPre-Calculus Midterm Practice Test (Units 1 through 3)
Name: Date: Period: Pre-Calculus Midterm Practice Test (Units 1 through 3) Learning Target 1A I can describe a set of numbers in a variety of ways. 1. Write the following inequalities in interval notation.
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationA Polynomial Description of the Rijndael Advanced Encryption Standard
A Polynomial Description of the Rijndael Advanced Encryption Standard arxiv:cs/0205002v1 [cs.cr] 2 May 2002 Joachim Rosenthal Department of Mathematics University of Notre Dame Notre Dame, Indiana 46556,
More informationPractical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits
Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits Damien Vergnaud École normale supérieure CHES September, 15th 2015 (with Aurélie Bauer) Damien Vergnaud
More informationWeek 1 Factor & Remainder Past Paper Questions - SOLUTIONS
Question Solution Marks C2 JUNE 2010 Q2 f(3) = 3(3) 3 5(3) 2 58(3) + 40 f(3) = 98 So, the remainder is 98 Substitute x = 3 into 98 (If it is not stated that 98 is the remainder, do not give this C2 JUNE
More informationPing Pong Protocol & Auto-compensation
Ping Pong Protocol & Auto-compensation Adam de la Zerda For QIP seminar Spring 2004 02.06.04 Outline Introduction to QKD protocols + motivation Ping-Pong protocol Security Analysis for Ping-Pong Protocol
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationarxiv: v1 [cs.cr] 1 May 2012
A SECRET SHARING SCHEME BASED ON GROUP PRESENTATIONS AND THE WORD PROBLEM arxiv:1205.0157v1 [cs.cr] 1 May 2012 MAGGIE HABEEB, DELARAM KAHROBAEI, AND VLADIMIR SHPILRAIN Abstract. A (t, n)-threshold secret
More informationIntroducing a new variant of fast algberaic attacks and minimizing their successive data complexity
Introducing a new variant of fast algberaic attacks and minimizing their successive data complexity Frederik Armknecht 1 Gwénolé Ars 2 1 Theoretische Informatik, University of Mannheim, Germany 2 IRMAR,
More informationTopics in Complexity
Topics in Complexity Please evaluate this course on Axess! Your feedback really does make a difference. Applied Complexity Theory Complexity theory has enormous practical relevance across various domains
More informationUnconditional Security of the Bennett 1992 quantum key-distribution protocol over a lossy and noisy channel
Unconditional Security of the Bennett 1992 quantum key-distribution protocol over a lossy and noisy channel Kiyoshi Tamaki *Perimeter Institute for Theoretical Physics Collaboration with Masato Koashi
More informationMinimum Number of Multiplications of U Hash Functions
Minimum Number of Multiplications of U Hash Functions Indian Statistical Institute, Kolkata mridul@isical.ac.in March 4, FSE-2014, London Authentication: The Popular Story 1 Alice and Bob share a secret
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Fun with Public-Key Tonight we ll Introduce some basic tools of public-key crypto Combine the tools to create more powerful tools Lay the ground work for substantial
More informationPublic Key Authentication with One (Online) Single Addition
Public Key Authentication with One (Online) Single Addition Marc Girault and David Lefranc France Télécom R&D 42 rue des Coutures F-14066 Caen, France {marc.girault,david.lefranc}@francetelecom.com Abstract.
More informationCryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1
Cryptography CS 555 Topic 25: Quantum Crpytography CS555 Topic 25 1 Outline and Readings Outline: What is Identity Based Encryption Quantum cryptography Readings: CS555 Topic 25 2 Identity Based Encryption
More informationZero-Knowledge Proofs 1
Zero-Knowledge Proofs 1 CS 702 SEMINAR Theme : Cryptography Instructor : Prof. C. Pandu Rangan ZERO-KNOWLEDGE PROOFS G. Venkatesan CS 93133 Dept. of C.S & E I.I.T Madras Zero-Knowledge Proofs 2 Outline
More informationExperimental Study of DIGIPASS GO3 and the Security of Authentication
Experimental Study of DIGIPASS GO3 and the Security of Authentication Igor Semaev Department of Informatics, University of Bergen, Norway e-mail: igor@ii.uib.no arxiv:1506.06332v1 [cs.cr] 21 Jun 2015 Abstract.
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationCryptanalysis of the Anshel-Anshel-Goldfeld-Lemieux Key Agreement Protocol
Groups-Complexity-Cryptology Volume 1 (2009), No. 1, 63 75 Cryptanalysis of the Anshel-Anshel-Goldfeld-Lemieux Key Agreement Protocol Alex D. Myasnikov Department of Mathematics, Stevens Institute of Technology,
More informationApplications of Galois Geometries to Coding Theory and Cryptography
Applications of Galois Geometries to Coding Theory and Cryptography Ghent University Dept. of Mathematics Krijgslaan 281 - Building S22 9000 Ghent Belgium Albena, July 1, 2013 1. Affine spaces 2. Projective
More informationMultiparty Computation
Multiparty Computation Principle There is a (randomized) function f : ({0, 1} l ) n ({0, 1} l ) n. There are n parties, P 1,...,P n. Some of them may be adversarial. Two forms of adversarial behaviour:
More informationPractice Exam Winter 2018, CS 485/585 Crypto March 14, 2018
Practice Exam Name: Winter 2018, CS 485/585 Crypto March 14, 2018 Portland State University Prof. Fang Song Instructions This exam contains 8 pages (including this cover page) and 5 questions. Total of
More informationIntroduction to Quantum Cryptography
Università degli Studi di Perugia September, 12th, 2011 BunnyTN 2011, Trento, Italy This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. Quantum Mechanics
More informationMTH 1310, SUMMER 2012 DR. GRAHAM-SQUIRE. A rational expression is just a fraction involving polynomials, for example 3x2 2
MTH 1310, SUMMER 2012 DR. GRAHAM-SQUIRE SECTION 1.2: PRECALCULUS REVIEW II Practice: 3, 7, 13, 17, 19, 23, 29, 33, 43, 45, 51, 57, 69, 81, 89 1. Rational Expressions and Other Algebraic Fractions A rational
More informationOn the Complexity of the Hybrid Approach on HFEv-
On the Complexity of the Hybrid Approach on HFEv- Albrecht Petzoldt National Institute of Standards and Technology, Gaithersburg, Maryland, USA albrecht.petzoldt@gmail.com Abstract. The HFEv- signature
More informationA New Framework for RFID Privacy
New Framework for RFID Privacy No uthor Given No Institute Given bstract. Formal RFID security and privacy frameworks are fundamental to the design and analysis of robust RFID systems. In this paper, we
More informationNon-Interactive Zero-Knowledge Proofs of Non-Membership
Non-Interactive Zero-Knowledge Proofs of Non-Membership O. Blazy, C. Chevalier, D. Vergnaud XLim / Université Paris II / ENS O. Blazy (XLim) Negative-NIZK CT-RSA 2015 1 / 22 1 Brief Overview 2 Building
More informationLecture 10. Public Key Cryptography: Encryption + Signatures. Identification
Lecture 10 Public Key Cryptography: Encryption + Signatures 1 Identification Public key cryptography can be also used for IDENTIFICATION Identification is an interactive protocol whereby one party: prover
More informationUniv.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.
Cryptography Univ.-Prof. Dr. rer. nat. Rudolf Mathar 1 2 3 4 15 15 15 15 60 Written Examination Cryptography Tuesday, August 29, 2017, 01:30 p.m. Name: Matr.-No.: Field of study: Please pay attention to
More informationGeneration X and Y. 1. Experiment with the following function using your CAS (for instance try n = 0,1,2,3): 1 2 t + t2-1) n + 1 (
13 1. Experiment with the following function using your CAS (for instance try n = 0,1,2,3): 1 ( 2 t + t2-1) n + 1 ( 2 t - t2-1) n Ï P 0 The generating function for the recursion Ì P 1 Ó P n = P n-1 + 6P
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationCryptology. Vilius Stakėnas autumn
Cryptology Vilius Stakėnas 2010 autumn 2.22 Cryptographic protocols 2 Key distribution............................................ 3 Zero-knowledge proofs...................................... 4 ZKP concept.............................................
More informationSolutions to the Midterm Test (March 5, 2011)
MATC16 Cryptography and Coding Theory Gábor Pete University of Toronto Scarborough Solutions to the Midterm Test (March 5, 2011) YOUR NAME: DO NOT OPEN THIS BOOKLET UNTIL INSTRUCTED TO DO SO. INSTRUCTIONS:
More informationTHE CONJUGACY SEARCH PROBLEM IN PUBLIC KEY CRYPTOGRAPHY: UNNECESSARY AND INSUFFICIENT
THE CONJUGACY SEARCH PROBLEM IN PUBLIC KEY CRYPTOGRAPHY: UNNECESSARY AND INSUFFICIENT VLADIMIR SHPILRAIN AND ALEXANDER USHAKOV Abstract. The conjugacy search problem in a group G is the problem of recovering
More informationCS120, Quantum Cryptography, Fall 2016
CS10, Quantum Cryptography, Fall 016 Homework # due: 10:9AM, October 18th, 016 Ground rules: Your homework should be submitted to the marked bins that will be by Annenberg 41. Please format your solutions
More informationLecture Notes, Week 10
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 10 (rev. 2) Professor M. J. Fischer March 29 & 31, 2005 Lecture Notes, Week 10 1 Zero Knowledge Interactive
More informationInteractive protocols & zero-knowledge
Interactive protocols & zero-knowledge - interactive protocols formalize what can be recognized by polynomial time restricted verifiers in arbitrary protocols - generalizes NP - zero-knowledge formalizes
More informationRSA RSA public key cryptosystem
RSA 1 RSA As we have seen, the security of most cipher systems rests on the users keeping secret a special key, for anyone possessing the key can encrypt and/or decrypt the messages sent between them.
More informationAN AUTHENTICATION SCHEME BASED ON THE TWISTED CONJUGACY PROBLEM
AN AUTHENTICATION SCHEME BASED ON THE TWISTED CONJUGACY PROBLEM VLADIMIR SHPILRAIN AND ALEXANDER USHAKOV Abstract. The conjugacy search problem in a group G is the problem of recovering an x G from given
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 16 March 19, 2012 CPSC 467b, Lecture 16 1/58 Authentication While Preventing Impersonation Challenge-response authentication protocols
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from
More information