Diophantine equations via weighted LLL algorithm
1 Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL algorithm
Momonari Kudo, Graduate School of Mathematics, Kyushu University, JAPAN
Kyushu University Number Theory Seminar, 1st September, Kyushu University, JAPAN
This is joint work with Jintai Ding, Shinya Okumura, Tsuyoshi Takagi and Chengdong Tao.
2 Contents 1. Introduction
This talk is based on the paper: Jintai Ding, Momonari Kudo, Shinya Okumura, Tsuyoshi Takagi and Chengdong Tao, Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL reduction, IACR Cryptology ePrint Archive 2015/1229.
A short paper version has been accepted by the refereed international conference IWSEC 2016, and it will be published.
3 1-1. Diophantine equations and Cryptography
Diophantine Problem / Q: for a given $f \in \mathbb{Z}[x_1, \ldots, x_n]$, find $(a_1, \ldots, a_n) \in \mathbb{Q}^n$ s.t. $f(a_1, \ldots, a_n) = 0$.
In general, there is no algorithm to test Diophantine equations for solvability in $\mathbb{Z}$ [1].
Application: some cryptographic protocols based on the difficulty of solving Diophantine equations have been proposed as Post-Quantum Cryptosystems (PQC).
Q. How secure are these cryptosystems?
[1] M. Davis, Y. Matijasevič and J. Robinson, Hilbert's tenth problem, Diophantine equations: positive aspects of a negative solution, In: Mathematical Developments Arising from Hilbert Problems, Browder, F.E. (ed.), AMS, Providence, RI, pp (1976).
4 1-2. Previous Works
E.g.
A public key cryptosystem [2] in 1995
Key exchange protocols [3, 4, 5] in
Algebraic Surface Cryptosystem (ASC09) by Akiyama, Goto, Miyake [6] in 2009
Impractical
In 2010, ASC09 was broken by the ideal decomposition attack [7] via Gröbner basis theory.
[2] C. H. Lin, C. C. Chang, R. C. T. Lee, A new public-key cipher system based upon the diophantine equations, IEEE Trans. Comp. 44, (1995).
[3] A. Bérczes, L. Hajdu, N. Hirata-Kohno, T. Kovács, A. Pethő, A key exchange protocol based on Diophantine equations and S-integers, JSIAM Letters Vol. 6, (2014).
[4] N. Hirata-Kohno, A. Pethő, On a key exchange protocol based on Diophantine equations, Infocommunications Journal 5, (2013).
[5] H. Yosh, The key exchange cryptosystem used with higher order Diophantine equations, IJNSA Journal 3, (2011).
[6] K. Akiyama, Y. Goto, H. Miyake, Algebraic Surface Cryptosystem, In: Proceedings of PKC'09, Lecture Notes in Comput. Sci., 5443, (2009).
[7] J.-C. Faugère, P.-J. Spaenlehauer, Algebraic Cryptanalysis of the PKC'2009 Algebraic Surface Cryptosystem, In: Proceedings of PKC'10, Lecture Notes in Comput. Sci., 6056, (2010).
5 1-3. Previous Works
A public key cryptosystem [2] in 1995
Key exchange protocols [3, 4, 5] in
Algebraic Surface Cryptosystem (ASC09) by Akiyama, Goto, Miyake [6] in 2009
Impractical
In 2010, ASC09 was broken by the ideal decomposition attack [7] via Gröbner basis theory.
Okumura [Oku15] proposed in 2015 a new public key cryptosystem as an analogue of ASC: a public key cryptosystem based on Diophantine Equations of degree increasing type (DEC). It is expected to have resistance against the ideal decomposition attack (and other attacks).
[Oku15] S. Okumura, A public key cryptosystem based on diophantine equations of degree increasing type, Pac. Journal of Math. for Industry, 7 (4), pp (2015).
6 1-4. Our Problem
Okumura [Oku15] proposed in 2015 a new public key cryptosystem as an analogue of ASC:
Algebraic Surface Cryptosystem (ASC): function field, section finding problem. Broken by the ideal decomposition attack.
Diophantine Equation Cryptosystem (DEC): number field, Diophantine problem. What's new: "twisting" the plaintext (to avoid the ideal decomposition attack).
DEC is a public key cryptosystem based on Diophantine Equations of degree increasing type. It is expected to have resistance against the ideal decomposition attack (and other attacks), and to be one of the PQC candidates.
Q. How secure is DEC?
[Oku15] S. Okumura, A public key cryptosystem based on diophantine equations of degree increasing type, Pac. Journal of Math. for Industry, 7 (4), pp (2015).
7 1-5. Our Main Contribution
Apply a variant of the LLL algorithm to the cryptanalysis. We call it the "weighted LLL algorithm".
Break the one-wayness of instances of DEC via weighted LLL.
8 Contents
1. Introduction
2. Overview of DEC
3. Cryptanalysis of DEC via the weighted LLL algorithm
4. Complexity Analysis and Experimental Results
5. Summary
9 2-1. DEC scheme
To simplify the notation, assume $n = 2$ throughout this talk.
Public key: $d, e \in \mathbb{Z}_{>0}$, $X \in \mathbb{Z}[x, y]$ with certain conditions.
Secret key: $(a, b) \in \mathbb{Z}^2$ s.t. $X(a/d, b/d) = 0$.
Plaintext: a polynomial $m \in \mathbb{Z}[x, y]$. "Twist" $m$ by $e$ and $N \in \mathbb{Z}$ to obtain $\tilde{m}$.
Encrypt (with some randomness $N, f, s_j, r_j$). Ciphertext (3 polynomials and $N \in \mathbb{Z}$):
$F_1 = \tilde{m} + s_1 f + r_1 X$
$F_2 = \tilde{m} + s_2 f + r_2 X$
$F_3 = \tilde{m} + s_3 f + r_3 X$
Crucial Remark
(1) The sets of the monomials of $X, m, \tilde{m}, f, s_j, r_j$ are the same and known.
(2) The bit lengths of the coefficients of $X, m, \tilde{m}, f, s_j, r_j$ are known.
(3) The coefficients of $s_j$ and $X$ are much smaller than those of the others.
10 2-2. Notation
For a polynomial $f(x, y) = \sum c_{i,j} x^i y^j \in \mathbb{Z}[x, y] \setminus \{0\}$, define
1. $c_{i,j}(f) := c_{i,j}$, the non-zero coefficient of the monomial $x^i y^j$ in $f$.
2. $\mathbf{f} := (c_{i_1,j_1}(f), \ldots, c_{i_q,j_q}(f))$, the vector consisting of all the non-zero coefficients of $f$, with the exponents $(i_1, j_1), \ldots, (i_q, j_q)$ in lexicographical order. Vectors are written in bold style.
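11 2-3. Toy Example of DEC (Key Generation)
$\lambda$: security parameter (In this example, λ 4)
Public key: $d = 5$, $e = 15$, $X = 25x^3 - 4y - 19416 \in \mathbb{Z}[x, y]$
Secret key: $(a, b) = (46, 64) \in \mathbb{Z}^2$
chosen so that $\gcd(ab, d) = 1$, $\gcd(e, \varphi(d)) = 1$ ($\varphi$: Euler's function), $X(a/d, b/d) = 0$, together with size conditions relating $2^\lambda$, $d$, $\varphi(d)$ and $\max\{|a|, |b|\}$ [inequalities not recoverable from this transcription].
Remark: [Oku15] suggests $\lambda = 128$. [The accompanying size conditions on $d$ and $e$ in terms of $\lambda$ and $\deg X$ are not recoverable from this transcription.]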
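12 2-4. Toy Example of DEC (Encryption)
Recall $X = 25x^3 - 4y - 19416$, $d = 5$, $e = 15$.
Plaintext (polynomial): $m = 3x^3 + 3y + 3$, with $1 < c_{i,j}(m) < d$ and $\gcd(c_{i,j}(m), d) = 1$.
Encryption
Step 1. Twist the plaintext $m$.
Choose an $N \in \mathbb{Z}_{>0}$ s.t. $Nd > 2^\lambda \max_{i,j} |c_{i,j}(X)|$. [The values of $N$ and $Nd$ are not preserved in this transcription.]
Put $c_{i,j}(\tilde{m}) \equiv c_{i,j}(m)^e \pmod{Nd}$, e.g. $c_{3,0}(\tilde{m}) \equiv 3^{15} \pmod{Nd}$.
$\tilde{m}$ has leading term $55787x^3$ [remaining coefficients not preserved in this transcription].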
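13 2-5. Toy Example of DEC (Encryption)
Recall $X = 25x^3 - 4y - 19416$.
Step 2. Choose some polynomials $f, s_j, r_j$ uniformly at random.
$f$, $r_1$, $r_2$, $r_3$: [coefficients not preserved in this transcription]
$s_1 = 28x^3 + 4y + (\text{constant})$, $s_2 = 26x^3 + 7y + (\text{constant})$, $s_3 = 28x^3 + 5y + (\text{constant})$ [constant terms not preserved in this transcription]
Crucial Remark: the $s_j$ are very short.
$f, s_j, r_j$ are chosen so that certain conditions hold, e.g. the coefficients of $s_j$ and $X$ have the same bit sizes.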
14 2-6. Toy Example of DEC (Encryption)
Step 3. Make a ciphertext (polynomials).
Put $F_1 := \tilde{m} + s_1 f + r_1 X$, $F_2 := \tilde{m} + s_2 f + r_2 X$, $F_3 := \tilde{m} + s_3 f + r_3 X$.
Each $F_j$ has the monomials $x^6, x^3 y, x^3, y^2, y, 1$ [numerical coefficients not preserved in this transcription].
Send $(F_1, F_2, F_3, N)$.
Remark 1: One can decrypt the ciphertext as in Sections 3.4 and 3.5 of [Oku15]. In this talk we omit the decryption process.
Remark 2: We mention the recommended (and estimated) parameter size later.
16 3-1. Idea of Our Attack
Ciphertext (3 polynomials):
$F_1 = \tilde{m} + s_1 f + r_1 X$
$F_2 = \tilde{m} + s_2 f + r_2 X$
$F_3 = \tilde{m} + s_3 f + r_3 X$
$X, F_1, F_2, F_3$: known. $\tilde{m}, f, s_j, r_j$: unknown.
Crucial Remark
(1) The sets of the monomials of $X, m, \tilde{m}, f, s_j, r_j$ are the same and known.
(2) The bit lengths of the coefficients of $X, m, \tilde{m}, f, s_j, r_j$ are known.
(3) The coefficients of $s_j$ and $X$ are much smaller than those of the others.
17 3-2. Idea of Our Attack
Ciphertext (3 polynomials):
$F_1 = \tilde{m} + s_1 f + r_1 X$
$F_2 = \tilde{m} + s_2 f + r_2 X$
$F_3 = \tilde{m} + s_3 f + r_3 X$
$X, F_1, F_2, F_3$: known. $\tilde{m}, f, s_j, r_j$: unknown.
Put $F'_1 := F_1 - F_2$, $F'_2 := F_2 - F_3$, $s'_1 := s_1 - s_2$, $s'_2 := s_2 - s_3$, $r'_1 := r_1 - r_2$, $r'_2 := r_2 - r_3$.
From the above equalities,
$s'_2 F'_1 - s'_1 F'_2 = g X$, where $g := s'_2 r'_1 - s'_1 r'_2$. $(*)$
18 3-3. Idea of Our Attack
$F'_1 := F_1 - F_2$, $F'_2 := F_2 - F_3$, $s'_1 := s_1 - s_2$, $s'_2 := s_2 - s_3$, $r'_1 := r_1 - r_2$, $r'_2 := r_2 - r_3$.
$s'_2 F'_1 - s'_1 F'_2 = g X$, where $g := s'_2 r'_1 - s'_1 r'_2$. $(*)$
$X, F'_1, F'_2$: known. $s'_j, g$: unknown. However, the monomials of $s'_1, s'_2, g$ are known.
The first step of our attack is to find $s'_1, s'_2$.
Regarding the unknown coefficients of $s'_1, s'_2, g$ as indeterminates yields a linear system over $\mathbb{Z}$.
19 3-4. Outline of Our Attack
It is sufficient for breaking DEC to find $m$.
Step 1. Find $s'_1 := s_1 - s_2$ and $s'_2 := s_2 - s_3$ by the weighted LLL. (Focus on Step 1 in this talk.)
Step 2. Find $f$ satisfying $F'_1 = s'_1 f + r'_1 X$, $F'_2 = s'_2 f + r'_2 X$ by using $s'_1$ and $s'_2$ obtained in Step 1. We fix such $f$.
Step 3. Find $s_1$ by Babai's nearest plane algorithm. After that, recover $m$ by linear algebra techniques and modular arithmetic.
In each step, we obtain a linear system by comparing the coefficients of the L.H.S. and those of the R.H.S.
20 3-5. SVP and LLL algorithm
The LLL algorithm is an algorithm to (approximately) solve the SVP:
Definition (Shortest Vector Problem). Given:
$B = \{b_1, \ldots, b_n\}$; a basis of a lattice $L \subset \mathbb{R}^m$
$\|\cdot\|$; a norm on $\mathbb{R}^m$ (typically the Euclidean norm is chosen)
SVP is to find the shortest non-zero vector $u \in L$ w.r.t. $\|\cdot\|$, i.e., $\|u\| \le \|w\|$ for all $w \in L \setminus \{0\}$.
21 3-6. SVP and LLL algorithm
The LLL algorithm is an algorithm proposed in 1982 to (approximately) solve the SVP. In this talk we omit its details (see [8, 9]), but review some properties.
LLL algorithm
Input: an (ordered) basis $A = \{a_1, \ldots, a_n\}$ of a lattice $L \subset \mathbb{Q}^m$, and a real number $1/4 < \delta < 1$
Output: an LLL-reduced basis $B = \{b_1, \ldots, b_n\}$ of $L$ for the factor $\delta$
Remark: An LLL-reduced basis is defined as a basis of a lattice that is sufficiently close to orthogonal; see [8, 9] for details.
(1) $B$ is LLL-reduced with $\delta = 3/4$ $\Rightarrow$ $\|b_1\| < 2^{(n-1)/2} \min\{\|w\| : w \in L \setminus \{0\}\}$
Note: In practice, LLL finds the shortest vector with high probability for random lattices of low rank.
(2) LLL terminates in polynomial time in the rank and dimension of the input lattice basis.
[8] A. K. Lenstra, H. W. Lenstra and L. Lovász, Factoring polynomials with rational coefficients, In: Mathematische Annalen 261 (4), (1982).
[9] S. D. Galbraith, Mathematics of Public Key Cryptography, Cambridge University Press (2012).
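22 3-7. CVP and Babai's nearest plane algorithm
Babai's nearest plane algorithm is an algorithm to (approximately) solve the CVP:
Definition (Closest Vector Problem). Given:
$B = \{b_1, \ldots, b_n\}$; a basis of a lattice $L \subset \mathbb{R}^m$
$v \in \mathbb{R}^m$; a vector in $\mathbb{R}^m$ with $v \notin L$
$\|\cdot\|$; a norm on $\mathbb{R}^m$ (typically the Euclidean norm is chosen)
CVP is to find the closest lattice point $u \in L$ to $v$ w.r.t. $\|\cdot\|$, i.e., $\|u - v\| \le \|w - v\|$ for all $w \in L$.
[Figure: a lattice with basis $b_1, b_2$, a target vector $v$ and its closest lattice point $u$]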
23 3-8. CVP and Babai's nearest plane algorithm
Babai's nearest plane algorithm is an algorithm to (approximately) solve the CVP. In this talk we omit its details (see [9, 10]), but review some properties.
Babai's nearest plane algorithm (Babai NPA)
Input: a basis $B = \{b_1, \ldots, b_n\}$ of a lattice $L \subset \mathbb{Z}^m$, and $v \in \mathrm{Span}\langle b_1, \ldots, b_n \rangle \subset \mathbb{Q}^m$ with $v \notin L$
Output: a vector $u \in L$
(1) $B$ is LLL-reduced with $\delta = 3/4$ $\Rightarrow$ $\|v - u\| < 2^{n/2} \|v - w\|$ for all $w \in L$
Note: In practice, NPA outputs a lattice point very close to $v$ in many cases.
(2) Babai NPA terminates in polynomial time in the rank and dimension of the input lattice basis.
[9] S. D. Galbraith, Mathematics of Public Key Cryptography, Cambridge University Press (2012).
[10] L. Babai, On Lovász lattice reduction and the nearest lattice point problem, Combinatorica 6 (1), 1-13 (1986).
24 3-9. Detail of Step 1
In the following, we use blue symbols for unknown objects.
$s'_2 F'_1 - s'_1 F'_2 = g X$, where $g := s'_2 r'_1 - s'_1 r'_2$. $(*)$
The monomials with non-zero coefficients of $s'_1$, $s'_2$ and $g$ are known.
We obtain a linear system from $(*)$.
$L_1$: the lattice defined as the nullspace of the system.
Clearly, $(\mathbf{s'_1}, \mathbf{s'_2}, \mathbf{g}) \in L_1$.
We can estimate the bit length of all entries of $\mathbf{s'_1}$ and $\mathbf{s'_2}$ from $X$.
25 3-10. Example
In the previous example, $F_1, F_2, F_3$ are polynomials in the monomials $x^6, x^3 y, x^3, y^2, y, 1$, and so are
$F'_1 = F_1 - F_2$ and $F'_2 = F_2 - F_3$
[numerical coefficients not preserved in this transcription].
26 3-11. Example
$s'_2 F'_1 - s'_1 F'_2 = g X$, where $g := s'_2 r'_1 - s'_1 r'_2$. $(*)$
Put
$s'_1 := c_1 x^3 + c_2 y + c_3$,
$s'_2 := c_4 x^3 + c_5 y + c_6$,
$g := c_7 x^6 + c_8 x^3 y + c_9 x^3 + c_{10} y^2 + c_{11} y + c_{12}$,
$X = 25x^3 - 4y - 19416$ (Public Key),
with $F'_1, F'_2$ as on the previous slide [numerical coefficients not preserved in this transcription].
By $(*)$, $(c_1, c_2, \ldots, c_{12}) A = 0$; a linear system over $\mathbb{Z}$.
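27 3-12. Example
$(c_1, c_2, \ldots, c_{12}) A = 0$; linear system
$L_1 := \mathrm{Ker}\, A = \{u \in \mathbb{Z}^{12} ; uA = 0\}$
Basis matrix: [entries not preserved in this transcription; columns indexed by $c_1, \ldots, c_{12}$, of which the columns belonging to $g$ are cut]
$s'_1 := c_1 x^3 + c_2 y + c_3$, $s'_2 := c_4 x^3 + c_5 y + c_6$, $g := c_7 x^6 + c_8 x^3 y + c_9 x^3 + c_{10} y^2 + c_{11} y + c_{12}$
Remark: $\mathbf{s'_1}, \mathbf{s'_2}$: very short $\Rightarrow$ $(\mathbf{s'_1}, \mathbf{s'_2})$: very short.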
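28 3-13. Recall (unknown objects)
$s_1 = 28x^3 + 4y + (\text{constant})$, $s_2 = 26x^3 + 7y + (\text{constant})$, $s_3 = 28x^3 + 5y + (\text{constant})$,
$s'_1 := s_1 - s_2 = 2x^3 - 3y + (\text{constant})$,
$s'_2 := s_2 - s_3 = -2x^3 + 2y + (\text{constant})$,
$\mathbf{s} := (\mathbf{s'_1}, \mathbf{s'_2})$
[constant terms and the entries of $\mathbf{s}$ not preserved in this transcription].
Remark: The bit lengths of the entries of $\mathbf{s}$ can be estimated, because it is known from the encryption process that the bit lengths of the entries of $\mathbf{s'_1}, \mathbf{s'_2}$ are the same as those of the public key $\mathbf{X}$.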
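29 3-14. Does the usual LLL work well?
$u_1, u_2, u_3$: the rows of the basis matrix restricted to the columns $c_1, \ldots, c_6$ [entries not preserved in this transcription]
$s'_1 := c_1 x^3 + c_2 y + c_3$, $s'_2 := c_4 x^3 + c_5 y + c_6$
$L_1 := \langle u_1, u_2, u_3 \rangle_{\mathbb{Z}} \subset \mathbb{Z}^6$
$\mathbf{s} := (\mathbf{s'_1}, \mathbf{s'_2}) \in L_1$: very short.
$\mathbf{s}$ = shortest vector??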
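30 3-15. Does the usual LLL work well?
$u_1, u_2, u_3$: the rows of the basis matrix restricted to the columns $c_1, \ldots, c_6$ [entries not preserved in this transcription]
$L_1 := \langle u_1, u_2, u_3 \rangle_{\mathbb{Z}} \subset \mathbb{Z}^6$, $\mathbf{s} := (\mathbf{s'_1}, \mathbf{s'_2}) \in L_1$: very short.
Applying LLL to $u_1, u_2, u_3$ gives a reduced basis $v_1, v_2, v_3$ [entries not preserved in this transcription].
$\mathbf{s}$ = shortest vector?? No!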
31 3-16. Why does the usual LLL work less well?
$\mathbf{s} := (\mathbf{s'_1}, \mathbf{s'_2}) \in L_1$
$\mathbf{s}$ = (small, small, large?, small, small, large?)
$\mathbf{s}$ is relatively short but not shortest (it has unbalanced entries) because of the existence of certain large entries.
Nevertheless, we predict that $\mathbf{s}$ is a shortest vector "in some sense".
Apply a weighted norm instead of the Euclidean norm.
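32 3-17. Idea of Weighted LLL Algorithm
$\mathbf{s} := (\mathbf{s'_1}, \mathbf{s'_2})$ = (small, small, large?, small, small, large?)
Recall: The coefficients of $s_j$ and $X$ have the same bit sizes.
The entries of $\mathbf{s'_1}$, $\mathbf{s'_2}$ and $\mathbf{X}$ have "near" (or the same) bit sizes.
$\mathbf{X} = (25, 4, 19416)$ (absolute values); Public Key
From the ratio of these entries, the weight vector $w$ is set to powers of 2 with exponents given by base-2 logarithms ($\lg$) of the ratio [the formula and the resulting values are not preserved in this transcription].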
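33 3-18. Idea of Weighted LLL Algorithm
$w$ = [values not preserved in this transcription]
$W$: the diagonal matrix defined by $W_{i,i} := w_i$
$(u_1, u_2, u_3) \mapsto (u_1 W, u_2 W, u_3 W)$ [matrix entries not preserved in this transcription]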
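34 3-19. Idea of Weighted LLL Algorithm
$W$: the diagonal matrix defined by $W_{i,i} := w_i$
Apply LLL to $(u_1 W, u_2 W, u_3 W)$ to obtain $(u'_1, u'_2, u'_3)$, then multiply by $W^{-1}$ to obtain $(u'_1 W^{-1}, u'_2 W^{-1}, u'_3 W^{-1})$ [matrix entries not preserved in this transcription].
The result contains a vector that is just the same as $(\mathbf{s'_1}, \mathbf{s'_2})$!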
35 3-20. Assumption of $(\mathbf{s'_1}, \mathbf{s'_2})$
What should we assume that $(\mathbf{s'_1}, \mathbf{s'_2})$ is, theoretically?
Definition (weighted norm and weighted lattice). For a lattice $L \subset \mathbb{R}^m$ and a vector $w = (w_1, \ldots, w_m) \in \mathbb{R}^m_{>0}$, we define a weighted norm $\|\cdot\|_w$ for $w$ as follows:
$\|u\|_w := \sqrt{(u_1 w_1)^2 + \cdots + (u_m w_m)^2}$ $(u \in L)$.
Then $\|\cdot\|_w$ is a norm on $L \subset \mathbb{R}^m$, and we call $L$ a weighted lattice for $w$. We denote $L$ by $L^w$ depending on the situation.
36 3-21. Assumption of $(\mathbf{s'_1}, \mathbf{s'_2})$
Lemma (shortest vectors with a weight). Let $L^w \subset \mathbb{R}^m$ be a lattice with the weight $w = (w_1, \ldots, w_m) \in \mathbb{R}^m_{>0}$. We set $W$ as the following diagonal matrix:
$W := \mathrm{diag}(w_1, \ldots, w_m)$, $f_W : \mathbb{R}^m \to \mathbb{R}^m ;\ x \mapsto xW$.
Then the following are equivalent for any $x \in L^w$:
1. The vector $x$ is a shortest vector in $L^w$ with respect to the norm $\|\cdot\|_w$.
2. The vector $xW$ is a shortest vector in $\mathrm{Im}(f_W)$ with respect to the Euclidean norm.
From this, we may assume that $(\mathbf{s'_1}, \mathbf{s'_2})$ is a shortest vector in $L_1^w$ w.r.t. the norm $\|\cdot\|_w$.
37 3-22. Summary of Weighted LLL
Target (3-rank case): $\mathbf{s} \in L_1$, a relatively short vector with entries of unbalanced sizes (not a shortest vector).
$L_1 = \langle u_1, u_2, u_3 \rangle_{\mathbb{Z}}$
Apply $f_W : u \mapsto uW$ to get $f_W(L_1) = \langle u_1 W, u_2 W, u_3 W \rangle_{\mathbb{Z}}$.
Apply LLL to get an LLL-reduced basis $u'_1, u'_2, u'_3$ of $f_W(L_1)$.
Apply $f_W^{-1} : u \mapsto u W^{-1}$ to get the "weighted LLL reduced basis" $u'_1 W^{-1}, u'_2 W^{-1}, u'_3 W^{-1}$ of $L_1$.
We generalize this method to an algorithm (we omit the precise statement in this talk). The algorithm terminates in polynomial time w.r.t. the rank and the dimension of a lattice.
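The scale, reduce, unscale procedure summarized above, as an added example that is not code from the talk or the paper. It runs a textbook LLL (exact rationals, δ = 3/4) on a constructed rank-2 lattice in Z^3 rather than the talk's rank-3 lattice in Z^6; the planted vector S, the vector T, the unimodular mixing and the weight rule in `weights_from_profile` are assumptions, and only the size profile (25, 4, 19416) comes from the slides.

```python
"""Weighted LLL on a small constructed lattice, using exact rational arithmetic."""
from fractions import Fraction


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def gram_schmidt(basis):
    """Return the Gram-Schmidt vectors b*_i and the coefficients mu[i][j]."""
    ortho = []
    mu = [[Fraction(0)] * len(basis) for _ in basis]
    for i, b in enumerate(basis):
        v = [Fraction(x) for x in b]
        for j in range(i):
            mu[i][j] = dot(b, ortho[j]) / dot(ortho[j], ortho[j])
            v = [vi - mu[i][j] * oj for vi, oj in zip(v, ortho[j])]
        ortho.append(v)
    return ortho, mu


def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL for an integer basis with linearly independent rows."""
    b = [list(row) for row in basis]
    k = 1
    while k < len(b):
        # Size-reduce b_k against b_{k-1}, ..., b_0 so that |mu[k][j]| <= 1/2.
        for j in range(k - 1, -1, -1):
            _, mu = gram_schmidt(b)
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
        ortho, mu = gram_schmidt(b)
        # Lovasz condition: |b*_k|^2 >= (delta - mu^2) * |b*_{k-1}|^2.
        lhs = dot(ortho[k], ortho[k])
        rhs = (delta - mu[k][k - 1] ** 2) * dot(ortho[k - 1], ortho[k - 1])
        if lhs >= rhs:
            k += 1
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            k = max(k - 1, 1)
    return b


def weights_from_profile(sizes):
    """Assumed weight rule (not taken from the slides): w_i is the smallest
    power of two with w_i * sizes[i] >= max(sizes), so coordinates that are
    expected to be small are scaled up to the size of the largest one."""
    biggest = max(sizes)
    weights = []
    for size in sizes:
        w = 1
        while w * size < biggest:
            w *= 2
        weights.append(w)
    return weights


def weighted_lll(basis, w):
    """u -> uW, LLL in the Euclidean norm, then u -> uW^{-1}."""
    scaled = [[x * wi for x, wi in zip(row, w)] for row in basis]
    reduced = lll(scaled)
    # Coordinate i of every vector of f_W(L) is a multiple of w_i: exact division.
    return [[x // wi for x, wi in zip(row, w)] for row in reduced]


# --- constructed sample data -------------------------------------------------
PROFILE = [25, 4, 19416]   # |coefficients| of the toy public key X on the slides
S = [20, -3, 16000]        # planted target: small, small, large (constructed)
T = [40, 50, 30]           # Euclidean-short vector with balanced entries (constructed)
# Hide S behind a unimodular change of basis: u1 = S + 3T, u2 = 2S + 7T.
BASIS = [[s + 3 * t for s, t in zip(S, T)],
         [2 * s + 7 * t for s, t in zip(S, T)]]
WEIGHTS = weights_from_profile(PROFILE)


def demo():
    """Return (plain LLL basis, weighted LLL basis) for the constructed lattice."""
    return lll(BASIS), weighted_lll(BASIS, WEIGHTS)


if __name__ == "__main__":
    plain, weighted = demo()
    print("weights      :", WEIGHTS)
    print("plain LLL    :", plain)
    print("weighted LLL :", weighted)
```

Plain LLL puts T first and S does not appear in its output, while the weighted reduction returns S as its first row; both outcomes are forced here because the gap between the first and second minimum exceeds √2 in the respective norm.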
38 3-23. Outline of Our Attack
It is sufficient for breaking DEC to find $m$.
Step 1. Find $s'_1 := s_1 - s_2$ and $s'_2 := s_2 - s_3$ by the weighted LLL. (Focused on Step 1 in this talk.)
Step 2. Find $f$ satisfying $F'_1 = s'_1 f + r'_1 X$, $F'_2 = s'_2 f + r'_2 X$ by using $s'_1$ and $s'_2$ obtained in Step 1. We fix such $f$.
Step 3. Find $s_1$ by Babai's nearest plane algorithm. After that, recover $m$ by linear algebra techniques and modular arithmetic.
In each step, we obtain a linear system by comparing the coefficients of the L.H.S. and those of the R.H.S.
40 4-1. Complexity of Our Algorithm
Parameters: $\lambda$ and $w := \deg X$
Main computation:
Step 1: Weighted LLL
Step 2: LLL
Step 3 (dominant): Babai nearest plane with LLL
Computation common to all steps:
Solving linear systems (by Hermite normal form)
Arithmetic over $\mathbb{Z}[x_1, \ldots, x_n]$
Modular arithmetic
Theorem. Under certain assumptions*, the worst case total bit complexity of our attack algorithm is $O(w^{11} \lambda^2 + w^5 \lambda^3)$.
Considering the size of the ciphertext, $w$ should not be so large.
Consequently, the attack runs in polynomial time in $\lambda$ and $w$.
*e.g. assume that coefficient explosion does not happen in the computation of the HNF.
41 4-2. Experimental Results 1
Table 1*: Results of our attack for the parameters suggested in [Oku15] with $n = 3$ and $\lambda = 128$
Columns: $w$, #{terms of $X$}, Success Times (Step 1, Step 2, Step 3), Average Time (seconds) [table values not preserved in this transcription]
Step 1: more than 70 % success by weighted LLL.
The attack breaks the one-wayness of almost 30 % of instances in practical time. This is a sufficiently high probability for cryptanalysis.
*EV: Magma V , Windows 8.1 Pro OS 64 bit GHz CPU (Intel Core i5) and 8 GB memory
42 4-3. Experimental Results 2
Table 2*: Results in the case of increasing $w$ (with $n = 3$ and $\lambda = 128$)
Columns: $w$, #{terms of $X$}, Average Time (seconds), Size of Secret Key (bit), Size of Public Key (bit), Size of Ciphertext (bit) [table values not preserved in this transcription]
The required time is expected to be shorter than the estimated complexity.
The computation of the HNF, estimated to be the most expensive part, does not take much time because the coefficient matrices obtained in our attack are sparse in many cases.
44 5-1. Summary
DEC has resistance against recovering the secret key directly (difficulty of solving Diophantine equations).
However, the one-wayness of the system is transformed to finding a relatively shorter but not a shortest vector in lattices of low ranks.
Our experimental results show that our attack with the weighted LLL can find such vectors.
As a consequence, the one-wayness of DEC can be broken with high probability in polynomial time for the parameters suggested in [Oku15].
More informationPost-Quantum Cryptography
Post-Quantum Cryptography Sebastian Schmittner Institute for Theoretical Physics University of Cologne 2015-10-26 Talk @ U23 @ CCC Cologne This work is licensed under a Creative Commons Attribution-ShareAlike
More informationA New Class of Product-sum Type Public Key Cryptosystem, K(V)ΣΠPKC, Constructed Based on Maximum Length Code
A New Class of Product-sum Type Public Key Cryptosystem, K(V)ΣΠPKC, Constructed Based on Maximum Length Code Masao KASAHARA Abstract The author recently proposed a new class of knapsack type PKC referred
More informationFinal Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.
Final Exam Math 10: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 0 April 2002 :0 11:00 a.m. Instructions: Please be as neat as possible (use a pencil), and show
More informationCryptanalysis via Lattice Techniques
Cryptanalysis via Lattice Techniques Alexander May Horst Görtz Institute for IT-Security Faculty of Mathematics Ruhr-University Bochum crypt@b-it 2010, Aug 2010, Bonn Lecture 1, Mon Aug 2 Introduction
More informationDouble-Moduli Gaussian Encryption/Decryption with Primary Residues and Secret Controls
Int. J. Communications, Network and System Sciences, 011, 4, 475-481 doi:10.436/ijcns.011.47058 Published Online July 011 (http://www.scirp.org/journal/ijcns) Double-Moduli Gaussian Encryption/Decryption
More informationA Large Block Cipher using an Iterative Method and the Modular Arithmetic Inverse of a key Matrix
A Large Block Cipher using an Iterative Method and the Modular Arithmetic Inverse of a key Matrix S. Udaya Kumar V. U. K. Sastry A. Vinaya babu Abstract In this paper, we have developed a block cipher
More information2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms
CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such
More informationLattice Reduction Attacks on HE Schemes. Martin R. Albrecht 15/03/2018
Lattice Reduction Attacks on HE Schemes Martin R. Albrecht 15/03/2018 Learning with Errors The Learning with Errors (LWE) problem was defined by Oded Regev. 1 Given (A, c) with uniform A Z m n q, uniform
More informationIntroduction to Cryptology. Lecture 2
Introduction to Cryptology Lecture 2 Announcements 2 nd vs. 1 st edition of textbook HW1 due Tuesday 2/9 Readings/quizzes (on Canvas) due Friday 2/12 Agenda Last time Historical ciphers and their cryptanalysis
More informationA New Attack on RSA with Two or Three Decryption Exponents
A New Attack on RSA with Two or Three Decryption Exponents Abderrahmane Nitaj Laboratoire de Mathématiques Nicolas Oresme Université de Caen, France nitaj@math.unicaen.fr http://www.math.unicaen.fr/~nitaj
More informationParameter selection in Ring-LWE-based cryptography
Parameter selection in Ring-LWE-based cryptography Rachel Player Information Security Group, Royal Holloway, University of London based on joint works with Martin R. Albrecht, Hao Chen, Kim Laine, and
More informationNumber Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers
Number Theory: Applications Number Theory Applications Computer Science & Engineering 235: Discrete Mathematics Christopher M. Bourke cbourke@cse.unl.edu Results from Number Theory have many applications
More informationHard Instances of Lattice Problems
Hard Instances of Lattice Problems Average Case - Worst Case Connections Christos Litsas 28 June 2012 Outline Abstract Lattices The Random Class Worst-Case - Average-Case Connection Abstract Christos Litsas
More information1 Shortest Vector Problem
Lattices in Cryptography University of Michigan, Fall 25 Lecture 2 SVP, Gram-Schmidt, LLL Instructor: Chris Peikert Scribe: Hank Carter Shortest Vector Problem Last time we defined the minimum distance
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationLattice-Based Cryptography
Liljana Babinkostova Department of Mathematics Computing Colloquium Series Detecting Sensor-hijack Attacks in Wearable Medical Systems Krishna Venkatasubramanian Worcester Polytechnic Institute Quantum
More informationDimension-Preserving Reductions Between Lattice Problems
Dimension-Preserving Reductions Between Lattice Problems Noah Stephens-Davidowitz Courant Institute of Mathematical Sciences, New York University. noahsd@cs.nyu.edu Last updated September 6, 2016. Abstract
More informationAdapting Density Attacks to Low-Weight Knapsacks
Adapting Density Attacks to Low-Weight Knapsacks Phong Q. Nguy ên 1 and Jacques Stern 2 1 CNRS & École normale supérieure, DI, 45 rue d Ulm, 75005 Paris, France. Phong.Nguyen@di.ens.fr http://www.di.ens.fr/
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationCryptanalysis of two knapsack public-key cryptosystems
Cryptanalysis of two knapsack public-key cryptosystems Jingguo Bi 1, Xianmeng Meng 2, and Lidong Han 1 {jguobi,hanlidong}@sdu.edu.cn mengxm@sdfi.edu.cn 1 Key Laboratory of Cryptologic Technology and Information
More informationA variant of the F4 algorithm
A variant of the F4 algorithm Vanessa VITSE - Antoine JOUX Université de Versailles Saint-Quentin, Laboratoire PRISM CT-RSA, February 18, 2011 Motivation Motivation An example of algebraic cryptanalysis
More informationCryptanalysis of RSA with Small Multiplicative Inverse of (p 1) or (q 1) Modulo e
Cryptanalysis of RSA with Small Multiplicative Inverse of (p 1) or (q 1) Modulo e P Anuradha Kameswari, L Jyotsna Department of Mathematics, Andhra University, Visakhapatnam - 5000, Andhra Pradesh, India
More informationImproving BDD cryptosystems in general lattices
University of Wollongong Research Online Faculty of Informatics - Papers (Archive) Faculty of Engineering and Information Sciences 2011 Improving BDD cryptosystems in general lattices Willy Susilo University
More informationA Lattice-Based Public-Key Cryptosystem
A Lattice-Based Public-Key Cryptosystem Jin-Yi Cai and Thomas W. Cusick 1 Department of Computer Science State University of New York at Buffalo, Buffalo, NY 1460 cai@cs.buffalo.edu Department of Mathematics
More informationRSA. Ramki Thurimella
RSA Ramki Thurimella Public-Key Cryptography Symmetric cryptography: same key is used for encryption and decryption. Asymmetric cryptography: different keys used for encryption and decryption. Public-Key
More informationHow to Generalize RSA Cryptanalyses
How to Generalize RSA Cryptanalyses Atsushi Takayasu and Noboru Kunihiro The University of Tokyo, Japan AIST, Japan {a-takayasu@it., kunihiro@}k.u-tokyo.ac.jp Abstract. Recently, the security of RSA variants
More informationCryptography and Security Midterm Exam
Cryptography and Security Midterm Exam Serge Vaudenay 23.11.2017 duration: 1h45 no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices
More informationHFERP - A New Multivariate Encryption Scheme
- A New Multivariate Encryption Scheme Yasuhiko Ikematsu (Kyushu University) Ray Perlner (NIST) Daniel Smith-Tone (NIST, University of Louisville) Tsuyoshi Takagi (Kyushi University) Jeremy Vates (University
More informationSide Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents
Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents Santanu Sarkar and Subhamoy Maitra Leuven, Belgium 12 September, 2012 Outline of the Talk RSA Cryptosystem
More informationNotes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I
Number Theory: Applications Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry Fall 2007 Computer Science & Engineering 235 Introduction to Discrete Mathematics Sections 3.4 3.7 of Rosen cse235@cse.unl.edu
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationDivision Property: a New Attack Against Block Ciphers
Division Property: a New Attack Against Block Ciphers Christina Boura (joint on-going work with Anne Canteaut) Séminaire du groupe Algèbre et Géometrie, LMV November 24, 2015 1 / 50 Symmetric-key encryption
More informationMultivariate Public Key Cryptography
Winter School, PQC 2016, Fukuoka Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Feb. 22 2016 Outline Outline What is a MPKC? Multivariate Public Key Cryptosystems - Cryptosystems,
More informationSolution to Midterm Examination
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Handout #13 Xueyuan Su November 4, 2008 Instructions: Solution to Midterm Examination This is a closed book
More information2 cryptology was immediately understood, and they were used to break schemes based on the knapsack problem (see [99, 23]), which were early alternativ
Corrected version of Algorithmic Number Theory { Proceedings of ANTS-IV (July 3{7, 2000, Leiden, Netherlands) W. Bosma (Ed.), vol.???? of Lecture Notes in Computer Science, pages???{??? cspringer-verlag
More informationPost Quantum Cryptography
Malaysian Journal of Mathematical Sciences 11(S) August: 1-28 (2017) Special Issue: The 5th International Cryptology and Information Security Conference (New Ideas in Cryptology) MALAYSIAN JOURNAL OF MATHEMATICAL
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationMy brief introduction to cryptography
My brief introduction to cryptography David Thomson dthomson@math.carleton.ca Carleton University September 7, 2013 introduction to cryptography September 7, 2013 1 / 28 Outline 1 The general framework
More informationCSE 206A: Lattice Algorithms and Applications Spring Basic Algorithms. Instructor: Daniele Micciancio
CSE 206A: Lattice Algorithms and Applications Spring 2014 Basic Algorithms Instructor: Daniele Micciancio UCSD CSE We have already seen an algorithm to compute the Gram-Schmidt orthogonalization of a lattice
More informationAn Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations
An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations J.H. Silverman 1, N.P. Smart 2, and F. Vercauteren 2 1 Mathematics Department, Box 1917, Brown
More informationA Unified Framework for Small Secret Exponent Attack on RSA
A Unified Framework for Small Secret Exponent Attack on RSA Noboru Kunihiro 1, Naoyuki Shinohara 2, and Tetsuya Izu 3 1 The University of Tokyo, Japan kunihiro@k.u-tokyo.ac.jp 2 NICT, Japan 3 Fujitsu Labs,
More informationApproximate Integer Common Divisor Problem relates to Implicit Factorization
Approximate Integer Common Divisor Problem relates to Implicit Factorization Santanu Sarar and Subhamoy Maitra Applied Statistics Unit, Indian Statistical Institute, 203 B T Road, Kolata 700 108, India
More informationPublic Key Encryption
Public Key Encryption 3/13/2012 Cryptography 1 Facts About Numbers Prime number p: p is an integer p 2 The only divisors of p are 1 and p s 2, 7, 19 are primes -3, 0, 1, 6 are not primes Prime decomposition
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Public-key crypto ECC RSA DSA Secret-key crypto AES SHA2 SHA1... Combination of both
More informationCHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER
177 CHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER 178 12.1 Introduction The study of cryptography of gray level images [110, 112, 118] by using block ciphers has gained considerable
More information