True & Deterministic Random Number Generators
|
|
- Rodger Richardson
- 6 years ago
- Views:
Transcription
1 True & Deterministic Random Number Generators Çetin Kaya Koç Koç ( HRL RNG April 11, / 47
2 Random Numbers in Cryptography Session keys Signature keys and parameters Authentication protocols Ephemeral keys (DSA, ECDSA, ElGamal) Zero-knowledge protocols IVs for block ciphers Blinding and masking values... Koç ( HRL RNG April 11, / 47
3 Properties of Random Numbers Silent Requirement: The random numbers should assume all admissible values with equal probability and should be independent from predecessors and successors. Koç ( HRL RNG April 11, / 47
4 Properties of Random Numbers Silent Requirement: The random numbers should assume all admissible values with equal probability and should be independent from predecessors and successors. This characterizes an ideal random number generator Koç ( HRL RNG April 11, / 47
5 Ideal RNGs Even with maximal knowledge and unlimited computational power an attacker has no better strategy than blind guessing Brute force attack Koç ( HRL RNG April 11, / 47
6 Ideal RNGs Even with maximal knowledge and unlimited computational power an attacker has no better strategy than blind guessing Brute force attack Guessing n random bits costs 2 n 1 trials in average The guess work remains invariant in the course of time Today, in 2 years, in 100 years Koç ( HRL RNG April 11, / 47
7 Ideal RNGs Even with maximal knowledge and unlimited computational power an attacker has no better strategy than blind guessing Brute force attack Guessing n random bits costs 2 n 1 trials in average The guess work remains invariant in the course of time Today, in 2 years, in 100 years However, An ideal RNG is a mathematical construct! Koç ( HRL RNG April 11, / 47
8 Real World RNGs Koç ( HRL RNG April 11, / 47
9 Random Number Generators in Cryptography Deterministic RNGs are also known as pseudorandom number generators Koç ( HRL RNG April 11, / 47
10 Random Number Generators in Cryptography Deterministic RNGs are also known as pseudorandom number generators Hybrid deterministic RNGs and hybrid true RNGs apply design criteria from both deterministic RNGs and non-deterministic RNGs Koç ( HRL RNG April 11, / 47
11 Random Number Generators in Cryptography Deterministic RNGs are also known as pseudorandom number generators Hybrid deterministic RNGs and hybrid true RNGs apply design criteria from both deterministic RNGs and non-deterministic RNGs True random numbers cannot be computed on deterministic computers, they are best produced using physical RNGs which operate by measuring a well controlled and specially prepared random physical process Koç ( HRL RNG April 11, / 47
12 Random Number Generators in Cryptography Deterministic RNGs are also known as pseudorandom number generators Hybrid deterministic RNGs and hybrid true RNGs apply design criteria from both deterministic RNGs and non-deterministic RNGs True random numbers cannot be computed on deterministic computers, they are best produced using physical RNGs which operate by measuring a well controlled and specially prepared random physical process Especially valuable are information-theoretic provable RNGs which, at state of the art, seem to be possible only by exploiting randomness inherent to certain quantum systems Koç ( HRL RNG April 11, / 47
13 Challenge-Response Protocol Koç ( HRL RNG April 11, / 47
14 Challenge-Response Protocol To prevent replay attacks the random numbers U 1,U 2,... should be distinct with overwhelming probability Koç ( HRL RNG April 11, / 47
15 Security Requirement R1 Random numbers should not show any statistical weaknesses Koç ( HRL RNG April 11, / 47
16 Security Requirement R1 Random numbers should not show any statistical weaknesses Requirement R1 is usually verified by statistical tests Koç ( HRL RNG April 11, / 47
17 Security Requirement R1 Random numbers should not show any statistical weaknesses Requirement R1 is usually verified by statistical tests Is Requirement R1 is sufficient? Koç ( HRL RNG April 11, / 47
18 Key Exchange Protocol Alice Bob Charles Daniel r e 1 B mod nb T 1 r e 2 C mod nc T 2 r e 3 C mod nc T 3 r e 4 D mod nd T 4 Koç ( HRL RNG April 11, / 47
19 Key Exchange Protocol Alice Bob Charles Daniel r e 1 B mod nb T 1 r e 2 C mod nc T 2 r e 3 C mod nc T 3 r e 4 D mod nd T 4 Privileged attacker Charles: The knowledge of r 2 and r 3 may allow him to guess r 3 Koç ( HRL RNG April 11, / 47
20 Security Requirement R2 The knowledge of subsequences of random numbers should not allow one to compute predecessors or successors practically or to guess them with non-negligibly larger probability than without knowledge of these subsequences Koç ( HRL RNG April 11, / 47
21 Security Requirement R2 The knowledge of subsequences of random numbers should not allow one to compute predecessors or successors practically or to guess them with non-negligibly larger probability than without knowledge of these subsequences Requirement R2 implies backward and forward security Koç ( HRL RNG April 11, / 47
22 Security Requirement R2 The knowledge of subsequences of random numbers should not allow one to compute predecessors or successors practically or to guess them with non-negligibly larger probability than without knowledge of these subsequences Requirement R2 implies backward and forward security Requirement R2 can be thought of as the union of R3 (backward security) and R4 (forward security) Koç ( HRL RNG April 11, / 47
23 Security Requirements The minimum requirements on the random numbers depend on the intended applications Koç ( HRL RNG April 11, / 47
24 Security Requirements The minimum requirements on the random numbers depend on the intended applications For sensitive applications, e.g., the generation of session keys or signature parameters, Requirement R2 is indispensable Koç ( HRL RNG April 11, / 47
25 DRNGs A pure DRNG starts with a seed (s 0 ) value and using a seeding procedure computes the first internal state s 1 from s 0 The output is the random number r 1 which is computed using the output function Ψ while the next state s 2 is computed using the state transition function Φ as s 1 = seeding (s 0 ) r 1 = Ψ(s 1 ) s 2 = Φ(s 1 ) Koç ( HRL RNG April 11, / 47
26 Pure DRNG Schematic Koç ( HRL RNG April 11, / 47
27 DRNG Examples Linear Feedback Shift Registers (LFSRs) Cellular Automata (CA) Linear Congruential Generators (LCGs) Block cipher based methods Hash function based methods Number-theoretical methods: Blum-Blum-Shub, RSA, Rabin Elliptic curve methods: LCG, Power Generator, Naor-Reingold New: Edward curves method Koç ( HRL RNG April 11, / 47
28 DRNG Advantages DRNGs as random number generators have many advantages: low cost no dedicated hardware is required implementations can be done in software identical seed values imply identical random numbers which is a necessary condition for using them as stream ciphers Koç ( HRL RNG April 11, / 47
29 DRNG Disadvantages However, there are disadvantages: For pure DRNGs, the output is completely determined by the seed Output sequences of pure DRNGs cannot be truly independent They may behave as output sequence of an ideal RNG at most with respect to certain aspects The internal state has to be protected even if the device is not active Koç ( HRL RNG April 11, / 47
30 Security Requirements of DRNGs LFSRs: usually meet Requirement R1, but they do not meet R2 CA: on certain conditions meet R1 and R2 LCGs: usually meet Requirement R1, on certain conditions meet R2 Koç ( HRL RNG April 11, / 47
31 Security Requirements of DRNGs LFSRs: usually meet Requirement R1, but they do not meet R2 CA: on certain conditions meet R1 and R2 LCGs: usually meet Requirement R1, on certain conditions meet R2 Simple structures are useful for efficient implementations but they have serious security shortcomings Koç ( HRL RNG April 11, / 47
32 Block Cipher DRNGs Block cipher based DRNGs: k key (to be kept secret) and internal state s n = (r n,k) and s n+1 = (E k (r n ),k) = (r n+1,k) Internal state: s n = (r n,k) s n+1 = (E(r n,k),k) = (r n+1,k) Koç ( HRL RNG April 11, / 47
33 Block Cipher DRNGs Block cipher based DRNGs meet R1: ciphertext from a strong cipher should not have any statistical weakness Koç ( HRL RNG April 11, / 47
34 Block Cipher DRNGs Block cipher based DRNGs meet R1: ciphertext from a strong cipher should not have any statistical weakness They also meet R2: only if the encryption and decryption functions are secure against chosen-plaintext attacks Koç ( HRL RNG April 11, / 47
35 Block Cipher DRNGs Block cipher based DRNGs meet R1: ciphertext from a strong cipher should not have any statistical weakness They also meet R2: only if the encryption and decryption functions are secure against chosen-plaintext attacks This security proof is typical for DRNGs: tracing back to the recognized properties of well-known cryptographic primitives Koç ( HRL RNG April 11, / 47
36 Block Cipher DRNGs Block cipher based DRNGs meet R1: ciphertext from a strong cipher should not have any statistical weakness They also meet R2: only if the encryption and decryption functions are secure against chosen-plaintext attacks This security proof is typical for DRNGs: tracing back to the recognized properties of well-known cryptographic primitives For AES and Triple-DES encryption functions, may assume that this DRNG meets R2 Koç ( HRL RNG April 11, / 47
37 Block Cipher DRNGs Block cipher based DRNGs meet R1: ciphertext from a strong cipher should not have any statistical weakness They also meet R2: only if the encryption and decryption functions are secure against chosen-plaintext attacks This security proof is typical for DRNGs: tracing back to the recognized properties of well-known cryptographic primitives For AES and Triple-DES encryption functions, may assume that this DRNG meets R2 In the 80s, the same conclusion was justified for Single-DES, but this conclusion is no longer valid! Koç ( HRL RNG April 11, / 47
38 Hash Function DRNGs s n is a 160-bit vector Koç ( HRL RNG April 11, / 47
39 Hash Function DRNGs s n is a 160-bit vector Fulfills R1 and R2 (both backward and forward security) Koç ( HRL RNG April 11, / 47
40 Cryptographically Secure DRNGs Their security is based on intractability assumptions, e.g., factoring is hard or DLP is hard Examples: Blum-Blum-Shub, RSA, Rabin bit generators Koç ( HRL RNG April 11, / 47
41 Cryptographically Secure DRNGs Their security is based on intractability assumptions, e.g., factoring is hard or DLP is hard Examples: Blum-Blum-Shub, RSA, Rabin bit generators On the basis of these intractability assumptions certain security properties can be proved, such as next-bit security Usually only asymptotic security properties can be proved, for example, with increasing RSA modulus Koç ( HRL RNG April 11, / 47
42 Cryptographically Secure DRNGs Their security is based on intractability assumptions, e.g., factoring is hard or DLP is hard Examples: Blum-Blum-Shub, RSA, Rabin bit generators On the basis of these intractability assumptions certain security properties can be proved, such as next-bit security Usually only asymptotic security properties can be proved, for example, with increasing RSA modulus Not used in practice due to their low output rate Koç ( HRL RNG April 11, / 47
43 Security Requirement R4 For specific applications, Requirement R4 (enhanced forward security) is desirable Koç ( HRL RNG April 11, / 47
44 Security Requirement R4 For specific applications, Requirement R4 (enhanced forward security) is desirable It should not be practically feasible to compute future random numbers from the internal state or to guess them with non-negligibly larger probability than without the knowledge of the internal state Koç ( HRL RNG April 11, / 47
45 Security Requirement R4 For specific applications, Requirement R4 (enhanced forward security) is desirable It should not be practically feasible to compute future random numbers from the internal state or to guess them with non-negligibly larger probability than without the knowledge of the internal state Attack Scenario: An attacker is able to read or to manipulate the internal state of a DRNG without being noticed by the user/owner of the DRNG who uses the subsequent random numbers Koç ( HRL RNG April 11, / 47
46 Security Requirement R4 For specific applications, Requirement R4 (enhanced forward security) is desirable It should not be practically feasible to compute future random numbers from the internal state or to guess them with non-negligibly larger probability than without the knowledge of the internal state Attack Scenario: An attacker is able to read or to manipulate the internal state of a DRNG without being noticed by the user/owner of the DRNG who uses the subsequent random numbers Pure DRNGs cannot fulfill Requirement R4 Koç ( HRL RNG April 11, / 47
47 Security Requirement R4 For specific applications, Requirement R4 (enhanced forward security) is desirable It should not be practically feasible to compute future random numbers from the internal state or to guess them with non-negligibly larger probability than without the knowledge of the internal state Attack Scenario: An attacker is able to read or to manipulate the internal state of a DRNG without being noticed by the user/owner of the DRNG who uses the subsequent random numbers Pure DRNGs cannot fulfill Requirement R4 A hybrid DRNG may fulfill R4 for the random numbers that are generated after the first update of its internal state with random data after the internal state has been compromised Koç ( HRL RNG April 11, / 47
48 Hybrid DRNGs Koç ( HRL RNG April 11, / 47
49 Hybrid DRNGs Additional input may be provided After each step Occasionally Upon external request of an application Koç ( HRL RNG April 11, / 47
50 Hybrid DRNGs Additional input may be provided After each step Occasionally Upon external request of an application Additional input may have Large entropy per bit, using a strong physical RNG Low entropy, time etc Koç ( HRL RNG April 11, / 47
51 Block Cipher Hybrid DRNGs Strong block cipher, e.g., AES or Triple-DES Key k is kept secret The algorithmic part guarantees R1 and R2 Additional input large entropy may ensure R3 and R4 Koç ( HRL RNG April 11, / 47
52 Elliptic Curve DRNGs There are three existing proposals Linear congruential generator Power generator Naor-Reingold generator Koç ( HRL RNG April 11, / 47
53 Elliptic Curve DRNGs There are three existing proposals Linear congruential generator Power generator Naor-Reingold generator Some results have been obtained Some complexity results (bounds) for the power generators Studies involving Koblitz curves Koç ( HRL RNG April 11, / 47
54 Elliptic Curve DRNGs There are three existing proposals Linear congruential generator Power generator Naor-Reingold generator Some results have been obtained Some complexity results (bounds) for the power generators Studies involving Koblitz curves Our new work New pure and hybrid DRNG over Edward Curves New complexity results Koç ( HRL RNG April 11, / 47
55 Elliptic Curve DRNGs Weierstrass form of elliptic curves has been the standard tool Interesting applications of character sums, combinatorics, and curves Requirement R1 is usually assumed Requirement R2: Security proofs of elliptic curve DRNGs are based on the elliptic curve discrete logarithm problem: Find d, given P and Q = [d]p Koç ( HRL RNG April 11, / 47
56 Weierstrass Elliptic Curves The set of points (x,y) on elliptic curve together with the point at infinity O E = {(x,y) (x,y) F 2 p and y2 = x 3 +ax +b} {O} forms an Abelian group with respect to the addition operation Koç ( HRL RNG April 11, / 47
57 Elliptic Curve Point Addition The addition operation computes the coordinates (x 3,y 3 ) of P 3 for P 3 = P 1 P 2 = (x 1,y 1 ) (x 2,y 2 ) Koç ( HRL RNG April 11, / 47
58 Elliptic Curve Addition and Doubling over F p Given P 1 = (x 1,y 1 ) and P 2 = (x 2,y 2 ), the computation of P 3 = (x 3,y 3 ): If (x 1,y 1 ) = O, then (x 3,y 3 ) = (x 2,y 2 ) since P 3 = O+P 2 = P 2 If (x 2,y 2 ) = O, then (x 3,y 3 ) = (x 1,y 1 ) since P 3 = P 1 +O = P 1 If x 2 = x 1 and y 2 = y 1, then (x 3,y 3 ) = O since P 3 = P 1 +P 1 = O Otherwise, first compute the slope using y 2 y 1 x 2 x 1 for x 1 x 2 m = 3x1 2+a 2y 1 for x 1 = x 2 and y 1 = y 2 Then, (x 3,y 3 ) is computed using x 3 = m 2 x 1 x 2 y 3 = m (x 1 x 3 ) y 1 Koç ( HRL RNG April 11, / 47
59 Sequence from Points Map points P n = (x n,y n ) F 2 p into [0,1) [0,1) There is a natural map since F p = {0,1,...,p 1} P n ( xn p, y ) n p Some applications use only the x coordinate or apply maps to the coordinate values (for example, hash functions or trace maps) Koç ( HRL RNG April 11, / 47
60 Elliptic Curve Linear Congruential Generator For the initial value Q 0 E(F p ), consider the sequence Q k = P Q k 1 = [k]p Q 0 for k = 1,2,... Easy to construct the following element given two consecutive ones Let Q k = (x k,y k ) and use (x k ) k=0 as sequence in F p or normalize to [0,1) using an enumeration of the field and dividing by p Period is linked to the number of points in E If the field is F 2 n, this sequence is studied Tr(x 0 ),Tr(y 0 ),Tr(x 1 ),Tr(y 1 ),Tr(x 2 ),Tr(y 2 ),... Koç ( HRL RNG April 11, / 47
61 Elliptic Curve Power Generator For integer e 2, consider the sequence with Q 0 = P Q k = [e]q k 1 = [e k ]P Determining e from Q k and Q k 1 would be solving the ECDLP Constructing the sequence element given longer substrings is related to the generalized ECDH problem Koç ( HRL RNG April 11, / 47
62 Elliptic Curve Naor-Reingold Given an integer vector A = (a 1,a 2,...,a n ), consider the sequence Q A,k = [a k 1 1 ak 2 2 akn n ]P where k = k 1 k 2...k n is the bit representation of k, 0 k 2 n 1 Ezample: n = 4, l = 19, and A = (2,5,3,4) f A,0 = P = P f A,1 = P = [4]P f A,2 = P = [3]P f A,3 = P = [12]P f A,11 = P = [24]P = [5]P f A,15 = P = [120]P = [6]P Koç ( HRL RNG April 11, / 47
63 Research on EC-LCG, EC-PG, and EC-NRG Recent work of Tanja Lange, David Kohel, Igor Shparlinski, Berry Schoenmakers, and Vladimir Sidorenko Some results of theoretical value; Other results are more practical: If the order of P is at least p 0.5+ǫ then all three sequences are reasonably well distributed Koç ( HRL RNG April 11, / 47
64 Research on EC-LCG, EC-PG, and EC-NRG Recent work of Tanja Lange, David Kohel, Igor Shparlinski, Berry Schoenmakers, and Vladimir Sidorenko Some results of theoretical value; Other results are more practical: If the order of P is at least p 0.5+ǫ then all three sequences are reasonably well distributed Cryptanalysis results: A variant of EC-LCG, dual elliptic curve generator : s 0 random seed, Q = [a]p, a is secret s i = x([s i 1 ]P) r i = lsb 240 (x([s i ]Q)) r i are not uniformly distributed; next bit is predictable without knowing a; looks secure if fewer bits are extracted Koç ( HRL RNG April 11, / 47
65 Edwards Curves Harold Edwards introduced a new normal form for elliptic curves and gave an addition law which is remarkably symmetric and much simpler The original form the equation Edwards studied was x 2 +y 2 = c 2 +c 2 x 2 y 2 solved over a field F whose characteristic is not equal to 2 Studies on such groups go as far back as to Gauss Bernstein and Lange gave a slightly simpler form where d is a quadratic non residue x 2 +y 2 = 1+dx 2 y 2 Koç ( HRL RNG April 11, / 47
66 Edwards Curves (d = 0) When d = 0, this becomes the unit circle The zero element of the group is (0,1) The addition law is given as (x 1,y 1 ) (x 2,y 2 ) = (x 1 y 2 +x 2 y 1,y 1 y 2 x 1 x 2 ) The geometric interpretation: add the angles of the points P 1 and P 2 Koç ( HRL RNG April 11, / 47
67 Edwards Curves Other values of d F {0,1} for a non-binary field F form curves within the unit circle Edwards curves for d = 0, 2, 10, 50, Koç ( HRL RNG April 11, / 47
68 Edwards Curve Addition Law The zero (neutral) element is (0,1) The inverse of (x,y) is ( x,y) The addition law ( x1 y 2 +x 2 y 1 (x 1,y 1 ) (x 2,y 2 ) =, 1+dx 1 x 2 y 1 y 2 ) y 1 y 2 x 1 x 2 1 dx 1 x 2 y 1 y 2 Koç ( HRL RNG April 11, / 47
69 Edwards Curve Projections A point (x,y) on the Edwards curve E d projects to the point (u,v) in the same quadrant on the unit circle as (u,v) = (αx,αy), where α = 1 x 2 +y 2 Koç ( HRL RNG April 11, / 47
70 Edwards Curve Projections A point (x,y) on the Edwards curve E d projects to the point (u,v) in the same quadrant on the unit circle as (u,v) = (αx,αy), where α = 1 x 2 +y 2 A point (u,v) on the unit circle projects back to the point (x,y) in the same quadrant on the Edwards curve E d as (x,y) = (βu,βv), where 2 β = du 2 v 2 Koç ( HRL RNG April 11, / 47
71 Edwards Curve Projections A point (x 0,y 0 ) on the Edwards curve E d0 projects to the point (x 1,y 1 ) in the same quadrant on the Edwards curve E d1 as (x 1,y 1 ) = (γx 0,γx 1 ), where γ = 2 x 20 +y20 + (x0 2 +y2 0 )2 4d 1 x0 2y2 0 Koç ( HRL RNG April 11, / 47
72 Edwards Curve Projections A point (x 0,y 0 ) on the Edwards curve E d0 projects to the point (x 1,y 1 ) in the same quadrant on the Edwards curve E d1 as (x 1,y 1 ) = (γx 0,γx 1 ), where γ = 2 x 20 +y20 + (x0 2 +y2 0 )2 4d 1 x0 2y2 0 Equations are more complicated however where it is possible to project from one curve to another, using clock addition and roots of unity ( sin ( ) 2π,cos n ( )) 2π n Koç ( HRL RNG April 11, / 47
73 Edwards Curve Hybrid DRNG Given the seed vector K = (k 0,k 1,...,k n ), consider the Edwards curve E d over the odd prime p Koç ( HRL RNG April 11, / 47
74 Edwards Curve Hybrid DRNG Given the seed vector K = (k 0,k 1,...,k n ), consider the Edwards curve E d over the odd prime p Take initial d 0 = d and start with P 0 = (x 0,y 0 ) on E d0, and compute [k 0 ]P 0 = (x 0,y 0 ) d0 d0 (x 0,y 0 ) = (a 0,b 0 ) Koç ( HRL RNG April 11, / 47
75 Edwards Curve Hybrid DRNG Given the seed vector K = (k 0,k 1,...,k n ), consider the Edwards curve E d over the odd prime p Take initial d 0 = d and start with P 0 = (x 0,y 0 ) on E d0, and compute [k 0 ]P 0 = (x 0,y 0 ) d0 d0 (x 0,y 0 ) = (a 0,b 0 ) Obtain t 0 from the entropy source such that a 2 0 +b2 0 t2 0 is a QNR Koç ( HRL RNG April 11, / 47
76 Edwards Curve Hybrid DRNG Given the seed vector K = (k 0,k 1,...,k n ), consider the Edwards curve E d over the odd prime p Take initial d 0 = d and start with P 0 = (x 0,y 0 ) on E d0, and compute [k 0 ]P 0 = (x 0,y 0 ) d0 d0 (x 0,y 0 ) = (a 0,b 0 ) Obtain t 0 from the entropy source such that a0 2 +b2 0 t2 0 Assuming a 0 b 0 0, set is a QNR d 1 = t2 0 a0 2 (a b b0 2 t0) 2 0 Koç ( HRL RNG April 11, / 47
77 Edwards Curve Hybrid DRNG This d 1 is a QNR, and we can use it to define a new Edwards curve Koç ( HRL RNG April 11, / 47
78 Edwards Curve Hybrid DRNG This d 1 is a QNR, and we can use it to define a new Edwards curve The selection t 0 = 1 always works, but this gives d 1 = d 0 Koç ( HRL RNG April 11, / 47
79 Edwards Curve Hybrid DRNG This d 1 is a QNR, and we can use it to define a new Edwards curve The selection t 0 = 1 always works, but this gives d 1 = d 0 Now, project the point (a 0,b 0 ) on the Edwards curve E d1 by P 1 = (x 1,y 1 ) = (γ 0 a 0,γ 0 b 0 ) Koç ( HRL RNG April 11, / 47
80 Edwards Curve Hybrid DRNG This d 1 is a QNR, and we can use it to define a new Edwards curve The selection t 0 = 1 always works, but this gives d 1 = d 0 Now, project the point (a 0,b 0 ) on the Edwards curve E d1 by P 1 = (x 1,y 1 ) = (γ 0 a 0,γ 0 b 0 ) The projection coefficient simplifies γ 0 = t 1 0 Now compute [k 1 ]P 1 = (x 1,y 1 ) d1 d1 (x 1,y 1 ) = (a 1,b 1 ) Koç ( HRL RNG April 11, / 47
81 Edwards Curve Hybrid DRNG Assuming a 1 b 1 0, the parameter for the next Edwards curve is d 2 = t2 1 a1 2 (a b b1 2 t1) 2 1 such that a 2 1 +b2 1 t2 1 is a QNR and t 1 comes from the entropy source Koç ( HRL RNG April 11, / 47
82 Edwards Curve Hybrid DRNG Assuming a 1 b 1 0, the parameter for the next Edwards curve is d 2 = t2 1 a1 2 (a b b1 2 t1) 2 1 such that a 2 1 +b2 1 t2 1 is a QNR and t 1 comes from the entropy source Now compute [k 2 ]P 2 on E d2 where P 2 is the projection and so on P 2 = (x 2,y 2 ) = (t 1 1 a 1,t 1 1 b 1) Koç ( HRL RNG April 11, / 47
83 Edwards Curve Hybrid DRNG Assuming a 1 b 1 0, the parameter for the next Edwards curve is d 2 = t2 1 a1 2 (a b b1 2 t1) 2 1 such that a 2 1 +b2 1 t2 1 is a QNR and t 1 comes from the entropy source Now compute [k 2 ]P 2 on E d2 where P 2 is the projection and so on P 2 = (x 2,y 2 ) = (t 1 1 a 1,t 1 1 b 1) The final point produced is [k n ]P n on the Edwards curve E dn Koç ( HRL RNG April 11, / 47
84 Edwards Curve Hybrid DRNG System parameters: Edward curve over F p with odd prime p and d 0 = d, and a point on the curve P 0 = (x 0,y 0 ) Koç ( HRL RNG April 11, / 47
85 Edwards Curve Hybrid DRNG System parameters: Edward curve over F p with odd prime p and d 0 = d, and a point on the curve P 0 = (x 0,y 0 ) Input seed vector: K = (k 0,k 1,...,k n ) Koç ( HRL RNG April 11, / 47
86 Edwards Curve Hybrid DRNG System parameters: Edward curve over F p with odd prime p and d 0 = d, and a point on the curve P 0 = (x 0,y 0 ) Input seed vector: K = (k 0,k 1,...,k n ) The entropy source produces: T 0,T 1,...,T n which have been modified to obtain the QNRs t 0,t 1,...,t n at each step Koç ( HRL RNG April 11, / 47
87 Edwards Curve Hybrid DRNG System parameters: Edward curve over F p with odd prime p and d 0 = d, and a point on the curve P 0 = (x 0,y 0 ) Input seed vector: K = (k 0,k 1,...,k n ) The entropy source produces: T 0,T 1,...,T n which have been modified to obtain the QNRs t 0,t 1,...,t n at each step For i = 0 to i = n, Step i: (a i,b i ) = [k i ]P i Get T i and compute t i such that a 2 i +b 2 i t 2 i is a QNR d i+1 = t2 i (a ai 2b2 i 2 +bi 2 ti 2) i γ i = t 1 i P i+1 = (γ i a i,γ i b i ) Koç ( HRL RNG April 11, / 47
88 Edwards Curve Hybrid DRNG System parameters: Edward curve over F p with odd prime p and d 0 = d, and a point on the curve P 0 = (x 0,y 0 ) Input seed vector: K = (k 0,k 1,...,k n ) The entropy source produces: T 0,T 1,...,T n which have been modified to obtain the QNRs t 0,t 1,...,t n at each step For i = 0 to i = n, Step i: (a i,b i ) = [k i ]P i Get T i and compute t i such that a 2 i +b 2 i t 2 i is a QNR d i+1 = t2 i (a ai 2b2 i 2 +bi 2 ti 2) i γ i = t 1 i P i+1 = (γ i a i,γ i b i ) Random points P 1,P 2,...,P n Koç ( HRL RNG April 11, / 47
89 Edwards Curve Hybrid DRNG Koç ( HRL RNG April 11, / 47
90 A Complexity Result Theorem Suppose p,q are prime numbers with p = 4q 1. A few such (p,q) pairs are (11, 3), (19, 5), (331, 83), ( , ), ( , ). Consider the Edwards group G on E d with d = 1 (a QNR) over F p. G has identity (0,1), the element (0, 1) of order 2, and the elements (±1,0) are of order 4. Any other (x,y) has order q, 2q or 4q. Koç ( HRL RNG April 11, / 47
Elliptic Curve DRNGs. Çetin Kaya Koç Winter / 19
Elliptic Curve DRNGs Çetin Kaya Koç koc@cs.ucsb.edu Çetin Kaya Koç http://koclab.org Winter 2017 1 / 19 Elliptic Curve DRNGs There are three existing proposals Linear Congruential Generator Power Generator
More informationElliptic Curve DRNGs. Çetin Kaya Koç Winter / 21
Elliptic Curve DRNGs http://koclab.org Çetin Kaya Koç Winter 2017 1 / 21 Elliptic Curve DRNGs Linear Congruential Generator Power Generator Naor-Reingold Generator Dual EC RNG http://koclab.org Çetin Kaya
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer 1 Lecture 13 October 16, 2017 (notes revised 10/23/17) 1 Derived from lecture notes by Ewa Syta. CPSC 467, Lecture 13 1/57 Elliptic Curves
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 13 March 3, 2013 CPSC 467b, Lecture 13 1/52 Elliptic Curves Basics Elliptic Curve Cryptography CPSC
More informationPublic-key cryptography and the Discrete-Logarithm Problem. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J.
Public-key cryptography and the Discrete-Logarithm Problem Tanja Lange Technische Universiteit Eindhoven with some slides by Daniel J. Bernstein Cryptography Let s understand what our browsers do. Schoolbook
More informationEfficient Pseudorandom Generators Based on the DDH Assumption
Efficient Pseudorandom Generators Based on the DDH Assumption Andrey Sidorenko (Joint work with Reza Rezaeian Farashahi and Berry Schoenmakers) TU Eindhoven Outline Introduction provably secure pseudorandom
More informationUniv.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.
Cryptography Univ.-Prof. Dr. rer. nat. Rudolf Mathar 1 2 3 4 15 15 15 15 60 Written Examination Cryptography Tuesday, August 29, 2017, 01:30 p.m. Name: Matr.-No.: Field of study: Please pay attention to
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationIntroduction to Elliptic Curve Cryptography. Anupam Datta
Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols University of Massachusetts Amherst nichols@math.umass.edu WINRS Research Symposium Brown University March 4, 2017 Cryptography basics Cryptography
More informationStream Ciphers. Çetin Kaya Koç Winter / 20
Çetin Kaya Koç http://koclab.cs.ucsb.edu Winter 2016 1 / 20 Linear Congruential Generators A linear congruential generator produces a sequence of integers x i for i = 1,2,... starting with the given initial
More informationInformation Security
SE 4472 / ECE 9064 Information Security Week 12: Random Number Generators and Picking Appropriate Key Lengths Fall 2015 Prof. Aleksander Essex Random Number Generation Where do keys come from? So far we
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationPseudo-random Number Generation. Qiuliang Tang
Pseudo-random Number Generation Qiuliang Tang Random Numbers in Cryptography The keystream in the one-time pad The secret key in the DES encryption The prime numbers p, q in the RSA encryption The private
More informationDigital Signature Algorithm
Çetin Kaya Koç koc@cs.ucsb.edu Çetin Kaya Koç http://koclab.org Winter 2017 1 / 11 DSA: The is a US standard, proposed in 1991 by the NIST Along with the DSA, the hash function SHA-1 was also specified
More informationPseudo-Random Generators
Pseudo-Random Generators Why do we need random numbers? Simulation Sampling Numerical analysis Computer programming (e.g. randomized algorithm) Elementary and critical element in many cryptographic protocols
More informationPseudo-Random Generators
Pseudo-Random Generators Topics Why do we need random numbers? Truly random and Pseudo-random numbers. Definition of pseudo-random-generator What do we expect from pseudorandomness? Testing for pseudo-randomness.
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem
More informationOther Public-Key Cryptosystems
Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationComputer Science A Cryptography and Data Security. Claude Crépeau
Computer Science 308-547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A)
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationPublic Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy
Symmetric Cryptography Review Alice Bob Public Key x e K (x) y d K (y) x K K Instructor: Dr. Wei (Lisa) Li Department of Computer Science, GSU Two properties of symmetric (secret-key) crypto-systems: The
More informationElliptic Curve Cryptography with Derive
Elliptic Curve Cryptography with Derive Johann Wiesenbauer Vienna University of Technology DES-TIME-2006, Dresden General remarks on Elliptic curves Elliptic curces can be described as nonsingular algebraic
More informationTopics. Pseudo-Random Generators. Pseudo-Random Numbers. Truly Random Numbers
Topics Pseudo-Random Generators Why do we need random numbers? Truly random and Pseudo-random numbers. Definition of pseudo-random-generator What do we expect from pseudorandomness? Testing for pseudo-randomness.
More informationMath/Mthe 418/818. Review Questions
Math/Mthe 418/818 Review Questions 1. Show that the number N of bit operations required to compute the product mn of two integers m, n > 1 satisfies N = O(log(m) log(n)). 2. Can φ(n) be computed in polynomial
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationThe Dual Elliptic Curve Deterministic RBG
/ The Dual Elliptic Curve Deterministic RBG Background, Specification, Security and Notes Joshua E Hill Department of Mathematics, University of California, Irvine Math C Mathematical Cryptography June,
More informationLecture V : Public Key Cryptography
Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationThe Elliptic Curve in https
The Elliptic Curve in https Marco Streng Universiteit Leiden 25 November 2014 Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 1 The s in https:// HyperText Transfer Protocol
More informationState Recovery Attacks on Pseudorandom Generators
Appears in WEWoRC 2005 - Western European Workshop on Research in Cryptology, Lecture Notes in Informatics (LNI) P-74 (2005) 53-63. Gesellschaft für Informatik. State Recovery Attacks on Pseudorandom Generators
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationMATH 158 FINAL EXAM 20 DECEMBER 2016
MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page
More informationPermutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1
Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department
More informationElliptic Curve Cryptography
The State of the Art of Elliptic Curve Cryptography Ernst Kani Department of Mathematics and Statistics Queen s University Kingston, Ontario Elliptic Curve Cryptography 1 Outline 1. ECC: Advantages and
More informationDiscrete Logarithm Problem
Discrete Logarithm Problem Çetin Kaya Koç koc@cs.ucsb.edu (http://cs.ucsb.edu/~koc/ecc) Elliptic Curve Cryptography lect08 discrete log 1 / 46 Exponentiation and Logarithms in a General Group In a multiplicative
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationLecture Notes. Advanced Discrete Structures COT S
Lecture Notes Advanced Discrete Structures COT 4115.001 S15 2015-01-27 Recap ADFGX Cipher Block Cipher Modes of Operation Hill Cipher Inverting a Matrix (mod n) Encryption: Hill Cipher Example Multiple
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Serge Vaudenay 17.1.2017 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not
More informationElliptic curves. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J. Bernstein
Elliptic curves Tanja Lange Technische Universiteit Eindhoven with some slides by Daniel J. Bernstein Diffie-Hellman key exchange Pick some generator. Diffie-Hellman key exchange Pick some generator. Diffie-Hellman
More informationOther Public-Key Cryptosystems
Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: 10-1 Overview 1. How to exchange
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationCryptanalysis of the Dual Elliptic Curve Pseudorandom Generator
Cryptanalysis of the Dual Elliptic Curve Pseudorandom Generator Berry Schoenmakers and Andrey Sidorenko Dept. of Mathematics and Computer Science, TU Eindhoven, P.O. Box 513, 5600 MB Eindhoven, The Netherlands.
More informationFinal Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.
Final Exam Math 10: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 0 April 2002 :0 11:00 a.m. Instructions: Please be as neat as possible (use a pencil), and show
More informationDefinition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University
Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0
More informationElliptic Curve Cryptography
Elliptic Curve Cryptography Elliptic Curves An elliptic curve is a cubic equation of the form: y + axy + by = x 3 + cx + dx + e where a, b, c, d and e are real numbers. A special addition operation is
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationOne can use elliptic curves to factor integers, although probably not RSA moduli.
Elliptic Curves Elliptic curves are groups created by defining a binary operation (addition) on the points of the graph of certain polynomial equations in two variables. These groups have several properties
More informationChair for Network Architectures and Services Institute of Informatics TU München Prof. Carle. Network Security. Chapter 2 Basics
Chair for Network Architectures and Services Institute of Informatics TU München Prof. Carle Network Security Chapter 2 Basics 2.4 Random Number Generation for Cryptographic Protocols Motivation It is
More informationElliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.
Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elisa Lorenzo García Université de Rennes 1 14-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 1 /
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationIntroduction to Elliptic Curve Cryptography
Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic
More information6.080 / Great Ideas in Theoretical Computer Science Spring 2008
MIT OpenCourseWare http://ocw.mit.edu 6.080 / 6.089 Great Ideas in Theoretical Computer Science Spring 2008 For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms.
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from
More informationCodes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII
Codes and Cryptography MAMME, Fall 2015 PART XII Outline 1 Symmetric Encryption (II) 2 Construction Strategies Construction Strategies Stream ciphers: For arbitrarily long messages (e.g., data streams).
More informationCIS 551 / TCOM 401 Computer and Network Security
CIS 551 / TCOM 401 Computer and Network Security Spring 2008 Lecture 15 3/20/08 CIS/TCOM 551 1 Announcements Project 3 available on the web. Get the handout in class today. Project 3 is due April 4th It
More informationCRYPTOGRAPHY AND NUMBER THEORY
CRYPTOGRAPHY AND NUMBER THEORY XINYU SHI Abstract. In this paper, we will discuss a few examples of cryptographic systems, categorized into two different types: symmetric and asymmetric cryptography. We
More informationLattice-Based Cryptography
Liljana Babinkostova Department of Mathematics Computing Colloquium Series Detecting Sensor-hijack Attacks in Wearable Medical Systems Krishna Venkatasubramanian Worcester Polytechnic Institute Quantum
More information8 Elliptic Curve Cryptography
8 Elliptic Curve Cryptography 8.1 Elliptic Curves over a Finite Field For the purposes of cryptography, we want to consider an elliptic curve defined over a finite field F p = Z/pZ for p a prime. Given
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More informationElliptic Curve Cryptography
Areas for Discussion Elliptic Curve Cryptography Joseph Spring Department of Computer Science 7COM1027 - Distributed Systems Security Lecture - Elliptic Curves 1 1 Motivation Elliptic Curves Security of
More informationPoints of High Order on Elliptic Curves ECDSA
! Independent thesis advanced level (degree of master (two years)) Points of High Order on Elliptic Curves ECDSA Author: Behnaz Kouchaki Barzi Supervisor: Per-Anders Svensson Examiner: Andrei Khrennikov
More informationYALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 23 (rev. 1) Professor M. J. Fischer November 29, 2005 1 Oblivious Transfer Lecture Notes 23 In the locked
More informationElliptic Curves. Giulia Mauri. Politecnico di Milano website:
Elliptic Curves Giulia Mauri Politecnico di Milano email: giulia.mauri@polimi.it website: http://home.deib.polimi.it/gmauri May 13, 2015 Giulia Mauri (DEIB) Exercises May 13, 2015 1 / 34 Overview 1 Elliptic
More informationNumber Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers
Number Theory: Applications Number Theory Applications Computer Science & Engineering 235: Discrete Mathematics Christopher M. Bourke cbourke@cse.unl.edu Results from Number Theory have many applications
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size
More informationSecurity II: Cryptography exercises
Security II: Cryptography exercises Markus Kuhn Lent 2015 Part II Some of the exercises require the implementation of short programs. The model answers use Perl (see Part IB Unix Tools course), but you
More informationTi Secured communications
Ti5318800 Secured communications Pekka Jäppinen September 20, 2007 Pekka Jäppinen, Lappeenranta University of Technology: September 20, 2007 Relies on use of two keys: Public and private Sometimes called
More informationMathematics of Cryptography
UNIT - III Mathematics of Cryptography Part III: Primes and Related Congruence Equations 1 Objectives To introduce prime numbers and their applications in cryptography. To discuss some primality test algorithms
More informationElliptic Curve Cryptography and Security of Embedded Devices
Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Mathématiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography
More informationBenes and Butterfly schemes revisited
Benes and Butterfly schemes revisited Jacques Patarin, Audrey Montreuil Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract In [1], W. Aiello and R. Venkatesan have
More informationComparison of Elliptic Curve and Edwards Curve
CS90G - PROJECT REPORT Comparison of Elliptic Curve and Edwards Curve Shivapriya Hiremath, Stephanie Smith June 14, 013 1 INTRODUCTION In this project we have implemented the Elliptic Curve and Edwards
More informationSecurity Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography
Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How
More informationOn the distribution of the elliptic curve power generator
On the distribution of the elliptic curve power generator László Mérai Eötvös Loránd University Budapest 26. 06. 2012. László Mérai (Budapest) On the elliptic curve power generator 26. 06. 2012. 1 / 16
More informationEfficient Application of Countermeasures for Elliptic Curve Cryptography
Efficient Application of Countermeasures for Elliptic Curve Cryptography Vladimir Soukharev, Ph.D. Basil Hess, Ph.D. InfoSec Global Inc. May 19, 2017 Outline Introduction Brief Summary of ECC Arithmetic
More informationAttacks on Elliptic Curve Cryptography Discrete Logarithm Problem (EC-DLP)
Attacks on Elliptic Curve Cryptography Discrete Logarithm Problem (EC-DLP) Mrs.Santoshi Pote 1, Mrs. Jayashree Katti 2 ENC, Usha Mittal Institute of Technology, Mumbai, India 1 Information Technology,
More informationDiscrete logarithm and related schemes
Discrete logarithm and related schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Discrete logarithm problem examples, equivalent
More information10 Public Key Cryptography : RSA
10 Public Key Cryptography : RSA 10.1 Introduction The idea behind a public-key system is that it might be possible to find a cryptosystem where it is computationally infeasible to determine d K even if
More informationCPSC 467b: Cryptography and Computer Security
Outline Quadratic residues Useful tests Digital Signatures CPSC 467b: Cryptography and Computer Security Lecture 14 Michael J. Fischer Department of Computer Science Yale University March 1, 2010 Michael
More informationAdvanced Cryptography 1st Semester Public Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 1st 2007 1 / 64 Last Time (I) Indistinguishability Negligible function Probabilities Indistinguishability
More informationENEE 459-C Computer Security. Message authentication (continue from previous lecture)
ENEE 459-C Computer Security Message authentication (continue from previous lecture) Last lecture Hash function Cryptographic hash function Message authentication with hash function (attack?) with cryptographic
More informationPseudorandom Generators
Outlines Saint Petersburg State University, Mathematics and Mechanics 2nd April 2005 Outlines Part I: Main Approach Part II: Blum-Blum-Shub Generator Part III: General Concepts of Pseudorandom Generator
More informationCryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages
Cryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages MEI-NA WANG Institute for Information Industry Networks and Multimedia Institute TAIWAN, R.O.C. myrawang@iii.org.tw SUNG-MING
More informationCHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux
CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S Ant nine J aux (g) CRC Press Taylor 8* Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor &
More informationInformation Protection Based on Extraction of Square Roots of Gaussian Integers
Int. J. Communications, Network System Sciences, 0,, 33-38 doi:0.36/ijcns.0.306 Published Online March 0 (http://www.scirp.org/journal/ijcns) Information Protection Based on Extraction of Square Roots
More informationProvable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval
Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction
More informationLecture 7: ElGamal and Discrete Logarithms
Lecture 7: ElGamal and Discrete Logarithms Johan Håstad, transcribed by Johan Linde 2006-02-07 1 The discrete logarithm problem Recall that a generator g of a group G is an element of order n such that
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More informationChapter 7 Random Numbers
Chapter 7 Random Numbers February 15, 2010 7 In the following random numbers and random sequences are treated as two manifestations of the same thing. A series of random numbers strung together is considered
More informationHigh-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven
High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers
More informationFundamentals of Modern Cryptography
Fundamentals of Modern Cryptography BRUCE MOMJIAN This presentation explains the fundamentals of modern cryptographic methods. Creative Commons Attribution License http://momjian.us/presentations Last
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationDigital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay
Digital Signatures Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay July 24, 2018 1 / 29 Group Theory Recap Groups Definition A set
More informationPractice Assignment 2 Discussion 24/02/ /02/2018
German University in Cairo Faculty of MET (CSEN 1001 Computer and Network Security Course) Dr. Amr El Mougy 1 RSA 1.1 RSA Encryption Practice Assignment 2 Discussion 24/02/2018-29/02/2018 Perform encryption
More informationTHE CUBIC PUBLIC-KEY TRANSFORMATION*
CIRCUITS SYSTEMS SIGNAL PROCESSING c Birkhäuser Boston (2007) VOL. 26, NO. 3, 2007, PP. 353 359 DOI: 10.1007/s00034-006-0309-x THE CUBIC PUBLIC-KEY TRANSFORMATION* Subhash Kak 1 Abstract. This note proposes
More information