Known-plaintext cryptanalysis of the Domingo-Ferrer algebraic privacy homomorphism scheme
|
|
- Colin Wells
- 6 years ago
- Views:
Transcription
1 Information Processing Letters ) 8 23 wwwelseviercom/locate/ipl Known-plaintext cryptanalysis of the Domingo-Ferrer algebraic privacy homomorphism scheme Jung Hee Cheon a, Woo-Hwan Kim b,, Hyun Soo Nam a a ISaC and Department of Mathematical Sciences, Seoul National University, San 56- Shinrim-dong, Kwanak-gu, Seoul 5-747, Republic of Korea b National Security Research Institute, 6 Gajeong-dong, Yuseong-gu, Daejeon , Republic of Korea Received May 2004; received in revised form 28 February 2005; accepted 27 September 2005 Available online 7 November 2005 Communicated by Y Desmedt Abstract We propose cryptanalysis of the First Domingo-Ferrer s algebraic privacy homomorphism E : Z n Z p Z q ) d where n = pq We show that the scheme can be broken by d + ) known plaintexts in Od 3 log 2 n) time Even when the modulus n is kept secret, it can be broken by 2d + ) known plaintexts in Od 4 log dn+ d 3 log 2 n + εm)) time with overwhelming probability 2005 Elsevier BV All rights reserved Keywords: Privacy homomorphism; Cryptanalysis; Safety/security in digital systems Introduction The conceptofprocessing encrypted data was firstly introduced by Rivest et al [] in 978 A privacy homomorphism is an encryption function which allows processing the encrypted data without knowledge of the decryption function More precisely, an algebraic privacy homomorphic encryption E over a ring R is an encryption function which has efficient algorithms to compute Exy) and Ex + y) from Ex) and Ey) without revealing x and y One example of an algebraic privacy homomorphism [] is as follows: * Corresponding author addresses: jhcheon@mathsnuackr JH Cheon), whkim5@etrirekr W-H Kim), hsnam@mathsnuackr HS Nam) Example Let p,q be large primes, and n = pq P = Z n, C = Z p Z q, Ex) = x mod p,x mod q) and decryption is done using the Chinese remainder theorem This function is an algebraic privacy homomorphism under the usual modular addition and modular multiplication Unfortunately, it is shown that this algebraic privacy homomorphism can be broken using a knownplaintext attack [5] In 99, Feigenbaum and Merritt [8] questioned directly whether an algebraic privacy homomorphism does exist Many schemes are suggested, but almost all of them are shown to be insecure [5,3,3,4] In particular, Ahituv et al showed that any algebraic privacy homomorphism can be broken efficiently by cho /$ see front matter 2005 Elsevier BV All rights reserved doi:006/jipl
2 JH Cheon et al / Information Processing Letters ) sen ciphertext attacks [2] Boneh and Lipton proved that any deterministic algebraic privacy homomorphism over rings Z n can be broken in sub-exponential time under a reasonable) number theoretic assumption [4] Domingo-Ferrer proposed two algebraic privacy homomorphisms in 996 and 2002 [6,7] The second one is broken by Bao [3] and Wagner [3,4] But there is no serious attack on the first scheme It is the only algebraic privacy homomorphism that remains secure to the authors knowledge In this paper, we analyze the original privacy homomorphism of Domingo-Ferrer [6], and show that it is not secure against known-plaintext attacks When we consider an encryption function from Z n to Z p Z q ) d for n = pq, it can be broken by d + plaintext ciphertext pairs in Od 3 log 2 n) with the probability larger than 2/p ) Even when n is kept secret, it can be broken by d + more pairs in Od 4 log dn + d 3 log 2 n + εm)) with the probability larger than /2 m 2 ) 2/p )) where εm) = O2 2m ) The outline of the paper is as follows: In Section 2, we introduce the Domingo-Ferrer s scheme In Section 3, we propose known-plaintext attacks for the scheme The analysis consists of two parts One is the case that the modulus of the input space is public and the second is the case that the modulus is kept secret We conclude in Section 4 2 Domingo-Ferrer s algebraic privacy homomorphism In this section, we introduce the first Domingo-Ferrer scheme [6] Let p,q be large primes and n = pq Fora positive integer d,wesetp = Z n, C = Z p Z q ) d ) SetupTaketwolargeprimesp and q and compute n = pq Choose a positive integer d r p Z p and r q Z q are randomly selected so that each of them generates a large subgroup of Z p and Z q, respectively The public parameter is d, n) and the secret parameter is p,q,r p,r q ) To increase the security n can be kept secret, but in this case encrypted data can be processed less efficiently 2) Encrypt Randomly split x Z n into x,x 2,,x d so that x = d i= x i mod n and x i Z n Ex) = [x r p mod p,x r q mod q],, [x d rp d mod p,x drq d mod q]) 3) Decrypt For each j, to retrieve the [x j mod p, x j mod q], compute the scalar product of the jth coordinate [x j rp j mod p,x j rq j mod q] pair by [rp j mod p,rq j mod q]) Add them up to get [x mod p,x mod q] Use the Chinese remainder theorem to get x mod n To explain the operation of ciphertexts, we adopt a polynomial notation: Denote a polynomial fx) = a X + a 2 X a d X d by its coefficient vectors a,a 2,,a d ) Then we have Ex) = f x r p X) mod p, f x r q X) mod q) for a polynomial f x X) Z n [X] with f x 0) 0modn and f x ) x mod n GivenEx) = p x X), q x X)) and Ex ) = p x X), q x X)),wehave Ex + y) = p x X) + p x X) mod n, q x X) + q x X) mod n ), Exy) = p x X)p x X) mod n, q x X)q x X) mod n ) Note that a multiplication doubles up the number of components in a ciphertext If n is secret, the operations are done in Z[x] Domingo-Ferrer s scheme is an algebraic privacy homomorphism with respect to the operation of addition and multiplication in Z n [X] or Z[X] This scheme is claimed to be secure against knownplaintext attacks when d> Note that if d =, r p =, and r q =, Domingo-Ferrer s scheme is simply the scheme in Example 3 Cryptanalysis of Domingo-Ferrer s scheme We show that Domingo-Ferrer s scheme can be broken with d + known plaintexts when n is known and with one more known plaintexts when n is unknown Without loss of generality, we assume p<q throughout this paper 3 The case that n is public Assume we have d + plaintext ciphertext pairs {x i,y i,z i ) i =,,d + } where x i = x i + + x id mod n and Y i = y i,,y id ) = x i r p mod p,,x id rp d mod p), Z i = z i,,z id ) = x i r q mod q,,z id rq d mod q) for i =,,d + By letting t = rp,wehave f i t) = x i + y i t + y i2 t 2 + +y id t d 0modp for i =,,d+ This can be written as the following matrix:
3 20 JH Cheon et al / Information Processing Letters ) 8 23 x y y 2 y d x 2 y 2 y 22 y 2d x d+ y d+, y d+,2 y d+,d ṭ t d mod p ) Since the homogeneous equation ) has a nontrivial solution in Z d+ p, the determinant deta p ) of the coefficient matrix A p of Eq ) is zero mod p Wemay apply Gaussian elimination to A p over Z n to compute deta p ) since a prime factor of n can be obtained when a failure happens in Gaussian elimination Gaussian elimination of a d + ) d + ) matrix over Z n takes Od 3 log 2 n) bit operations On the other hand, Pr[detA p ) 0modq] is overwhelming as in the following lemma: Lemma 2 Let p and q be primes with p<qand M = v ij ) be an l l random matrix with 0 v ij <p Then the probability that detm) 0modq is larger than e 3/2p ) Proof Let v i = v i,,v li ) be the ith column vector of M Then detm) 0modq if and only if {v,, v l } is linearly independent over Z q Thus we estimate the size of the set I = { v,,v l ) {v,,v l } is linearly independent over Z q, 0 v ij <p } Suppose that {v,,v k } is linearly independent over Z q and each entry of v i is contained in [0,p ] Consider an l k matrix whose ith column is v i Since the rank of the matrix is k, there is a submatrix of rank k made by k rows of the matrix: v j v j 2 v j k v jk v jk 2 v jk k Denote the set of linear combinations of {v,,v k } over Z q by v,,v k Suppose v k+ is contained in v,,v k and v j,k+ [0,p ] for all j Then a,,a k Z q are uniquely determined such that v j k+ v j v j k = a + +a k v jk k+ v jk v jk k Other places of v k+ are determined according to v k+ = a i v i and the number of such v k+ s cannot exceed p k Therefore I is larger than p l )p l p) p l p l ) The probability that {v,v 2,,v l } is linearly independent is larger than p l )p l p) p l p l ) p l ) l = p ) l ) p l ) p e 3 2 p l +p+ +pl ) e 2p ) 3 x e 3 2 x for 0 x ) 2 From Lemma 2, we can obtain gcddeta) mod n, n) = p and q = n/p with probability larger than e 2p ) 3 Once p is known, r p can be obtained by computing gt) := gcd f t),, f d+ t) ) since t rp ) divides gt) The greatest common divisor of two polynomials in Z p [x] of degrees less than d can be computed by Od 2 log 2 p) bit operations [0] Thus gt) can be computed by Od 3 log 2 p) bit operations The degree of gt) may not be but we show that the probability is negligible Let f i = f i/t rp ) for i =,,d + We may assume that f i s are random polynomials of degree d over Z p Lemma 3 Let g,,g k be random polynomials of degree l over Z p Then there is no common root of g i s with probability larger than /p k ) l Proof Assume g has l distinct roots x,,x l For each i = 2,,k, the probability that g i x ) = 0is/p Thus Pr [ i such that g i x ) 0 ] = /p k, Pr [ j, j i such that g ji x j ) 0 ] = /p k ) l Since the number of distinct roots of g may be less than l, the probability is larger than /p k ) l By Lemma 3, f i s have no common root other than rp with the probability larger than /p d ) d Similarly r q can be computed The success probability of determining r p and r q uniquely is larger than /p d ) d /q d ) d e 3d )/2pd 3d )/2q d e 3d )pd e /2p )
4 JH Cheon et al / Information Processing Letters ) if d 2 and q>p>6d Hence the overall success probability is larger than e 3/2p ) e /2p ) e 2/p ) 2 p because e x x for 0 <x< 2 In summary, we have the following theorem Theorem 4 Suppose the modulus n = pq is public with 6d <p<qand d 2 in Domingo-Ferrer s privacy homomorphism The scheme can be broken by d + known plaintext ciphertext pairs in time Od 3 log 2 n) with probability larger than 2/p ) For example, when n and p q 2 52, the probability that the algorithm fails is less than 2/p ) The case that n is not public Domingo-Ferrer suggested that his scheme could be more secure by hiding the modulus n In this case, however, we can not perform many multiplications since one multiplication makes the length of ciphertexts four times longer We will show that even if n is not public, a similar cryptanalysis can be applied Assume that we have 2d + ) known plaintext ciphertext pairs From each d + pairs, we can induce two d + ) d + ) coefficient matrices, A and A 2 as ) First, we compute the determinant of A i s viewed as integer matrices When A = a ij ) is a d + ) d + ) integer matrix, it is known that deta) can be computed by Od 4 log d + log A ) + d 3 log 2 A ) bit operations where A =max i,j { a ij } [] and there are algorithms with the lower complexity For more detail, see [9]) For the matrix A i, we may assume that A i n and deta i ) can be computed by Od 4 log dn + d 3 log 2 n) bit operations Second, we compute p from the gcd of determinants of A i s We claim that gcddeta ), deta 2 )) = p, equivalently gcd deta )/p, deta 2 )/p ) = with high probability More precisely, we have Lemma 5 Assume that divisibility of an integer by different primes is independent Let N be a positive integer If positive integers n,,n k are randomly drawn from the interval 0,N), then the probability P k i) of the greatest common divisor of k integers n,,n k is equal to i, P k i) = lim Pr{ gcdn,n 2,,n k ) = i } N i k ζk), where ζk) is the Riemann s zeta function Proof See [2, Section 44] If l = gcddeta ), deta 2 )) is not prime and l has only small factors other than p, then we can easily calculate p by trial divisions or some integer factoring algorithms By Lemma 5, we have the probability for finding p greater than 2 m i= P 2 i) = 2 m i= = ζ2) i 2 ζ2) = ζ2) i=2 m + i 2 2 m i= i 2 assuming that prime factors of l smaller than 2 m can be easily calculated We can find q by the same method After getting p and q, we can compute the other secret keys r p and r q as the case that n is known Theorem 6 Suppose the modulus n = pq is secret with 2p>q>p 6d and d 2 in Domingo-Ferrer s algebraic privacy homomorphism The scheme can be broken by 2d +) known plaintext ciphertext pairs in time Od 4 log dn+ d 3 log 2 n + εm)) with the success probability larger than /2 m 2 ) 2/p )) where εm) = O2 2m ) is the complexity of a factorization algorithm to find all factors less than 2 m Proof The computing time of deta i ) for i =, 2in Z is estimated as Od 4 log dn + d 3 log 2 n) Next,using a suitable factorization algorithm whose complexity is εm)), we can discard prime factors smaller than 2 m and obtain p by computing the gcd of deta i ) s The number of primes less than 2 m is approximately 2 m /log 2 m ) = 2 m /m log 2) LetM be the product of primes less than 2 m, then M = p i <2 m p i 2 m 2m/log 2m) = 2 2m/log 2) The approximate value of ζk) for k = 2, 4, 6, 8, 0 is , , , ,
5 22 JH Cheon et al / Information Processing Letters ) 8 23 and log M 2 m /log 2) 2 m+ The computation of gcdm, det A i ) takes O2 m+ ) 2 ) bit operations and εm) = O2 2m ) follows By Lemma 5, we have Pr [ gcd deta ), deta 2 ) ) = p ] ζ2) i=2 m + i 2 Also the same probability holds for computing q Let Error be the event that p or q is not determined Since i=2 m + and ζ2), i 2 2 m Pr[Error] ζ2) i=2 m + ) 2 i 2 ) 2 2 m 2 m 2 The computation of r p, r q and its complexity is the same as the case when n is known The total complexity is O d 4 log dn+ d 3 log 2 n + 2 2m) The success probability is Pr [ ] Error Findr p Findr q ) 2 m 2 2 ) p Note that the probability that the algorithm fails, is less than 0 3 if m 2, n and d 0 Remark 7 In fact, d + 2) known plaintext ciphertext pairs are enough to make two d + ) d + ) matrices by use of a plaintext ciphertext pair twice In Lemma 5, it is assumed that the integers are chosen randomly and in order to apply the lemma, we assume 2d + ) known plaintext ciphertext pairs Table The summary of the proposed attacks Case The number of known-plaintexts The success probability Time complexity bit operations) n is known p 2 52 ) n is unknown m 2, d 0) d + 2d + ) 2 p 2 5 ) 2m 2 ) 2 p ) 0 3 ) Od 3 log 2 n) Od 4 log dn+ d 3 log 2 n + 2 2m ) 32 Example This example is in the paper of Domingo-Ferrer [6] We illustrate the above analysis by this example Let p = 7, q = 3, r p = 2, and r q = 3 be secret key We can encrypt, 3,, 2, 4, and 5 as follows: E ) = E2, 3) = [4, 6], [5, 2] ), E3) = E2, ) = [4, 6], [4, 9] ), E) = E4, 3) = [8, 2], [5, 2] ), E2) = E3, ) = [6, 9], [3, 4] ), E4) = E3, ) = [6, 9], [4, 9] ), E5) = E6, ) = [2, 5], [3, 4] ) We use three plaintext ciphertext pairs, {, E )), 3, E3)),, E))} to make a coefficient matrix A where ) 4 5 A = 3 4 4, deta) = 68, 8 5 gcd deta), 3 7 = 22 ) = 7 If n = 22 is unknown, with three more plaintext ciphertext pair, make another matrix for {2, E2)), 4, E4)), 5, E5))}, ) B = 4 6 4, detb) = 02, gcd deta), detb) ) = 34 We next calculate r p by using + 4t + 5t 2 = 0, 3 + 4t + 4t 2 = 0 then by elimination 9 + 4t = 0 mod 7 so t = 9 mod 7, r p = t mod 7 = 2 4 Conclusion Domingo-Ferrer proposed two algebraic privacy homomorphisms in 996 [6] and 2002 [7] The second was analyzed by Bao [3] and Wagner [3,4], but no attack against the first one was announced In this paper we firstly analyzed the first Domingo-Ferrer s algebraic privacy homomorphism It can be broken by d + ) plaintext ciphertext pairs by known plaintext attacks when the modulus is public Even when the modulus is kept secret, it can be broken by 2d + ) pairs Therefore, it is still open to decide whether an algebraic privacy homomorphism exists References [] J Abbot, M Bronstein, T Mulders, Fast deterministic computation of determinants of dense matrices, in: International Conference on Symbolic and Algebraic Computation Proceedings of
6 JH Cheon et al / Information Processing Letters ) the 999 International Symposium on Symbolic and Algebraic Computation, pp [2] N Ahituv, Y Lapid, S Neumann, Processing encrypted data, Comm ACM ) [3] F Bao, Cryptanalysis of a provable secure additive and multiplicative privacy homomorphism, in: International Workshop on Coding and Cryptography WCC), 2003 [4] D Boneh, R Lipton, Searching for elements in black-box fields and applications, in: Advances in Cryptology, Crypto 96, in: Lecture Notes in Comput Sci, vol 09, Springer-Verlag, Berlin, 996, pp [5] E Brickell, Y Yacobi, On privacy homomorphisms, in: Advances in Cryptology, Eurocrypt 87, in: Lecture Notes in Comput Sci, vol 304, Springer-Verlag, Berlin, 988, pp 7 25 [6] J Domingo-Ferrer, A new privacy homomorphism and applications, Inform Process Lett 60 5) 996) [7] J Domingo-Ferrer, A provably secure additive and multiplicative privacy homomorphism, in: ISC2002, in: Lecture Notes in Comput Sci, vol 2443, Springer-Verlag, Berlin, 2002, pp [8] J Feigenbaum, M Merritt, Open questions, talk abstracts, and summary of discussions, in: DIMACS series in Discrete Mathematics and Theoretical Computer Science, vol 2, Amer Math Soc, 99, pp 45 [9] E Kaltofen, G Villard, Computing the sign or the value of the determinant of an integer matrix, a complexity survey, J Comput Appl Math ) [0] A Menezes, P van Oorschot, S Vanstone, Handbook of Applied Cryptography, CRC Press, Inc, Boca Raton, FL, 997 [] R Rivest, L Adleman, M Dertouzos, On data banks and privacy homomorphisms, in: Foundations of Secure Computation, Academic Press, New York, 978, pp [2] M Schroeder, Number Theory in Science and Communication, second ed, Springer-Verlag, Berlin, 986 [3] D Wagner, Cryptanalysis of an algebraic privacy homomorphism, in: ISC2003, in: Lecture Notes in Comput Sci, vol 285, Springer-Verlag, Berlin, 2003, pp [4] D Wagner, Erratum concerning Cryptanalysis of an Algebraic Privacy Homomorphism, available at edu/~daw/papers/
Cryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000
Cryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000 Amr Youssef 1 and Guang Gong 2 1 Center for Applied Cryptographic Research Department of Combinatorics & Optimization 2 Department of Electrical
More informationA New Attack on RSA with Two or Three Decryption Exponents
A New Attack on RSA with Two or Three Decryption Exponents Abderrahmane Nitaj Laboratoire de Mathématiques Nicolas Oresme Université de Caen, France nitaj@math.unicaen.fr http://www.math.unicaen.fr/~nitaj
More informationComputers and Mathematics with Applications
Computers and Mathematics with Applications 61 (2011) 1261 1265 Contents lists available at ScienceDirect Computers and Mathematics with Applications journal homepage: wwwelseviercom/locate/camwa Cryptanalysis
More informationNew attacks on RSA with Moduli N = p r q
New attacks on RSA with Moduli N = p r q Abderrahmane Nitaj 1 and Tajjeeddine Rachidi 2 1 Laboratoire de Mathématiques Nicolas Oresme Université de Caen Basse Normandie, France abderrahmane.nitaj@unicaen.fr
More informationANALYSIS OF PRIVACY-PRESERVING ELEMENT REDUCTION OF A MULTISET
J. Korean Math. Soc. 46 (2009), No. 1, pp. 59 69 ANALYSIS OF PRIVACY-PRESERVING ELEMENT REDUCTION OF A MULTISET Jae Hong Seo, HyoJin Yoon, Seongan Lim, Jung Hee Cheon, and Dowon Hong Abstract. The element
More informationPartially homomorphic encryption schemes over finite fields
Partially homomorphic encryption schemes over finite fields Jian Liu Lusheng Chen Sihem Mesnager Abstract Homomorphic encryption scheme enables computation in the encrypted domain, which is of great importance
More informationAn Introduction to Probabilistic Encryption
Osječki matematički list 6(2006), 37 44 37 An Introduction to Probabilistic Encryption Georg J. Fuchsbauer Abstract. An introduction to probabilistic encryption is given, presenting the first probabilistic
More informationSolving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?
Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know? Alexander May, Maike Ritzenhofen Faculty of Mathematics Ruhr-Universität Bochum, 44780 Bochum,
More informationCryptanalysis of a key exchange protocol based on the endomorphisms ring End(Z p Z p 2)
AAECC (212) 23:143 149 DOI 1.17/s2-12-17-z ORIGINAL PAPER Cryptanalysis of a key exchange protocol based on the endomorphisms ring End(Z p Z p 2) Abdel Alim Kamal Amr M. Youssef Received: 2 November 211
More informationCryptanalysis of a Message Authentication Code due to Cary and Venkatesan
Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan Simon R. Blackburn and Kenneth G. Paterson Department of Mathematics Royal Holloway, University of London Egham, Surrey, TW20 0EX,
More informationDeterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring
Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring Jean-Sébastien Coron and Alexander May Gemplus Card International 34 rue Guynemer, 92447 Issy-les-Moulineaux, France
More informationGeneralized hyper-bent functions over GF(p)
Discrete Applied Mathematics 55 2007) 066 070 Note Generalized hyper-bent functions over GFp) A.M. Youssef Concordia Institute for Information Systems Engineering, Concordia University, Montreal, QC, H3G
More informationLemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).
1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not
More informationA new attack on RSA with a composed decryption exponent
A new attack on RSA with a composed decryption exponent Abderrahmane Nitaj and Mohamed Ould Douh,2 Laboratoire de Mathématiques Nicolas Oresme Université de Caen, Basse Normandie, France abderrahmane.nitaj@unicaen.fr
More informationCryptanalysis of Unbalanced RSA with Small CRT-Exponent
Cryptanalysis of Unbalanced RSA with Small CRT-Exponent Alexander May Department of Mathematics and Computer Science University of Paderborn 3310 Paderborn, Germany alexx@uni-paderborn.de Abstract. We
More informationOn Deterministic Polynomial-Time Equivalence of Computing the CRT-RSA Secret Keys and Factoring
On Deterministic Polynomial-Time Equivalence of Computing the CRT-RSA Secret Keys and Factoring Subhamoy Maitra and Santanu Sarkar Applied Statistics Unit, Indian Statistical Institute, 203 B T Road, Kolkata
More informationPublic Key Cryptography
Public Key Cryptography Spotlight on Science J. Robert Buchanan Department of Mathematics 2011 What is Cryptography? cryptography: study of methods for sending messages in a form that only be understood
More informationHOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51
HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY Abderrahmane Nitaj Laboratoire de Mathe matiques Nicolas Oresme Universite de Caen Normandie, France Nouakchott, February 15-26, 2016 Abderrahmane
More informationMathematical Foundations of Public-Key Cryptography
Mathematical Foundations of Public-Key Cryptography Adam C. Champion and Dong Xuan CSE 4471: Information Security Material based on (Stallings, 2006) and (Paar and Pelzl, 2010) Outline Review: Basic Mathematical
More informationDeterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA
Deterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA Noboru Kunihiro 1 and Kaoru Kurosawa 2 1 The University of Electro-Communications, Japan kunihiro@iceuecacjp
More informationCryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg
Course 1: Remainder: RSA Université du Luxembourg September 21, 2010 Public-key encryption Public-key encryption: two keys. One key is made public and used to encrypt. The other key is kept private and
More informationCryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97
Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97 Phong Nguyen and Jacques Stern École Normale Supérieure, Laboratoire d Informatique 45, rue d Ulm, F 75230 Paris Cedex 05 {Phong.Nguyen,Jacques.Stern}@ens.fr
More informationComputing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring
Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring Alexander May Faculty of Computer Science, Electrical Engineering and Mathematics University of Paderborn 33102 Paderborn,
More informationA New Generalization of the KMOV Cryptosystem
J Appl Math Comput manuscript No. (will be inserted by the editor) A New Generalization of the KMOV Cryptosystem Maher Boudabra Abderrahmane Nitaj Received: date / Accepted: date Abstract The KMOV scheme
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA Public Key Encryption Factoring Algorithms Lecture 7 Tel-Aviv University Revised March 1st, 2008 Reminder: The Prime Number Theorem Let π(x) denote the
More informationPartial Key Exposure: Generalized Framework to Attack RSA
Partial Key Exposure: Generalized Framework to Attack RSA Cryptology Research Group Indian Statistical Institute, Kolkata 12 December 2011 Outline of the Talk 1 RSA - A brief overview 2 Partial Key Exposure
More informationOptimal Use of Montgomery Multiplication on Smart Cards
Optimal Use of Montgomery Multiplication on Smart Cards Arnaud Boscher and Robert Naciri Oberthur Card Systems SA, 71-73, rue des Hautes Pâtures, 92726 Nanterre Cedex, France {a.boscher, r.naciri}@oberthurcs.com
More informationPREDICTING MASKED LINEAR PSEUDORANDOM NUMBER GENERATORS OVER FINITE FIELDS
PREDICTING MASKED LINEAR PSEUDORANDOM NUMBER GENERATORS OVER FINITE FIELDS JAIME GUTIERREZ, ÁLVAR IBEAS, DOMINGO GÓMEZ-PEREZ, AND IGOR E. SHPARLINSKI Abstract. We study the security of the linear generator
More informationPrimitive sets in a lattice
Primitive sets in a lattice Spyros. S. Magliveras Department of Mathematical Sciences Florida Atlantic University Boca Raton, FL 33431, U.S.A spyros@fau.unl.edu Tran van Trung Institute for Experimental
More informationCryptography CS 555. Topic 24: Finding Prime Numbers, RSA
Cryptography CS 555 Topic 24: Finding Prime Numbers, RSA 1 Recap Number Theory Basics Abelian Groups φφ pppp = pp 1 qq 1 for distinct primes p and q φφ NN = Z N gg xx mod N = gg [xx mmmmmm φφ NN ] mod
More informationPseudo-random Number Generation. Qiuliang Tang
Pseudo-random Number Generation Qiuliang Tang Random Numbers in Cryptography The keystream in the one-time pad The secret key in the DES encryption The prime numbers p, q in the RSA encryption The private
More informationBreaking Plain ElGamal and Plain RSA Encryption
Breaking Plain ElGamal and Plain RSA Encryption (Extended Abstract) Dan Boneh Antoine Joux Phong Nguyen dabo@cs.stanford.edu joux@ens.fr pnguyen@ens.fr Abstract We present a simple attack on both plain
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 10 February 19, 2013 CPSC 467b, Lecture 10 1/45 Primality Tests Strong primality tests Weak tests of compositeness Reformulation
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More informationCRT-based Fully Homomorphic Encryption over the Integers
CRT-based Fully Homomorphic Encryption over the Integers Jinsu Kim 1, Moon Sung Lee 1, Aaram Yun 2 and Jung Hee Cheon 1 1 Seoul National University (SNU), Republic of Korea 2 Ulsan National Institute of
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More informationSOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies
SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by
More informationCryptanalysis of a Knapsack Based Two-Lock Cryptosystem
Cryptanalysis of a Knapsack Based Two-Lock Cryptosystem Bin Zhang 1,2, Hongjun Wu 1, Dengguo Feng 2, and Feng Bao 1 1 Institute for Infocomm Research, Singapore 119613 2 State Key Laboratory of Information
More informationCPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems
CPE 776:DATA SECURITY & CRYPTOGRAPHY Some Number Theory and Classical Crypto Systems Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Some Number Theory
More informationCryptography. P. Danziger. Transmit...Bob...
10.4 Cryptography P. Danziger 1 Cipher Schemes A cryptographic scheme is an example of a code. The special requirement is that the encoded message be difficult to retrieve without some special piece of
More information10 Modular Arithmetic and Cryptography
10 Modular Arithmetic and Cryptography 10.1 Encryption and Decryption Encryption is used to send messages secretly. The sender has a message or plaintext. Encryption by the sender takes the plaintext and
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 8 February 1, 2012 CPSC 467b, Lecture 8 1/42 Number Theory Needed for RSA Z n : The integers mod n Modular arithmetic GCD Relatively
More informationA Knapsack Cryptosystem Based on The Discrete Logarithm Problem
A Knapsack Cryptosystem Based on The Discrete Logarithm Problem By K.H. Rahouma Electrical Technology Department Technical College in Riyadh Riyadh, Kingdom of Saudi Arabia E-mail: kamel_rahouma@yahoo.com
More informationLinear Ciphers. Klaus Pommerening Fachbereich Physik, Mathematik, Informatik der Johannes-Gutenberg-Universität Saarstraße 21 D Mainz
Linear Ciphers Klaus Pommerening Fachbereich Physik, Mathematik, Informatik der Johannes-Gutenberg-Universität Saarstraße 21 D-55099 Mainz January 16, 2000 English version July 28, 2014 last change August
More informationPublic Key Encryption
Public Key Encryption KG October 17, 2017 Contents 1 Introduction 1 2 Public Key Encryption 2 3 Schemes Based on Diffie-Hellman 3 3.1 ElGamal.................................... 5 4 RSA 7 4.1 Preliminaries.................................
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 6, 2012 CPSC 467b, Lecture 9 1/53 Euler s Theorem Generating RSA Modulus Finding primes by guess and check Density of
More informationA DPA Attack against the Modular Reduction within a CRT Implementation of RSA
A DPA Attack against the Modular Reduction within a CRT Implementation of RSA Bert den Boer, Kerstin Lemke, and Guntram Wicke T-Systems ISS GmbH Rabinstr. 8, D-53111 Bonn, Germany BdenBoer@tpd.tno.nl,
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationMy brief introduction to cryptography
My brief introduction to cryptography David Thomson dthomson@math.carleton.ca Carleton University September 7, 2013 introduction to cryptography September 7, 2013 1 / 28 Outline 1 The general framework
More informationAn Overview of Homomorphic Encryption
An Overview of Homomorphic Encryption Alexander Lange Department of Computer Science Rochester Institute of Technology Rochester, NY 14623 May 9, 2011 Alexander Lange (RIT) Homomorphic Encryption May 9,
More informationMultikey Homomorphic Encryption from NTRU
Multikey Homomorphic Encryption from NTRU Li Chen lichen.xd at gmail.com Xidian University January 12, 2014 Multikey Homomorphic Encryption from NTRU Outline 1 Variant of NTRU Encryption 2 Somewhat homomorphic
More informationAsymmetric Cryptography
Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman General idea: Use two different keys -K and +K for encryption and decryption Given a
More informationChapter 4 Asymmetric Cryptography
Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman [NetSec/SysSec], WS 2008/2009 4.1 Asymmetric Cryptography General idea: Use two different keys -K and +K for
More informationMathematics of Cryptography
UNIT - III Mathematics of Cryptography Part III: Primes and Related Congruence Equations 1 Objectives To introduce prime numbers and their applications in cryptography. To discuss some primality test algorithms
More informationTheme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS
1 C Theme : Cryptography Instructor : Prof. C Pandu Rangan Speaker : Arun Moorthy 93115 CS 2 RSA Cryptosystem Outline of the Talk! Introduction to RSA! Working of the RSA system and associated terminology!
More informationDiscrete Mathematics GCD, LCM, RSA Algorithm
Discrete Mathematics GCD, LCM, RSA Algorithm Abdul Hameed http://informationtechnology.pk/pucit abdul.hameed@pucit.edu.pk Lecture 16 Greatest Common Divisor 2 Greatest common divisor The greatest common
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationSELECTED APPLICATION OF THE CHINESE REMAINDER THEOREM IN MULTIPARTY COMPUTATION
Journal of Applied Mathematics and Computational Mechanics 2016, 15(1), 39-47 www.amcm.pcz.pl p-issn 2299-9965 DOI: 10.17512/jamcm.2016.1.04 e-issn 2353-0588 SELECTED APPLICATION OF THE CHINESE REMAINDER
More informationPractical Fully Homomorphic Encryption without Noise Reduction
Practical Fully Homomorphic Encryption without Noise Reduction Dongxi Liu CSIRO, Marsfield, NSW 2122, Australia dongxi.liu@csiro.au Abstract. We present a new fully homomorphic encryption (FHE) scheme
More informationHidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV *
2017 2nd International Conference on Artificial Intelligence: Techniques and Applications (AITA 2017) ISBN: 978-1-60595-491-2 Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV * DCS
More information1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2
Contents 1 Recommended Reading 1 2 Public Key/Private Key Cryptography 1 2.1 Overview............................................. 1 2.2 RSA Algorithm.......................................... 2 3 A Number
More informationCIS 551 / TCOM 401 Computer and Network Security
CIS 551 / TCOM 401 Computer and Network Security Spring 2008 Lecture 15 3/20/08 CIS/TCOM 551 1 Announcements Project 3 available on the web. Get the handout in class today. Project 3 is due April 4th It
More informationBasic elements of number theory
Cryptography Basic elements of number theory Marius Zimand 1 Divisibility, prime numbers By default all the variables, such as a, b, k, etc., denote integer numbers. Divisibility a 0 divides b if b = a
More informationModular Multiplication in GF (p k ) using Lagrange Representation
Modular Multiplication in GF (p k ) using Lagrange Representation Jean-Claude Bajard, Laurent Imbert, and Christophe Nègre Laboratoire d Informatique, de Robotique et de Microélectronique de Montpellier
More informationBasic elements of number theory
Cryptography Basic elements of number theory Marius Zimand By default all the variables, such as a, b, k, etc., denote integer numbers. Divisibility a 0 divides b if b = a k for some integer k. Notation
More informationCryptography. pieces from work by Gordon Royle
Cryptography pieces from work by Gordon Royle The set-up Cryptography is the mathematics of devising secure communication systems, whereas cryptanalysis is the mathematics of breaking such systems. We
More informationCompartmented Threshold RSA Based on the Chinese Remainder Theorem
Compartmented Threshold RSA Based on the Chinese Remainder Theorem Sorin Iftene Department of Computer Science, Al. I. Cuza University, 700483 Iasi, Romania siftene@info.uaic.ro Manuela Grindei LSV, ENS
More informationPrimitive Sets of a Lattice and a Generalization of Euclidean Algorithm
Primitive Sets of a Lattice and a Generalization of Euclidean Algorithm Spyros. S. Magliveras Center for Cryptology and Information Security Department of Mathematical Sciences Florida Atlantic University
More informationA NEW ATTACK ON RSA WITH A COMPOSED DECRYPTION EXPONENT
A NEW ATTACK ON RSA WITH A COMPOSED DECRYPTION EXPONENT Abderrahmane Nitaj 1 and Mohamed Ould Douh 1,2 1 Laboratoire de Mathématiques Nicolas Oresme, Université de Caen, Basse Normandie, France Université
More informationSome security bounds for the DGHV scheme
Some security bounds for the DGHV scheme Franca Marinelli f.marinelli@studenti.unitn.it) Department of Mathematics, University of Trento, Italy Riccardo Aragona riccardo.aragona@unitn.it) Department of
More informationPublic Key Algorithms
Public Key Algorithms Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/
More informationCandidates must show on each answer book the type of calculator used. Only calculators permitted under UEA Regulations may be used.
UNIVERSITY OF EAST ANGLIA School of Mathematics May/June UG Examination 2010 2011 CRYPTOGRAPHY Time allowed: 2 hours Attempt THREE questions. Candidates must show on each answer book the type of calculator
More informationOn a generalization of addition chains: Addition multiplication chains
Discrete Mathematics 308 (2008) 611 616 www.elsevier.com/locate/disc On a generalization of addition chains: Addition multiplication chains Hatem M. Bahig Computer Science Division, Department of Mathematics,
More informationPractical Fault Countermeasures for Chinese Remaindering Based RSA
Practical Fault Countermeasures for Chinese Remaindering Based RSA (Extended Abstract) Mathieu Ciet 1 and Marc Joye 2, 1 Gemplus R&D, Advanced Research and Security Centre La Vigie, ZI Athélia IV, Av.
More informationCryptanalysis of a homomorphic public-key cryptosystem over a finite group
Cryptanalysis of a homomorphic public-key cryptosystem over a finite group Su-Jeong Choi Simon R. Blackburn and Peter R. Wild Department of Mathematics Royal Holloway, University of London Egham, Surrey
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationRSA ENCRYPTION USING THREE MERSENNE PRIMES
Int. J. Chem. Sci.: 14(4), 2016, 2273-2278 ISSN 0972-768X www.sadgurupublications.com RSA ENCRYPTION USING THREE MERSENNE PRIMES Ch. J. L. PADMAJA a*, V. S. BHAGAVAN a and B. SRINIVAS b a Department of
More informationYALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 13 (rev. 2) Professor M. J. Fischer October 22, 2008 53 Chinese Remainder Theorem Lecture Notes 13 We
More informationMath 299 Supplement: Modular Arithmetic Nov 8, 2013
Math 299 Supplement: Modular Arithmetic Nov 8, 2013 Numbers modulo n. We have previously seen examples of clock arithmetic, an algebraic system with only finitely many numbers. In this lecture, we make
More informationRABIN PUBLIC-KEY CRYPTOSYSTEM IN RINGS OF POLYNOMIALS OVER FINITE FIELDS
RABIN PUBLIC-KEY CRYPTOSYSTEM IN RINGS OF POLYNOMIALS OVER FINITE FIELDS A. N. El-Kassar * Ramzi Haraty Y. A. Awad Department of Division of Computer Department of Mathematics Science and Mathematics Mathematics
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationCube attack in finite fields of higher order
Cube attack in finite fields of higher order Andrea Agnesse 1 Marco Pedicini 2 1 Dipartimento di Matematica, Università Roma Tre Largo San Leonardo Murialdo 1, Rome, Italy 2 Istituto per le Applicazioni
More informationNew Variant of ElGamal Signature Scheme
Int. J. Contemp. Math. Sciences, Vol. 5, 2010, no. 34, 1653-1662 New Variant of ElGamal Signature Scheme Omar Khadir Department of Mathematics Faculty of Science and Technology University of Hassan II-Mohammedia,
More informationBlind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems
Applied Mathematical Sciences, Vol. 6, 202, no. 39, 6903-690 Blind Signature Protocol Based on Difficulty of Simultaneous Solving Two Difficult Problems N. H. Minh, D. V. Binh 2, N. T. Giang 3 and N. A.
More informationHans Delfs & Helmut Knebl: Kryptographie und Informationssicherheit WS 2008/2009. References. References
Hans Delfs & Helmut Knebl: Kryptographie und Informationssicherheit WS 2008/2009 Die Unterlagen sind ausschliesslich zum persoenlichen Gebrauch der Vorlesungshoerer bestimmt. Die Herstellung von elektronischen
More informationPollard s Rho Algorithm for Elliptic Curves
November 30, 2015 Consider the elliptic curve E over F 2 k, where E = n. Assume we want to solve the elliptic curve discrete logarithm problem: find k in Q = kp. Partition E into S 1 S 2 S 3, where the
More informationComputers and Electrical Engineering
Computers and Electrical Engineering 36 (2010) 56 60 Contents lists available at ScienceDirect Computers and Electrical Engineering journal homepage: wwwelseviercom/locate/compeleceng Cryptanalysis of
More information19. Coding for Secrecy
19. Coding for Secrecy 19.1 Introduction Protecting sensitive information from the prying eyes and ears of others is an important issue today as much as it has been for thousands of years. Government secrets,
More informationRSA. Ramki Thurimella
RSA Ramki Thurimella Public-Key Cryptography Symmetric cryptography: same key is used for encryption and decryption. Asymmetric cryptography: different keys used for encryption and decryption. Public-Key
More informationCryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1
Cryptography CS 555 Topic 18: RSA Implementation and Security Topic 18 1 Outline and Readings Outline RSA implementation issues Factoring large numbers Knowing (e,d) enables factoring Prime testing Readings:
More informationIntroduction to Public-Key Cryptosystems:
Introduction to Public-Key Cryptosystems: Technical Underpinnings: RSA and Primality Testing Modes of Encryption for RSA Digital Signatures for RSA 1 RSA Block Encryption / Decryption and Signing Each
More informationCosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks
1 Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks Michael Albert michael.albert@cs.otago.ac.nz 2 This week Arithmetic Knapsack cryptosystems Attacks on knapsacks Some
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationAn Efficient Broadcast Attack against NTRU
An Efficient Broadcast Attack against NTRU Jianwei Li, Yanbin Pan, Mingjie Liu, Guizhen Zhu Institute for Advanced Study, Tsinghua University Beijing 00084, China {lijianwei0, liu-mj07, zhugz08}@mailstsinghuaeducn
More informationIntroduction to Cryptology. Lecture 2
Introduction to Cryptology Lecture 2 Announcements 2 nd vs. 1 st edition of textbook HW1 due Tuesday 2/9 Readings/quizzes (on Canvas) due Friday 2/12 Agenda Last time Historical ciphers and their cryptanalysis
More informationQuadratic Equations from APN Power Functions
IEICE TRANS. FUNDAMENTALS, VOL.E89 A, NO.1 JANUARY 2006 1 PAPER Special Section on Cryptography and Information Security Quadratic Equations from APN Power Functions Jung Hee CHEON, Member and Dong Hoon
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationCSCI3390-Lecture 16: Probabilistic Algorithms: Number Theory and Cryptography
CSCI3390-Lecture 16: Probabilistic Algorithms: Number Theory and Cryptography 1 Two Problems Problem 1. Generate Primes Find a prime number p of between 200 and 1000 decimal digits that has never been
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More information