On the Security of EPOC and TSH-ESIGN
Tatsuaki Okamoto, Tetsutaro Kobayashi
NTT Laboratories, 1-1 Hikarinooka, Yokosuka-shi, Japan
{okamoto, kotetsu}

Abstract

We submitted a public-key encryption scheme, EPOC, and a digital signature scheme, TSH-ESIGN, to IEEE P1363a. The security of EPOC and TSH-ESIGN is based on the intractability of factoring n = p^2 q, where p and q are primes. TSH-ESIGN is also based on the intractability of the approximate e-th root problem (AERP), which is the approximate version of the RSA assumption. This draft describes the latest research status on the intractability of factoring n = p^2 q and on the approximate e-th root assumption, and concludes that these problems are considered almost as intractable as factoring n = pq and inverting the RSA function (i.e., solving the e-th root problem).

1 Security of EPOC and TSH-ESIGN

1.1 Security of EPOC

EPOC (EPOC-2 with one-time padding) [9] is proven secure in the strongest sense (non-malleable against adaptive chosen-ciphertext attacks: NM-CCA2) in the random oracle model under the assumption that factoring n = p^2 q is intractable. That is, EPOC is as secure as factoring n = p^2 q (in the strongest sense, in the random oracle model).

Comparison of security (encryption schemes)

  Scheme              Security against CCA   Number-theoretic assumption   Random-function assumption
  EPOC-2 (with OTP)   Secure (NM-CCA)        Factoring                     Truly random
  OAEP                Secure (NM-CCA)        RSA                           Truly random
  Cramer-Shoup        Secure (NM-CCA)        DDH                           UOWHF

1.2 Security of TSH-ESIGN

TSH-ESIGN [7] is proven secure in the strongest sense (existentially unforgeable against adaptive chosen-message attacks: EUF-CMA) in the random oracle model under the approximate e-th root (AERP) assumption (with modulus n = p^2 q), which is the approximate version of the RSA assumption. That is, TSH-ESIGN is as secure as AERP (in the strongest sense, in the random oracle model).
Definition 1.1 Let G be the key generator of the TSH-ESIGN algorithm. The approximate e-th root problem (AERP) is, given $pk := \{n, e\} \leftarrow G(1^k)$ and $y \in_R \{0,1\}^{k-1}$, to find $x \in (\mathbb{Z}/n\mathbb{Z}) \setminus p\mathbb{Z}$ such that

$$ 0 \,\|\, y = [x^e \bmod n]_k , $$

where $[X]_k$ denotes the $k$ most significant bits of $X$. The approximate e-th root problem is intractable if, for any (uniform or non-uniform) probabilistic polynomial-time machine Adv, for any constant $c$ and for sufficiently large $k$,

$$ \Pr[\mathrm{Adv}(k, n, e, y) \to x] < 1/k^c, \quad \text{where } 0 \,\|\, y = [x^e \bmod n]_k . $$

The probability is taken over the coin flips of G and Adv. The assumption that the approximate e-th root problem is intractable is called the approximate e-th root assumption (AERP assumption).

Table 1: Comparison of security (signature schemes)

  Scheme            Security against CMA   Number-theoretic assumption   Random-function assumption
  TSH-ESIGN         Secure (EUF-CMA)       AERP                          Truly random
  PSS or FDH-RSA    Secure (EUF-CMA)       RSA                           Truly random
  EC-Schnorr        Secure (EUF-CMA)       EC discrete logarithm         Truly random

Table 2: Comparison of computation amount (unit: M(1024))

  Scheme                                         Sig. Gen.   Sig. Ver.
  TSH-ESIGN                                      9           5
  RSA-based scheme (e.g., PSS or FDH-RSA)
  EC-based scheme (e.g., EC-Schnorr or EC-DSA)

2 On the intractability of factoring n = p^2 q

Although it is not known whether n = p^2 q is easier to factor than n = pq, some special algorithms for factoring n = p^2 q have been studied [11, 12, 13, 1]. However, such techniques are specific to the elliptic curve factoring method (ECM), and the fastest algorithm for factoring both n = pq and n = p^2 q is the number field sieve (NFS), whose running time depends only on the size of the composite n. (Even the ECM-based algorithms of [11, 12, 13] are only several times faster than the traditional ECM.)

Recently Boneh et al. presented an algorithm for factoring n = p^r q with large r, using the LLL lattice basis reduction algorithm [2]. Their algorithm, however, is only effective when r is large (at least about (log p)^{1/2}). If r is constant (or small), its running time is exponential in the bit length of n. Hence, for n = p^2 q, their algorithm is less efficient than the ECM and NFS. Therefore, currently the size of n = p^2 q can be the same as that of n = pq if n is sufficiently large (e.g., at least 1024 bits).

3 On the intractability of the approximate e-th root problem

The square-degree version of ESIGN was proposed in 1985 [8] and was broken by Brickell and DeLaurentis in the same year [3, 4]. In other words, they gave an efficient algorithm for the approximate square root problem (AERP with e = 2). They also presented an efficient algorithm for the cubic version, AERP with e = 3. In the late 1980s the French mathematicians Girault, Toffin and Vallée extensively studied various types of approximate e-th root modulo n problems using lattice basis reduction [5, 14, 15]. (The Brickell-DeLaurentis attack is a special case of their lattice basis reduction attack.) However, they found no efficient solution to AERP with e ≥ 4. Since lattice basis reduction is currently the only effective tool for solving such approximate e-th root modulo n problems, no way is known to solve AERP with e ≥ 4 efficiently. (Note that lattice basis reduction is a very powerful tool for a wide range of problems: for example, almost all knapsack public-key cryptosystems were broken by it.)

We have the following conjecture on AERP.

Conjecture: Problem A is expected polynomial-time reducible to Problem B.

Problem A: Given three positive integers M, n and e, find s such that

$$ s^e \equiv M \pmod{n}. $$

Problem B: Given four positive integers M, n, δ and e, and a positive real number ε such that

$$ \delta = n^{\frac{e-1}{e} - \varepsilon}, $$

find s such that

$$ M \le s^e \bmod n < M + \delta. $$

If this conjecture is true, AERP is as intractable as RSA inversion or Rabin inversion. In particular, when e is even (e.g., 8, 16, ...), which we recommend, the conjecture implies that AERP is as intractable as factoring n.

Note: The original ESIGN, based on the same problem as TSH-ESIGN, has already been adopted by ISO/IEC (digital signatures with appendix). (TSH-ESIGN is a provably secure variant of the original ESIGN.)
4 Conclusion

Both problems, factoring n = p^2 q and the approximate e-th root problem (AERP), were explicitly raised by us. For the last 14 years both problems have been extensively investigated by many excellent researchers, such as Adleman, Bleichenbacher, Brickell, DeLaurentis, Girault, McCurley, Odlyzko, Peralta, Pollard, Shamir, Toffin and Vallée. The authors have also communicated with Lenstra and Buchmann on these problems. The fact that no efficient algorithm for either problem has been found for more than 14 years after they were raised implies that these problems are considered almost as intractable as factoring n = pq and the RSA problem.

References

[1] Adleman, L.M. and McCurley, K.S.: Open Problems in Number Theoretic Complexity, II (open problems C7, O7a and O7b), Proc. of ANTS-I, LNCS 877, Springer-Verlag (1995).
[2] Boneh, D., Durfee, G. and Howgrave-Graham, N.: Factoring N = p^r q for Large r, Proc. of Crypto 99, LNCS 1666, Springer-Verlag (1999).
[3] Brickell, E. and DeLaurentis, J.: An Attack on a Signature Scheme Proposed by Okamoto and Shiraishi, Proc. of Crypto 85, LNCS 218, Springer-Verlag (1986).
[4] Brickell, E. and Odlyzko, A.M.: Cryptanalysis: A Survey of Recent Results, Chap. 10 of Contemporary Cryptology, Simmons (Ed.), IEEE Press (1991).
[5] Girault, M., Toffin, P. and Vallée, B.: Computation of Approximate L-th Roots Modulo n and Application to Cryptography, Proc. of Crypto 88, LNCS 403, Springer-Verlag (1990).
[6] Okamoto, T.: A Fast Signature Scheme Based on Congruential Polynomial Operations, IEEE Trans. on Inform. Theory, IT-36, 1 (1990).
[7] Okamoto, T., Fujisaki, E. and Morita, H.: TSH-ESIGN: Efficient Digital Signature Scheme Using Trisection Size Hash, submission to IEEE P1363a (1998).
[8] Okamoto, T. and Shiraishi, A.: A Fast Signature Scheme Based on Quadratic Inequalities, Proc. of the ACM Symposium on Security and Privacy, ACM Press (1985).
[9] Okamoto, T., Uchiyama, S. and Fujisaki, E.: EPOC: Efficient Probabilistic Public-Key Encryption, submission to IEEE P1363a (1998).
[10] Okamoto, T. and Uchiyama, S.: A New Public-Key Cryptosystem as Secure as Factoring, Proc. of Eurocrypt 98, LNCS 1403, Springer-Verlag (1998).
[11] Peralta, R.: Bleichenbacher's improvement for factoring numbers of the form N = PQ^2 (private communication) (1997).
[12] Peralta, R. and Okamoto, E.: Faster Factoring of Integers of a Special Form, IEICE Trans. Fundamentals, E79-A, 4 (1996).
[13] Pollard, J.M.: Manuscript (1997).
[14] Vallée, B., Girault, M. and Toffin, P.: How to Break Okamoto's Cryptosystem by Reducing Lattice Bases, Proc. of Eurocrypt 88, LNCS 330, Springer-Verlag (1988).
[15] Vallée, B., Girault, M. and Toffin, P.: How to Guess L-th Roots Modulo n by Reducing Lattice Bases, Proc. of ISSAC-88 and AAECC-6 (1988).

5 Appendix A: Patent Statement by Nippon Telegraph and Telephone Corporation (NTT)

Nippon Telegraph and Telephone Corporation (NTT) has submitted EPOC and TSH-ESIGN to IEEE P1363a. Should these submissions be selected for inclusion in IEEE P1363a, NTT hereby declares that it is prepared to license its patents, both granted and pending, which are necessary to use and/or sell implementations of the above submissions, to an unrestricted number of applicants on a worldwide, non-exclusive, royalty-free basis.

6 Appendix B: Specification of EPOC

6.1 Key Generation: G

The input and output of G are as follows:
[Input] Security parameter k (= plen).
[Output] A public key (n, g, h, H, G, plen, hlen, glen, rlen) and a secret key (p, g_p).

The operation of G on input k is as follows:
- Choose two primes p, q (|p| = |q| = k) and compute n = p^2 q. Here p - 1 = p' u and q - 1 = q' v, where p' and q' are primes and u and v are O(log k). (Note that gcd(p, q - 1) = 1 and gcd(q, p - 1) = 1.)
- Choose g ∈ (Z/nZ)^* randomly such that the order of g_p := g^{p-1} mod p^2 is p.
- Choose h_0 ∈ (Z/nZ)^* randomly and independently of g, and compute h := h_0^n mod n.
- Set plen := k, and set rlen such that rlen ≤ plen - 1.
- Select (hash) functions H: {0,1}^* → {0,1}^{hlen} and G: {0,1}^* → {0,1}^{glen}.

Note: g_p is a supplementary parameter that improves the efficiency of decryption; it can be calculated from p and g. h can be g^n mod n when hlen = (2 + c_0) k (c_0 is a constant > 0). H and G can be fixed by the system and shared by many users.
6.2 Encryption: E

Let SymE = (SymEnc, SymDec) be a pair of symmetric-key encryption and decryption algorithms with symmetric key K, where the length of K is glen. The encryption algorithm SymEnc takes key K and plaintext X and returns ciphertext SymEnc(K, X). The decryption algorithm SymDec takes key K and ciphertext Y and returns plaintext SymDec(K, Y).

The input and output of E are as follows:
[Input] Plaintext M ∈ {0,1}^{mlen} along with the public key (n, g, h, H, G, plen, hlen, glen, rlen) and SymEnc.
[Output] Ciphertext C = (C_1, C_2).

The operation of E on input M, (n, g, h, H, G, plen, hlen, glen, rlen) and SymEnc is as follows:
- Select R ∈ {0,1}^{rlen} uniformly at random and compute G(R).
- Compute H(M || R), where M || R denotes the concatenation of M and R.
- Compute
      C_1 := g^R h^{H(M || R)} mod n,
      C_2 := SymEnc(G(R), M).

Remark: A typical way to realize SymE is one-time padding, i.e., SymEnc(K, X) := K ⊕ X and SymDec(K, Y) := K ⊕ Y, where ⊕ denotes the bit-wise exclusive-or.

6.3 Decryption: D

The input and output of D are as follows:
[Input] Ciphertext C = (C_1, C_2) along with the public key (n, g, h, H, G, plen, hlen, glen, rlen), the secret key (p, g_p) and SymDec.
[Output] Plaintext M or the null string.

The operation of D on input C = (C_1, C_2) along with (n, g, h, H, G, plen, hlen, glen, rlen), (p, g_p) and SymDec is as follows:
- Compute C_p := C_1^{p-1} mod p^2 and R' := L(C_p) / L(g_p) mod p, where L(x) := (x - 1)/p.
- Compute M' := SymDec(G(R'), C_2).
- Check whether C_1 = g^{R'} h^{H(M' || R')} mod n holds. If it holds, output M' as the decrypted plaintext; otherwise output the null string.
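The key generation, encryption and decryption steps of Appendix B, carried through in working code as an added example (this is not the authors' code and not the P1363a reference implementation). Everything the specification leaves open is an assumption of the example: H is SHA-256, G is SHAKE-256 stretched to the message length, one-time padding is used for SymE, the strong-prime condition p - 1 = p'u, q - 1 = q'v is not enforced, and the demo primes 998244353 and 1000000007 are two well-known 30-bit primes, far too small for real use. The comments explain why C_1^{p-1} mod p^2 exposes R and why the re-encryption check is what makes the scheme reject malformed ciphertexts.

```python
# Worked example added to this page (not the authors' code): EPOC-2 with
# one-time padding as in Appendix B. Assumptions the page leaves open:
# H = SHA-256 (hlen = 256), G = SHAKE-256 stretched to the message length,
# the strong-prime condition p-1 = p'u, q-1 = q'v is not enforced, and the
# demo primes are two well-known 30-bit primes, far too small for real use.
import hashlib
import random
from dataclasses import dataclass
from math import gcd


@dataclass(frozen=True)
class EpocPublicKey:
    n: int
    g: int
    h: int
    plen: int
    rlen: int


@dataclass(frozen=True)
class EpocSecretKey:
    p: int
    g_p: int  # g^(p-1) mod p^2, precomputed for decryption


def _hash_h(msg: bytes, r_bytes: bytes) -> int:
    """H(M || R) as an integer (SHA-256 stands in for the unspecified H)."""
    return int.from_bytes(hashlib.sha256(msg + r_bytes).digest(), "big")


def _pad_g(r_bytes: bytes, length: int) -> bytes:
    """G(R) as a one-time pad of the required length (SHAKE-256, assumption)."""
    return hashlib.shake_256(r_bytes).digest(length)


def _r_bytes(pk: EpocPublicKey, r: int) -> bytes:
    return r.to_bytes((pk.rlen + 7) // 8, "big")


def epoc_keygen(p: int, q: int, rng: random.Random):
    """Key generation G of Appendix B for given primes p, q of equal length."""
    k = p.bit_length()
    assert q.bit_length() == k and gcd(p, q - 1) == 1 and gcd(q, p - 1) == 1
    n, p2 = p * p * q, p * p
    while True:                                   # g with ord(g_p) = p
        g = rng.randrange(2, n)
        if gcd(g, n) != 1:
            continue
        g_p = pow(g, p - 1, p2)
        # g_p^p = g^(p(p-1)) = 1 in (Z/p^2Z)^*, so ord(g_p) = p iff g_p != 1
        if g_p != 1:
            break
    while True:                                   # h0 in (Z/nZ)^*, h = h0^n
        h0 = rng.randrange(2, n)
        if gcd(h0, n) == 1:
            break
    return EpocPublicKey(n, g, pow(h0, n, n), k, k - 1), EpocSecretKey(p, g_p)


def epoc_encrypt(pk: EpocPublicKey, msg: bytes, rng: random.Random):
    """E: C1 = g^R h^H(M||R) mod n, C2 = G(R) xor M."""
    r = rng.getrandbits(pk.rlen)
    rb = _r_bytes(pk, r)
    c1 = pow(pk.g, r, pk.n) * pow(pk.h, _hash_h(msg, rb), pk.n) % pk.n
    c2 = bytes(a ^ b for a, b in zip(_pad_g(rb, len(msg)), msg))
    return c1, c2


def epoc_decrypt(pk: EpocPublicKey, sk: EpocSecretKey, c1: int, c2: bytes):
    """D: recover R' from C1^(p-1) mod p^2, then re-encrypt and compare."""
    p2 = sk.p * sk.p
    # h^(p-1) = h0^(n(p-1)) is 1 mod p^2 (group order p(p-1) divides n(p-1)),
    # so C1^(p-1) = g_p^R = (1 + ap)^R = 1 + R a p (mod p^2), and L(.) linearises it.
    c_p = pow(c1, sk.p - 1, p2)

    def lfun(x: int) -> int:                      # L(x) = (x - 1) / p
        return (x - 1) // sk.p

    r = lfun(c_p) * pow(lfun(sk.g_p), -1, sk.p) % sk.p
    if r >= 1 << pk.rlen:                         # R' does not fit in rlen bits
        return None
    rb = _r_bytes(pk, r)
    msg = bytes(a ^ b for a, b in zip(_pad_g(rb, len(c2)), c2))
    if pow(pk.g, r, pk.n) * pow(pk.h, _hash_h(msg, rb), pk.n) % pk.n != c1:
        return None                               # validity check failed: null string
    return msg


def epoc_demo(seed: int = 2024, msg: bytes = b"attack at dawn"):
    """Round trip plus two tampered ciphertexts; returns the three outputs."""
    rng = random.Random(seed)
    pk, sk = epoc_keygen(998244353, 1000000007, rng)   # constructed toy primes
    c1, c2 = epoc_encrypt(pk, msg, rng)
    flipped_c2 = bytes([c2[0] ^ 0x80]) + c2[1:]
    return (epoc_decrypt(pk, sk, c1, c2),
            epoc_decrypt(pk, sk, c1, flipped_c2),
            epoc_decrypt(pk, sk, c1 * pk.g % pk.n, c2))


if __name__ == "__main__":
    print(epoc_demo())
```

The two tampered ciphertexts show the point of the final check in D: a flipped bit in C_2 or a multiplied C_1 still yields some R' and some M', but re-encrypting (M', R') no longer reproduces C_1, so the decryptor returns the null string instead of a related plaintext. The rlen ≤ plen - 1 requirement from key generation is what makes R < p, so the value recovered modulo p is R itself.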
7 Appendix C: Specification of TSH-ESIGN

7.1 Key Generation: G

The input and output of G are as follows:
[Input] Security parameter k (= plen), a positive integer.
[Output] A public key (n, e, H, plen) and a secret key (p, q).

The operation of G on input k is as follows:
- Choose two primes p, q (|p| = |q| = k) and compute n := p^2 q. Here p - 1 = p' u and q - 1 = q' v, where p' and q' are primes and u and v are O(log k).
- Select an integer e > 4 (e.g., e = 2^l with l = O(log n)).
- Set plen := k.
- Select a (hash) function H: {0,1}^* → {0,1}^{plen-1}.

Remark: Since the signing and verification procedures always use 0 || H(x) rather than H(x) itself, H(x) can be realized with a hash function H': {0,1}^* → {0,1}^{plen} as follows: first compute H'(x), then set the most significant bit of H'(x) to 0 while preserving the other bits. The resulting value is 0 || H(x).

7.2 Signing: S

The input and output of S are as follows:
[Input] Message M ∈ {0,1}^{mlen} along with the public key (n, e, H, plen) and the secret key (p, q).
[Output] Signature S.

The operation of S on input M and (p, q, n, e, H, plen) is as follows:
1. Pick r uniformly at random from (Z/pqZ) \ pZ/pqZ := {r ∈ Z/pqZ | gcd(r, p) = 1}.
2. Set z ← (0 || H(M) || 0^{2 plen}) and α ← (z - r^e) mod n.
3. Set (w_0, w_1) such that
       w_0 = ⌈α / (pq)⌉,                          (1)
       w_1 = w_0 · pq - α.                         (2)
   If w_1 ≥ 2^{2 plen - 1}, go back to Step 1. (I.e., if the most significant bit of w_1 is 1, go back to Step 1.)
4. Set t ← w_0 / (e r^{e-1}) mod p, and s ← (r + t pq) mod n.
5. Output S := s as the signature of M.
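The specification does not spell out why Step 4 makes the top plen bits of s^e mod n equal 0 || H(M); the following derivation is added here and is not part of the original submission. Since (pq)^2 = p · n ≡ 0 (mod n), the binomial expansion of s^e = (r + t pq)^e reduces to its first two terms:

$$ s^e \equiv r^e + e\,r^{e-1}\,t\,pq \pmod{n}. $$

Step 4 chooses t with e r^{e-1} t ≡ w_0 (mod p), i.e. e r^{e-1} t = w_0 + m p for some integer m, and m p · pq = m n ≡ 0 (mod n). Together with (2) and the definition of α this gives

$$ s^e \equiv r^e + w_0\,pq = r^e + \alpha + w_1 \equiv z + w_1 \pmod{n}. $$

The low 2 plen bits of z = 0 || H(M) || 0^{2 plen} are zero and Step 3 guarantees 0 ≤ w_1 < 2^{2 plen - 1}, so adding w_1 cannot carry into the top plen bits and

$$ [z + w_1]_{plen} = 0 \,\|\, H(M). $$

This argument assumes z + w_1 < n, so that the congruence is an equality of integers and no reduction modulo n disturbs the top bits. The specification leaves that condition implicit; an implementer should therefore check, when p and q are chosen, that n exceeds 2^{3 plen - 1} + 2^{2 plen - 1}.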
7.3 Verification: V

The input and output of V are as follows:
[Input] A pair of signature S and message M along with the public key (n, e, H, plen).
[Output] Verification result (valid or invalid).

The operation of V on input (M, S) along with (n, e, H, plen) is as follows: check whether the following equation holds:

       [S^e mod n]_{plen} == 0 || H(M).             (3)

Here [X]_k denotes the k most significant bits of X. If it holds, output valid (or 1); otherwise output invalid (or 0).
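Definition 1.1 and Appendix C carried through in working code as an added example (this is not the authors' code and not the P1363a reference implementation). The signer is exactly the trapdoor solver for AERP instances: it produces an x whose e-th power modulo n has the prescribed top bits, and the verifier is the membership check of Definition 1.1 applied to y = H(M). Assumptions of the example that the page does not fix: H is SHAKE-256 masked to plen - 1 bits, e = 2^10, the strong-prime condition on p and q is not enforced, and the demo primes 1000000007 and 1000000009 are two well-known 30-bit primes, far too small for real use, chosen large enough that n > 2^{3 plen - 1} + 2^{2 plen - 1} (the condition the signing algorithm needs, which the key generator here checks explicitly).

```python
# Worked example added to this page (not the authors' code): TSH-ESIGN key
# generation, signing and verification as in Appendix C, with the check of
# Definition 1.1 factored out. Assumptions the page leaves open: H is
# SHAKE-256 masked to plen-1 bits, e = 2^10, the strong-prime condition on
# p, q is not enforced, and the demo primes are two well-known 30-bit primes
# (far too small for real use) large enough that n > 2^(3 plen - 1).
import hashlib
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class EsignPublicKey:
    n: int
    e: int
    plen: int


@dataclass(frozen=True)
class EsignSecretKey:
    p: int
    q: int


def hash_plen(msg: bytes, plen: int) -> int:
    """H: {0,1}^* -> {0,1}^(plen-1); 0||H(M) is then a plen-bit value."""
    digest = hashlib.shake_256(msg).digest((plen + 6) // 8)
    return int.from_bytes(digest, "big") & ((1 << (plen - 1)) - 1)


def is_approx_root(n: int, e: int, k: int, y: int, x: int) -> bool:
    """Definition 1.1: [x^e mod n]_k == 0||y, n being a 3k-bit modulus."""
    return (pow(x, e, n) >> (2 * k)) == y


def esign_keygen(p: int, q: int, e: int = 1 << 10):
    k = p.bit_length()
    assert q.bit_length() == k and e > 4 and e % 2 == 0
    n = p * p * q
    # Not stated on the page, but needed so that z + w1 < n in signing and
    # the top plen bits survive the reduction modulo n.
    assert n > (1 << (3 * k - 1)) + (1 << (2 * k - 1))
    return EsignPublicKey(n, e, k), EsignSecretKey(p, q)


def esign_sign(pk: EsignPublicKey, sk: EsignSecretKey, msg: bytes,
               rng: random.Random) -> int:
    n, e, k = pk.n, pk.e, pk.plen
    p, pq = sk.p, sk.p * sk.q
    z = hash_plen(msg, k) << (2 * k)              # z = 0 || H(M) || 0^(2 plen)
    while True:
        r = rng.randrange(1, pq)                  # step 1: r in Z/pqZ, gcd(r, p) = 1
        if r % p == 0:
            continue
        alpha = (z - pow(r, e, n)) % n            # step 2
        w0 = -(-alpha // pq)                      # step 3: w0 = ceil(alpha / pq)
        w1 = w0 * pq - alpha
        if w1 >= 1 << (2 * k - 1):                # MSB of w1 is 1: back to step 1
            continue
        inv = pow(e * pow(r, e - 1, p) % p, -1, p)
        t = w0 * inv % p                          # step 4: t = w0 / (e r^(e-1)) mod p
        return (r + t * pq) % n


def esign_verify(pk: EsignPublicKey, msg: bytes, s: int) -> bool:
    """Equation (3): [S^e mod n]_plen == 0||H(M)."""
    return 0 < s < pk.n and is_approx_root(pk.n, pk.e, pk.plen,
                                           hash_plen(msg, pk.plen), s)


def esign_demo(seed: int = 7, msg: bytes = b"sign me"):
    """Sign one message; returns the signature and three verification results."""
    pk, sk = esign_keygen(1000000007, 1000000009)    # constructed toy primes
    s = esign_sign(pk, sk, msg, random.Random(seed))
    return (s,
            esign_verify(pk, msg, s),                 # genuine signature
            esign_verify(pk, msg + b"!", s),          # other message
            esign_verify(pk, msg, (s + 1) % pk.n))    # altered signature


if __name__ == "__main__":
    print(esign_demo())
```

Note that the signer never needs r to be coprime to q, only to p, because t is computed modulo p alone; and that e being a power of two keeps e r^{e-1} invertible modulo the odd prime p. The retry in Step 3 succeeds on a constant fraction of draws, since w_1 is spread over [0, pq) and pq < 2^{2 plen}.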
More informationOn the Big Gap Between p and q in DSA
On the Big Gap Between p and in DSA Zhengjun Cao Department of Mathematics, Shanghai University, Shanghai, China, 200444. caozhj@shu.edu.cn Abstract We introduce a message attack against DSA and show that
More informationDefinition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University
Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0
More informationA New Trapdoor in Modular Knapsack Public-Key Cryptosystem
A New Trapdoor in Modular Knapsack Public-Key Cryptosystem Takeshi Nasako Yasuyuki Murakami Abstract. Merkle and Hellman proposed a first knapsack cryptosystem. However, it was broken because the density
More informationBoneh-Franklin Identity Based Encryption Revisited
Boneh-Franklin Identity Based Encryption Revisited David Galindo Institute for Computing and Information Sciences Radboud University Nijmegen P.O.Box 9010 6500 GL, Nijmegen, The Netherlands. d.galindo@cs.ru.nl
More informationComputers and Mathematics with Applications
Computers and Mathematics with Applications 61 (2011) 1261 1265 Contents lists available at ScienceDirect Computers and Mathematics with Applications journal homepage: wwwelseviercom/locate/camwa Cryptanalysis
More informationHidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV *
2017 2nd International Conference on Artificial Intelligence: Techniques and Applications (AITA 2017) ISBN: 978-1-60595-491-2 Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV * DCS
More informationRSA RSA public key cryptosystem
RSA 1 RSA As we have seen, the security of most cipher systems rests on the users keeping secret a special key, for anyone possessing the key can encrypt and/or decrypt the messages sent between them.
More informationFault Attacks Against emv Signatures
Fault Attacks Against emv Signatures Jean-Sébastien Coron 1, David Naccache 2, and Mehdi Tibouchi 2 1 Université du Luxembourg 6, rue Richard Coudenhove-Kalergi l-1359 Luxembourg, Luxembourg {jean-sebastien.coron,
More informationHidden Field Equations
Security of Hidden Field Equations (HFE) 1 The security of Hidden Field Equations ( H F E ) Nicolas T. Courtois INRIA, Paris 6 and Toulon University courtois@minrank.org Permanent HFE web page : hfe.minrank.org
More informationCOMP4109 : Applied Cryptography
COMP409 : Applied Cryptography Fall 203 M. Jason Hinek Carleton University Applied Cryptography Day 3 public-key encryption schemes some attacks on RSA factoring small private exponent 2 RSA cryptosystem
More informationJohn Hancock enters the 21th century Digital signature schemes. Table of contents
John Hancock enters the 21th century Digital signature schemes Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents From last time: Good news and bad There
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationDouble-Moduli Gaussian Encryption/Decryption with Primary Residues and Secret Controls
Int. J. Communications, Network and System Sciences, 011, 4, 475-481 doi:10.436/ijcns.011.47058 Published Online July 011 (http://www.scirp.org/journal/ijcns) Double-Moduli Gaussian Encryption/Decryption
More informationOn the security of Jhanwar-Barua Identity-Based Encryption Scheme
On the security of Jhanwar-Barua Identity-Based Encryption Scheme Adrian G. Schipor aschipor@info.uaic.ro 1 Department of Computer Science Al. I. Cuza University of Iași Iași 700506, Romania Abstract In
More informationHigh-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven
High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers
More informationREMARKS ON IBE SCHEME OF WANG AND CAO
REMARKS ON IBE SCEME OF WANG AND CAO Sunder Lal and Priyam Sharma Derpartment of Mathematics, Dr. B.R.A.(Agra), University, Agra-800(UP), India. E-mail- sunder_lal@rediffmail.com, priyam_sharma.ibs@rediffmail.com
More informationComparing With RSA. 1 ucl Crypto Group
Comparing With RSA Julien Cathalo 1, David Naccache 2, and Jean-Jacques Quisquater 1 1 ucl Crypto Group Place du Levant 3, Louvain-la-Neuve, b-1348, Belgium julien.cathalo@uclouvain.be, jean-jacques.quisquater@uclouvain.be
More informationA New Class of Product-sum Type Public Key Cryptosystem, K(V)ΣΠPKC, Constructed Based on Maximum Length Code
A New Class of Product-sum Type Public Key Cryptosystem, K(V)ΣΠPKC, Constructed Based on Maximum Length Code Masao KASAHARA Abstract The author recently proposed a new class of knapsack type PKC referred
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationAn Introduction to Probabilistic Encryption
Osječki matematički list 6(2006), 37 44 37 An Introduction to Probabilistic Encryption Georg J. Fuchsbauer Abstract. An introduction to probabilistic encryption is given, presenting the first probabilistic
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 60 Outline 1 RSA Encryption Scheme 2 Discrete Logarithm and Diffie-Hellman Algorithm 3 ElGamal Encryption Scheme 4
More informationIntroduction to Public-Key Cryptosystems:
Introduction to Public-Key Cryptosystems: Technical Underpinnings: RSA and Primality Testing Modes of Encryption for RSA Digital Signatures for RSA 1 RSA Block Encryption / Decryption and Signing Each
More informationProvable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval
Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction
More informationOutline. Available public-key technologies. Diffie-Hellman protocol Digital Signature. Elliptic curves and the discrete logarithm problem
Outline Public-key cryptography A collection of hard problems Mathematical Background Trapdoor Knapsack Integer factorization Problem Discrete logarithm problem revisited Case of Study: The Sun NFS Cryptosystem
More informationA Simple Public-Key Cryptosystem with a Double Trapdoor Decryption Mechanism and its Applications
A Simple Public-Key Cryptosystem with a Double Trapdoor Decryption Mechanism and its Applications Emmanuel Bresson 1, Dario Catalano, and David Pointcheval 1 Cryptology Department, CELAR, 35174 Bruz Cedex,
More informationThe Decisional Diffie-Hellman Problem and the Uniform Boundedness Theorem
The Decisional Diffie-Hellman Problem and the Uniform Boundedness Theorem Qi Cheng and Shigenori Uchiyama April 22, 2003 Abstract In this paper, we propose an algorithm to solve the Decisional Diffie-Hellman
More information