Fast Three-Party Shared Generation of RSA Keys Without Distributed Primality Tests
Maged H. Ibrahim, I. I. Ibrahim, A. H. El-Sawy
Telecommunications Department, Faculty of Engineering, Helwan University, Helwan, Cairo, Egypt

Abstract
Distributed primality tests for the purpose of testing the factors of the jointly generated RSA modulus have always been considered a nightmare because of the large amount of time required for the test to succeed: an enormous number of trials must be performed before a suitable RSA modulus is established. In this paper we propose a protocol that allows three parties to share the generation of an RSA modulus N and to share the secret key d. The protocol enjoys the following properties, which do not exist in previous protocols:
- The protocol does not need any distributed primality tests. The three parties are able to find a suitable modulus from the first trial without any additional tests.
- The protocol can generate an RSA modulus which is a composite of safe primes.
- The protocol is less vulnerable to the RSA attacks in [26, 27].

1 Introduction
In several cryptographic protocols, such as threshold cryptography [1, 6, 23], there are n parties (players) sharing the signature key in such a way that no subset of t or fewer players can generate a signature, while any subset of t + 1 or more players can perform the signature correctly, where t is the threshold. The shares of the private key are set and distributed by an honest dealer. The problem with such protocols is that the dealer himself is a single point of failure: any adversary who compromises the dealer can forge the signature. When collective signature protocols are considered, the problem with the RSA signature scheme is that the RSA public modulus N is a composite of two large primes p and q, and these two primes must be kept secret from the players. The players need to agree on a modulus N and be convinced that N is a product of two large primes, with no information revealed to them about its factorization.
The nature of the modulus N of the RSA function makes it more difficult to share RSA keys without the help of a dealer than in other signature schemes, such as DSS [2, 3, 4], which only require large public primes.

2 Related Work, Motivations and Contributions

2.1 Related work
Boneh and Franklin [7] showed how to generate the RSA keys without the help of the dealer; several phases of their protocols utilize reduced versions of information-theoretic private multiparty computations. Clifford Cocks [8] proposed another, but unproven, solution for two-party RSA function sharing; the protocol was extended to the multiparty case in [21], and the computational intractability of his problem is weaker than RSA. Blackburn et al. [9] investigated Cocks' protocol by adding verifiability to his scheme to face malicious behavior of the two parties. Frankel, Mackenzie and Yung [10] improved the security of the Boneh-Franklin protocol. Later, Poupard and Stern [11] showed a different protocol for two parties to jointly generate an RSA key. Niv Gilboa [12] constructed three protocols for two-party RSA key generation: the first is based on the (1-out-2) oblivious transfer of strings, the second on an efficient polynomial evaluation technique, and the third on a special type of homomorphic encryption function. Because the modulus is generated as a product of two l-bit random numbers chosen simultaneously, the probability that such a generated modulus is a product of exactly two primes is $(\ln 2 \cdot l)^{-2}$ according to the prime number theorem, requiring a number of trials in the order of
$O(l^2)$. The method of Boneh and Horwitz [24] is a k-private test to check whether a candidate modulus is a product of three primes. Yet picking three l-bit numbers simultaneously would result in an $O(l^3)$ running time. Confining itself to the three-party setting, a variant of the algorithm achieves an $O(l)$ running time. Straub [25] took up ideas of Boneh-Horwitz and Gilboa to obtain an efficient algorithm tailored to the two-party scenario. His method allows the generation of a multi-prime RSA modulus of length 3l in an expected running time of $O(l)$. In [?], in the honest-but-curious scenario, Shoup et al. introduced a protocol to share a safe prime and applied it to jointly generate an RSA modulus which is a composite of safe primes. However, their protocol still requires a number of trials of $O(l)$. In the above protocols, if a trial division test (spoken of as a trivial division test) is performed to check that the picked random strings are not divisible by small primes, the number of trials required to find a suitable modulus drops by a factor of $\lg l$.

2.2 Motivations
The work in this paper is motivated by the observation that almost all the methods proposed so far suffer from the following common weaknesses:
- They require a distributed primality test to ensure that the generated modulus is a composite of two or more primes, requiring a large number of trials until this test succeeds, which is an extensive task.
- They are unable to generate an RSA modulus which is a composite of two or more safe primes.
Remark. The second weakness applies to all previous protocols except the protocol in [?].

2.3 Contributions
In this paper we propose a three-party protocol for the shared generation of an RSA modulus N which is a composite of three primes, without the need for any distributed primality tests after this modulus is generated. A suitable modulus is generated from the first trial.
Also, our protocol is able to generate an RSA modulus which is a product of three safe primes. This is possible since the parties originally select the factors as prime numbers.

3 The Model
In the communication model, the three parties, Alice, Bob and Carol, are fully connected, such that any party can communicate with any other party through a private and authenticated channel. The parties also have access to a broadcast channel. In the adversary model, we assume a passive adversary, which means that this adversary can see and learn all information sent to or from the corrupted party without compromising the correct behavior of this party. The parties follow the execution steps of the protocol word for word. This commonly used security model is well known as the honest-but-curious scenario. The protocol is 1-private: a single party has no information about the full factorization of the RSA modulus N, whereas, if two parties collaborate, they can factor N. One may alternatively say that if the adversary successfully eavesdrops on more than one party, she can factor N.

4 Preliminaries

4.1 RSA Cryptosystem
A valid RSA modulus N is a product of distinct odd primes or safe primes, $N = \prod_{i=1}^{n} q_i$, $n \ge 2$. A safe prime $q$ is of the form $q = 2q' + 1$ where $q'$ is also a prime. In case n = 2, the cryptosystem is spoken of as standard RSA; otherwise, it is a multi-prime RSA. e is the public exponent while d is the private exponent satisfying $ed \equiv 1 \bmod \phi(N)$. For threshold cryptography purposes, the private exponent is to be shared among the incorporated parties; a straightforward way to do that is to additively share $d = d_1 + d_2 + d_3 \bmod \phi(N)$ among three parties, for example. In order to sign the hash of a message h, each party generates her partial signature as $S_i = h^{d_i} \bmod N$. The final signature is $S = S_1 S_2 S_3 \bmod N$.
There are some advantages to using an RSA modulus $N = q_1 q_2 q_3$ rather than the usual $N = pq$:
- Signature generation is much faster using the Chinese remainder theorem [28]. One may compute $m^{d \bmod (q_i - 1)} \bmod q_i$, $i = 1, 2, 3$; since the numbers and exponents are smaller, the generation of the signature is twice as fast as using the Chinese remainder theorem for $N = pq$.
- The attack on RSA due to Wiener [26] becomes less efficient when using three prime factors [24].
- The fastest factoring methods [27] cannot take advantage of the fact that the factors of $N = q_1 q_2 q_3$ are smaller than those of a standard RSA modulus $N = pq$ [24].

4.2 Related Protocols
As a warm-up, we introduce several protocols which are closely related to the protocol presented in this paper. First,
we describe the protocol of Boneh and Franklin [7], which allows three parties (Alice, Bob and Carol) to jointly generate an RSA modulus $N = pq$. The protocol outline is as follows:
Step 1. Alice picks at random two secret l-bit integers $p_a$ and $q_a$, Bob picks two random and secret l-bit integers $p_b$ and $q_b$, while Carol picks two random and secret l-bit integers $p_c$ and $q_c$.
Step 2. Using private distributed computation they compute $N = (p_a + p_b + p_c)(q_a + q_b + q_c)$.
Step 3. They perform a distributed primality test to ensure that N is a product of two primes.
The expected number of trials until a suitable modulus is generated is $O(l^2)$.

An alternate approach proposed by Boneh and Horwitz [24] to combat the quadratic slowdown in the above protocol is as follows:
Step 1. Alice picks a random l-bit prime $p$ and a random l-bit integer $r_a$, Bob picks a random l-bit prime $q$ and a random l-bit integer $r_b$, and Carol picks a random l-bit integer $r_c$.
Step 2. Using a private distributed computation they compute $N = pq(r_a + r_b + r_c)$ with no information revealed about the full factorization of N.
Step 3. The three parties run a distributed primality test to test that $r_a + r_b + r_c$ is exactly a prime.

In the recent two-party protocol of Straub [25], the two parties Alice and Bob construct a 3l-bit modulus of the form $(p_a + p_b) q_a q_b$, where $p_a, p_b$ are arbitrary $(l-1)$-bit random numbers and $q_a, q_b$ are l-bit primes. Alice holds $p_a, q_a$ while Bob holds $p_b, q_b$. A suitable modulus is found after an expected time of $O(l)$ using distributed sieving.

4.3 Notion of Secret Sharing Representations: The Building Block
Let $R$ be a ring and let $s \in R$ be a secret. Assume that Alice holds the pair $x, a \in R$ while Bob holds the pair $y, b \in R$, where
$s = x + y = ab$
The pair $(x, y)$ is called an additive sharing of $s$, while the pair $(a, b)$ is called a multiplicative sharing of $s$.
The protocol described in this paper requires a subprotocol for two parties to switch from a multiplicative sharing of a secret value to an additive sharing of this value. Namely, Alice holds $a$ while Bob holds $b$ such that $ab = s$; Alice and Bob run a subroutine, which we will call mult-to-sum, at the end of which Alice holds $x$ and Bob holds $y$ such that $x + y = s$, with no information leaked to either of them about $s$ or the multiplicative shares. The mult-to-sum subroutine can be implemented by different techniques. It may be implemented by homomorphic encryption, which is essentially a public key cryptosystem with a useful homomorphic property [25]. It can also be implemented via oblivious transfer of strings [13, 14, 15, 16, 18, 19]. The subroutine we describe next is an example, not a restriction; it uses the 1-out-2 oblivious transfer of strings $OT_1^2$ [20] as the underlying primitive.

Consider party A(lice) and party B(ob), where A holds a secret $a$ and B holds a secret $b$, with $a, b \in R$, where $R$ is a public ring, and let $\rho = \log |R|$. A and B wish to perform a computation after which A has $x$ and B has $y$ such that $x + y = ab$. All computations are performed over $R$. The mult-to-sum subroutine is as follows [12]:
- B selects uniformly at random and independently $\rho$ ring elements, $s_0, \ldots, s_{\rho-1} \in R$.
- B proceeds by preparing $\rho$ pairs of elements in $R$: $(t_0^0, t_0^1), \ldots, (t_{\rho-1}^0, t_{\rho-1}^1)$. B sets $t_i^0 = s_i$ and $t_i^1 = 2^i b + s_i$ for all $i$ $(0 \le i \le \rho - 1)$.
- Let the binary representation of $a$ be $a_{\rho-1}, \ldots, a_0$. A and B execute $\rho$ $OT_1^2$s. In the $k$-th invocation, A chooses $t_k^{a_k}$ from the pair $(t_k^0, t_k^1)$.
- A sets $x = \sum_{i=0}^{\rho-1} t_i^{a_i}$ and B sets $y = -\sum_{i=0}^{\rho-1} s_i$.
In the above subroutine, $x = \sum_{i=0}^{\rho-1} t_i^{a_i} = \sum_{i=0}^{\rho-1} (a_i 2^i b + s_i)$ and consequently $x + y = ab$ over $R$. The transcript of the view of both parties can be simulated and hence the protocol is secure. The proof of this statement is given in [12].

5 The Protocol
In this section we present the complete description of our protocol.

5.1 Shared Generation of the RSA Modulus N
Alice picks a random l-bit prime $q_a$, Bob picks a random l-bit prime $q_b$ and Carol picks a random l-bit prime $q_c$. They want to share the computation of the RSA modulus $N = q_a q_b q_c$ with no information revealed to any of them about the full factorization of N. The protocol must end with Alice knowing only $q_a$, Bob knowing only $q_b$ and Carol knowing only $q_c$, in addition to the published modulus N. Let $R$ be a publicly known ring and let $\rho = 3l = \log |R|$. The protocol is as follows:
- Bob picks two $(l-1)$-bit random numbers $r_a$ and $r_c$ such that $q_b = r_a + r_c$.
- Bob secretly delivers $r_a$ to Alice and $r_c$ to Carol.
- Alice computes $a = q_a r_a$ while Carol computes $c = q_c r_c$.
- Alice and Carol run the mult-to-sum subroutine to compute additive shares of the product $a q_c$. At the end, Alice holds $x_1$ while Carol holds $y_1$ such that $x_1 + y_1 = a q_c$.
- Alice and Carol run the mult-to-sum subroutine to compute additive shares of the product $c q_a$. At the end, Alice holds $y_2$ while Carol holds $x_2$ such that $x_2 + y_2 = c q_a$.
- Alice broadcasts $x_1 + y_2$ while Carol broadcasts $y_1 + x_2$. Any of the three parties is able to compute N from the broadcast quantities.

Due to the extreme simplicity of our protocol, the proofs of the following two lemmas may be evident to any expert in the field; however, we give them for clarity.

Lemma 1. $N = x_1 + x_2 + y_1 + y_2$ over the ring.
Proof. $x_1 + y_1 = a q_c$ and $x_2 + y_2 = c q_a$, but $a = r_a q_a$ and $c = r_c q_c$. Hence, $x_1 + y_1 + x_2 + y_2 = r_a q_a q_c + r_c q_c q_a = q_a q_c (r_a + r_c) = q_a q_c q_b = N$.

Lemma 2. Under the assumption that the mult-to-sum subroutine is secure and the parties are honest-but-curious, the above described protocol is 1-private.
Proof. It is obvious that the protocol cannot withstand a collusion of two parties: an adversary that successfully eavesdrops on any two parties knows the full factorization of N. This is accepted in the theory of threshold cryptography, since in threshold cryptography it is assumed that the majority of the players must be honest (untouchable by any adversary) in order to perform computations. An adversary that successfully eavesdrops on any one of the three parties has the view of this party. The situation for Bob is trivial: the adversary knows only $q_b$ and is faced with the problem of factorizing $q_a q_c$. Considering the situation for Alice (the situation for Carol is similar), the adversary's view is $N, q_a, r_a, x_1, y_2$. Assuming that the underlying mult-to-sum subroutine is secure (i.e.
preserves the privacy of both Alice and Carol), the adversary gains no information about $r_c$ or $q_c$ from $x_1, y_2$ and consequently, knowing $r_a$ provides no information about $q_b$, since all values of $r_c$ are possible such that $r_c = q_b - r_a$. Therefore, none of the three parties knows any factor of N other than the one he initially picked, and hence the protocol is 1-private. It is also worth noticing that the situation for Alice and Carol is exactly the situation for the two parties in Straub's protocol [25].

5.2 Sharing the Secret Euler Totient $\phi(N)$
We have reached the point where the three parties Alice, Bob and Carol have agreed on an RSA modulus N which is a composite of exactly three primes (or safe primes if needed). They jointly agree on a public prime exponent e. Now, they want to compute shares of the secret key d, where $ed \equiv 1 \bmod \phi(N)$ and $\phi(N) = (q_a - 1)(q_b - 1)(q_c - 1)$. To additively share $\phi(N)$ the parties proceed in a similar fashion as follows:
- Bob picks two random numbers $r'_a$ and $r'_c$ such that $q_b - 1 = r'_a + r'_c$.
- Bob secretly delivers $r'_a$ to Alice and $r'_c$ to Carol.
Remark. Notice that the above two steps can be eliminated if Alice and Carol did not forget the values $r_a$ and $r_c$ they previously received from Bob. If so, Alice may set $r'_a = r_a - 1$ and Carol sets $r'_c = r_c$; it follows that $r'_a + r'_c = q_b - 1$.
- Alice computes $a = r'_a (q_a - 1)$ while Carol computes $c = r'_c (q_c - 1)$.
- Alice and Carol run the mult-to-sum subroutine to additively share $a(q_c - 1)$. At the end, Alice holds $x_1$ while Carol holds $y_1$ such that $a(q_c - 1) = x_1 + y_1$.
- Alice and Carol run the mult-to-sum subroutine to additively share $c(q_a - 1)$. At the end, Alice holds $y_2$ while Carol holds $x_2$ such that $c(q_a - 1) = x_2 + y_2$.
- Alice computes $\phi_a = x_1 + y_2$ while Carol computes $\phi_c = x_2 + y_1$.
It is clear that $\phi(N) = \phi_a + \phi_c$. One may argue that Bob does not hold a share of $\phi(N)$. Bob need not worry about this since the protocol is 1-private: an adversary that eavesdrops on either Alice or Carol gains no information about $\phi(N)$.
What mainly concerns Bob is that he will receive a valid share of the secret key d at the end of the protocol.

5.3 Computing Inverses Over the Shared Secret $\phi(N)$: Sharing the Secret Key
Alice picks two random secret numbers $\lambda_a, R_a$, Bob picks a secret random number $R_b$ and Carol picks two random secret numbers $\lambda_c, R_c$. Following the recommendations in [22], the secrets $\lambda_a, \lambda_c$ are much greater than $\phi(N)$ (i.e. in the order of $O(N^2)$) while $R_a, R_b, R_c$ are in the order of $O(N^3)$. Alice, Bob and Carol want to jointly compute the quantity $\gamma$ where
$\gamma = \lambda \phi(N) + Re = (\lambda_a + \lambda_c)(\phi_a + \phi_c) + (R_a + R_b + R_c)e$
- Bob picks two random numbers $R'_a, R'_c$ such that $R_b = R'_a + R'_c$. He secretly delivers $R'_a$ to Alice and $R'_c$ to Carol.
- Alice and Carol run the mult-to-sum subroutine twice. At the end of the first run, Alice holds $x_1$ while Carol holds $y_1$ such that $\lambda_a \phi_c = x_1 + y_1$. At the end of the second run, Alice holds $y_2$ while Carol holds $x_2$ such that $\lambda_c \phi_a = x_2 + y_2$.
- Alice computes $\gamma_a = x_1 + y_2 + \lambda_a \phi_a + (R_a + R'_a)e$ while Carol computes $\gamma_c = x_2 + y_1 + \lambda_c \phi_c + (R_c + R'_c)e$.
- Alice broadcasts $\gamma_a$ while Carol broadcasts $\gamma_c$. Any of the three parties is able to compute $\gamma = \gamma_a + \gamma_c$.
- Assuming that $\gcd(\gamma, e) = 1$, the parties run the extended Euclidean algorithm to find the pair $(x, y)$ such that $x\gamma + ye = 1$, which must exist.
- Since $xR + y = e^{-1} \bmod \phi(N)$, one may set $d = xR + y$. Additive shares of d can be computed easily: Alice sets $d_a = xR_a + y$, Bob sets $d_b = xR_b$ and Carol sets $d_c = xR_c$. Clearly, $d = d_a + d_b + d_c$.

5.4 Signature Generation
In the classical method, in order to perform a signature on a message m after hashing and padding, Alice computes and broadcasts $S_a = m^{d_a} \bmod N$, Bob computes and broadcasts $S_b = m^{d_b} \bmod N$, while Carol computes and broadcasts $S_c = m^{d_c} \bmod N$. The final signature is computed as $S = S_a S_b S_c \bmod N$.

5.5 Note on Tolerating Crashes: Threshold Structure
At this point, Alice, Bob and Carol share the secret key d as a 3-out-3 secret sharing structure. In this structure, if a party is halted or crashed, the other two parties will not be able to perform the signature. It is possible to convert this structure into an efficient threshold one, allowing any two parties to generate the signature even in the absence of the third party [29]. Let P be a set of three parties, $P = \{P_1, P_2, P_3\}$. Each party $P_i$ holds a share $d_i$ of the secret key d such that $d = d_1 + d_2 + d_3$.
Let the minimal set of qualified subsets $\Gamma_0$ be the set of all subsets of cardinality two, that is $\Gamma_0 = \{X_1, X_2, X_3\}$ where $X_1 = \{P_1, P_2\}$, $X_2 = \{P_1, P_3\}$, $X_3 = \{P_2, P_3\}$. Simply, for each $X_j$, each party $P_i$, $i = 1, 2, 3$, splits her share $d_i$ of d into two pieces and gives a piece to each of the two parties in $X_j$. Each party in $X_j$ sums what she has to compute a new share of d. The shares represent a 2-out-3 secret sharing structure.

6 Conclusions
Distributed primality tests for the purpose of testing the factors of the RSA modulus have always been considered a nightmare because of the large amount of time required for the test to succeed: an enormous number of trials must be performed before a suitable RSA modulus is established. All previous RSA key generation protocols are not able to generate an RSA modulus which is a composite of safe primes. In this paper we proposed a three-party RSA key generation protocol which covers all the mentioned drawbacks. The protocol establishes a suitable modulus from the first trial and is able to produce a modulus which is a composite of three safe primes. The protocol can be easily extended to n parties, n larger than three, with a number of prime factors equal to n. The dark side of our protocol is that it is not secure for the two-party case.

References
[1] Desmedt, Y.: Threshold cryptography. European Transactions on Telecommunications and Related Technologies, Vol. 5, No. 4 (July-August 1994)
[2] Langford, S.: Threshold DSS Signatures without a Trusted Party. In CRYPTO 95, LNCS 963, Springer-Verlag (1995)
[3] Gennaro, R.: Theory and Practice of Verifiable Secret Sharing. PhD thesis, Massachusetts Institute of Technology (MIT) (May 1996)
[4] Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Robust Threshold DSS Signatures. Advances in Cryptology, Proc. Eurocrypt 96, Lecture Notes in Computer Science 1070, Springer (1996)
[5] Frankel, Y., Desmedt, Y.: Parallel reliable threshold multisignature.
Technical Report TR Univ. of Wisconsin Milwaukee (1992)
[6] Desmedt, Y., Frankel, Y.: Threshold Cryptosystem. In Crypto 89, Lecture Notes in Computer Science, LNCS 435, Springer-Verlag (1990)
[7] Boneh, D., Franklin, M.: Efficient generation of shared RSA keys. In Crypto 97 (1997)
[8] Cocks, C.: Split Knowledge Generation of RSA Parameters. In Cryptography and Coding 6th IMA Conference, LNCS 1355, Springer-Verlag (1997)
[9] Blackburn, S., Blake-Wilson, S., Burmester, M., Galbraith, S.: Shared generation of shared RSA keys. Technical Report CORR98-19, Department of Combinatorics and Optimization, University of Waterloo (1998)
[10] Frankel, Y., Mackenzie, P., Yung, M.: Robust efficient distributed RSA-key generation. In Proc. of 30th STOC (1998)
[11] Poupard, G., Stern, J.: Generation of shared RSA keys by two parties. In ASIACRYPT 98 (1999)
[12] Gilboa, N.: Two Party RSA Key Generation. Proc. of Crypto 99, Lecture Notes in Computer Science, Vol. 1666, Springer-Verlag (1999)
[13] Rabin, M.: How to exchange secrets by oblivious transfer. Technical Report TR-81, Harvard Aiken Computation Laboratory (1981)
[14] Gertner, Y., Ishai, Y., Kushilevitz, E., Malkin, T.: Protecting data privacy in information retrieval schemes. In Proc. of 30th STOC (1998)
[15] Stern, J.: A new and efficient all-or-nothing disclosure of secrets protocol. In ASIACRYPT 98, Springer-Verlag (1998)
[16] Kushilevitz, E., Ostrovsky, R.: Single-database computationally private information retrieval. In Proc. of 38th FOCS (1997)
[17] Cachin, C., Micali, S., Stadler, M.: Computationally private information retrieval with polylogarithmic communication. In Advances in Cryptography, EUROCRYPT 99 (1999)
[18] Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation. In Proc. of the 20th ACM Symposium on the Theory of Computing (1988)
[19] Chor, B., Goldreich, O., Kushilevitz, E., Sudan, M.: Private information retrieval. Journal of the ACM 45(6) (1998)
[20] Naor, M., Pinkas, B.: Oblivious transfer and polynomial evaluation. In Proc. of stat. Stoc. (1999)
[21] Cocks, C.: Split generation of RSA parameters with multiple participants. Appears on the web at
[22] Catalano, D., Gennaro, R., Halevi, S.: Computing Inverses over a Shared Secret Modulus. In Eurocrypt 00, LNCS 1807, Springer-Verlag (2000)
[23] Desmedt, Y.: Society and group oriented cryptography: A new concept. In Advances in Cryptology, Proceedings of Crypto 87, Lecture Notes in Computer Science, Vol. 293, Springer-Verlag (1988)
[24] D. Boneh, J. Horwitz: Generating a product of three primes with an unknown factorization, Proc. 3rd Algorithmic Number Theory Symposium (ANTS-III), Portland, USA, (1998), pp
[25] T. Straub: Efficient Two Party Multi-Prime RSA Key Generation. In (Hamza, M.H. Hrsg.): Proc. IASTED International Conference on Communication, Network, and Information Security, New York,
[26] Michael J. Wiener: Cryptanalysis of Short RSA Secret Exponents. IEEE Transactions on Information Theory, Vol. 36, No. 3, pp , May
[27] A. K. Lenstra, H. W. Lenstra, Jr. (eds), The development of the number field sieve, Lecture Notes in Math. 1554, Springer-Verlag, Berlin,
[28] J. Grobschadl: The Chinese Remainder Theorem and its Application in a High-Speed RSA Crypto Chip, in Proceedings of the 16th Annual Computer Security Applications Conference, pp IEEE Computer Society Press, ISBN
[29] Maged H. Ibrahim, I. A. Ali, I. I. Ibrahim and A. H. El-Sawy, Fully Distributed and Robust Threshold RSA Function Sharing Efficient for Small Number of Players, Embedded Cryptographic Hardware: Methodologies and Architectures-2004, Nadia Nedjah and Luiza de Macedo Mourelle (Editors) (State Univ. of Rio de Janeiro), Nova Science Publishers, New York, USA, ISBN:
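
Added example (not part of the paper and not the authors' code): a single-process Python simulation of the mult-to-sum subroutine of Section 4.3 and of the protocol steps in Sections 5.1 to 5.4, checking Lemma 1 and that the combined partial signatures verify under the public exponent. The oblivious transfers are replaced by a local selection, so it demonstrates the arithmetic and not the privacy. Assumptions of this example: all function names, e = 65537, l = 64, the ring of 9l + 32 bits used for Sections 5.2 and 5.3 (the paper names a ring only for Section 5.1), the local filter that e does not divide q - 1, and the retry when gcd(gamma, e) is not 1.

```python
# Added example: single-process simulation of Sections 4.3 and 5.1-5.4.
# The oblivious transfers are replaced by a local selection, so this checks
# the arithmetic of the protocol and provides no privacy.
import math
import secrets

E = 65537   # public prime exponent (assumed; the paper fixes no value)
L = 64      # bit length l of each party's prime (example value)

def is_prime(n):
    """Local Miller-Rabin; these 12 bases are deterministic for n < 3.18e23."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for p in bases:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def local_prime(bits=L, e=E):
    """A party picks its own prime and tests it locally; e must not divide q-1."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if (q - 1) % e and is_prime(q):
            return q

def split(total, bits):
    """Bob: total = r_a + r_c with 0 <= r_a, r_c < 2**bits (total must allow it)."""
    top = (1 << bits) - 1
    lo, hi = max(0, total - top), min(total, top)
    r_a = lo + secrets.randbelow(hi - lo + 1)
    return r_a, total - r_a

def mult_to_sum(a, b, rho):
    """Section 4.3: A holds a, B holds b; returns (x, y), x + y = ab in Z_2^rho."""
    mod = 1 << rho
    a %= mod
    s = [secrets.randbelow(mod) for _ in range(rho)]        # B's masks s_i
    pairs = [(s[i], ((b << i) + s[i]) % mod) for i in range(rho)]
    # Stand-in for the rho OTs: A obtains only pairs[i][a_i] for each bit a_i.
    x = sum(pairs[i][(a >> i) & 1] for i in range(rho)) % mod
    y = -sum(s) % mod
    return x, y

def cross_share(a_in, a_key, c_in, c_key, rho):
    """Two runs; (Alice, Carol) shares of a_in*c_key + c_in*a_key in Z_2^rho."""
    x1, y1 = mult_to_sum(a_in, c_key, rho)   # Alice gets x1, Carol gets y1
    x2, y2 = mult_to_sum(c_in, a_key, rho)   # Carol gets x2, Alice gets y2
    return (x1 + y2) % (1 << rho), (y1 + x2) % (1 << rho)

def shared_keygen(q_a, q_b, q_c, l=L, e=E):
    """Return N and additive shares (d_a, d_b, d_c); primes as from local_prime."""
    # 5.1: N = q_a q_b q_c over the ring with rho = 3l.
    r_a, r_c = split(q_b, l - 1)
    n_a, n_c = cross_share(q_a * r_a, q_a, q_c * r_c, q_c, 3 * l)
    N = (n_a + n_c) % (1 << 3 * l)            # sum of the two broadcasts
    # 5.2, 5.3: one larger ring (assumption of this example) so that
    # gamma < 2^big and the broadcast sum equals gamma as an integer.
    big = 9 * l + 32
    p_a, p_c = split(q_b - 1, l - 1)          # r'_a, r'_c
    phi_a, phi_c = cross_share(p_a * (q_a - 1), q_a - 1,
                               p_c * (q_c - 1), q_c - 1, big)
    while True:
        lam_a, lam_c = secrets.randbits(6 * l), secrets.randbits(6 * l)
        R_a, R_b, R_c = (secrets.randbits(9 * l) for _ in range(3))
        Rp_a, Rp_c = split(R_b, 9 * l)        # Bob's R_b = R'_a + R'_c
        s_a, s_c = cross_share(lam_a, phi_a, lam_c, phi_c, big)
        g_a = s_a + lam_a * phi_a + (R_a + Rp_a) * e
        g_c = s_c + lam_c * phi_c + (R_c + Rp_c) * e
        gamma = (g_a + g_c) % (1 << big)
        if math.gcd(gamma, e) == 1:           # assumed in the paper; retry here
            break
    x = pow(gamma, -1, e)                     # x*gamma + y*e = 1, as ext. Euclid
    y = (1 - x * gamma) // e
    return N, (x * R_a + y, x * R_b, x * R_c)

def sign(m, shares, N):
    """5.4: S = S_a S_b S_c mod N, each S_i = m^{d_i} mod N (d_i may be < 0)."""
    S = 1
    for d_i in shares:
        S = S * pow(m, d_i, N) % N
    return S
```

The shares d_i are integers and can be negative because no party can reduce them modulo the secret phi(N); signing therefore needs m invertible modulo N and Python 3.8 or later for negative exponents in pow.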
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationA Fair and Efficient Solution to the Socialist Millionaires Problem
In Discrete Applied Mathematics, 111 (2001) 23 36. (Special issue on coding and cryptology) A Fair and Efficient Solution to the Socialist Millionaires Problem Fabrice Boudot a Berry Schoenmakers b Jacques
More informationThreshold Cryptography
Threshold Cryptography Cloud Security Mechanisms Björn Groneberg - Summer Term 2013 09.07.2013 Threshold Cryptography 1 ? 09.07.2013 Threshold Cryptography 2 Threshold Cryptography Sharing Secrets Treasure
More informationCPSC 467b: Cryptography and Computer Security
Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18
More informationComputationally Private Information Retrieval With Polylogarithmic Communication
Computationally Private Information Retrieval With Polylogarithmic Communication Christian Cachin Silvio Micali Markus Stadler August 9, 1999 Abstract We present a single-database computationally private
More informationAbstract In a (k; n) threshold digital signature scheme, k out of n signers must cooperate to issue a signature. In this paper, we show an ecient (k;
New ElGamal Type Threshold Digital Signature Scheme Choonsik PARK y and Kaoru KUROSAWA z y Electronics and Telecommunications Research Institute, P.O.Box 106, Yusong-ku, Taejeon, 305-600, Korea z Tokyo
More informationStrongly Unforgeable Signatures Based on Computational Diffie-Hellman
Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu
More informationCryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05
Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05 Fangguo Zhang 1 and Xiaofeng Chen 2 1 Department of Electronics and Communication Engineering, Sun Yat-sen
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationA Verifiable 1-out-of-n Distributed Oblivious Transfer Protocol
A Verifiable 1-out-of-n Distributed Oblivious Transfer Protocol Christian L F Corniaux and Hossein Ghodosi James Cook University, Townsville QLD 4811, Australia chriscorniaux@myjcueduau, hosseinghodosi@jcueduau
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part
More informationIntroduction to Cryptography Lecture 13
Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1 Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2 Simple
More informationA Simplified Approach to Threshold and Proactive RSA
A Simplified Approach to Threshold and Proactive RSA Tal Rabin IBM T.J. Watson Research Center PO Box 704, Yorktown Heights, New York 10598 talr@watson.ibm.com Abstract. We present a solution to both the
More informationPrivacy-preserving cooperative statistical analysis
Syracuse University SURFACE Electrical Engineering and Computer Science College of Engineering and Computer Science 2001 Privacy-preserving cooperative statistical analysis Wenliang Du Syracuse University,
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA Public Key Encryption Factoring Algorithms Lecture 7 Tel-Aviv University Revised March 1st, 2008 Reminder: The Prime Number Theorem Let π(x) denote the
More informationSolving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?
Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know? Alexander May, Maike Ritzenhofen Faculty of Mathematics Ruhr-Universität Bochum, 44780 Bochum,
More informationMathematics of Cryptography
UNIT - III Mathematics of Cryptography Part III: Primes and Related Congruence Equations 1 Objectives To introduce prime numbers and their applications in cryptography. To discuss some primality test algorithms
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes Lecture 8 Tel-Aviv University
More informationCPSC 467b: Cryptography and Computer Security
Outline Quadratic residues Useful tests Digital Signatures CPSC 467b: Cryptography and Computer Security Lecture 14 Michael J. Fischer Department of Computer Science Yale University March 1, 2010 Michael
More informationLecture 3,4: Multiparty Computation
CS 276 Cryptography January 26/28, 2016 Lecture 3,4: Multiparty Computation Instructor: Sanjam Garg Scribe: Joseph Hui 1 Constant-Round Multiparty Computation Last time we considered the GMW protocol,
More informationAttacks on RSA & Using Asymmetric Crypto
Attacks on RSA & Using Asymmetric Crypto Luke Anderson luke@lukeanderson.com.au 7 th April 2017 University Of Sydney Overview 1. Crypto-Bulletin 2. Breaking RSA 2.1 Chinese Remainder Theorem 2.2 Common
More informationPractice Assignment 2 Discussion 24/02/ /02/2018
German University in Cairo Faculty of MET (CSEN 1001 Computer and Network Security Course) Dr. Amr El Mougy 1 RSA 1.1 RSA Encryption Practice Assignment 2 Discussion 24/02/2018-29/02/2018 Perform encryption
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationNew Variant of ElGamal Signature Scheme
Int. J. Contemp. Math. Sciences, Vol. 5, 2010, no. 34, 1653-1662 New Variant of ElGamal Signature Scheme Omar Khadir Department of Mathematics Faculty of Science and Technology University of Hassan II-Mohammedia,
More informationANALYSIS OF PRIVACY-PRESERVING ELEMENT REDUCTION OF A MULTISET
J. Korean Math. Soc. 46 (2009), No. 1, pp. 59 69 ANALYSIS OF PRIVACY-PRESERVING ELEMENT REDUCTION OF A MULTISET Jae Hong Seo, HyoJin Yoon, Seongan Lim, Jung Hee Cheon, and Dowon Hong Abstract. The element
More informationUniversally Composable Multi-Party Computation with an Unreliable Common Reference String
Universally Composable Multi-Party Computation with an Unreliable Common Reference String Vipul Goyal 1 and Jonathan Katz 2 1 Department of Computer Science, UCLA vipul@cs.ucla.edu 2 Department of Computer
More informationLECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS
LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS Modular arithmetics that we have discussed in the previous lectures is very useful in Cryptography and Computer Science. Here we discuss several
More informationOn the security of Jhanwar-Barua Identity-Based Encryption Scheme
On the security of Jhanwar-Barua Identity-Based Encryption Scheme Adrian G. Schipor aschipor@info.uaic.ro 1 Department of Computer Science Al. I. Cuza University of Iași Iași 700506, Romania Abstract In
More information14 Diffie-Hellman Key Agreement
14 Diffie-Hellman Key Agreement 14.1 Cyclic Groups Definition 14.1 Example Let д Z n. Define д n = {д i % n i Z}, the set of all powers of д reduced mod n. Then д is called a generator of д n, and д n
More informationCryptanalysis of a Knapsack Based Two-Lock Cryptosystem
Cryptanalysis of a Knapsack Based Two-Lock Cryptosystem Bin Zhang 1,2, Hongjun Wu 1, Dengguo Feng 2, and Feng Bao 1 1 Institute for Infocomm Research, Singapore 119613 2 State Key Laboratory of Information
More informationChapter 4 Asymmetric Cryptography
Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman [NetSec/SysSec], WS 2008/2009 4.1 Asymmetric Cryptography General idea: Use two different keys -K and +K for
More informationAsymmetric Cryptography
Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman General idea: Use two different keys -K and +K for encryption and decryption Given a
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 22 November 27, 2017 CPSC 467, Lecture 22 1/43 BBS Pseudorandom Sequence Generator Secret Splitting Shamir s Secret Splitting Scheme
More informationSecure Modulo Zero-Sum Randomness as Cryptographic Resource
Secure Modulo Zero-Sum Randomness as Cryptographic Resource Masahito Hayashi 12 and Takeshi Koshiba 3 1 Graduate School of Mathematics, Nagoya University masahito@math.nagoya-u.ac.jp 2 Centre for Quantum
More informationUniversity Alexandru Ioan Cuza of Iaşi Faculty of Computer Science. Threshold RSA Based on the General Chinese Remainder Theorem
University Alexandru Ioan Cuza of Iaşi Faculty of Computer Science T E C H N I C A L R E P O R T Threshold RSA Based on the General Chinese Remainder Theorem Sorin Iftene TR 05-05, August 2005 ISSN 1224-9327
More informationOn Two Round Rerunnable MPC Protocols
On Two Round Rerunnable MPC Protocols Paul Laird Dublin Institute of Technology, Dublin, Ireland email: {paul.laird}@dit.ie Abstract. Two-rounds are minimal for all MPC protocols in the absence of a trusted
More informationAn Anonymous Authentication Scheme for Trusted Computing Platform
An Anonymous Authentication Scheme for Trusted Computing Platform He Ge Abstract. The Trusted Computing Platform is the industrial initiative to implement computer security. However, privacy protection
More informationLecture 38: Secure Multi-party Computation MPC
Lecture 38: Secure Multi-party Computation Problem Statement I Suppose Alice has private input x, and Bob has private input y Alice and Bob are interested in computing z = f (x, y) such that each party
More informationPrivacy Preserving Multiset Union with ElGamal Encryption
Privacy Preserving Multiset Union with ElGamal Encryption Jeongdae Hong 1, Jung Woo Kim 1, and Jihye Kim 2 and Kunsoo Park 1, and Jung Hee Cheon 3 1 School of Computer Science and Engineering, Seoul National
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationTHE CUBIC PUBLIC-KEY TRANSFORMATION*
CIRCUITS SYSTEMS SIGNAL PROCESSING c Birkhäuser Boston (2007) VOL. 26, NO. 3, 2007, PP. 353 359 DOI: 10.1007/s00034-006-0309-x THE CUBIC PUBLIC-KEY TRANSFORMATION* Subhash Kak 1 Abstract. This note proposes
More informationBroadcast and Verifiable Secret Sharing: New Security Models and Round-Optimal Constructions
Broadcast and Verifiable Secret Sharing: New Security Models and Round-Optimal Constructions Dissertation submitted to the Faculty of the Graduate School of the University of Maryland, College Park in
More informationLinear Integer Secret Sharing and Distributed Exponentiation
Linear Integer Secret Sharing and Distributed Exponentiation Ivan Damgård and Rune Thorbek BRICS, Dept. of Computer Science, University of Aarhus Abstract. We introduce the notion of Linear Integer Secret-Sharing
More informationCIS 551 / TCOM 401 Computer and Network Security
CIS 551 / TCOM 401 Computer and Network Security Spring 2008 Lecture 15 3/20/08 CIS/TCOM 551 1 Announcements Project 3 available on the web. Get the handout in class today. Project 3 is due April 4th It
More informationLecture V : Public Key Cryptography
Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional
More informationPrivacy Preserving Set Intersection Protocol Secure Against Malicious Behaviors
Privacy Preserving Set Intersection Protocol Secure Against Malicious Behaviors Yingpeng Sang, Hong Shen School of Computer Science The University of Adelaide Adelaide, South Australia, 5005, Australia
More informationMulti-Party Computation with Conversion of Secret Sharing
Multi-Party Computation with Conversion of Secret Sharing Josef Pieprzyk joint work with Hossein Ghodosi and Ron Steinfeld NTU, Singapore, September 2011 1/ 33 Road Map Introduction Background Our Contribution
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 6, 2012 CPSC 467b, Lecture 9 1/53 Euler s Theorem Generating RSA Modulus Finding primes by guess and check Density of
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationINFORMATION-THEORETICALLY SECURE STRONG VERIFIABLE SECRET SHARING
INFORMATION-THEORETICALLY SECURE STRONG VERIFIABLE SECRET SHARING Changlu Lin State Key Lab. of Information Security, Graduate University of Chinese Academy of Sciences, China Key Lab. of Network Security
More informationHidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV *
2017 2nd International Conference on Artificial Intelligence: Techniques and Applications (AITA 2017) ISBN: 978-1-60595-491-2 Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV * DCS
More informationCompartmented Threshold RSA Based on the Chinese Remainder Theorem
Compartmented Threshold RSA Based on the Chinese Remainder Theorem Sorin Iftene Department of Computer Science, Al. I. Cuza University, 700483 Iasi, Romania siftene@info.uaic.ro Manuela Grindei LSV, ENS
More informationHow many rounds can Random Selection handle?
How many rounds can Random Selection handle? Shengyu Zhang Abstract The construction of zero-knowledge proofs can be greatly simplified if the protocol is only required be secure against the honest verifier.
More informationLectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols
CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationFast Distributed RSA Key Generation for Semi-Honest and Malicious Adversaries
Fast Distributed RSA Key Generation for Semi-Honest and Malicious Adversaries Tore Kasper Frederiksen 1, Yehuda Lindell 2,3, Valery Osheter 3, and Benny Pinkas 2 1 Security Lab, Alexandra Institute, Denmark
More informationSealed-bid Auctions with Efficient Bids
Sealed-bid Auctions with Efficient Bids Toru Nakanishi, Daisuke Yamamoto, and Yuji Sugiyama Department of Communication Network Engineering, Faculty of Engineering, Okayama University 3-1-1 Tsushima-naka,
More informationA New Attack on RSA with Two or Three Decryption Exponents
A New Attack on RSA with Two or Three Decryption Exponents Abderrahmane Nitaj Laboratoire de Mathématiques Nicolas Oresme Université de Caen, France nitaj@math.unicaen.fr http://www.math.unicaen.fr/~nitaj
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationCOMS W4995 Introduction to Cryptography October 12, Lecture 12: RSA, and a summary of One Way Function Candidates.
COMS W4995 Introduction to Cryptography October 12, 2005 Lecture 12: RSA, and a summary of One Way Function Candidates. Lecturer: Tal Malkin Scribes: Justin Cranshaw and Mike Verbalis 1 Introduction In
More informationLinear Integer Secret Sharing and Distributed Exponentiation
Linear Integer Secret Sharing and Distributed Exponentiation Ivan Damgård and Rune Thorbek BRICS, Dept. of Computer Science, University of Aarhus Abstract. We introduce the notion of Linear Integer Secret-Sharing
More informationTwo-Party Generation of DSA Signatures
Two-Party Generation of DSA Signatures (Extended Abstract) Philip MacKenzie and Michael K. Reiter Bell Labs, Lucent Technologies, Murray Hill, NJ, USA Abstract. We describe a means of sharing the DSA signature
More informationRobust Operations. Yvo Desmedt. Department of Computer Science, University College London, United Kingdom
Robust Operations Yvo Desmedt Department of Computer Science, University College London, United Kingdom Abstract Operations under malicious attack are usually studied in a very narrow context. The typical
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem
More informationComplete Fairness in Multi-Party Computation Without an Honest Majority
Complete Fairness in Multi-Party Computation Without an Honest Maority Samuel Dov Gordon Abstract A well-known result of Cleve shows that complete fairness is impossible, in general, without an honest
More information