A New and Optimal Chosen-message Attack on RSA-type Cryptosystems
|
|
- Winfred Walsh
- 6 years ago
- Views:
Transcription
1 Published in Y. Han, T. Okamoto, and S. Qing, eds, Information and Communications Security (ICICS 97), vol of Lecture Notes in Comer Science, , Sringer-Verlag, A New and Otimal Chosen-message Attack on RSA-tye Crytosystems Daniel Bleichenbacher 1, Marc Joye and Jean-Jacques Quisquater 3 1 Bell Laboratories 700 Mountain Av., Murray Hill, NJ 07974, U.S.A. bleichen@research.bell-labs.com UCL Cryto Grou, Dé. de Mathématique, Université de Louvain Chemin du Cyclotron, B-1348 Louvain-la-Neuve, Belgium joye@agel.ucl.ac.be 3 UCL Cryto Grou, Lab. de Microélectronique, Université de Louvain Place du Levant 3, B-1348 Louvain-la-Neuve, Belgium jjq@dice.ucl.ac.be Abstract. Chosen-message attack on RSA is usually considered as an inherent roerty of its homomorhic structure. In this aer, we show that nonhomomorhic RSA-tye crytosystems are also suscetible to a chosen-message attack. In articular, we rove that only one message is needed to mount a successful chosen-message attack against the Lucas-based systems and Demytko s ellitic curve system. Keywords. Chosen-message attack, signature forgery, RSA, Lucas-based systems, Demytko s ellitic curve system. 1 Introduction The most used ublic-key crytosystem is certainly the RSA [1]. Due to its oularity, the RSA was subject to an extensive crytanalysis. Many attacks are based on the multilicative nature of RSA [5]. To overcome this vulnerability, numerous generalizations of the original RSA were roosed and broken. Later, other structures were envisaged to imlement analogues of RSA. This seemed to be the right way to foil the homomorhic attacks. So, a crytosystem based on Lucas sequences was roosed in [10] and analyzed in [11] by Müller and Nöbauer. The ahors use Dickson olynomials to describe their scheme; however, Dickson olynomials can be rehrased in terms of Lucas sequences [, 14]. The Lucas sequences lay the same role in this scheme as exonentiations in RSA. In 1985, Koblitz and Miller indeendently suggested the use of ellitic curves in crytograhy [7, 9]. Afterwards, Koyama et al. [8] and Demytko [4] exhibited new one-way tradoor functions on ellitic curves in order to roduce analogues of RSA. Demytko s system has the articularity to only use the first coordinate and is therefore not subject to the chosen-message attack described in [8]. The Lucas-based crytosystems and Demytko s ellitic curve crytosystem seem to be resistant against homomorhic attack. However, the existence of a chosen-message
2 forgery that needs two messages has been described in [1]. Kaliski found a similar attack on Demytko s system [6]. In this aer, we describe a new chosen-message attack which needs only one message. This new attack shows that the RSA-tye crytosystems are even closer related to RSA, i.e. it shows that all the attacks based on the multilicative nature of the original RSA can straightforward be adated to any RSA-tye crytosystem. We illustrate this toic with the common modulus failure [13]. The remainder of this aer is organized as follows. In Section, we review the Lucas-based and Demytko s ellitic curve crytosystems. The reader who is not not familiar with these systems may first read the aendix. We resent our attack in Section 3 and aly it in Section 4. In Section 5, we revisit the common modulus failure. Finally, we conclude in Section 6. RSA-tye crytosystems In this section, we resent crytosystems based on Lucas sequences [10, 11, 14] and on ellitic curves [4]. We only oline the systems, for a detailed descrition we refer to the original aers..1 Lucas-based RSA The Lucas-based scheme can briefly be described as follows. Each user A chooses two large rimes and q and an exonent e that is relatively rime to ( 1)(q 1), comes n = q, and ublishes n and e as his ublic key. The corresonding d e 1 (mod lcm( 1; + 1; q 1; q + 1)) is ket secret. A s ublic arameters: n and e. A s secret arameters:, q and d. A message m is encryted by coming c v e (m; 1) (mod n). It is decryted using the secret key d by m v d (c; 1) (mod n). The correctness of this system is based on Proosition 3 (in aendix) as v d ve (m; 1); 1 v de (m; 1) v 1 (m; 1) m (mod n). Signatures are generated accordingly by exchanging the roles of the ublic and secret arameters e and d.. Demytko s system Similarly to RSA, to setu Demytko s system, each user A chooses two large rimes and q, and ublishes their roduct n = q. He ublicly selects integers a and b such that gcd(4a 3 + 7b ; n) = 1. Then once and for all, he comes N n = lcm #E (a; b); #E q (a; b); #E (a; b); #E q (a; b) : (1) He randomly chooses the ublic encrytion key e such that gcd(e; N n ) = 1, and comes the secret decrytion key d according to ed 1 mod N n.
3 A s ublic arameters: n, a, b and e. A s secret arameters:, q, N n and d. It is useful to introduce some notation. The x and the ycoordinates of a oint P will resectively be denoted by x(p) and y(p). To send a message m to Alice, Bob uses Alice s ublic key e and comes the corresonding cihertext c x(em) (mod n) where M is a oint having its xcoordinate equal to m. Note that, from Proosition 1, the comation of c x(em) (mod n) does not require the knowledge of y(m). Using her secret key d, Alice can recover the laintext m by coming m x(dc) (mod n) where C is a oint having its xcoordinate equal to c. Note also that Alice has not to know y(c). Remark 1. To seed u the comations, Alice can choose ; q mod 3 and a = 0. In that case, N n = lcm( + 1; q + 1). The same conclusion holds by choosing ; q 3 mod 4 and b = 0 (see [8]). Remark. For efficiency reasons, it is also ossible to define a message-deendent system (see [4]). 3 Sketch of the new attack Let n = q be a RSA modulus. Let e and d be resectively the ublic key and the secret key of Alice, according to ed 1 (mod (n)). The ublic key e is used to encryt messages and verify signatures; the secret key d is used to decryt cihertexts and to sign messages. Suose a crytanalyst (say Carol) wants to make Alice to sign message m witho her consent. Carol can roceeds as follows. She chooses a random number k and asks Alice to sign (or to decryt) m 0 mk e (mod n). Carol gets then c 0 m d (k e ) d m d k, and therefore the signature c of message m as c c 0 k 1 (mod n). Consequently, chosen-message attacks against RSA seem quite naturally to be a consequence of its multilicative structure. By reformulating this attack with the extended Euclidean algorithm, it aears that non-homomorhic crytosystems are also suscetible to a chosen-message attack. Alying to RSA, the attack goes as follows. In: A message m and the ublic key n; e of Alice. Ste 1: Carol chooses an integer k relatively rime to e. Then she uses the extended Euclidean algorithm to find r; s Z such that kr +es = 1. Ste : Carol comes m 0 m k (mod n). Ste 3: Next, she asks Alice to sign m 0 and gets therefore c 0 m 0 d (mod n): Ste 4: Consequently, Carol can come the signature c of m by c c 0 r m s (mod n): ()
4 O: The signature c of message m. Proof. From kr + es = 1, it follows d = d(kr + es) dkr + s (mod (n)). Hence, c m d m dkr m s m dk r m s c 0r m s (mod n). Remark 3. This attack can also be considered as a generalization of the Davida s attack [3]. 4 Alications The revious attack alies also to non-homomorhic crytosystems. In this section, we show how it works against Lucas-based systems and Demytko s system. 4.1 Attacking Lucas-based systems The crytanalyst Carol can try to get a signature c on a message m in the following way. In: A message m and the ublic key n; e of Alice. Ste 1: Carol chooses an integer k relatively rime to e. Then she uses extended Euclidean algorithm to find r; s Z such that kr + es = 1. Ste : Next she comes m 0 v k (m; 1) (mod n). Ste 3: Now she asks Alice to sign m 0. If Alice does so then Carol knows c 0 such that c 0 v d (m 0 ; 1) (mod n): Ste 4: Finally Carol comes the signature c of m as follows v rkd (m; 1) v r (c 0 ; 1) (mod n); (3) u rkd (m; 1) u k(m; 1)u r (c 0 ; 1) u e (c 0 ; 1) c = v d (m; 1) v rkd(m; 1)v s (m; 1) + u rkd(m; 1)u s (m; 1) where = m 4. O: The signature c of message m. Proof. Equation (3) follows from (13) 1 since (mod n); (4) v r (c 0 ; 1) v r vkd (m; 1); 1 v rkd (m; 1) (mod n): 1 (9) to () refer to equations in the aendix. (mod n) (5)
5 Equation (4) is a consequence of (14) and u rkd (m; 1)u e (c 0 ; 1) u r vkd (m; 1); 1 u kd (m; 1)u e vkd (m; 1); 1 u r vkd (m; 1); 1 u kde (m; 1) u r vkd (m; 1); 1 u k (m; 1) (mod n): Moreover, kr + es = 1 imlies v d (m; 1) = v rkd+des (m; 1) = v rkd+s (m; 1). Hence Equation (5) is an alication of (15). Remark 4. This attack is the analogue to the chosen-message attack on RSA resented in Section 3, by using algebraic numbers (relace m by = (m + )= and use Equation (9)). The only additional ste to be roved is that u kd (m; 1) is comable from m and v kd (m; 1). This can be shown by using (14) and noting that u k (m; 1) u kde (m; 1) u kd (m; 1)u e vkd (m; 1); 1 (mod n): If = m=+ = then the signature vkd (m; 1) on the message v k (m; 1) can be used to come kd v kd (m; 1)= + u kd (m; 1) =: Once kd is known, d = v d (m; 1)= + u d (m; 1) = can be comed from d (kr+es)d kd r s (mod n): Hence (3) and (4) corresond to the comation of c 0r and (5) corresonds to the multilication of c 0r by m s in (). 4. Attacking Demytko s system Before showing that a similar attack alies to Demytko s system, we need to rove the following roosition. Proosition 1. Let be a rime greater than 3, and let E (a; b) be an ellitic curve over Z. If P E (a; b) or if P E (a; b), then the comations of x(kp) and y(kp) deend only on x(p). y(p) Proof. Letting X j := x(jp) and Y j := y(jp) y (P), the tangent-and-chord comosition rule on ellitic curves gives the following formulas 8 >< X j = x(jp + jp) = >: = 1 X 3 1 +ax1+b 3X j +a Y j X j ; 3 x(jp) +a y (jp) x(jp) if P E (a; b) 3 x(jp) +a D y (jp) D x(jp) if P E (a; b)
6 Y j = y(jp+jp) y (P) = = 8 >< >: 3 x(jp) +a y(jp) x(jp)x(jp) y (jp) 3 x(jp) +a D y(jp) x(jp)x(jp) 1 3X j +a X1 3+aX1+b Y (X j j X j ) Y j ; X j+1 = x jp + (j + 1)P 8 >< = >: y (P) if P E (a; b) y (jp) y (P) if P E (a; b) y(jp)y((j+1)p) x(jp)x((j+1)p) x(jp) x (j + 1)P if P E (a; b) y(jp)y((j+1)p) x(jp)x((j+1)p) D x(jp) x (j + 1)P if P E (a; b) = (X ax Yj Y 1 + b) j+1 X j X j+1 X j X j+1 ; Y j+1 = y jp+(j+1)p y (P) = ( y(jp)y((j+1)p) x(jp)x((j+1)p) ) = x(jp)x((j+1)p) Yj Yj+1 X j X j+1 (X j X j+1 ) Y j : y (jp) y (P) if P E (a; b) or E (a; b) So X k and Y k can be comed from X 1 = x(p) and Y 1 = 1 by using the binary method. Then, the message forgery goes as follows. In: A message m and the ublic key n; e of Alice. Note that m is the xcoordinate of a oint M, i.e. m = x(m). Ste 1: The crytanalyst Carol chooses a random k relatively rime to e. Then she uses extended Euclidean algorithm to find r; s Z such that kr + es = 1. Ste : From x(m), Carol comes m 0 = x(m 0 ) x(km) (mod n). Next, she asks Alice to sign m 0. So, Carol obtains the signature c 0 = x(c 0 ) x(dm 0 ) (mod n): Ste 3: Finally, Carol finds the signature c = x(c) x(dm) (mod n) of message m as follows. 3a) If x(rc 0 ) 6 x(sm) (mod n) then, using Proosition 1, Carol can come y(km) y(m) ; y (rc 0 ) y(c and y (ec 0 ) (6) 0 ) y(c 0 ) and c (m 3 + am + b) 6 4 y (km) y (rc 0 ) y (M) y (C 0 ) y(ec 0 ) y (C 0 ) x(rc 0 ) x(sm) 1 y(sm) y (M) x(rc 0 ) x(sm) (mod n): (7)
7 3b) Otherwise, the signature is given by 3 x(rc 0 ) + a c 4 x(rc 0 ) 3 + a x(rc 0 ) + b x(rc0 ) (mod n): (8) O: The signature c of message m. Proof. Since kr + es = 1, d krd + esd krd + s (mod N n ). So, x(c) x(dm) x [krd + s]m x(rc 0 + sm) (mod n): a) If x(rc 0 ) 6 x(sm) (mod n), then x(rc 0 + sm) y (rc 0 ) y(sm) x(rc 0 ) x(sm) since x(rc 0 ) x(sm) y(m) 4 y (km) y (M) y (rc 0 ) y (C 0 ) y (C 0 ) x(rc 0 ) x(sm) y (ec 0 ) y(sm) y (M) y(rc 0 ) y (rc 0 y(m) = ) y(c 0 ) 3 5 y(c 0 ) y(km) x(rc 0 ) x(sm) (mod n) y(km) y(m) and y(km) y(edkm) y(ec 0 ) (mod n). b) Otherwise, since gcd(d; N n ) = 1 it follows that rc 0 6 sm (mod n) and therefore x(rc 0 + sm) 3 x(rc 0 ) + a y(rc 0 ) x(rc 0 ) x(sm) (mod n): 5 Common modulus attack Simmons ointed o in [13] that the use of a common RSA modulus is dangerous. Indeed, if a message is sent to two users that have corime ublic encrytion keys, then the message can be recovered. Because our chosen-message attack requires only one message, the Lucas-based systems and Demytko s ellitic curve system are vulnerable to the common modulus attack. We shall illustrate this toic on Demyko s system. Let (e 1 ; d 1 ) and (e ; d ) be two airs of encrytion/decrytion keys and let m = x(m) be the message being encryted. Assuming e 1 and e are relatively rime, the crytanalyst Carol can recover m from the cihertexts c 1 = x(c 1 ) x(e 1 M) (mod n) and c = x(c ) x(e M) (mod n) as follows. Carol uses the extended Euclidean algorithm to find integers r and s such that re 1 + se = 1. Then, she comes x(m) = x((re 1 + se )M) x(rc 1 + sc ) (mod n) as follows. If x(rc 1 ) 6 x(sc ) (mod n), then
8 otherwise m (c ac 1 + b) m 6 4 y (rc1) y (C1) 3 x(rc1 ) + a y(ec1) y (sc) y (C1) y (C) x(rc 1 ) x(sc ) y(e1c) y (C) x(rc 1 ) x(sc ) (mod n) 4 x(rc 1 ) 3 + a x(rc 1 ) + b x(rc 1) (mod n): Proof. Straightforward since y(e C 1 ) y(e 1 C ) (mod n). 6 Conclusion We have resented a new tye of chosen-message attack. Our formulation has ermitted to mount a successful chosen-message attack with only one message against Lucas-based systems and Demytko s system. This also roved that the use of nonhomomorhic systems is not necessarily the best way to foil chosen-message attacks. Acknowledgments The second ahor is grateful to Victor Miller for roviding some useful comments to enhance the resentation of the aer. References 1. D. Bleichenbacher, W. Bosma, and A. K. Lenstra. Some remarks on Lucas-based crytosystems. In D. Coersmith, editor, Advances in Crytology CRYPTO 95, volume 963 of Lecture Notes in Comer Science, ages Sringer-Verlag, D. M. Bressoud. Factorization and rimality testing. Undergraduate Texts in Mathematics. Sringer-Verlag, G. Davida. Chosen signature crytanalysis of the RSA (MIT) ublic key crytosystem. Technical Reort TR-CS-8-, Det. of Electrical Engineering and Comer Science, University of Wisconsin, Milwaukee, USA, October N. Demytko. A new ellitic curve based analogue of RSA. In T. Helleseth, editor, Advances in Crytology EUROCRYPT 93, volume 765 of Lecture Notes in Comer Science, ages Sringer-Verlag, D. E. Denning. Digital signatures with RSA and other ublic-key crytosystems. Communications of the ACM, 7(4):388 39, Aril B. S. Kaliski Jr. A chosen message attack on Demytko s ellitic curve crytosystem. Journal of Crytology, 10(1):71 7, N. Koblitz. Ellitic curve crytosystems. Mathematics of Comation, 48:03 09, K. Koyama, U. M. Maurer, T. Okamoto, and S. A. Vanstone. New ublic-key schemes based on ellitic curves over the ring Z n. In J. Feigenbaum, editor, Advances in Crytology CRYPTO 91, volume 576 of Lecture Notes in Comer Science, ages Sringer- Verlag, 1991.
9 9. V. S. Miller. Use of ellitic curves in crytograhy. In H. C. Williams, editor, Advances in Crytology CRYPTO 85, volume 18 of Lecture Notes in Comer Science, ages Sringer-Verlag, W. B. Müller and R. Nöbauer. Some remarks on ublic-key crytosystems. Sci. Math. Hungar, 16:71 76, W. B. Müller and R. Nöbauer. Crytanalysis of the Dickson scheme. In J. Pichler, editor, Advances in Crytology EUROCRYPT 85, volume 19 of Lecture Notes in Comer Science, ages Sringer-Verlag, R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and ublic-key crytosystems. Communications of the ACM, 1():10 16, February G. J. Simmons. A weak rivacy rotocol using the RSA crytoalgorithm. Crytologia, 7:180 18, P. J. Smith and M. J. J. Lennon. LUC: A new ublic key system. In E. G. Douglas, editor, Ninth IFIP Symosium on Comer Security, ages Elsevier Science Publishers, A Basic facts A.1 Lucas sequences Let P; Q be integers, = P 4Q be a non-square, = P + and = = P be the roots of x P x + Q = 0 in the quadratic field Q( ). The Lucas sequences v k (P; Q) and u k (P; Q) for k Z are then defined as the integers satisfying k := v k(p; Q) + u k(p; Q) : (9) From = P Q follows k = P k1 Q k. Hence the Lucas sequences satisfy the following recurrence relation v 0 (P; Q) = ; v 1 (P; Q) = P ; v k (P; Q) = P v k1 (P; Q) Qv k (P; Q); u 0 (P; Q) = 0; u 1 (P; Q) = 1; u k (P; Q) = P u k1 (P; Q) Qu k (P; Q): This recurrence relation is sometimes used as an alternative definition of Lucas sequences. Since conjugation and exonentiation are exchangeable it follows k = k = v k(p; Q) From this equation and from (9) it follows that u k(p; Q) : v k (P; Q) = k + k ; (10) and u k (P; Q) = k k : (11) The next roosition states some well-known roerties of Lucas sequences.
10 Proosition. 4Q k = v k (P; Q) u k (P; Q) (1) v km (P; Q) = v k vm (P; Q); Q m (13) u km (P; Q) = u m (P; Q)u k vm (P; Q); Q m (14) v k+m (P; Q) = v k(p; Q)v m (P; Q) u k+m (P; Q) = u k(p; Q)v m (P; Q) Proof. Equation (1) can be roved as follows. + u k(p; Q)u m (P; Q) + v k(p; Q)u m (P; Q) 4Q k = 4() k = k k = (v k (P; Q) + u k (P; Q) )(v k (P; Q) u k (P; Q) ) Equation (1) now imlies that = v k (P; Q) u k (P; Q) : k = v k(p; Q) = v k(p; Q) + and hence k = P 0 = + have + u k(p; Q) = v k(p; Q) vk (P; Q) 4Q k + uk (P; Q) (15) (16) P 0 4Q 0 = with P 0 = v k (P; Q) and Q 0 = Q k. Thus we ( k ) m = v m(p 0 ; Q 0 ) = v m(p 0 ; Q 0 ) + u m(p 0 ; Q 0 ) P 0 4Q 0 + u m(p 0 ; Q 0 )u k (P; Q) Comaring the coefficients of this equation with km = v km (P; Q)= + u km (P; Q) = roves (13) and (14). Writing k+m = k m as sums of Lucas sequences and comaring the coefficients shows (15) and (16). Proosition 3. Let be an odd rime, Q = 1 and gcd(; ) = 1. Then the sequence v k (P; 1) mod is eriodic and the length of the eriod divides. Proof. and therefore also are algebraic integers in Q( ). Thus we have = (P= + =) P= + ( ) = P= + (1)= = P= + = (mod ). Thus if = 1 then 1 1 (mod ) and if = 1 then +1 1 (mod ). It follows that the sequence k (and therefore also v k (P; 1)) is eriodic with a eriod that divides. :
11 A. Ellitic curves Ellitic curves over Z Let be a rime greater than 3, and let a and b be two integers such that 4a 3 + 7b 6= 0 (mod ). An ellitic curve E (a; b) over the rime field Z is the set of oints (x; y) Z Z satisfying the Weierstraß equation y = x 3 + ax + b (mod ) (17) together with the oint at infinity O. The oints of the ellitic curve E (a; b) form an Abelian grou under the tangent-and-chord law defined as follows. (i) O is the identity element, i.e. 8P E (a; b), P + O = P. (ii) The inverse of P = (x 1 ; y 1 ) is P = (x 1 ; y 1 ). (iii) Let P = (x 1 ; y 1 ) and Q = (x ; y ) E (a; b) with P 6= Q. Then P + Q = (x 3 ; y 3 ) where x 3 = x 1 x ; (18) y 3 = (x 1 x 3 ) y 1 ; (19) 8 3x >< 1 + a if x 1 = x ; and = y 1 y >: 1 y otherwise. x 1 x Note that if P = (x 1 ; 0) E (a; b), then P = O. Theorem 1 (Hasse). Let #E (a; b) = + 1 a denote the number of oints in E (a; b). Then ja j. Comlementary grou of E (a; b) Let E (a; b) be an ellitic curve over Z. Let D be a quadratic non-residue modulo. The twist of E (a; b), denoted by E (a; b), is the ellitic curve given by the (extended) Weierstraß equation D y = x 3 + ax + b (0) together with the oint at infinity O. The sum of two oints (that are not inverse of each other) (x 1 ; y 1 ) + (x ; y ) = (x 3 ; y 3 ) can be comed by x 3 = D x 1 x ; y 3 = (x 1 x 3 ) y 1 ; 8 3x >< 1 + a if x 1 = x ; and = D y 1 >: y 1 y otherwise. x 1 x Proosition 4. If #E (a; b) = + 1 a, then #E (a; b) = a. Proof. Since P #E (a; b) = 1 + xz 1 x + 3 +ax+b, P a = x 3 +ax+b xz. Hence, P #E (a; b) = 1 + xz 1 x 3 +ax+b = a.
12 Ellitic curves over Z n Let n = q with and q two rimes greater than 3, and let a and b be two integers such that gcd(4a 3 + 7b ; n) = 1. An ellitic curve E n (a; b) over the ring Z n is the set of oints (x; y) Z n Z n satisfying the Weierstraß equation y = x 3 + ax + b (mod n) (1) together with the oint at infinity O n. Consider the grou e En (a; b) given by the direct roduct ee n (a; b) = E (a; b) E q (a; b): () By the Chinese remainder theorem there exists a unique oint P = (x 1 ; y 1 ) E n (a; b) for every air of oints P = (x 1 ; y 1 ) E (a; b) n fo g and P q = (x 1q ; y 1q ) E q (a; b) n fo q g such that x 1 mod = x 1, x 1 mod q = x 1q, y 1 mod = y 1 and y 1 mod q = y 1q. This equivalence will be denoted by P = [P ; P q ]. Since O n = [O ; O q ], the grou e En (a; b) consists of all the oints of E n (a; b) together with a number of oints of the form [P ; O q ] or [O ; P q ]. Lemma 1. The tangent-and-chord addition on E n (a; b), whenever it is defined, coincides with the grou oeration on e En (a; b). Proof. Let P and Q E n (a; b). Assume P + Q is well-defined by the tangent-andchord rule. Therefore P + Q = [(P + Q) ; (P + Q) q ] = [P + Q ; P q + Q q ]. If n is the roduct of two large rimes, it is extremely unlikely that the addition is not defined on E n (a; b). Consequently, comations in e En (a; b) can be erformed witho knowing the two rime factors of n.
Elliptic Curves and Cryptography
Ellitic Curves and Crytograhy Background in Ellitic Curves We'll now turn to the fascinating theory of ellitic curves. For simlicity, we'll restrict our discussion to ellitic curves over Z, where is a
More informationA Public-Key Cryptosystem Based on Lucas Sequences
Palestine Journal of Mathematics Vol. 1(2) (2012), 148 152 Palestine Polytechnic University-PPU 2012 A Public-Key Crytosystem Based on Lucas Sequences Lhoussain El Fadil Communicated by Ayman Badawi MSC2010
More informationbreakthrough, many generalizations were presented (e.g. using polynomials), and broken. Recently, it has been adapted to work with other structures. I
Published in M. Lomas, editor, \Security Protocols", vol. 1189 of Lecture Notes in Computer Science, pp. 93-100, Springer-Verlag, 1997. Protocol Failures for RSA-like Functions using Lucas Sequences and
More informationLattice Attacks on the DGHV Homomorphic Encryption Scheme
Lattice Attacks on the DGHV Homomorhic Encrytion Scheme Abderrahmane Nitaj 1 and Tajjeeddine Rachidi 2 1 Laboratoire de Mathématiques Nicolas Oresme Université de Caen Basse Normandie, France abderrahmanenitaj@unicaenfr
More informationA Modified Menezes-Vanstone Elliptic Curve Multi-Keys Cryptosystem
A Modified Menezes-Vanstone Ellitic Curve Multi-Keys Crytosystem By K.H. Rahouma Electrical Technology Deartment Technical College in Riyadh Riyadh, Kingdom of Saudi Arabia E-mail: kamel_rahouma@yahoo.com
More informationCRYPTANALYSIS OF RSA-TYPE CRYPTOSYSTEMS: A VISIT
Published in R. Whright and P. Neumann, eds, Network Threats, DIMACS Series in Discrete Mathematics and Theoretical Computer Science, vol. 38, pp. 21-31, American Mathematical Society, 1998. CRYPTANALYSIS
More informationCryptography Assignment 3
Crytograhy Assignment Michael Orlov orlovm@cs.bgu.ac.il) Yanik Gleyzer yanik@cs.bgu.ac.il) Aril 9, 00 Abstract Solution for Assignment. The terms in this assignment are used as defined in [1]. In some
More informationCDH/DDH-Based Encryption. K&L Sections , 11.4.
CDH/DDH-Based Encrytion K&L Sections 8.3.1-8.3.3, 11.4. 1 Cyclic grous A finite grou G of order q is cyclic if it has an element g of q. { 0 1 2 q 1} In this case, G = g = g, g, g,, g ; G is said to be
More information1. Introduction. 2. Background of elliptic curve group. Identity-based Digital Signature Scheme Without Bilinear Pairings
Identity-based Digital Signature Scheme Without Bilinear Pairings He Debiao, Chen Jianhua, Hu Jin School of Mathematics Statistics, Wuhan niversity, Wuhan, Hubei, China, 43007 Abstract: Many identity-based
More informationAN IMPROVED BABY-STEP-GIANT-STEP METHOD FOR CERTAIN ELLIPTIC CURVES. 1. Introduction
J. Al. Math. & Comuting Vol. 20(2006), No. 1-2,. 485-489 AN IMPROVED BABY-STEP-GIANT-STEP METHOD FOR CERTAIN ELLIPTIC CURVES BYEONG-KWEON OH, KIL-CHAN HA AND JANGHEON OH Abstract. In this aer, we slightly
More informationON THE LEAST SIGNIFICANT p ADIC DIGITS OF CERTAIN LUCAS NUMBERS
#A13 INTEGERS 14 (014) ON THE LEAST SIGNIFICANT ADIC DIGITS OF CERTAIN LUCAS NUMBERS Tamás Lengyel Deartment of Mathematics, Occidental College, Los Angeles, California lengyel@oxy.edu Received: 6/13/13,
More informationSQUARES IN Z/NZ. q = ( 1) (p 1)(q 1)
SQUARES I Z/Z We study squares in the ring Z/Z from a theoretical and comutational oint of view. We resent two related crytograhic schemes. 1. SQUARES I Z/Z Consider for eamle the rime = 13. Write the
More informationAdvanced Cryptography Midterm Exam
Advanced Crytograhy Midterm Exam Solution Serge Vaudenay 17.4.2012 duration: 3h00 any document is allowed a ocket calculator is allowed communication devices are not allowed the exam invigilators will
More information#A64 INTEGERS 18 (2018) APPLYING MODULAR ARITHMETIC TO DIOPHANTINE EQUATIONS
#A64 INTEGERS 18 (2018) APPLYING MODULAR ARITHMETIC TO DIOPHANTINE EQUATIONS Ramy F. Taki ElDin Physics and Engineering Mathematics Deartment, Faculty of Engineering, Ain Shams University, Cairo, Egyt
More informationBayesian System for Differential Cryptanalysis of DES
Available online at www.sciencedirect.com ScienceDirect IERI Procedia 7 (014 ) 15 0 013 International Conference on Alied Comuting, Comuter Science, and Comuter Engineering Bayesian System for Differential
More informationCryptography. Lecture 8. Arpita Patra
Crytograhy Lecture 8 Arita Patra Quick Recall and Today s Roadma >> Hash Functions- stands in between ublic and rivate key world >> Key Agreement >> Assumtions in Finite Cyclic grous - DL, CDH, DDH Grous
More informationTanja Lange Technische Universiteit Eindhoven
Crytanalysis Course Part I Tanja Lange Technische Universiteit Eindhoven 28 Nov 2016 with some slides by Daniel J. Bernstein Main goal of this course: We are the attackers. We want to break ECC and RSA.
More informationPublic Key Cryptosystems RSA
Public Key Crytosystems RSA 57 17 Receiver Sender 41 19 and rime 53 Attacker 47 Public Key Crytosystems RSA Comute numbers n = * 2337 323 57 17 Receiver Sender 41 19 and rime 53 Attacker 2491 47 Public
More informationAn Attack on a Fully Homomorphic Encryption Scheme
An Attack on a Fully Homomorhic Encrytion Scheme Yuu Hu 1 and Fenghe Wang 2 1 Telecommunication School, Xidian University, 710071 Xi an, China 2 Deartment of Mathematics and Physics Shandong Jianzhu University,
More informationRECIPROCITY LAWS JEREMY BOOHER
RECIPROCITY LAWS JEREMY BOOHER 1 Introduction The law of uadratic recirocity gives a beautiful descrition of which rimes are suares modulo Secial cases of this law going back to Fermat, and Euler and Legendre
More informationCryptanalysis of Pseudorandom Generators
CSE 206A: Lattice Algorithms and Alications Fall 2017 Crytanalysis of Pseudorandom Generators Instructor: Daniele Micciancio UCSD CSE As a motivating alication for the study of lattice in crytograhy we
More informationDISCRIMINANTS IN TOWERS
DISCRIMINANTS IN TOWERS JOSEPH RABINOFF Let A be a Dedekind domain with fraction field F, let K/F be a finite searable extension field, and let B be the integral closure of A in K. In this note, we will
More informationA CONCRETE EXAMPLE OF PRIME BEHAVIOR IN QUADRATIC FIELDS. 1. Abstract
A CONCRETE EXAMPLE OF PRIME BEHAVIOR IN QUADRATIC FIELDS CASEY BRUCK 1. Abstract The goal of this aer is to rovide a concise way for undergraduate mathematics students to learn about how rime numbers behave
More informationImproved Hidden Vector Encryption with Short Ciphertexts and Tokens
Imroved Hidden Vector Encrytion with Short Cihertexts and Tokens Kwangsu Lee Dong Hoon Lee Abstract Hidden vector encrytion HVE) is a articular kind of redicate encrytion that is an imortant crytograhic
More information#A47 INTEGERS 15 (2015) QUADRATIC DIOPHANTINE EQUATIONS WITH INFINITELY MANY SOLUTIONS IN POSITIVE INTEGERS
#A47 INTEGERS 15 (015) QUADRATIC DIOPHANTINE EQUATIONS WITH INFINITELY MANY SOLUTIONS IN POSITIVE INTEGERS Mihai Ciu Simion Stoilow Institute of Mathematics of the Romanian Academy, Research Unit No. 5,
More informationThe inverse Goldbach problem
1 The inverse Goldbach roblem by Christian Elsholtz Submission Setember 7, 2000 (this version includes galley corrections). Aeared in Mathematika 2001. Abstract We imrove the uer and lower bounds of the
More informationBilinear Entropy Expansion from the Decisional Linear Assumption
Bilinear Entroy Exansion from the Decisional Linear Assumtion Lucas Kowalczyk Columbia University luke@cs.columbia.edu Allison Bisho Lewko Columbia University alewko@cs.columbia.edu Abstract We develo
More informationApplicable Analysis and Discrete Mathematics available online at HENSEL CODES OF SQUARE ROOTS OF P-ADIC NUMBERS
Alicable Analysis and Discrete Mathematics available online at htt://efmath.etf.rs Al. Anal. Discrete Math. 4 (010), 3 44. doi:10.98/aadm1000009m HENSEL CODES OF SQUARE ROOTS OF P-ADIC NUMBERS Zerzaihi
More informationA New Generalization of the KMOV Cryptosystem
J Appl Math Comput manuscript No. (will be inserted by the editor) A New Generalization of the KMOV Cryptosystem Maher Boudabra Abderrahmane Nitaj Received: date / Accepted: date Abstract The KMOV scheme
More informationMultiplicative group law on the folium of Descartes
Multilicative grou law on the folium of Descartes Steluţa Pricoie and Constantin Udrişte Abstract. The folium of Descartes is still studied and understood today. Not only did it rovide for the roof of
More informationConversions among Several Classes of Predicate Encryption and Applications to ABE with Various Compactness Tradeoffs
Conversions among Several Classes of Predicate Encrytion and Alications to ABE with Various Comactness Tradeoffs Nuttaong Attraadung, Goichiro Hanaoka, and Shota Yamada National Institute of Advanced Industrial
More informationMath 4400/6400 Homework #8 solutions. 1. Let P be an odd integer (not necessarily prime). Show that modulo 2,
MATH 4400 roblems. Math 4400/6400 Homework # solutions 1. Let P be an odd integer not necessarily rime. Show that modulo, { P 1 0 if P 1, 7 mod, 1 if P 3, mod. Proof. Suose that P 1 mod. Then we can write
More informationMath 261 Exam 2. November 7, The use of notes and books is NOT allowed.
Math 261 Eam 2 ovember 7, 2018 The use of notes and books is OT allowed Eercise 1: Polynomials mod 691 (30 ts In this eercise, you may freely use the fact that 691 is rime Consider the olynomials f( 4
More informationEfficient Cryptosystems From 2 k -th Power Residue Symbols
Efficient Crytosystems From 2 k -th Power Residue Symbols Marc Joye and Benoît Libert Technicolor 975 avenue des Chams Blancs, 35576 Cesson-Sévigné Cedex, France {marc.joye,benoit.libert}@technicolor.com
More informationEfficient Cryptosystems From 2 k -th Power Residue Symbols
Published in Journal of Crytology, 30(2:519 549, 2017. Efficient Crytosystems From 2 k -th Power Residue Symbols Fabrice Benhamouda 1, Javier Herranz 2, Marc Joye 3, and Benoît Libert 4, 1 ES Paris, CRS,
More informationDynamic Countermeasure Against the Zero Power Analysis
Dynamic Countermeasure Against the Zero Power Analysis Jean-Luc Danger 1,2, Sylvain Guilley 1,2, Philie Hoogvorst 2, Cédric Murdica 1,2, and David Naccache 3 1 Secure-IC S.A.S., 80 avenue des Buttes de
More informationElliptic Curves Spring 2015 Problem Set #1 Due: 02/13/2015
18.783 Ellitic Curves Sring 2015 Problem Set #1 Due: 02/13/2015 Descrition These roblems are related to the material covered in Lectures 1-2. Some of them require the use of Sage, and you will need to
More informationMATH 361: NUMBER THEORY EIGHTH LECTURE
MATH 361: NUMBER THEORY EIGHTH LECTURE 1. Quadratic Recirocity: Introduction Quadratic recirocity is the first result of modern number theory. Lagrange conjectured it in the late 1700 s, but it was first
More informationJacobi symbols and application to primality
Jacobi symbols and alication to rimality Setember 19, 018 1 The grou Z/Z We review the structure of the abelian grou Z/Z. Using Chinese remainder theorem, we can restrict to the case when = k is a rime
More informationOn the Rank of the Elliptic Curve y 2 = x(x p)(x 2)
On the Rank of the Ellitic Curve y = x(x )(x ) Jeffrey Hatley Aril 9, 009 Abstract An ellitic curve E defined over Q is an algebraic variety which forms a finitely generated abelian grou, and the structure
More informationHow to Choose Secret Parameters for RSA and its Extensions to Elliptic Curves
How to Choose Secret Parameters for RSA and its Extensions to Elliptic Curves [Published in Designs, Codes and Cryptography 23(3):297 316, 2001.] Marc Joye 1, Jean-Jacques Quisquater 2, and Tsuyoshi Takagi
More informationCERIAS Tech Report The period of the Bell numbers modulo a prime by Peter Montgomery, Sangil Nahm, Samuel Wagstaff Jr Center for Education
CERIAS Tech Reort 2010-01 The eriod of the Bell numbers modulo a rime by Peter Montgomery, Sangil Nahm, Samuel Wagstaff Jr Center for Education and Research Information Assurance and Security Purdue University,
More informationEfficient Cryptosystems From 2 k -th Power Residue Symbols
Efficient Crytosystems From k -th Power Residue Symbols Fabrice Benhamouda, Javier Herranz, Marc Joye 3, and Benoît Libert 4, ENS Paris, CNRS, INRIA, and PSL 45 rue d Ulm, 7530 Paris Cedex 06, France fabrice.benhamouda@ens.fr
More informationSolvability and Number of Roots of Bi-Quadratic Equations over p adic Fields
Malaysian Journal of Mathematical Sciences 10(S February: 15-35 (016 Secial Issue: The 3 rd International Conference on Mathematical Alications in Engineering 014 (ICMAE 14 MALAYSIAN JOURNAL OF MATHEMATICAL
More informationOn Nonlinear Polynomial Selection and Geometric Progression (mod N) for Number Field Sieve
On onlinear Polynomial Selection and Geometric Progression (mod ) for umber Field Sieve amhun Koo, Gooc Hwa Jo, and Soonhak Kwon Email: komaton@skku.edu, achimheasal@nate.com, shkwon@skku.edu Det. of Mathematics,
More informationx 2 a mod m. has a solution. Theorem 13.2 (Euler s Criterion). Let p be an odd prime. The congruence x 2 1 mod p,
13. Quadratic Residues We now turn to the question of when a quadratic equation has a solution modulo m. The general quadratic equation looks like ax + bx + c 0 mod m. Assuming that m is odd or that b
More informationHASSE INVARIANTS FOR THE CLAUSEN ELLIPTIC CURVES
HASSE INVARIANTS FOR THE CLAUSEN ELLIPTIC CURVES AHMAD EL-GUINDY AND KEN ONO Astract. Gauss s F x hyergeometric function gives eriods of ellitic curves in Legendre normal form. Certain truncations of this
More informationCryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg
Course 1: Remainder: RSA Université du Luxembourg September 21, 2010 Public-key encryption Public-key encryption: two keys. One key is made public and used to encrypt. The other key is kept private and
More informationWhen do the Fibonacci invertible classes modulo M form a subgroup?
Annales Mathematicae et Informaticae 41 (2013). 265 270 Proceedings of the 15 th International Conference on Fibonacci Numbers and Their Alications Institute of Mathematics and Informatics, Eszterházy
More informationOn the Multiplicative Order of a n Modulo n
1 2 3 47 6 23 11 Journal of Integer Sequences, Vol. 13 2010), Article 10.2.1 On the Multilicative Order of a n Modulo n Jonathan Chaelo Université Lille Nord de France F-59000 Lille France jonathan.chaelon@lma.univ-littoral.fr
More informationPredicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products
Predicate Encrytion Suorting Disjunctions, Polynomial Equations, and Inner Products Jonathan Katz jkatz@cs.umd.edu Amit Sahai sahai@cs.ucla.edu Brent Waters bwaters@csl.sri.com Abstract Predicate encrytion
More informationSmall Zeros of Quadratic Forms Mod P m
International Mathematical Forum, Vol. 8, 2013, no. 8, 357-367 Small Zeros of Quadratic Forms Mod P m Ali H. Hakami Deartment of Mathematics, Faculty of Science, Jazan University P.O. Box 277, Jazan, Postal
More informationMATH342 Practice Exam
MATH342 Practice Exam This exam is intended to be in a similar style to the examination in May/June 2012. It is not imlied that all questions on the real examination will follow the content of the ractice
More informationDirichlet s Theorem on Arithmetic Progressions
Dirichlet s Theorem on Arithmetic Progressions Thai Pham Massachusetts Institute of Technology May 2, 202 Abstract In this aer, we derive a roof of Dirichlet s theorem on rimes in arithmetic rogressions.
More informationA secure approach for embedding message text on an elliptic curve defined over prime fields, and building 'EC-RSA-ELGamal' Cryptographic System
International Journal of Comuter Science an Information Security (IJCSIS), Vol. 5, No. 6, June 7 A secure aroach for embeing message tet on an ellitic curve efine over rime fiels, an builing 'EC-RSA-ELGamal'
More informationRepresenting Integers as the Sum of Two Squares in the Ring Z n
1 2 3 47 6 23 11 Journal of Integer Sequences, Vol. 17 (2014), Article 14.7.4 Reresenting Integers as the Sum of Two Squares in the Ring Z n Joshua Harrington, Lenny Jones, and Alicia Lamarche Deartment
More informationA SUPERSINGULAR CONGRUENCE FOR MODULAR FORMS
A SUPERSINGULAR CONGRUENCE FOR MODULAR FORMS ANDREW BAKER Abstract. Let > 3 be a rime. In the ring of modular forms with q-exansions defined over Z (), the Eisenstein function E +1 is shown to satisfy
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationAn Overview of Witt Vectors
An Overview of Witt Vectors Daniel Finkel December 7, 2007 Abstract This aer offers a brief overview of the basics of Witt vectors. As an alication, we summarize work of Bartolo and Falcone to rove that
More informationA supersingular congruence for modular forms
ACTA ARITHMETICA LXXXVI.1 (1998) A suersingular congruence for modular forms by Andrew Baker (Glasgow) Introduction. In [6], Gross and Landweber roved the following suersingular congruence in the ring
More informationMAS 4203 Number Theory. M. Yotov
MAS 4203 Number Theory M. Yotov June 15, 2017 These Notes were comiled by the author with the intent to be used by his students as a main text for the course MAS 4203 Number Theory taught at the Deartment
More informationON POLYNOMIAL SELECTION FOR THE GENERAL NUMBER FIELD SIEVE
MATHEMATICS OF COMPUTATIO Volume 75, umber 256, October 26, Pages 237 247 S 25-5718(6)187-9 Article electronically ublished on June 28, 26 O POLYOMIAL SELECTIO FOR THE GEERAL UMBER FIELD SIEVE THORSTE
More informationMATH 361: NUMBER THEORY ELEVENTH LECTURE
MATH 361: NUMBER THEORY ELEVENTH LECTURE The subjects of this lecture are characters, Gauss sums, Jacobi sums, and counting formulas for olynomial equations over finite fields. 1. Definitions, Basic Proerties
More informationAn Estimate For Heilbronn s Exponential Sum
An Estimate For Heilbronn s Exonential Sum D.R. Heath-Brown Magdalen College, Oxford For Heini Halberstam, on his retirement Let be a rime, and set e(x) = ex(2πix). Heilbronn s exonential sum is defined
More informationGalois Fields, Linear Feedback Shift Registers and their Applications
Galois Fields, Linear Feedback Shift Registers and their Alications With 85 illustrations as well as numerous tables, diagrams and examles by Ulrich Jetzek ISBN (Book): 978-3-446-45140-7 ISBN (E-Book):
More informationPOINTS ON CONICS MODULO p
POINTS ON CONICS MODULO TEAM 2: JONGMIN BAEK, ANAND DEOPURKAR, AND KATHERINE REDFIELD Abstract. We comute the number of integer oints on conics modulo, where is an odd rime. We extend our results to conics
More informationON LINEAR COMPLEXITY OF GENERALIZED SHRINKING-MULTIPLEXING GENERATOR
Journal of Basic and Alied Research International 4(1): 8 17, 015 O LIEAR COMPLEXITY OF GEERALIZED SHRIKIG-MULTIPLEXIG GEERATOR ZHAETA. TASHEVA 1* 1 Faculty of Artillery, AAD and CIS, ational Military
More informationRandomness Extraction in finite fields F p
Randomness Extraction in finite fields F n Abdoul Aziz Ciss École doctorale de Mathématiques et d Informatique, Université Cheikh Anta Dio de Dakar, Sénégal BP: 5005, Dakar Fann abdoul.ciss@ucad.edu.sn,
More informationVerifying Two Conjectures on Generalized Elite Primes
1 2 3 47 6 23 11 Journal of Integer Sequences, Vol. 12 (2009), Article 09.4.7 Verifying Two Conjectures on Generalized Elite Primes Xiaoqin Li 1 Mathematics Deartment Anhui Normal University Wuhu 241000,
More informationWhen do Fibonacci invertible classes modulo M form a subgroup?
Calhoun: The NPS Institutional Archive DSace Reository Faculty and Researchers Faculty and Researchers Collection 2013 When do Fibonacci invertible classes modulo M form a subgrou? Luca, Florian Annales
More informationA Block Cipher Involving a Key and a Key Bunch Matrix, Supplemented with Key-Based Permutation and Substitution
(IJACSA) International Journal of Advanced Comuter Science and Alications, Vol. 4, No., 0 A Block Ciher Involving a Key and a Key Bunch Matrix, Sulemented with Key-Based Permutation and Substitution Dr.
More informationMersenne and Fermat Numbers
NUMBER THEORY CHARLES LEYTEM Mersenne and Fermat Numbers CONTENTS 1. The Little Fermat theorem 2 2. Mersenne numbers 2 3. Fermat numbers 4 4. An IMO roblem 5 1 2 CHARLES LEYTEM 1. THE LITTLE FERMAT THEOREM
More informationAlmost All Palindromes Are Composite
Almost All Palindromes Are Comosite William D Banks Det of Mathematics, University of Missouri Columbia, MO 65211, USA bbanks@mathmissouriedu Derrick N Hart Det of Mathematics, University of Missouri Columbia,
More informationOutline. EECS150 - Digital Design Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs) Simple Error Detection Coding
Outline EECS150 - Digital Design Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs) Error detection using arity Hamming code for error detection/correction Linear Feedback Shift
More information3 Properties of Dedekind domains
18.785 Number theory I Fall 2016 Lecture #3 09/15/2016 3 Proerties of Dedekind domains In the revious lecture we defined a Dedekind domain as a noetherian domain A that satisfies either of the following
More informationSolving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?
Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know? Alexander May, Maike Ritzenhofen Faculty of Mathematics Ruhr-Universität Bochum, 44780 Bochum,
More information2 Asymptotic density and Dirichlet density
8.785: Analytic Number Theory, MIT, sring 2007 (K.S. Kedlaya) Primes in arithmetic rogressions In this unit, we first rove Dirichlet s theorem on rimes in arithmetic rogressions. We then rove the rime
More information2 Asymptotic density and Dirichlet density
8.785: Analytic Number Theory, MIT, sring 2007 (K.S. Kedlaya) Primes in arithmetic rogressions In this unit, we first rove Dirichlet s theorem on rimes in arithmetic rogressions. We then rove the rime
More informationARITHMETIC PROGRESSIONS OF POLYGONAL NUMBERS WITH COMMON DIFFERENCE A POLYGONAL NUMBER
#A43 INTEGERS 17 (2017) ARITHMETIC PROGRESSIONS OF POLYGONAL NUMBERS WITH COMMON DIFFERENCE A POLYGONAL NUMBER Lenny Jones Deartment of Mathematics, Shiensburg University, Shiensburg, Pennsylvania lkjone@shi.edu
More informationHENSEL S LEMMA KEITH CONRAD
HENSEL S LEMMA KEITH CONRAD 1. Introduction In the -adic integers, congruences are aroximations: for a and b in Z, a b mod n is the same as a b 1/ n. Turning information modulo one ower of into similar
More informationIDENTIFYING CONGRUENCE SUBGROUPS OF THE MODULAR GROUP
PROCEEDINGS OF THE AMERICAN MATHEMATICAL SOCIETY Volume 24, Number 5, May 996 IDENTIFYING CONGRUENCE SUBGROUPS OF THE MODULAR GROUP TIM HSU (Communicated by Ronald M. Solomon) Abstract. We exhibit a simle
More informationQuaternionic Projective Space (Lecture 34)
Quaternionic Projective Sace (Lecture 34) July 11, 2008 The three-shere S 3 can be identified with SU(2), and therefore has the structure of a toological grou. In this lecture, we will address the question
More informationQUADRATIC RECIPROCITY
QUADRATIC RECIPROCIT POOJA PATEL Abstract. This aer is an self-contained exosition of the law of uadratic recirocity. We will give two roofs of the Chinese remainder theorem and a roof of uadratic recirocity.
More informationPiotr Blass. Jerey Lang
Ulam Quarterly Volume 2, Number 1, 1993 Piotr Blass Deartment of Mathematics Palm Beach Atlantic College West Palm Beach, FL 33402 Joseh Blass Deartment of Mathematics Bowling Green State University Bowling
More informationPredicate Privacy in Encryption Systems
Predicate Privacy in Encrytion Systems Emily Shen MIT eshen@csail.mit.edu Elaine Shi CMU/PARC eshi@arc.com December 24, 2008 Brent Waters UT Austin bwaters@cs.utexas.edu Abstract Predicate encrytion is
More informationThe Hasse Minkowski Theorem Lee Dicker University of Minnesota, REU Summer 2001
The Hasse Minkowski Theorem Lee Dicker University of Minnesota, REU Summer 2001 The Hasse-Minkowski Theorem rovides a characterization of the rational quadratic forms. What follows is a roof of the Hasse-Minkowski
More informationMobius Functions, Legendre Symbols, and Discriminants
Mobius Functions, Legendre Symbols, and Discriminants 1 Introduction Zev Chonoles, Erick Knight, Tim Kunisky Over the integers, there are two key number-theoretic functions that take on values of 1, 1,
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer 1 Lecture 13 October 16, 2017 (notes revised 10/23/17) 1 Derived from lecture notes by Ewa Syta. CPSC 467, Lecture 13 1/57 Elliptic Curves
More informationLemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).
1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not
More informationEfficient Hardware Architecture of SEED S-box for Smart Cards
JOURNL OF SEMICONDUCTOR TECHNOLOY ND SCIENCE VOL.4 NO.4 DECEMBER 4 37 Efficient Hardware rchitecture of SEED S-bo for Smart Cards Joon-Ho Hwang bstract This aer resents an efficient architecture that otimizes
More informationIntroductory Number Theory
Introductory Number Theory Lecture Notes Sudita Mallik May, 208 Contents Introduction. Notation and Terminology.............................2 Prime Numbers.................................. 2 2 Divisibility,
More informationBy Evan Chen OTIS, Internal Use
Solutions Notes for DNY-NTCONSTRUCT Evan Chen January 17, 018 1 Solution Notes to TSTST 015/5 Let ϕ(n) denote the number of ositive integers less than n that are relatively rime to n. Prove that there
More informationBent Functions of maximal degree
IEEE TRANSACTIONS ON INFORMATION THEORY 1 Bent Functions of maximal degree Ayça Çeşmelioğlu and Wilfried Meidl Abstract In this article a technique for constructing -ary bent functions from lateaued functions
More informationAn Algebraic Framework for Pseudorandom Functions and Applications to Related-Key Security
An extended abstract of this aer aears in the Proceedings of the 35th Annual Crytology Conference (CRYPTO 2015), Part I, Rosario ennaro and Matthew Robshaw (Eds.), volume 9215 of Lecture Notes in Comuter
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 13 March 3, 2013 CPSC 467b, Lecture 13 1/52 Elliptic Curves Basics Elliptic Curve Cryptography CPSC
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationChapter 3. Number Theory. Part of G12ALN. Contents
Chater 3 Number Theory Part of G12ALN Contents 0 Review of basic concets and theorems The contents of this first section well zeroth section, really is mostly reetition of material from last year. Notations:
More informationMulti-Operation Multi-Machine Scheduling
Multi-Oeration Multi-Machine Scheduling Weizhen Mao he College of William and Mary, Williamsburg VA 3185, USA Abstract. In the multi-oeration scheduling that arises in industrial engineering, each job
More informationWeil s Conjecture on Tamagawa Numbers (Lecture 1)
Weil s Conjecture on Tamagawa Numbers (Lecture ) January 30, 204 Let R be a commutative ring and let V be an R-module. A quadratic form on V is a ma q : V R satisfying the following conditions: (a) The
More informationOn the Unpredictability of Bits of the Elliptic Curve Diffie Hellman Scheme
On the Unredictability of Bits of the Ellitic Curve Diffie Hellman Scheme Dan Boneh 1 and Igor E. Sharlinski 2 1 Deartment of Comuter Science, Stanford University, CA, USA dabo@cs.stanford.edu 2 Deartment
More information