Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV *
2017 2nd International Conference on Artificial Intelligence: Techniques and Applications (AITA 2017) ISBN:

Hidden Number Problem Given Bound of Secret
Jia-ning LIU and Ke-wei LV*
DCS Research Center, Institute of Information Engineering, Chinese Academy of Sciences; University of Chinese Academy of Sciences, Beijing, China
*Corresponding author

Keywords: Hidden number problem, lattice approximate nearest vector algorithm, Schnorr signature algorithm.

Abstract. In this paper we study the hidden number problem (HNP) with only a constant number of oracle queries. Given a bound $X$ on the hidden number $x$, we transform the problem into solving the single-variable modular inequality $(tx - u) \bmod N < \delta$ by lattice techniques, and recover the secret from these queries with sufficiently large probability. As an application, we analyze the security of the Schnorr signature scheme in the random oracle model and give an effective reduction from the security of the scheme to the predictability of bits of its nonce.

Introduction

Boneh and Venkatesan proposed the Hidden Number Problem (HNP), also known as the hidden number method, in 1996 while studying the bit security of the private key in the Diffie-Hellman key exchange protocol [1, 2]. By combining lattice reduction [3, 4, 5], the approximate nearest vector algorithm [6] and exponential sum estimates, the hidden number can be recovered in probabilistic polynomial time. Essentially this is a process of finding an integer solution $x$ [7] of inequalities of the form $(t_i x - u_i) \bmod p < \delta$. The hidden number method can be used to study the equivalence between the security of partial bits of the private key of a cryptosystem and the security of the key itself [8]. [9] used the HNP method to study the security of the DSA signature scheme [10] when partial bits of the ephemeral random number $k$ (the nonce) leak.
In 1999, [11] pointed out the relation between solving HNP and an attack on a flawed DSA implementation. The best result at present is: given a certain number of message signatures in which the DSA nonce leaks one bit, $2^{24}$ signatures suffice for an attack [12]. On the other hand, [9] indicated that at least three leaked nonce bits are required for the attack to be effective. The HNP method needs multiple oracle queries. Reducing the number of oracle queries saves the external resources consumed when the method is applied and improves the probability of success, but there had been no progress in this direction. [7] proposed the One-Time HNP (OT-HNP) method, which, given a bound $X$ on the secret, reduces the number of oracle queries to one. Experimental simulation on the ElGamal signature scheme [13] shows that the method can use the range of the hidden information directly [14] and recover the user's private key within a few seconds. However, when $\delta$ is close to $O(q)$, $X$ has to be small for the attack to be effective, and the problem is then trivial. In addition, the paper has some technical defects. We extend the idea of [7] and study the situation where the oracle is queried a constant number $d$ of times, named d-times HNP, and give the constraint relation between $X$ and $\delta$ and its effect on success probability and efficiency. Generally, the larger $d$ is, the higher the probability of obtaining $x$; $d = 1$ is Rosa's OT-HNP method. As an application, this paper analyzes the security of the Schnorr signature in the random oracle model and realizes the reduction from its security to the partial-bit predictability of the nonce $k$.

Organization of the Paper

This paper is organized as follows. Section 3 introduces basic concepts and notation. Section 4 presents the concept of (d-times) HNP for a constant number of oracle queries and gives a concrete solution algorithm. Section 5 analyzes the improvement on Rosa's OT-HNP method. Section 6 proposes an application and gives the security analysis of the Schnorr signature scheme [15]. Finally, Section 7 summarizes.

Preliminaries

For an integer $x$, the $k$ least significant (lower) bits of $x$ are denoted $\mathrm{LSB}_k(x)$ and the $k$ most significant bits $\mathrm{MSB}_k(x)$. $\mathrm{MSB}_k(x)$ is defined as a positive integer $z$ satisfying $|x - z| < p/2^{k+1}$; for example, $\mathrm{MSB}_1(x) = 1$ for $x > p/2$ and $\mathrm{MSB}_1(x) = 0$ for $x < p/2$. It approximates the actual most significant bits of a positive integer, with a possible error in a few of the low bits. From $|x - z| < p/2^{k+1}$ we get $0 \le (x - z) \bmod p < p/2^{k+1}$, where $(x - z) \bmod p$ is treated as a positive integer in $[0, p-1]$. LSB can be converted to MSB [16].

Notation. $X = q/2^l$, $\delta = q/2^k$, and $d = O(1)$, $d \ge 1$, is a constant. Set $G = 1/2 + (d+1)^{1/2}\, 2^{(d-3)/4}$. $x \bmod N$ is treated as a positive integer in $[0, N-1]$. For $z \in \mathbb{Q}$ define $\|z\|_q = \min_{b \in \mathbb{Z}} |z - bq|$.

Definition 1. Given $n$ linearly independent vectors in $\mathbb{R}^m$, the lattice $L$ they generate is the set of all their integer linear combinations; the $n$ vectors form a basis of the lattice.

Definition 2. Given $t, u \in \mathbb{Z}$, $N \in \mathbb{N}$, $\delta \in \mathbb{Q}$ and $X \in \mathbb{Q}$, the five-tuple $(t, u, \delta, N, X)$ is said to be satisfiable if there exists $x$ with $0 < x < X < N$ such that the modular inequality $(tx - u) \bmod N < \delta$ holds.

Definition 3 (Hidden Number Problem, HNP). Let $\alpha \in \mathbb{Z}_p$ be the hidden number (information), where $p$ is a large prime. Choose integers $t_i$ uniformly and independently at random from $\mathbb{Z}_p^*$. Given an oracle that is able to output the $k-1$ most significant bits $\mathrm{MSB}_{k-1}(\alpha t_i \bmod p)$ of $\alpha t_i \bmod p$, that is, an integer $z_i$ with $0 \le (\alpha t_i - z_i) \bmod p < p/2^k$, the hidden number problem is to find $\alpha$.

Definition 4. Let $x$ be the integer to be kept secret, with $0 < x < X$, where $X \in \mathbb{Q}$ is known.
Given $q \in \mathbb{N}$, assume there is an oracle $O_x(t)$ which, on input an integer $t$, computes $u$ such that $(tx - u) \bmod q < \delta$, where $(tx - u) \bmod q$ is an integer in $[0, q-1]$. This yields an instance $(t, u, \delta, q, X)$ of the modular inequality under the oracle $O_x(\cdot)$. Given $d$ such instances $(t_i, u_i, \delta, q, X)$, $i = 1, 2, \ldots, d$, about the same $x$, the task is to solve for $x$. We call this problem the hidden number problem given a bound on the secret, or d-times HNP.

Proposition 1 (Babai). Let $L$ be a $d$-dimensional lattice. Given a vector $v \in \mathbb{R}^d$, a lattice point $w$ can be found in polynomial time such that $\|v - w\| \le 2^{d/2} \min_{h \in L} \|v - h\|$.

d-times Hidden Number Problem Given Bound of Secret

Assume the given oracle $O_x(t)$ computes $u$ such that $(tx - u) \bmod q < \delta$, where $(tx - u) \bmod q$ is an integer in $[0, q-1]$. Querying the oracle $d$ times gives $d$ modular inequalities $(t_i x - u_i) \bmod q < \delta$. To obtain $x$, consider the lattice $L(q, \delta/X, t_1, t_2, \ldots, t_d)$ spanned by the rows of the following $(d+1) \times (d+1)$ matrix:

$$
\begin{pmatrix}
q & 0 & \cdots & 0 & 0 \\
0 & q & \cdots & 0 & 0 \\
\vdots & \vdots & \ddots & \vdots & \vdots \\
0 & 0 & \cdots & q & 0 \\
t_1 & t_2 & \cdots & t_d & \delta/X
\end{pmatrix} \qquad (1)
$$

Lemma 1. Given $d$ modular inequalities $(t_i x - u_i) \bmod q < \delta$, $i = 1, 2, \ldots, d$, where $q$ is a large prime. Let $t_i, u_i, l, k \in \mathbb{Z}$ and $\delta \in \mathbb{Q}$ satisfy $l > 0$, $O(1) < k < \log q$, $0 < l < \log q$, and let $t_i$ be uniformly distributed on $[1, q)$. Let $0 < x \le X = q/2^l$, $1 \le \delta = q/2^k$, and $l + kd \ge \log q + (d+1)\log 2G + 1$. Then with probability $P \ge 1 - (2G)^{d+1} q/2^{l+kd}$, every vector of $L(q, \delta/X, t_1, t_2, \ldots, t_d)$ of norm at most $G\delta$ is of the form $(0, \ldots, 0, \beta\delta/X)$ with $\beta \equiv 0 \pmod q$.
Proof. Every vector of $L(q, \delta/X, t_1, t_2, \ldots, t_d)$ can be written as

$$(\beta t_1 + c_1 q, \ldots, \beta t_d + c_d q, \beta\delta/X), \qquad \beta, c_i \in \mathbb{Z}. \qquad (2)$$

If $\beta \equiv 0 \pmod q$, each $\beta t_i + c_i q$ is a multiple of $q$. From $O(1) < k < \log q$ we have $1 \le \delta = q/2^k < q/2G$, so $G\delta < q/2$, and a multiple of $q$ of absolute value at most $G\delta$ must be $0$; the vector is $(0, \ldots, 0, \beta\delta/X)$. Now let $\beta \not\equiv 0 \pmod q$. Since $t_i \in [1, q)$, $\beta t_i \not\equiv 0 \pmod q$. If the vector (2) has norm at most $G\delta$, then

$$|\beta t_i + c_i q| \le G\delta < q/2, \quad i = 1, 2, \ldots, d, \qquad (3)$$

that is,

$$\|\beta t_i\|_q \le G\delta. \qquad (4)$$

Let $E(\beta)$ denote the event that (3) holds. Obviously, if the norm of (2) is at most $G\delta$, then $|\beta|\delta/X \le G\delta$, i.e. $|\beta| \le GX$. Let $p(\beta, q)$ denote the probability that $\|\beta t_i\|_q \le G\delta$. Since the $t_i$ are independent, $\Pr(E(\beta)) \le p(\beta, q)^d$, and since $\beta t_i \bmod q$ is uniformly distributed on $[1, q)$,

$$p(\beta, q) = 1 - \Pr(\|\beta t_i\|_q > G\delta) = 1 - \Pr(G\delta < \beta t_i \bmod q < q - G\delta) \le 2G\delta/q.$$

Summing over $\beta \not\equiv 0 \pmod q$ in $I = [-GX, 0) \cup (0, GX]$, the probability that some vector with $\beta \not\equiv 0 \pmod q$ has norm at most $G\delta$ is at most

$$\sum_{\beta \in I} p(\beta, q)^d \le 2GX \cdot (2G\delta/q)^d = (2G)^{d+1}\, q/2^{l+kd}.$$

Since $l + kd \ge \log q + (d+1)\log 2G + 1$, we have $(2G)^{d+1} q/2^{l+kd} \le 1/2$, so $P \ge 1 - (2G)^{d+1}q/2^{l+kd} \ge 1/2$.

Theorem 1. Given $d$ modular inequalities $(t_i x - u_i) \bmod q < \delta$, $i = 1, 2, \ldots, d$, where $q$ is a large prime. Let $t_i, u_i, l, k \in \mathbb{Z}$ and $\delta \in \mathbb{Q}$ satisfy $l > 0$, $O(1) < k < \log q$, $0 < l < \log q$, and let $t_i$ be uniformly distributed on $[1, q)$. Let $0 < x \le X = q/2^l$ and $1 \le \delta = q/2^k$ satisfy $l + kd \ge \log q + (d+1)\log 2G + 1$. Then with probability $P \ge 1 - (2G)^{d+1} q/2^{l+kd}$ we can find the solution $x$.

Proof. Since $(t_i x - u_i) \bmod q < \delta$ for $i = 1, 2, \ldots, d$, there exist $c_i \in \mathbb{Z}$ with $0 \le t_i x - u_i + c_i q < \delta$, hence $|t_i x - u_i - \delta/2 + c_i q| \le \delta/2$. Set $v = (u_1 + \delta/2, u_2 + \delta/2, \ldots, u_d + \delta/2, \delta/2)$ and consider the lattice $L(q, \delta/X, t_1, t_2, \ldots, t_d)$. It contains the vector $h = (t_1 x + c_1 q, \ldots, t_d x + c_d q, x\delta/X)$, and since $0 < x\delta/X < \delta$ we have $\|h - v\| \le \delta/2$. Applying Babai's algorithm (Proposition 1) to this lattice and the vector $v$ yields $w = (w_1, \ldots, w_d, w_{d+1})$ with $\|v - w\| \le (d+1)^{1/2}\,2^{(d-3)/4}\,\delta$. Since $h - w \in L$,

$$\|h - w\| \le \|h - v\| + \|v - w\| \le \bigl(1/2 + (d+1)^{1/2}\,2^{(d-3)/4}\bigr)\,\delta = G\delta.$$

By Lemma 1, with probability $P \ge 1 - (2G)^{d+1}q/2^{l+kd} \ge 1/2$, $h - w$ is of the form $(0, \ldots, 0, zq\delta/X)$ with $z \in \mathbb{Z}$, so $w_{d+1} = (x - zq)\delta/X$ and $x = (w_{d+1} X/\delta) \bmod q$. By the definition of $L$, $w_{d+1} X/\delta \in \mathbb{Z}$ holds automatically.
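Theorem 1 is constructive, and the following Python script, an added example written for this page and not the authors' code, carries the procedure out end to end: it builds the lattice (1) for a constructed d-times HNP instance, LLL-reduces it, runs Babai's nearest-plane algorithm on the target $v = (u_1 + \delta/2, \ldots, u_d + \delta/2, \delta/2)$, and reads $x$ off the last coordinate as $(w_{d+1} X/\delta) \bmod q$. Everything concrete in it is an assumption made here: the modulus $q = 2^{61} - 1$ stands in for a 160-bit prime, the parameters $d = 4$, $k = 24$, $l = 10$ were chosen so that the condition of Theorem 1 holds with a wide margin, the hidden number and the $t_i$ are derived from SHA-256 so the run is reproducible, and `msb_oracle` simulates $O_x(t)$ by returning $tx \bmod q$ with its low bits cleared. The LLL is the textbook exact-rational version and is only meant for the small dimension $d + 1$ used here.

```python
"""Added example: d-times HNP solver following Theorem 1 (LLL + Babai nearest plane).
Constructed instance, not the authors' code: q = 2^61 - 1, d = 4, delta = q/2^24, X = q/2^10.
"""
from fractions import Fraction
import hashlib
import math


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def gram_schmidt(B):
    """Exact Gram-Schmidt: returns the orthogonal vectors B* and the coefficients mu."""
    n = len(B)
    Bs, mu = [], [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = list(B[i])
        for j in range(i):
            mu[i][j] = dot(B[i], Bs[j]) / dot(Bs[j], Bs[j])
            v = [vi - mu[i][j] * bj for vi, bj in zip(v, Bs[j])]
        Bs.append(v)
    return Bs, mu


def lll_reduce(B, delta=Fraction(3, 4)):
    """Textbook LLL over exact rationals; fine for the (d+1)-dimensional lattices used here."""
    B = [[Fraction(c) for c in row] for row in B]
    n, k = len(B), 1
    Bs, mu = gram_schmidt(B)
    while k < n:
        for j in range(k - 1, -1, -1):              # size-reduce b_k against b_j
            r = round(mu[k][j])
            if r:
                B[k] = [bk - r * bj for bk, bj in zip(B[k], B[j])]
                Bs, mu = gram_schmidt(B)
        if dot(Bs[k], Bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(Bs[k - 1], Bs[k - 1]):
            k += 1                                  # Lovasz condition holds, advance
        else:
            B[k], B[k - 1] = B[k - 1], B[k]         # swap and step back
            Bs, mu = gram_schmidt(B)
            k = max(k - 1, 1)
    return B


def babai_nearest_plane(B, target):
    """Babai's nearest-plane algorithm (Proposition 1) on an LLL-reduced basis B."""
    Bs, _ = gram_schmidt(B)
    w = [Fraction(t) for t in target]
    for i in range(len(B) - 1, -1, -1):
        c = round(dot(w, Bs[i]) / dot(Bs[i], Bs[i]))
        w = [wi - c * bi for wi, bi in zip(w, B[i])]
    return [Fraction(t) - wi for t, wi in zip(target, w)]   # the lattice point found


def hnp_recover(q, ts, us, k, l):
    """Solve (t_i x - u_i) mod q < delta, 0 < x < X, with delta = q/2^k and X = q/2^l.
    Lattice (1): rows q*e_i and (t_1, ..., t_d, delta/X); target v as in Theorem 1."""
    d = len(ts)
    delta, X = Fraction(q, 2 ** k), Fraction(q, 2 ** l)
    basis = [[Fraction(q) if j == i else Fraction(0) for j in range(d + 1)] for i in range(d)]
    basis.append([Fraction(t) for t in ts] + [delta / X])
    target = [Fraction(u) + delta / 2 for u in us] + [delta / 2]
    w = babai_nearest_plane(lll_reduce(basis), target)
    return int(w[-1] * X / delta) % q           # w_{d+1} = (x - zq) * delta / X


def theorem_condition_holds(q, l, k, d):
    """l + kd >= log q + (d+1) log 2G + 1 with G = 1/2 + sqrt(d+1) * 2^((d-3)/4)."""
    G = 0.5 + math.sqrt(d + 1) * 2 ** ((d - 3) / 4)
    return l + k * d >= math.log2(q) + (d + 1) * math.log2(2 * G) + 1


def msb_oracle(x, q, k, t):
    """Simulated O_x(t): returns u with 0 <= (t*x - u) mod q < q/2^k by clearing low bits."""
    low = q.bit_length() - 1 - k                  # 2^low <= q/2^k, so the residue is < q/2^k
    y = t * x % q
    return y - (y % (1 << low))


def demo(d=4, k=24, l=10, seed=b"hnp-demo"):
    """Constructed instance with hash-derived (hence reproducible) x and t_i."""
    q = 2 ** 61 - 1                               # Mersenne prime standing in for a 160-bit q
    X = q >> l
    h = lambda tag: int.from_bytes(hashlib.sha256(seed + tag).digest(), "big")
    x = 1 + h(b"x") % (X - 1)                     # hidden number, 0 < x < X
    ts = [1 + h(b"t%d" % i) % (q - 1) for i in range(d)]   # the d queries, in [1, q)
    us = [msb_oracle(x, q, k, t) for t in ts]     # the d oracle answers
    return {"x": x,
            "recovered": hnp_recover(q, ts, us, k, l),
            "condition": theorem_condition_holds(q, l, k, d)}


if __name__ == "__main__":
    print(demo())
```

With these parameters $l + kd = 106$ against a right-hand side of about $75$, so Lemma 1 leaves essentially no failure probability; lowering $k$ towards the boundary of the condition is the way to see the recovery start to fail.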
Proof of uniqueness. By Lemma 1, every vector of $L(q, \delta/X, t_1, t_2, \ldots, t_d)$ of norm at most $(1/2 + (d+1)^{1/2}\,2^{(d-3)/4})\,\delta = G\delta$ is, with probability $P \ge 1 - (2G)^{d+1}q/2^{l+kd}$, of the form $(0, \ldots, 0, zq\delta/X)$ with $z \in \mathbb{Z}$. Assume there is another solution $x'$ with corresponding hidden vector $h'$; then $\|h' - v\| \le \delta/2$. Set $\rho = h' - h$; then $\rho \in L$ and $\|\rho\| \le \|h' - v\| + \|v - h\| \le \delta \le G\delta$. By Lemma 1, the last component of $\rho$ satisfies $x'\delta/X - x\delta/X = zq\delta/X$, so $x' \equiv x \pmod q$. Because $x$ and $x'$ both lie in $(0, q)$, $x' = x$: the solution is unique.

Application: The Security of Schnorr Signature Scheme

This section analyzes the security of the Schnorr signature scheme with d-times HNP, showing that there is a probabilistic polynomial-time attack algorithm that needs fewer queries when applied to Schnorr signatures than the classical HNP method. We first review the Schnorr signature scheme.

System parameters. Select a prime $p$ (about 512 bits) and a prime $q$ (about 160 bits) with $q \mid p-1$, and $g \in \mathbb{Z}_p^*$ with $g^q \equiv 1 \pmod p$. $x$ is the user's private key, $1 < x < q$, and $y = g^x \bmod p$ is the user's public key. $M$ denotes the message to be signed. The key space is $K = \{(p, q, g, x, y) : y \equiv g^x \pmod p\}$, where $p, q, g, y$ are public and $x$ is private.

Sign. Select a nonce $k \in \mathbb{Z}_q$, compute $r = g^k \bmod p$, $e = H(r \| M)$ and $s \equiv k - xe \pmod q$. Return the signature $\sigma(M) = (e, s)$.

Verify. On receiving $(e, s)$, compute $r' = g^s y^e \bmod p$ and $e' = H(r' \| M)$, and check $e' = e$. If the equation holds the signature is legal and is accepted; otherwise it is rejected.
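To make the scheme just reviewed and the reduction of the next section concrete, the following Python script is an added example written for this page (not code from the paper): it implements Schnorr signing and verification with SHA-256 as $H$, signs $d$ messages, and then, from the $v$ leaked least significant bits $a_i$ of each nonce, forms $t_i = e_i 2^{-v} \bmod q$ and $u_i = (a_i - s_i)2^{-v} \bmod q$ and checks that $(t_i x - u_i) \bmod q$ equals the unknown high part $b_i$ and lies below $q/2^v$, which is exactly the d-times HNP instance handed to Theorem 1. It also computes the smallest $d$ satisfying the theorem's condition for the chosen $l$ and $v$. All parameters are assumptions made here for reproducibility: a 61-bit $q$ and $p = 2qk + 1$ found by search (far below the 160/512-bit sizes the scheme requires), and a key and nonces derived from SHA-256; a real signer must draw every nonce uniformly at random.

```python
"""Added example: Schnorr signatures with v leaked nonce bits turned into d-times HNP instances.
Toy constructed parameters (61-bit q, p = 2qk + 1 found by search); not the paper's code.
"""
import hashlib
import math

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)   # deterministic Miller-Rabin below 3.3e24


def is_prime(n):
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _MR_BASES:
        y = pow(a, d, n)
        if y in (1, n - 1):
            continue
        for _ in range(r - 1):
            y = y * y % n
            if y == n - 1:
                break
        else:
            return False
    return True


def schnorr_params(q=2 ** 61 - 1):
    """Primes p, q with q | p-1 and an element g of order q (toy sizes, not 512/160 bits)."""
    k = 1
    while not is_prime(2 * q * k + 1):
        k += 1
    p = 2 * q * k + 1
    h = 2
    while pow(h, (p - 1) // q, p) == 1:
        h += 1
    return p, q, pow(h, (p - 1) // q, p)


def H(r, M, q):
    """e = H(r || M), here SHA-256 reduced modulo q."""
    data = r.to_bytes((r.bit_length() + 7) // 8, "big") + M
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q


def sign(p, q, g, x, M, k):
    """r = g^k mod p, e = H(r || M), s = k - x e mod q; returns (e, s)."""
    e = H(pow(g, k, p), M, q)
    return e, (k - x * e) % q


def verify(p, q, g, y, M, sig):
    """r' = g^s y^e mod p; accept iff H(r' || M) = e."""
    e, s = sig
    return H(pow(g, s, p) * pow(y, e, p) % p, M, q) == e


def hnp_instances(q, sigs, leaked, v):
    """From (e_i, s_i) and a_i = k_i mod 2^v build t_i = e_i 2^-v and u_i = (a_i - s_i) 2^-v (mod q)."""
    inv2v = pow(pow(2, v, q), q - 2, q)           # 2^-v mod q (q prime)
    return [(e * inv2v % q, (a - s) * inv2v % q) for (e, s), a in zip(sigs, leaked)]


def instance_holds(q, x, t, u, v):
    """(t x - u) mod q < q / 2^v: the inequality fed to the d-times HNP solver."""
    return ((t * x - u) % q) * 2 ** v < q


def min_signatures(q, l, v, d_max=64):
    """Smallest d with l + v d >= log q + (d+1) log 2G + 1, G = 1/2 + sqrt(d+1) 2^((d-3)/4)."""
    for d in range(1, d_max + 1):
        G = 0.5 + math.sqrt(d + 1) * 2 ** ((d - 3) / 4)
        if l + v * d >= math.log2(q) + (d + 1) * math.log2(2 * G) + 1:
            return d
    return None


def demo(v=24, l=10, d=3):
    p, q, g = schnorr_params()
    X = q >> l                                     # private key bounded by X = q/2^l
    x = 1 + int.from_bytes(hashlib.sha256(b"demo-key").digest(), "big") % (X - 1)
    y = pow(g, x, p)
    sigs, leaked, bs, msgs = [], [], [], []
    for i in range(d):
        M = b"message %d" % i
        # Constructed nonce for reproducibility; a real signer must draw k uniformly from Z_q.
        k = 1 + int.from_bytes(hashlib.sha256(b"nonce %d" % i).digest(), "big") % (q - 1)
        sigs.append(sign(p, q, g, x, M, k))
        msgs.append(M)
        leaked.append(k % 2 ** v)                  # a_i: what the side channel reveals
        bs.append(k >> v)                          # b_i: the unknown high part of k_i
    inst = hnp_instances(q, sigs, leaked, v)
    return {"verified": all(verify(p, q, g, y, M, s) for M, s in zip(msgs, sigs)),
            "tampered_rejected": not verify(p, q, g, y, b"other message", sigs[0]),
            "instances_hold": all(instance_holds(q, x, t, u, v) for t, u in inst),
            "b_recovered_from_x": [(t * x - u) % q for t, u in inst] == bs,
            "min_d": min_signatures(q, l, v)}


if __name__ == "__main__":
    print(demo())
```

The attacker never sees $x$ or the $b_i$; `instance_holds` and the `b_recovered_from_x` check only confirm, with the key in hand, that the public $(e_i, s_i)$ plus the leaked $a_i$ really do form instances $(t_i, u_i, q/2^v, q, X)$ of Definition 4, which is what the lattice step of Theorem 1 consumes.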
Given $d$ Schnorr signatures $(e_i, s_i)$ of messages $M_i$, $i = 1, 2, \ldots, d$, suppose the attacker knows the $v$ least significant bits of each nonce $k_i$, i.e. there exists $a_i \in \{0, \ldots, 2^v - 1\}$ with $k_i - a_i = 2^v b_i$. By the signing equation, $s_i \equiv (a_i + 2^v b_i) - x e_i \pmod q$, so

$$e_i 2^{-v} x - (a_i - s_i)\,2^{-v} \equiv b_i \pmod q.$$

Setting $t_i = e_i 2^{-v} \bmod q$ and $u_i = (a_i - s_i)\,2^{-v} \bmod q$, we have $(t_i x - u_i) \bmod q = b_i < q/2^v$; by the definition, this means we know the $v-1$ most significant bits $\mathrm{MSB}_{v-1}(x t_i \bmod q)$ of $x t_i \bmod q$. Given the bound $X$ on $x$, set $\delta = q/2^v$; we then have $d$ modular inequalities $(t_i x - u_i) \bmod q < \delta$, $0 < x < X$, $i = 1, 2, \ldots, d$, from which we compute $x$. In the random oracle model $e_i$, being computed by a hash function, can be considered uniformly distributed, and since $2^{-v}$ is a fixed unit modulo $q$, $t_i = e_i 2^{-v} \bmod q$ is uniformly distributed as well. Hence, by the d-times HNP method and Theorem 1, when the private key is bounded by $X = q/2^l$ and the $v$ least significant bits of the nonce leak through a side channel, with $0 < l < \log q$, $O(1) < v < \log q$ and $l + vd \ge \log q + (d+1)\log 2G + 1$, we can recover $x$ in probabilistic polynomial time. Thus the signer must not only ensure that no bits of the nonce leak, but also choose the private key from a sufficiently large range.

Summary

In this paper we studied the HNP method with a constant number $d$ of oracle queries under the premise of a given bound on the secret (hidden number), and gave the constraint relation between $X$ and $\delta$ and its influence on success probability and efficiency. We analyzed the security of the Schnorr signature in the random oracle model and gave an effective reduction from the security of the scheme to the predictability of bits of its nonce.

Acknowledgement

This work is partially supported by the National Key R&D Program of China (2017YFB ).

References

[1] D. Boneh, R. Venkatesan, Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes, Advances in Cryptology - CRYPTO '96, N. Koblitz (Ed.), Springer-Verlag, Santa Barbara, 1996, pp.
[2] D. Boneh, R. Venkatesan, Rounding in lattices and its cryptographic applications, Proc. of the 8th Symposium on Discrete Algorithms, ACM, 1997, pp.
[3] N. A. Howgrave-Graham, N. P. Smart, Lattice attacks on digital signature schemes, Designs, Codes and Cryptography 23(3), 2001, pp.
[4] A. K. Lenstra, H. W. Lenstra, L. Lovász, Factoring polynomials with rational coefficients, Math. Ann. 261, 1982, pp.
[5] P. Q. Nguyen, J. Stern, The two faces of lattices in cryptology, Proc. of Cryptography and Lattices (CALC '01), Springer-Verlag, 2001, pp.
[6] L. Babai, On Lovász' lattice reduction and the nearest lattice point problem, Combinatorica 6, 1986, pp. 1-13.
[7] T. Rosa, One-time HNP or attacks on a flawed El Gamal revisited, Proceedings of the international workshop Santa's Crypto, 2005.
[8] P. Q. Nguyen, The dark side of the hidden number problem: lattice attacks on DSA, Cryptography and Computational Number Theory, Birkhäuser Basel, 2001, pp.
[9] P. Q. Nguyen, I. E. Shparlinski, The insecurity of the Digital Signature Algorithm with partially known nonces, Journal of Cryptology 15(3).
[10] FIPS PUB 186-2: Digital Signature Standard (DSS), National Institute of Standards and Technology, January 27, 2000.
[11] P. Q. Nguyen, Can we trust cryptographic software? Cryptographic flaws in GNU Privacy Guard v1.2.3, Advances in Cryptology - EUROCRYPT '04, C. Cachin, J. L. Camenisch (Eds.), Springer-Verlag, Interlaken, 2004, pp.
[12] D. Bleichenbacher, Experiments with DSA, CRYPTO 2005 rump session, Santa Barbara, 2005.
[13] T. ElGamal, A public key cryptosystem and a signature scheme based on discrete logarithms, IEEE Transactions on Information Theory 31(4).
[14] Y. Wang, K. W. Lv, Improved method on the discrete logarithm problem in an interval, Journal of Cryptologic Research 2(6).
[15] C. P. Schnorr, Efficient signature generation for smart cards, Advances in Cryptology - CRYPTO '89, G. Brassard (Ed.), Springer-Verlag, Santa Barbara, 1991, pp.
[16] Z. Q. Kang, K. W. Lv, The hidden number problem of least significant bits, Future Communication Technology, vol. 1, ICCT 2013, 2014, pp.
New attacks on RSA with Moduli N = p r q Abderrahmane Nitaj 1 and Tajjeeddine Rachidi 2 1 Laboratoire de Mathématiques Nicolas Oresme Université de Caen Basse Normandie, France abderrahmane.nitaj@unicaen.fr
More informationAvailable online at J. Math. Comput. Sci. 6 (2016), No. 3, ISSN:
Available online at http://scik.org J. Math. Comput. Sci. 6 (2016), No. 3, 281-289 ISSN: 1927-5307 AN ID-BASED KEY-EXPOSURE FREE CHAMELEON HASHING UNDER SCHNORR SIGNATURE TEJESHWARI THAKUR, BIRENDRA KUMAR
More informationA Note on the Density of the Multiple Subset Sum Problems
A Note on the Density of the Multiple Subset Sum Problems Yanbin Pan and Feng Zhang Key Laboratory of Mathematics Mechanization, Academy of Mathematics and Systems Science, Chinese Academy of Sciences,
More informationSELECTED APPLICATION OF THE CHINESE REMAINDER THEOREM IN MULTIPARTY COMPUTATION
Journal of Applied Mathematics and Computational Mechanics 2016, 15(1), 39-47 www.amcm.pcz.pl p-issn 2299-9965 DOI: 10.17512/jamcm.2016.1.04 e-issn 2353-0588 SELECTED APPLICATION OF THE CHINESE REMAINDER
More informationDefinition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University
Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0
More informationKnown Plaintext Only Attack on RSA CRT with Montgomery Multiplication
Known Plaintext Only Attack on RSA CRT with Montgomery Multiplication Martin Hlaváč hlavm1am@artax.karlin.mff.cuni.cz Department of Algebra, Charles University in Prague, Sokolovská 83, 186 75 Prague 8,
More informationOther Public-Key Cryptosystems
Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/
More informationA New Baby-Step Giant-Step Algorithm and Some Applications to Cryptanalysis
A New Baby-Step Giant-Step Algorithm and Some Applications to Cryptanalysis Jean Sébastien Coron 1, David Lefranc 2 and Guillaume Poupard 3 1 Université du Luxembourg Luxembourg coron@clipper.ens.fr 2
More informationNo.6 Selection of Secure HC of g = divisors D 1, D 2 defined on J(C; F q n) over F q n, to determine the integer m such that D 2 = md 1 (if such
Vol.17 No.6 J. Comput. Sci. & Technol. Nov. 2002 Selection of Secure Hyperelliptic Curves of g = 2 Based on a Subfield ZHANG Fangguo ( ) 1, ZHANG Futai ( Ξ) 1;2 and WANG Yumin(Π±Λ) 1 1 P.O.Box 119 Key
More informationFinite fields and cryptology
Computer Science Journal of Moldova, vol.11, no.2(32), 2003 Ennio Cortellini Abstract The problem of a computationally feasible method of finding the discrete logarithm in a (large) finite field is discussed,
More informationElGamal type signature schemes for n-dimensional vector spaces
ElGamal type signature schemes for n-dimensional vector spaces Iwan M. Duursma and Seung Kook Park Abstract We generalize the ElGamal signature scheme for cyclic groups to a signature scheme for n-dimensional
More informationNew Cryptosystem Using The CRT And The Jordan Normal Form
New Cryptosystem Using The CRT And The Jordan Normal Form Hemlata Nagesh 1 and Birendra Kumar Sharma 2 School of Studies in Mathematics,Pt.Ravishankar Shukla University Raipur(C.G.). E-mail:5Hemlata5@gmail.com
More informationCryptanalysis of RSA with Small Multiplicative Inverse of (p 1) or (q 1) Modulo e
Cryptanalysis of RSA with Small Multiplicative Inverse of (p 1) or (q 1) Modulo e P Anuradha Kameswari, L Jyotsna Department of Mathematics, Andhra University, Visakhapatnam - 5000, Andhra Pradesh, India
More informationDouble-Moduli Gaussian Encryption/Decryption with Primary Residues and Secret Controls
Int. J. Communications, Network and System Sciences, 011, 4, 475-481 doi:10.436/ijcns.011.47058 Published Online July 011 (http://www.scirp.org/journal/ijcns) Double-Moduli Gaussian Encryption/Decryption
More informationGOST A Brief Overview of Russia s DSA
GOST 34.10 A Brief Overview of Russia s DSA [Published in Computers & Security 15(8):725-732, 1996.] Markus Michels 1,, David Naccache 2, and Holger Petersen 1, 1 Theoretical Computer Science and Information
More informationThreshold Undeniable RSA Signature Scheme
Threshold Undeniable RSA Signature Scheme Guilin Wang 1, Sihan Qing 1, Mingsheng Wang 1, and Zhanfei Zhou 2 1 Engineering Research Center for Information Security Technology; State Key Laboratory of Information
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationDigital Signatures from Challenge-Divided Σ-Protocols
Digital Signatures from Challenge-Divided Σ-Protocols Andrew C. Yao Yunlei Zhao Abstract Digital signature is one of the basic primitives in cryptography. A common paradigm of obtaining signatures, known
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationCSC 774 Advanced Network Security
CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow
More informationCSC 774 Advanced Network Security
CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow
More informationThe Hardness of Hensel Lifting: The Case of RSA and Discrete Logarithm
The Hardness of Hensel Lifting: The Case of RSA and Discrete Logarithm Dario Catalano, Phong Q. Nguyen, and Jacques Stern École normale supérieure Département d informatique 45 rue d Ulm, 75230 Paris Cedex
More informationThe Decisional Diffie-Hellman Problem and the Uniform Boundedness Theorem
The Decisional Diffie-Hellman Problem and the Uniform Boundedness Theorem Qi Cheng and Shigenori Uchiyama April 22, 2003 Abstract In this paper, we propose an algorithm to solve the Decisional Diffie-Hellman
More informationAn Identification Scheme Based on KEA1 Assumption
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to
More informationA NEW ID-BASED SIGNATURE WITH BATCH VERIFICATION
Trends in Mathematics Information Center for Mathematical Sciences Volume 8, Number 1, June, 2005, Pages 119 131 A NEW ID-BASED SIGNATURE WITH BATCH VERIFICATION JUNG HEE CHEON 1, YONGDAE KIM 2 AND HYO
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationMaTRU: A New NTRU-Based Cryptosystem
MaTRU: A New NTRU-Based Cryptosystem Michael Coglianese 1 and Bok Min Goi 2 1 Macgregor, 321 Summer Street Boston, MA 02210, USA mcoglian@comcast.net 2 Centre for Cryptography and Information Security
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationPseudo-random Number Generation. Qiuliang Tang
Pseudo-random Number Generation Qiuliang Tang Random Numbers in Cryptography The keystream in the one-time pad The secret key in the DES encryption The prime numbers p, q in the RSA encryption The private
More informationProvable Security Proofs and their Interpretation in the Real World
Provable Security Proofs and their Interpretation in the Real World Vikram Singh Abstract This paper analyses provable security proofs, using the EDL signature scheme as its case study, and interprets
More information