Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences
|
|
- Sharleen Stevens
- 5 years ago
- Views:
Transcription
1 Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences J. Bi, J-S. Coron, J-C. Faugère, P. Nguyen, G. Renault, R. Zeitoun Public Key Cryptography March, Buenos Aires, Argentina
2 1 Coppersmith s Method 2 Speeding up Coppersmith s Algorithm by Rounding 3 Speeding up Exhaustive Search by Chaining PKC / 27
3 Core Ideas of Rounding and Chaining Rounding: The problem: a f b Rather consider a/c instead of a. Chaining: f f f The problem: a 1 b 1, a 2 b 2, a 3 b 3,... Rather do a 1 f b 1, f (b 1 ) f b 2, f (b 2 ) f b 3,... Rounding and Chaining can also be combined. PKC / 27
4 Coppersmith s Theorem The Problem (Univariate Modular Case): Input: A polynomial f (x) = x δ + a δ 1 x δ a 1 x + a 0. N an integer of unknown factorization. Find: All integers x 0 such that f (x 0 ) 0 mod N. PKC / 27
5 Coppersmith s Theorem The Problem (Univariate Modular Case): Input: A polynomial f (x) = x δ + a δ 1 x δ a 1 x + a 0. N an integer of unknown factorization. Find: All integers x 0 such that f (x 0 ) 0 mod N. Coppersmith s Method (1996) Find small integer roots. PKC / 27
6 Coppersmith s Theorem The Problem (Univariate Modular Case): Input: A polynomial f (x) = x δ + a δ 1 x δ a 1 x + a 0. N an integer of unknown factorization. Find: All integers x 0 such that f (x 0 ) 0 mod N. Coppersmith s Theorem for the Univariate Modular case The solutions x 0 can be found in time poly (log N, δ) if: x 0 < N 1/δ. PKC / 27
7 Coppersmith s Theorem The Problem (Univariate Modular Case): Input: A polynomial f (x) = x δ + a δ 1 x δ a 1 x + a 0. N an integer of unknown factorization. Find: All integers x 0 such that f (x 0 ) 0 mod N. The problem is easy without the modulo N. Find a polynomial g such that g(x 0 ) = 0 over Z. PKC / 27
8 Applications in cryptology Cryptanalysis of RSA Factoring with high bits known. Coppersmith, Security proof of RSA-OAEP. Shoup, Equivalence: factoring / computing d. Coron, May, Stereotyped messages. Coppersmith, RSA Pseudorandom Generator Fischlin, Schnorr, Affine Padding. Coppersmith, Franklin, Patarin, Reiter, Polynomially related messages (Hastad). Coppersmith, Finding smooth numbers and Factoring. Boneh, Coppersmith in the wild. Bernstein et al., PKC / 27
9 About Coppersmith s Method Euclidean Lattices Find a new small polynomial equation LLL Reduction. A matter of Bound Coppersmith s bound x 0 < N 1/δ Exhaustive search. PKC / 27
10 About Coppersmith s Method Euclidean Lattices Find a new small polynomial equation LLL Reduction. A matter of Bound Coppersmith s bound x 0 < N 1/δ Exhaustive search. In practice The LLL-reduction can be costly. The exhaustive search can be prohibitive. PKC / 27
11 Rounding and Chaining LLL Our Approach Use structure to improve Coppersmith s method. Two Speedups: Rounding and Chaining Asymptotical speed-up of LLL-reduction: δ 2 log 9 N log 7 N Heuristic speed-up of the exhaustive search. Core Ideas of Rounding and Chaining Rounding: Apply LLL on a matrix with smaller coefficients Divide all coefficients in Coppersmith s matrix. Chaining: Reuse previous computation Apply a small transformation on the last reduced matrix. PKC / 27
12 Rounding and Chaining LLL Our Approach Use structure to improve Coppersmith s method. Two Speedups: Rounding and Chaining Asymptotical speed-up of LLL-reduction: δ 2 log 9 N log 7 N Heuristic speed-up of the exhaustive search. Timings for a typical instance ( log 2 (N) = 2048 and δ = 3) Original method: 4 years. Our new method: 2.6 days. PKC / 27
13 Coppersmith s Method (Howgrave-Graham) The problem: find all small integers x 0 s.t. f (x 0 ) 0 mod N. The idea: find a small polynomial g s.t. g(x 0 ) = 0 over Z. How to find the polynomial g: Family of Polynomials (with parameter h) B LLL B R g g(x 0 ) 0 mod N h 1 g(x 0 ) < N h 1 } g(x 0 ) = 0 over Z. PKC / 27
14 Complexity / Practical Results of Coppersmith s Method State-of-the-art Analysis Complexity using L 2 : O(log 9 (N)/δ 2 ). In practice, for log 2 (N) = 1024 and δ = 2 Upper bound for x Lattice Dimension n = hδ NA Size of elements in B (bits) NA Time for LLL (seconds) NA Remark: All tests were performed using Magma V [L 2 ] An LLL Algorithm with Quadratic Complexity. P. Q. Nguyen and D. Stehlé, SIAM J. of Computing, PKC / 27
15 Using Structure: A First Result State-of-the-art Analysis Complexity using L 2 : O(log 9 (N)/δ 2 ). New Preliminary Result Using Structure [1] Complexity using L 2 : O(log 8 (N)/δ). [1] An Upper Bound on the Average Number of Iterations of the LLL Algorithm. Hervé Daudé, Brigitte Vallée, PKC / 27
16 Speeding up Coppersmith s Algorithm by Rounding Use Coppersmith s matrix structure. PKC / 27
17 Speeding up Coppersmith s Algorithm by Rounding The idea: Perform computations with most significant bits A B A c B c PKC / 27
18 B = N h 1 XN h 1 Speeding up Coppersmith s Algorithm by Rounding... X δ 1 N h 1 a 0 N h 2... X δ N h 2 a 0 XN h 2... X δ+1 N h a 0 X δ 1 N h 2... X 2δ 1 N h Largest a δ X δ(h 1) a δ 0 X X δ(h 1) a δ 0 X δ X δh 1... Smallest Since X < N 1 δ, all diagonal elements lie between N h 2 and N h. PKC / 27
19 Speeding up Coppersmith s Algorithm by Rounding First step of rounding method Size-reduce B so that subdiagonal coefficients are smaller than diagonal coefficients. B = Size-Reduce(B) = b 1 < b 1 b 2 < b 1 < b 2 b 3 < b 1 < b 2 < b < b 1 < b 2 < b 3... b n PKC / 27
20 Speeding up Coppersmith s Algorithm by Rounding Second step of the rounding method Create a new rounded matrix B/c. Apply LLL on B/c B /c B/c LLL T, B/c R PKC / 27
21 Speeding up Coppersmith s Algorithm by Rounding Second step of the rounding method Create a new rounded matrix B/c. Apply LLL on B/c B /c B/c LLL T B/c PKC / 27
22 Speeding up Coppersmith s Algorithm by Rounding Second step of the rounding method Create a new rounded matrix B/c. Apply LLL on B/c : first vector of unimodular matrix is x. Compute v = xb and solve v over Z. B /c B/c LLL x T B/c ( x ) B = ( v ) PKC / 27
23 Complexity of Rounding Method Theorem: Rounding Method Complexity using L 2 : O(log 7 N). Remainder on Coppersmith s method complexity: State-of-the-art complexity: O(log 9 (N)/δ 2 ). New preliminary complexity: O(log 8 (N)/δ). PKC / 27
24 Timings with Rounding Improvement In practice, for log 2 (N) = 1024 and δ = 2 Upper bound for x Lattice Dimension NA Size of elements in B (bits) NA Size of elements in B/c NA Original LLL (seconds) NA Rounding LLL (seconds) NA Dim 77: Speed-up of 30. PKC / 27
25 Speeding up Exhaustive Search by Chaining Use hidden algebraic structure. PKC / 27
26 Exhaustive Search Performing exhaustive search Split the variable x into α and x. x α x The new variable is x. Perform an exhaustive search on α. PKC / 27
27 Exhaustive Search Coppersmith Matrices α = 0 α = 1 α = 2... α = 255 B 1 B 2... B 255 B 0... LLL-Reduced Matrices B R 0 B R 1 B R 2... B R 255 x 0... PKC / 27
28 Exhaustive Search Coppersmith Matrices α = 0 α = 1 α = 2... α = 255 B 1 B 2... B 255 B 0... Costly Costly Costly Costly LLL-Reduced Matrices B R 0 B R 1 B R 2... B R 255 x 0... PKC / 27
29 A New Exhaustive Search Scheme α = 0 α = 1 α = 2... B 0 B 1 P B 2 P... LLL-Reduced Matrices B R 0 B R 1 B R 2 PKC / 27
30 Transformation P is the Pascal Matrix Proposition The matrix B R i P is a basis for the case α = i + 1, where P = is the Lower Triangular Pascal Matrix. Consequence on B R i P Vectors in B R i P are close to the ones of B R i. PKC / 27
31 Combining Chaining and Rounding α = 0 α = 1 α = 2... B 0 B 1 P B 2 P... LLL-Reduced Matrices B R 0 B R 1 B R 2 x 0 PKC / 27
32 Combining Chaining and Rounding Chaining and Rounding Method Create a new rounded matrix B 1 /c. Apply LLL on matrix B 1 /c : Get T 1 and B 1 /c R. Compute B1 R = T 1 B 1. B 1 /c B 1 /c LLL T 1 B 1 /c T 1 B 1 = B R 1 PKC / 27
33 Complexity of Rounding+Chaining Method Heuristic: Rounding+Chaining Method Complexity using L 2 : O(log 7 N). Remark: Same complexity as for Rounding Method alone. PKC / 27
34 Timings with Rounding and Chaining Improvements In practice, for log 2 (N) = 1024 and δ = 2 Upper bound for x Lattice Dimension NA Original LLL (sec.) NA Rounding LLL (sec.) NA Rounding + Chaining (sec.) NA Dim 77: Speed-up of 300. PKC / 27
35 Conclusion/Perspectives Conclusion This work reduces: the complexity of performing LLL on Coppersmith matrix, the time of exhaustive search to reach Coppersmith bound. It allows to reach Coppersmith s bound. It is easy to implement. PKC / 27
36 Conclusion/Perspectives Conclusion This work reduces: the complexity of performing LLL on Coppersmith matrix, the time of exhaustive search to reach Coppersmith bound. It allows to reach Coppersmith s bound. It is easy to implement. Perspectives Generalization to the multivariate case (approximate gcd). Refine complexity for Chaining + Rounding method. PKC / 27
Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences
Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences Jingguo Bi 1, Jean-Sébastien Coron 2, Jean-Charles Faugère 3,4,5, Phong Q. Nguyen 6,1, Guénaël Renault 4,3,5,
More informationComputing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring
Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring Alexander May Faculty of Computer Science, Electrical Engineering and Mathematics University of Paderborn 33102 Paderborn,
More informationSolving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?
Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know? Alexander May, Maike Ritzenhofen Faculty of Mathematics Ruhr-Universität Bochum, 44780 Bochum,
More informationDeterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA
Deterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA Noboru Kunihiro 1 and Kaoru Kurosawa 2 1 The University of Electro-Communications, Japan kunihiro@iceuecacjp
More informationDeterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring
Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring Jean-Sébastien Coron and Alexander May Gemplus Card International 34 rue Guynemer, 92447 Issy-les-Moulineaux, France
More informationCryptanalysis via Lattice Techniques
Cryptanalysis via Lattice Techniques Alexander May Horst Görtz Institute for IT-Security Faculty of Mathematics Ruhr-University Bochum crypt@b-it 2010, Aug 2010, Bonn Lecture 1, Mon Aug 2 Introduction
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationCryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg
Course 1: Remainder: RSA Université du Luxembourg September 21, 2010 Public-key encryption Public-key encryption: two keys. One key is made public and used to encrypt. The other key is kept private and
More informationA Polynomial Time Attack on RSA with Private CRT-Exponents Smaller Than N 0.073
A Polynomial Time Attack on RSA with Private CRT-Exponents Smaller Than N 0.073 Ellen Jochemsz 1 and Alexander May 2 1 Department of Mathematics and Computer Science, TU Eindhoven, 5600 MB Eindhoven, the
More informationCHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux
CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S Ant nine J aux (g) CRC Press Taylor 8* Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor &
More informationSecurity Level of Cryptography Integer Factoring Problem (Factoring N = p 2 q) December Summary 2
Security Level of Cryptography Integer Factoring Problem (Factoring N = p 2 ) December 2001 Contents Summary 2 Detailed Evaluation 3 1 The Elliptic Curve Method 3 1.1 The ECM applied to N = p d............................
More information2 reduction algorithms as shortest vector oracles, Coppersmith applied the LLL algorithm to determine a subspace containing all reasonably short latti
Public Key Cryptography '99 (March 1{3, 1999, Kamakura, Kanagawa, Japan) H. Imai and Y. Zheng (Eds.), vol.???? of Lecture Notes in Computer Science, pages???{??? cspringer-verlag (http://www.springer.de/comp/lncs/index.html)
More informationA new lattice construction for partial key exposure attack for RSA
A new lattice construction for partial key exposure attack for RSA Yoshinori Aono Dept. of Mathematical and Computing Sciences Tokyo Institute of Technology, Tokyo, Japan aono5@is.titech.ac.jp Abstract.
More informationLattice Reduction on Low-Exponent RSA
Lattice Reduction on Low-Exponent RSA Jason Dyer August 2002 1 Preliminaries to Coppersmith s Algorithm Coppersmith s algorithm relies on a simple flaw in the RSA algorithm when messages are small compared
More informationNew Partial Key Exposure Attacks on RSA
New Partial Key Exposure Attacks on RSA Johannes Blömer, Alexander May Faculty of Computer Science, Electrical Engineering and Mathematics Paderborn University 33102 Paderborn, Germany {bloemer,alexx}@uni-paderborn.de
More informationOn the Provable Security of an Efficient RSA-Based Pseudorandom Generator
On the Provable Security of an Efficient RSA-Based Pseudorandom Generator Ron Steinfeld and Josef Pieprzyk and Huaxiong Wang Dept. of Computing, Macquarie University, Australia {rons, josef, hwang}@ics.mq.edu.au
More informationSmall Private Exponent Partial Key-Exposure Attacks on Multiprime RSA
Small Private Exponent Partial Key-Exposure Attacks on Multiprime RSA M. Jason Hinek School of Computer Science, University of Waterloo, Waterloo, Ontario, N2L 3G1, Canada. mjhinek@alumni.uwaterloo.ca
More informationAn Attack Bound for Small Multiplicative Inverse of ϕ(n) mod e with a Composed Prime Sum p + q Using Sublattice Based Techniques
Preprints (wwwpreprintsorg) NOT PEER-REVIEWED Posted: 20 July 208 doi:020944/preprints208070379v An Attack Bound for Small Multiplicative Inverse of ϕ(n) mod e with a Composed Prime Sum p + q Using Sublattice
More informationPartial Key Exposure: Generalized Framework to Attack RSA
Partial Key Exposure: Generalized Framework to Attack RSA Cryptology Research Group Indian Statistical Institute, Kolkata 12 December 2011 Outline of the Talk 1 RSA - A brief overview 2 Partial Key Exposure
More informationLattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.
Lattices A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices have many uses in cryptography. They may be used to define cryptosystems and to break other ciphers.
More informationApproximate Integer Common Divisor Problem relates to Implicit Factorization
Approximate Integer Common Divisor Problem relates to Implicit Factorization Santanu Sarar and Subhamoy Maitra Applied Statistics Unit, Indian Statistical Institute, 203 B T Road, Kolata 700 108, India
More informationNew Partial Key Exposure Attacks on RSA
New Partial Key Exposure Attacks on RSA Johannes Blömer, Alexander May Faculty of Computer Science, Electrical Engineering and Mathematics Paderborn University 33102 Paderborn, Germany {bloemer,alexx}@uni-paderborn.de
More informationOn the Optimality of Lattices for the Coppersmith Technique
On the Optimality of Lattices for the Coppersmith Technique Yoshinori Aono Manindra Agrawal Takakazu Satoh Osamu Watanabe December 18, 2015 Abstract We investigate a method for finding small integer solutions
More informationOn Deterministic Polynomial-Time Equivalence of Computing the CRT-RSA Secret Keys and Factoring
On Deterministic Polynomial-Time Equivalence of Computing the CRT-RSA Secret Keys and Factoring Subhamoy Maitra and Santanu Sarkar Applied Statistics Unit, Indian Statistical Institute, 203 B T Road, Kolkata
More informationCryptanalysis of Unbalanced RSA with Small CRT-Exponent
Cryptanalysis of Unbalanced RSA with Small CRT-Exponent Alexander May Department of Mathematics and Computer Science University of Paderborn 3310 Paderborn, Germany alexx@uni-paderborn.de Abstract. We
More informationNew attacks on RSA with Moduli N = p r q
New attacks on RSA with Moduli N = p r q Abderrahmane Nitaj 1 and Tajjeeddine Rachidi 2 1 Laboratoire de Mathématiques Nicolas Oresme Université de Caen Basse Normandie, France abderrahmane.nitaj@unicaen.fr
More informationLattice-Based Fault Attacks on RSA Signatures
Lattice-Based Fault Attacks on RSA Signatures Mehdi Tibouchi École normale supérieure Workshop on Applied Cryptography, Singapore, 2010-12-03 Gist of this talk Review a classical attack on RSA signatures
More informationOn the Provable Security of an Efficient RSA-Based Pseudorandom Generator
On the Provable Security of an Efficient RSA-Based Pseudorandom Generator Ron Steinfeld, Josef Pieprzyk, and Huaxiong Wang Centre for Advanced Computing Algorithms and Cryptography (ACAC) Dept. of Computing,
More informationMaTRU: A New NTRU-Based Cryptosystem
MaTRU: A New NTRU-Based Cryptosystem Michael Coglianese 1 and Bok Min Goi 2 1 Macgregor, 321 Summer Street Boston, MA 02210, USA mcoglian@comcast.net 2 Centre for Cryptography and Information Security
More informationFinding Small Solutions of the Equation Bx Ay = z and Its Applications to Cryptanalysis of the RSA Cryptosystem
Finding Small Solutions of the Equation Bx Ay = z and Its Applications to Cryptanalysis of the RSA Cryptosystem Shixiong Wang 1, Longjiang Qu 2,3, Chao Li 1,3, and Shaojing Fu 1,2 1 College of Computer,
More informationCryptanalysis of RSA with Small Multiplicative Inverse of (p 1) or (q 1) Modulo e
Cryptanalysis of RSA with Small Multiplicative Inverse of (p 1) or (q 1) Modulo e P Anuradha Kameswari, L Jyotsna Department of Mathematics, Andhra University, Visakhapatnam - 5000, Andhra Pradesh, India
More informationNew Partial Key Exposure Attacks on RSA Revisited
New Partial Key Exposure Attacks on RSA Revisited M. Jason Hinek School of Computer Science, University of Waterloo Waterloo, Ontario, N2L-3G, Canada mjhinek@alumni.uwaterloo.ca March 7, 2004 Abstract
More informationOn the Design of Rebalanced RSA-CRT
On the Design of Rebalanced RSA-CRT Hung-Min Sun 1, M. Jason Hinek 2, Mu-En Wu 3 1, 3 Department of Computer Science National Tsing Hua University, Hsinchu, Taiwan 300 E-mail: 1 hmsun@cs.nthu.edu.tw; 3
More informationOn the Security of Multi-prime RSA
On the Security of Multi-prime RSA M. Jason Hinek David R. Cheriton School of Computer Science University of Waterloo Waterloo, Ontario, N2L 3G, Canada mjhinek@alumni.uwaterloo.ca June 3, 2006 Abstract.
More informationFault Attacks Against emv Signatures
Fault Attacks Against emv Signatures Jean-Sébastien Coron 1, David Naccache 2, and Mehdi Tibouchi 2 1 Université du Luxembourg 6, rue Richard Coudenhove-Kalergi l-1359 Luxembourg, Luxembourg {jean-sebastien.coron,
More informationLattice Reduction of Modular, Convolution, and NTRU Lattices
Summer School on Computational Number Theory and Applications to Cryptography Laramie, Wyoming, June 19 July 7, 2006 Lattice Reduction of Modular, Convolution, and NTRU Lattices Project suggested by Joe
More informationHidden Field Equations
Security of Hidden Field Equations (HFE) 1 The security of Hidden Field Equations ( H F E ) Nicolas T. Courtois INRIA, Paris 6 and Toulon University courtois@minrank.org Permanent HFE web page : hfe.minrank.org
More informationOn the cryptographic applications of Gröbner bases and Lattice Theory
. On the cryptographic applications of Gröbner bases and Lattice Theory University of Maria Curie-Sklodowska Faculty of Mathematics, Physics and Computer Science Lublin, 2-14 December 2012 Jaime Gutierrez
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 15 2018 Review Hash functions Collision resistance Merkle-Damgaard
More informationApplications of Lattice Reduction in Cryptography
Applications of Lattice Reduction in Cryptography Abderrahmane Nitaj University of Caen Basse Normandie, France Kuala Lumpur, Malaysia, June 27, 2014 AK Q ËAÓ Abderrahmane Nitaj (LMNO) Applications of
More informationA new attack on RSA with a composed decryption exponent
A new attack on RSA with a composed decryption exponent Abderrahmane Nitaj and Mohamed Ould Douh,2 Laboratoire de Mathématiques Nicolas Oresme Université de Caen, Basse Normandie, France abderrahmane.nitaj@unicaen.fr
More informationPseudo-random Number Generation. Qiuliang Tang
Pseudo-random Number Generation Qiuliang Tang Random Numbers in Cryptography The keystream in the one-time pad The secret key in the DES encryption The prime numbers p, q in the RSA encryption The private
More informationIntroduction to Cybersecurity Cryptography (Part 5)
Introduction to Cybersecurity Cryptography (Part 5) Prof. Dr. Michael Backes 13.01.2017 February 17 th Special Lecture! 45 Minutes Your Choice 1. Automotive Security 2. Smartphone Security 3. Side Channel
More informationFactoring N = p 2 q. Abstract. 1 Introduction and Problem Overview. =±1 and therefore
Factoring N = p 2 Nathan Manohar Ben Fisch Abstract We discuss the problem of factoring N = p 2 and survey some approaches. We then present a specialized factoring algorithm that runs in time Õ( 0.1 ),
More informationA New Related Message Attack on RSA
A New Related Message Attack on RSA Oded Yacobi 1 and Yacov Yacobi 2 1 Department of Mathematics, University of California San Diego, 9500 Gilman Drive, La Jolla, CA 92093, USA oyacobi@math.ucsd.edu 2
More informationA NEW ATTACK ON RSA WITH A COMPOSED DECRYPTION EXPONENT
A NEW ATTACK ON RSA WITH A COMPOSED DECRYPTION EXPONENT Abderrahmane Nitaj 1 and Mohamed Ould Douh 1,2 1 Laboratoire de Mathématiques Nicolas Oresme, Université de Caen, Basse Normandie, France Université
More informationIntegers and Division
Integers and Division Notations Z: set of integers N : set of natural numbers R: set of real numbers Z + : set of positive integers Some elements of number theory are needed in: Data structures, Random
More informationHow to Generalize RSA Cryptanalyses
How to Generalize RSA Cryptanalyses Atsushi Takayasu and Noboru Kunihiro The University of Tokyo, Japan AIST, Japan {a-takayasu@it., kunihiro@}k.u-tokyo.ac.jp Abstract. Recently, the security of RSA variants
More informationTwenty Years of Attacks on the RSA Cryptosystem
Twenty Years of Attacks on the RSA Cryptosystem Dan Boneh Dan Boneh is an assistant professor of computer science at Stanford University. His e-mail address is dabo@cs.stanford.edu. Introduction The RSA
More informationBreaking Plain ElGamal and Plain RSA Encryption
Breaking Plain ElGamal and Plain RSA Encryption (Extended Abstract) Dan Boneh Antoine Joux Phong Nguyen dabo@cs.stanford.edu joux@ens.fr pnguyen@ens.fr Abstract We present a simple attack on both plain
More informationA New Attack on RSA with Two or Three Decryption Exponents
A New Attack on RSA with Two or Three Decryption Exponents Abderrahmane Nitaj Laboratoire de Mathématiques Nicolas Oresme Université de Caen, France nitaj@math.unicaen.fr http://www.math.unicaen.fr/~nitaj
More informationCryptanalysis of RSA Signatures with Fixed-Pattern Padding
Cryptanalysis of RSA Signatures with Fixed-Pattern Padding [Published in J. Kilian Ed., Advances in Cryptology CRYPTO 2001, vol. 2139 of Lecture Notes in Computer Science, pp. 433 439, Springer-Verlag,
More informationAttacking Power Generators Using Unravelled Linearization: When Do We Output Too Much?
Attacking Power Generators Using Unravelled Linearization: When Do We Output Too Much? Mathias Herrmann, Alexander May Horst Görtz Institute for IT-Security Faculty of Mathematics Ruhr University Bochum,
More informationIntroduction to Cryptology. Lecture 20
Introduction to Cryptology Lecture 20 Announcements HW9 due today HW10 posted, due on Thursday 4/30 HW7, HW8 grades are now up on Canvas. Agenda More Number Theory! Our focus today will be on computational
More informationA Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants
A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants Ellen Jochemsz 1, and Alexander May 2 1 Department of Mathematics and Computer Science, TU Eindhoven,
More informationLattice Reduction Algorithms: Theory and Practice
Lattice Reduction Algorithms: Theory and Practice Phong Q. Nguyen INRIA and ENS, Département d informatique, 45 rue d Ulm, 75005 Paris, France http://www.di.ens.fr/~pnguyen/ Abstract. Lattice reduction
More informationThéorie de l'information et codage. Master de cryptographie Cours 10 : RSA. 20,23 et 27 mars Université Rennes 1
Théorie de l'information et codage Master de cryptographie Cours 10 : RSA 20,23 et 27 mars 2009 Université Rennes 1 Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 1
More informationPublic Key Cryptography
Public Key Cryptography Spotlight on Science J. Robert Buchanan Department of Mathematics 2011 What is Cryptography? cryptography: study of methods for sending messages in a form that only be understood
More informationLecture 6: Cryptanalysis of public-key algorithms.,
T-79.159 Cryptography and Data Security Lecture 6: Cryptanalysis of public-key algorithms. Helsinki University of Technology mjos@tcs.hut.fi 1 Outline Computational complexity Reminder about basic number
More informationAn Efficient Broadcast Attack against NTRU
An Efficient Broadcast Attack against NTRU Jianwei Li, Yanbin Pan, Mingjie Liu, Guizhen Zhu Institute for Advanced Study, Tsinghua University Beijing 00084, China {lijianwei0, liu-mj07, zhugz08}@mailstsinghuaeducn
More informationFinding Small Solutions to Small Degree Polynomials
Finding Small Solutions to Small Degree Polynomials Don Coppersmith IBM Research, T.J. Watson Research Center Yorktown Heights, NY 10598, USA copper@watson.ibm.com Abstract. This talk is a brief survey
More informationOn estimating the lattice security of NTRU
On estimating the lattice security of NTRU Nick Howgrave-Graham, Jeff Hoffstein, Jill Pipher, William Whyte NTRU Cryptosystems Abstract. This report explicitly refutes the analysis behind a recent claim
More informationApplied Cryptography and Computer Security CSE 664 Spring 2018
Applied Cryptography and Computer Security Lecture 12: Introduction to Number Theory II Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline This time we ll finish the
More informationHybrid Approach : a Tool for Multivariate Cryptography
Hybrid Approach : a Tool for Multivariate Cryptography Luk Bettale, Jean-Charles Faugère and Ludovic Perret INRIA, Centre Paris-Rocquencourt, SALSA Project UPMC, Univ. Paris 06, LIP6 CNRS, UMR 7606, LIP6
More informationPractical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits
Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits Damien Vergnaud École normale supérieure CHES September, 15th 2015 (with Aurélie Bauer) Damien Vergnaud
More informationMathematics for Cryptography
Mathematics for Cryptography Douglas R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, Ontario, N2L 3G1, Canada March 15, 2016 1 Groups and Modular Arithmetic 1.1
More informationIn fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.
Attacks on RSA, some using LLL Recall RSA: N = pq hard to factor. Choose e with gcd(e,φ(n)) = 1, where φ(n) = (p 1)(q 1). Via extended Euclid, find d with ed 1 (mod φ(n)). Discard p and q. Public key is
More informationAn Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations
An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations J.H. Silverman 1, N.P. Smart 2, and F. Vercauteren 2 1 Mathematics Department, Box 1917, Brown
More informationA variant of Coppersmith s Algorithm with Improved Complexity and Efficient Exhaustive Search
A variant of Coppersmith s Algorithm with Improved Complexity and Effiient Exhaustive Searh Jean-Sébastien Coron 1, Jean-Charles Faugère 2, Guénaël Renault 2, and Rina Zeitoun 2,3 1 University of Luxembourg
More informationRSA. Ramki Thurimella
RSA Ramki Thurimella Public-Key Cryptography Symmetric cryptography: same key is used for encryption and decryption. Asymmetric cryptography: different keys used for encryption and decryption. Public-Key
More informationInoculating Multivariate Schemes Against Differential Attacks
Inoculating Multivariate Schemes Against Differential Attacks Jintai Ding and Jason E. Gower Department of Mathematical Sciences University of Cincinnati Cincinnati, OH 45221-0025 USA Email: ding@math.uc.edu,
More informationNew RSA Vulnerabilities Using Lattice Reduction Methods
New RSA Vulnerabilities Using Lattice Reduction Methods Dissertation Thesis by Alexander May October 19, 2003 Reviewer: Prof. Dr. Johannes Blömer (University of Paderborn) Prof. Dr. Joachim von zur Gathen
More informationFast Cryptanalysis of the Matsumoto-Imai Public Key Scheme
Fast Cryptanalysis of the Matsumoto-Imai Public Key Scheme P. Delsarte Philips Research Laboratory, Avenue Van Becelaere, 2 B-1170 Brussels, Belgium Y. Desmedt Katholieke Universiteit Leuven, Laboratorium
More informationImplicit Factoring with Shared Most Significant and Middle Bits
Implicit Factoring with Shared Most Significant and Middle Bits Jean-Charles Faugère, Raphaël Marinier, and Guénaël Renault UPMC, Université Paris 06, LIP6 INRIA, Centre Paris-Rocquencourt, SALSA Project-team
More informationPartial Key Exposure Attacks on RSA: Achieving the Boneh-Durfee Bound
Partial Key Exposure Attacks on RSA: Achieving the Boneh-Durfee Bound Atsushi Takayasu and Noboru Kunihiro May 25, 2018 Abstract Thus far, several lattice-based algorithms for partial key exposure attacks
More informationpart 2: detecting smoothness part 3: the number-field sieve
Integer factorization, part 1: the Q sieve Integer factorization, part 2: detecting smoothness Integer factorization, part 3: the number-field sieve D. J. Bernstein Problem: Factor 611. The Q sieve forms
More informationPartial Key Exposure Attacks on RSA Up to Full Size Exponents
Partial Key Exposure Attacks on RSA Up to Full Size Exponents Matthias Ernst, Ellen Jochemsz 2,, Alexander May,, and Benne de Weger 2, Faculty of Computer Science, Electrical Engineering and Mathematics,
More informationCode-based post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago
Code-based post-quantum cryptography D. J. Bernstein University of Illinois at Chicago Once the enormous energy boost that quantum computers are expected to provide hits the street, most encryption security
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationSolving Linear Equations Modulo Divisors: On Factoring Given Any Bits
Solving Linear Equations Modulo Divisors: On Factoring Given Any Bits Mathias Herrmann and Alexander May Horst Görtz Institute for IT-Security Faculty of Mathematics Ruhr Universität Bochum, Germany mathiasherrmann@rubde,
More informationChapter 4 Finite Fields
Chapter 4 Finite Fields Introduction will now introduce finite fields of increasing importance in cryptography AES, Elliptic Curve, IDEA, Public Key concern operations on numbers what constitutes a number
More informationMathematics of Cryptography
UNIT - III Mathematics of Cryptography Part III: Primes and Related Congruence Equations 1 Objectives To introduce prime numbers and their applications in cryptography. To discuss some primality test algorithms
More informationOn the Security of EPOC and TSH-ESIGN
On the Security of EPOC and TSH-ESIGN Tatsuaki Okamoto Tetsutaro Kobayashi NTT Laboratories 1-1 Hikarinooka, Yokosuka-shi, 239-0847 Japan Email: {okamoto, kotetsu }@isl.ntt.co.jp Abstract We submitted
More informationFinding small factors of integers. Speed of the number-field sieve. D. J. Bernstein University of Illinois at Chicago
The number-field sieve Finding small factors of integers Speed of the number-field sieve D. J. Bernstein University of Illinois at Chicago Prelude: finding denominators 87366 22322444 in R. Easily compute
More informationDouble-Moduli Gaussian Encryption/Decryption with Primary Residues and Secret Controls
Int. J. Communications, Network and System Sciences, 011, 4, 475-481 doi:10.436/ijcns.011.47058 Published Online July 011 (http://www.scirp.org/journal/ijcns) Double-Moduli Gaussian Encryption/Decryption
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationPartial Key Exposure Attack on RSA Improvements for Limited Lattice Dimensions
Partial Key Exposure Attack on RSA Improvements for Limited Lattice Dimensions Santanu Sarkar, Sourav Sen Gupta, and Subhamoy Maitra Applied Statistics Unit, Indian Statistical Institute, 203 B T Road,
More informationNew Directions in Multivariate Public Key Cryptography
New Directions in Shuhong Gao Joint with Ray Heindl Clemson University The 4th International Workshop on Finite Fields and Applications Beijing University, May 28-30, 2010. 1 Public Key Cryptography in
More informationOn the Bit Security of Elliptic Curve Diffie Hellman
On the Bit Security of Elliptic Curve Diffie Hellman Barak Shani Department of Mathematics, University of Auckland, New Zealand Abstract This paper gives the first bit security result for the elliptic
More informationShortest Vector Problem (1982; Lenstra, Lenstra, Lovasz)
Shortest Vector Problem (1982; Lenstra, Lenstra, Lovasz) Daniele Micciancio, University of California at San Diego, www.cs.ucsd.edu/ daniele entry editor: Sanjeev Khanna INDEX TERMS: Point lattices. Algorithmic
More informationThe attack of the RSA Subgroup Assumption
The attack of the RSA Subgroup Assumption Jiang Weng 1,2, Yunqi Dou 1,2, and Chuangui Ma 1,2 1 Zhengzhou Information Science and Technology Institute,Zhengzhou 450002, China 2 State Key Laboratory of Mathematical
More informationCS 355: Topics in Cryptography Spring Problem Set 5.
CS 355: Topics in Cryptography Spring 2018 Problem Set 5 Due: June 8, 2018 at 5pm (submit via Gradescope) Instructions: You must typeset your solution in LaTeX using the provided template: https://crypto.stanford.edu/cs355/homework.tex
More informationPoly Dragon: An efficient Multivariate Public Key Cryptosystem
Poly Dragon: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India May 19, 2010
More informationGröbner Bases in Public-Key Cryptography
Gröbner Bases in Public-Key Cryptography Ludovic Perret SPIRAL/SALSA LIP6, Université Paris 6 INRIA ludovic.perret@lip6.fr ECRYPT PhD SUMMER SCHOOL Emerging Topics in Cryptographic Design and Cryptanalysis
More informationLittle Dragon Two: An efficient Multivariate Public Key Cryptosystem
Little Dragon Two: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India October
More informationThe Hardness of Hensel Lifting: The Case of RSA and Discrete Logarithm
The Hardness of Hensel Lifting: The Case of RSA and Discrete Logarithm Dario Catalano, Phong Q. Nguyen, and Jacques Stern École normale supérieure Département d informatique 45 rue d Ulm, 75230 Paris Cedex
More informationNumber Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.
CSS322: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 29 December 2011 CSS322Y11S2L06, Steve/Courses/2011/S2/CSS322/Lectures/number.tex,
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationWhat is The Continued Fraction Factoring Method
What is The Continued Fraction Factoring Method? Slide /7 What is The Continued Fraction Factoring Method Sohail Farhangi June 208 What is The Continued Fraction Factoring Method? Slide 2/7 Why is Factoring
More informationAnother Generalization of Wiener s Attack on RSA
Another Generalization of Wiener s Attack on RSA Abderrahmane Nitaj Laboratoire de Mathématiques Nicolas Oresme Université de Caen, France BP 586, 4032 Caen Cedex, France http://www.math.unicaen.fr/~nitaj
More information