The Cryptanalysis of a New Public-Key Cryptosystem based on Modular Knapsacks
|
|
- Sophia Cummings
- 5 years ago
- Views:
Transcription
1 The Cryptanalysis of a New Pblic-Key Cryptosystem based on Modlar Knapsacks Yeow Meng Chee Antoine Jox National Compter Systems DMI-GRECC Center for Information Technology 45 re d Ulm 73 Science Park Drive, S Paris Cedex 5 REPUBLIC OF SINGAPORE FRANCE yeowmeng@itivax.bitnet jox@dmi.ens.fr Jacqes Stern DMI-GRECC 45 re d Ulm 7523 Paris Cedex 5 FRANCE stern@dmi.ens.fr Abstract At the 199 EroCrypt Conference, Niemi proposed a new pblic-key cryptosystem based on modlar knapsacks. Y.M. Chee in Singapore, A. Jox and J. Stern in Paris independently fond that this cryptosystem is insecre. Or two cryptanalytic methods are slightly different, bt they are both based on the LLL algorithm. This is one more example of a cryptosystem that can be broken sing this powerfl algorithm. 1 Introdction Let p be a prime and denote by Z/pZ the field of integers modlo p. Unless otherwise stated, all vectors shall be assmed to be colmn vectors. The MODULAR KNAPSACK problem is defined as follows: MODULAR KNAPSACKS INSTANCE: A prime p, a matrix E (Z/pZ) n m and a vector c (Z/pZ) n. QUESTION: Is there a vector x {, 1} m sch that Ex = c over Z/pZ? The MODULAR KNAPSACK problem is a decision problem that is NP-complete in the strong sense, even nder the restriction m = 2n [Nie91]. The related NP-hard algorithmic problem is considered here: Find a vector x {, 1} m that satisfies Ex = c over Z/pZ when one exists. At the 199 EroCrypt Conference, Niemi proposed a new pblic-key cryptosystem
2 based on this problem [Nie91]. Y.M. Chee in Singapore, A. Jox and J. Stern in Paris independently discovered that this cryptosystem is insecre. The prpose of this paper is to present or cryptanalysis on Niemi s cryptosystem. Or attacks are based on the LLL algorithm [LLL82]. This is one more example of a cryptosystem that can be broken sing this powerfl algorithm (see [Adl83, Ste87, ST91]). 2 The Proposed Cryptosystem We briefly review Niemi s pblic-key cryptosystem in this section. The basic idea is a notion of absolte vales in Z/pZ. The absolte vale g of g Z/pZ is the minimm of the least non-negative resides modlo p of the two integers g and g. We call g k-small if g k and g k-large if g p/2 k. We typically speak of small and large nmbers, ths leaving k nfixed. The constrction of the cryptosystem is as follows. Fix a prime p, and positive integers n and k p. We randomly select matrices C, D, S (Z/pZ) n n with k-small entries, a non-singlar matrix R (Z/pZ) n n, and a diagonal matrix (Z/pZ) n n with k-large entries. The pblic information is p and the n 2n matrix E = ( A B ), where A = R 1 ( SC), (1) B = R 1 SD. (2) The private key is R. The matrices C, D, S, and shold also be kept secret bt they are not needed after the initial constrction. The message space is M = { x {, 1} 2n}, and the ciphertext space is C = {c (Z/pZ) n }. The encryption fnction is E : M C defined by E(x) = Ex, arithmetic being done modlo p. To decrypt a ciphertext c, we compte l = Rc. From (1) and (2) we can show that ( ) x = l + S ( C D ) x. Since the entries of C, D, and S are k-small and x {, 1} 2n, the entries of S ( C D ) x shold be small as well. Hence, i,i x i = l i + α i for some small α i, 1 i n. It follows that or decryption rle is: {, if li is small; x i = 1, if l i is large; for 1 i n. The bits x i, n+1 i 2n can be obtained by solving the matrix eqation Bx (2) = c Ax (1), where x (1) = (x 1,..., x n ) T and x (2) = (x n+1,..., x 2n ) T. This can easily be done since we have n eqations in n nknowns.
3 The decryption rle for x i, 1 i n, does not always yield the correct plain bits since its correctness depends on the size of the entries of S ( C D ) x. Niemi restricts himself to the case S = I, where I denotes the identity matrix, and claims that in this case, the sfficient condition to ensre correct decryption is p > 4kn. Niemi also claims that k = 1 is a good choice. In the seqel, we show how the plaintext can be recovered from the ciphertext withot the knowledge of the secret key R. 3 The Cryptanalytic Principle An integer lattice L of dimension m is an additive sbgrop of Z n that contains m linearly independent vectors over R n (hence m n). An ordered basis (v 1,..., v m ) of a lattice L of dimension m is a list of elements of L sch that L = Zv 1 Zv 2 Zv m. We represent an ordered basis of an m-dimensional lattice L by the n m basis matrix V = ( v 1 v 2 v m ), whose colmns are the basis vectors. A lattice with basis matrix V is simply denoted by L(V ). The main idea behind the attacks we are going to describe is the following. It is well-known that the LLL algorithm [LLL82] is a polynomial time algorithm designed to find a short (non-zero) vector in an integer lattice. More precisely, if the dimension of the lattice is n, then the LLL algorithm can find a vector in the lattice whose length is no more than 2 (n 1)/2 times the length of the shortest vector in the lattice. In particlar, if the length of the shortest vector in the lattice is 2 (n 1)/2 times smaller than that of the other vectors, then the LLL algorithm will find the shortest vector. In practice, the LLL algorithm is mch more effective and finds vectors whose lengths are mch smaller than that garanteed by the theoretical bond; and other algorithms exist, that are even more powerfl [ScE91]. In or attacks, we transform the problem of finding the plaintext to that of finding short vectors in certain lattices. Then we show that the short vector is mch shorter than the average short vectors. This gives heristical evidence that the short vector can be fond in polynomial time.
4 4 The Attack of Y.M. Chee An observer of Niemi s cryptosystem who sees a ciphertext c, and has knowledge of pblic information p and E, can recover the corresponding plaintext by solving for a vector x {, 1} 2n in the matrix eqation Ex = c over Z/pZ. The eqivalent problem over Z is to find x {, 1} 2n sch that for some y Z n. ( E pi ) x = c, (3) y I Lemma 4.1 Let L be the lattice with basis matrix V =. Then M = λc for M c some λ Z if and only if L. Proof: The lattice L contains a vector and integral vector v sch that ( I = M c ) ( v = λ if and only if there exist some integer λ v Mv λc ) M = λc. It is easy to see that Lemma 4.1 implies that solving for( x ){, 1} n satisfying (3) for some y Z n is eqivalent to finding a vector of the form, first 2n components of being either or 1, in the lattice L with basis matrix I E pi c sch that the first 2n components of constittes a ({, ) 1}-vector x satisfying Ex = c. Since the first 2n components of is either or 1, is a reasonably short vector
5 in L. Given an ordered basis of a lattice, the LLL algorithm comptes another ordered basis, containing relatively short vectors, for the lattice. This new ordered basis is called a redced ( basis. ) Or hope is that by rnning the LLL algorithm on the lattice L, the vector we are looking for appears in the redced basis. Unfortnately, becase the last n components of may be large, sch a vector is often too long to appear in any redced bases. In order to remedy this sitation, we adopt the following strategy. Let ɛ i,j = (,...,, 2 j 1 p,,..., ) T, }{{} i 1 for 1 i n. Then x {, 1} 2n satisfies (3) for some y Z n if and only if x satisfies x ( E ɛ 1,1 ɛ 1,j1 ɛ 2,1 ɛ 2,j2 ɛ n,1 ɛ n,jn ) = c, (4) y for some y Z j1+j2+ +jn, where j i > for all 1 i n. Let s i = 2n j=1 E i,j denote the sm of all entries in row i of E. It is easy to see that if we choose j i = log 2 (s i /p), 1 i n, then x satisfies (4) for some y {, ±1} j1+j2+ +jn. We now consider a new lattice with the (3n + n i=1 j 1) (2n n i=1 j i) basis matrix G = I E E c where E = ( ɛ 1,1 ɛ 1,j1 ɛ 2,1 ɛ 2,j2 ɛ( n,1 ) ɛ n,jn ). It follows from previos discssions that we are looking for a vector L(G) sch that its first n components consittes a {, 1}-vector x satisfying Ex = c. There exists sch a vector whose components are either, or ±1. This short vector very often appears in the redced basis of L(G).
6 5 The Attack of A. Jox and J. Stern Given a ciphertext c and pblic information p and E, we choose a large scaling factor λ and define: λc λe λpi H = I Lemma 5.1 If x Z 2n satisfies (3) for some y Z n, then lattice L(H). 1 is a vector in the x Proof: The lattice L(H) contains the vector λc λe λpi 1 1 λc λex + λpy x = 1. I y x By the hypothesis of the lemma, c Ex + py =. Hence 1 is a vector in L(H). x As a conseqence of Lemma 5.1, we see that if x {, 1} 2n is the plaintext corresponding to a ciphertext c, then v(x) = fact, 1 is a short vector in the lattice L(H). In x v(x) 2 = x n + 1. Let s now discss the other short vectors in L(H). Since λ is large, the first n components of the first vector of the redced basis for L(H) will almost srely all be zero. A random vector of this form has average length n(p 2 1). This shows that with p = 4kn, v(x) is approximately 2kn 2 times shorter than an average vector with first n components all zero. This provides heristical evidence that the vector v(x) appears
7 in the redced basis for L(H) with high probability. It is also interesting to remark that there are other vectors which may provide a decryption of c, since they increase the probability of finding x. Let s explain informally what these vectors are, and why they are sefl. First, we can say that smming p a few small nmbers gives a small nmber (with a different constant k of corse) and that smming p a few large nmbers can give either a small nmber or a large nmber, depending on the parity of the nmber of nmbers we sm p. Ths, if we obtain in the redced basis a short vector of the form µ, where µ is a small odd nmber, we can write E(µx x ) = and ths, x if µx x is small enogh, we can infer that the first n components of this vector are all even, and therefore that the first n components of x and x have the same parity. 6 Conclsion The previos sections gave heristical and nmerical evidence that Niemi s proposed pblic-key cryptosystem is not secre. We wold like to remark that it gets less and less secre. The reason for this is that a recent improvement of attacks against low-density knapsacks [CLJ91] can be sed to improve the attacks described here. The idea is to replace the identity part of the basis matrices as described in [CLJ91]. We plan to carry ot systematic experiments with this improved version. Acknowledgement. The first named athor wold like to thank K. H. Lim for helpfl discssions. References [Adl83] [CLJ91] [LLL82] L. Adleman. On Breaking the Iterated Merkle-Hellman Pblic Key Cryptosystem, in: Advances in Cryptology, Proceedings of CRYPTO 82, Plenm Press, New York, 1983, A. J. Coster, B. LaMacchia, A. Jox, A. Odlyzko, C. P. Schnorr and J. Stern. Improved Low-Density Sbset Sm Algorithms, to appear. A. K. Lenstra, H. W. Lenstra Jr. and L. Lovász. Factoring Polynomials with Rational Coefficients, Mathematische Annalen 261 (1982),
8 [Nie91] [ScE91] [Sha82] [Ste87] [ST91] V. Niemi. A New Trapdoor in Knapsacks, in: Advances in Cryptology, Proceedings of EUROCRYPT 9, Lectre Notes in Compter Science 473, Springer-Verlag, Berlin, 1991, C. P. Schnorr, M. Echner. Lattice Basis Redction: Improved Practical Algorithms and Solving Sbset Sm Problems. to appear in: Proceedings of the FCT 91, Springer Lectre Notes in Compter Science. A. Shamir. A Polynomial-Time Algorithm for Breaking the Basic Merkle- Hellman Cryptosystem, in: Proceedings of the 23rd IEEE Symposim on Fondations of Compter Science, IEEE, New York, 1982, J. Stern. Secret Linear Congrential Generators are Not Cryptographically Secre, in: Proceedings of the 28th IEEE Symposim on Fondations of Compter Science, IEEE, New York, 1987, J. Stern and P. Toffin. Cryptanalysis of a Pblic-Key Cryptosystem Based on Approximations by Rational Nmbers, in: Advances in Cryptology, Proceedings of EUROCRYPT 9, Lectre Notes in Compter Science 473, Springer- Verlag, Berlin, 1991,
Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97
Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97 Phong Nguyen and Jacques Stern École Normale Supérieure, Laboratoire d Informatique 45, rue d Ulm, F 75230 Paris Cedex 05 {Phong.Nguyen,Jacques.Stern}@ens.fr
More informationLattice Reduction Attack on the Knapsack
Lattice Reduction Attack on the Knapsack Mark Stamp 1 Merkle Hellman Knapsack Every private in the French army carries a Field Marshal wand in his knapsack. Napoleon Bonaparte The Merkle Hellman knapsack
More informationA New Trapdoor in Modular Knapsack Public-Key Cryptosystem
A New Trapdoor in Modular Knapsack Public-Key Cryptosystem Takeshi Nasako Yasuyuki Murakami Abstract. Merkle and Hellman proposed a first knapsack cryptosystem. However, it was broken because the density
More informationComputers and Mathematics with Applications
Computers and Mathematics with Applications 61 (2011) 1261 1265 Contents lists available at ScienceDirect Computers and Mathematics with Applications journal homepage: wwwelseviercom/locate/camwa Cryptanalysis
More informationCryptanalysis of two knapsack public-key cryptosystems
Cryptanalysis of two knapsack public-key cryptosystems Jingguo Bi 1, Xianmeng Meng 2, and Lidong Han 1 {jguobi,hanlidong}@sdu.edu.cn mengxm@sdfi.edu.cn 1 Key Laboratory of Cryptologic Technology and Information
More informationLow-Density Attack Revisited
Low-Density Attack Revisited Tetsuya Izu Jun Kogure Takeshi Koshiba Takeshi Shimoyama Secure Comuting Laboratory, FUJITSU LABORATORIES Ltd., 4-1-1, Kamikodanaka, Nakahara-ku, Kawasaki 211-8588, Japan.
More informationLooking back at lattice-based cryptanalysis
September 2009 Lattices A lattice is a discrete subgroup of R n Equivalently, set of integral linear combinations: α 1 b1 + + α n bm with m n Lattice reduction Lattice reduction looks for a good basis
More informationA Knapsack Cryptosystem Secure Against Attacks Using Basis Reduction and Integer Programming
A Knapsack Cryptosystem Secure Against Attacks Using Basis Reduction and Integer Programming Bala Krishnamoorthy William Webb Nathan Moyer Washington State University ISMP 2006 August 2, 2006 Public Key
More information1. Tractable and Intractable Computational Problems So far in the course we have seen many problems that have polynomial-time solutions; that is, on
. Tractable and Intractable Comptational Problems So far in the corse we have seen many problems that have polynomial-time soltions; that is, on a problem instance of size n, the rnning time T (n) = O(n
More informationCryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000
Cryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000 Amr Youssef 1 and Guang Gong 2 1 Center for Applied Cryptographic Research Department of Combinatorics & Optimization 2 Department of Electrical
More informationA Note on the Density of the Multiple Subset Sum Problems
A Note on the Density of the Multiple Subset Sum Problems Yanbin Pan and Feng Zhang Key Laboratory of Mathematics Mechanization, Academy of Mathematics and Systems Science, Chinese Academy of Sciences,
More informationA New Class of Product-sum Type Public Key Cryptosystem, K(V)ΣΠPKC, Constructed Based on Maximum Length Code
A New Class of Product-sum Type Public Key Cryptosystem, K(V)ΣΠPKC, Constructed Based on Maximum Length Code Masao KASAHARA Abstract The author recently proposed a new class of knapsack type PKC referred
More informationA Knapsack Cryptosystem Based on The Discrete Logarithm Problem
A Knapsack Cryptosystem Based on The Discrete Logarithm Problem By K.H. Rahouma Electrical Technology Department Technical College in Riyadh Riyadh, Kingdom of Saudi Arabia E-mail: kamel_rahouma@yahoo.com
More informationMasao KASAHARA. Graduate School of Osaka Gakuin University
Abstract Construction of New Classes of Knapsack Type Public Key Cryptosystem Using Uniform Secret Sequence, K(II)ΣΠPKC, Constructed Based on Maximum Length Code Masao KASAHARA Graduate School of Osaka
More informationComputing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring
Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring Alexander May Faculty of Computer Science, Electrical Engineering and Mathematics University of Paderborn 33102 Paderborn,
More informationNew attacks on RSA with Moduli N = p r q
New attacks on RSA with Moduli N = p r q Abderrahmane Nitaj 1 and Tajjeeddine Rachidi 2 1 Laboratoire de Mathématiques Nicolas Oresme Université de Caen Basse Normandie, France abderrahmane.nitaj@unicaen.fr
More informationDiophantine equations via weighted LLL algorithm
Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL algorithm Momonari Kudo Graduate School of Mathematics, Kyushu University, JAPAN Kyushu University Number Theory
More informationCryptanalysis of a public-key cryptosystem based on approximations by rational numbers *
Cryptanalysis of a public-key cryptosystem based on approximations by rational numbers * Jacques Stern 6quipe de Logique Universitk de Paris 7 et Departement de mathematiques et informatique l?cole Normale
More informationSolving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?
Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know? Alexander May, Maike Ritzenhofen Faculty of Mathematics Ruhr-Universität Bochum, 44780 Bochum,
More informationA new attack on RSA with a composed decryption exponent
A new attack on RSA with a composed decryption exponent Abderrahmane Nitaj and Mohamed Ould Douh,2 Laboratoire de Mathématiques Nicolas Oresme Université de Caen, Basse Normandie, France abderrahmane.nitaj@unicaen.fr
More informationLattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.
Lattices A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices have many uses in cryptography. They may be used to define cryptosystems and to break other ciphers.
More informationA New Knapsack Public-Key Cryptosystem Based on Permutation Combination Algorithm
A New Knapsack Public-Key Cryptosystem Based on Permutation Combination Algorithm Min-Shiang Hwang Cheng-Chi Lee Shiang-Feng Tzeng Department of Management Information System National Chung Hsing University
More informationBLOOM S TAXONOMY. Following Bloom s Taxonomy to Assess Students
BLOOM S TAXONOMY Topic Following Bloom s Taonomy to Assess Stdents Smmary A handot for stdents to eplain Bloom s taonomy that is sed for item writing and test constrction to test stdents to see if they
More informationA NEW ATTACK ON RSA WITH A COMPOSED DECRYPTION EXPONENT
A NEW ATTACK ON RSA WITH A COMPOSED DECRYPTION EXPONENT Abderrahmane Nitaj 1 and Mohamed Ould Douh 1,2 1 Laboratoire de Mathématiques Nicolas Oresme, Université de Caen, Basse Normandie, France Université
More informationAdapting Density Attacks to Low-Weight Knapsacks
Adapting Density Attacks to Low-Weight Knapsacks Phong Q. Nguy ên 1 and Jacques Stern 2 1 CNRS & École normale supérieure, DI, 45 rue d Ulm, 75005 Paris, France. Phong.Nguyen@di.ens.fr http://www.di.ens.fr/
More informationDecoder Error Probability of MRD Codes
Decoder Error Probability of MRD Codes Maximilien Gadolea Department of Electrical and Compter Engineering Lehigh University Bethlehem, PA 18015 USA E-mail: magc@lehigh.ed Zhiyan Yan Department of Electrical
More informationOptimal Control of a Heterogeneous Two Server System with Consideration for Power and Performance
Optimal Control of a Heterogeneos Two Server System with Consideration for Power and Performance by Jiazheng Li A thesis presented to the University of Waterloo in flfilment of the thesis reqirement for
More informationWorst-case analysis of the LPT algorithm for single processor scheduling with time restrictions
OR Spectrm 06 38:53 540 DOI 0.007/s009-06-043-5 REGULAR ARTICLE Worst-case analysis of the LPT algorithm for single processor schedling with time restrictions Oliver ran Fan Chng Ron Graham Received: Janary
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationWhen are Two Numerical Polynomials Relatively Prime?
J Symbolic Comptation (1998) 26, 677 689 Article No sy980234 When are Two Nmerical Polynomials Relatively Prime? BERNHARD BECKERMANN AND GEORGE LABAHN Laboratoire d Analyse Nmériqe et d Optimisation, Université
More informationA Note on Irreducible Polynomials and Identity Testing
A Note on Irrecible Polynomials an Ientity Testing Chanan Saha Department of Compter Science an Engineering Inian Institte of Technology Kanpr Abstract We show that, given a finite fiel F q an an integer
More informationLecture Notes On THEORY OF COMPUTATION MODULE - 2 UNIT - 2
BIJU PATNAIK UNIVERSITY OF TECHNOLOGY, ODISHA Lectre Notes On THEORY OF COMPUTATION MODULE - 2 UNIT - 2 Prepared by, Dr. Sbhend Kmar Rath, BPUT, Odisha. Tring Machine- Miscellany UNIT 2 TURING MACHINE
More informationPublic Key Cryptography
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Public Key Cryptography EECE 412 1 What is it? Two keys Sender uses recipient s public key to encrypt Receiver uses his private key to decrypt
More information9 Knapsack Cryptography
9 Knapsack Cryptography In the past four weeks, we ve discussed public-key encryption systems that depend on various problems that we believe to be hard: prime factorization, the discrete logarithm, and
More informationDeterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA
Deterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA Noboru Kunihiro 1 and Kaoru Kurosawa 2 1 The University of Electro-Communications, Japan kunihiro@iceuecacjp
More informationDiscussion Papers Department of Economics University of Copenhagen
Discssion Papers Department of Economics University of Copenhagen No. 10-06 Discssion of The Forward Search: Theory and Data Analysis, by Anthony C. Atkinson, Marco Riani, and Andrea Ceroli Søren Johansen,
More information3.4-Miscellaneous Equations
.-Miscellaneos Eqations Factoring Higher Degree Polynomials: Many higher degree polynomials can be solved by factoring. Of particlar vale is the method of factoring by groping, however all types of factoring
More informationThe Linear Quadratic Regulator
10 The Linear Qadratic Reglator 10.1 Problem formlation This chapter concerns optimal control of dynamical systems. Most of this development concerns linear models with a particlarly simple notion of optimality.
More information4.2 First-Order Logic
64 First-Order Logic and Type Theory The problem can be seen in the two qestionable rles In the existential introdction, the term a has not yet been introdced into the derivation and its se can therefore
More informationCryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg
Course 1: Remainder: RSA Université du Luxembourg September 21, 2010 Public-key encryption Public-key encryption: two keys. One key is made public and used to encrypt. The other key is kept private and
More informationDecoder Error Probability of MRD Codes
Decoder Error Probability of MRD Codes Maximilien Gadolea Department of Electrical and Compter Engineering Lehigh University Bethlehem, PA 18015 USA E-mail: magc@lehighed Zhiyan Yan Department of Electrical
More informationDouble-Moduli Gaussian Encryption/Decryption with Primary Residues and Secret Controls
Int. J. Communications, Network and System Sciences, 011, 4, 475-481 doi:10.436/ijcns.011.47058 Published Online July 011 (http://www.scirp.org/journal/ijcns) Double-Moduli Gaussian Encryption/Decryption
More informationDeterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring
Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring Jean-Sébastien Coron and Alexander May Gemplus Card International 34 rue Guynemer, 92447 Issy-les-Moulineaux, France
More information1 Undiscounted Problem (Deterministic)
Lectre 9: Linear Qadratic Control Problems 1 Undisconted Problem (Deterministic) Choose ( t ) 0 to Minimize (x trx t + tq t ) t=0 sbject to x t+1 = Ax t + B t, x 0 given. x t is an n-vector state, t a
More informationOn estimating the lattice security of NTRU
On estimating the lattice security of NTRU Nick Howgrave-Graham, Jeff Hoffstein, Jill Pipher, William Whyte NTRU Cryptosystems Abstract. This report explicitly refutes the analysis behind a recent claim
More informationModelling by Differential Equations from Properties of Phenomenon to its Investigation
Modelling by Differential Eqations from Properties of Phenomenon to its Investigation V. Kleiza and O. Prvinis Kanas University of Technology, Lithania Abstract The Panevezys camps of Kanas University
More informationMaTRU: A New NTRU-Based Cryptosystem
MaTRU: A New NTRU-Based Cryptosystem Michael Coglianese 1 and Bok Min Goi 2 1 Macgregor, 321 Summer Street Boston, MA 02210, USA mcoglian@comcast.net 2 Centre for Cryptography and Information Security
More informationThe Shortest Vector Problem (Lattice Reduction Algorithms)
The Shortest Vector Problem (Lattice Reduction Algorithms) Approximation Algorithms by V. Vazirani, Chapter 27 - Problem statement, general discussion - Lattices: brief introduction - The Gauss algorithm
More informationConstructive Root Bound for k-ary Rational Input Numbers
Constrctive Root Bond for k-ary Rational Inpt Nmbers Sylvain Pion, Chee Yap To cite this version: Sylvain Pion, Chee Yap. Constrctive Root Bond for k-ary Rational Inpt Nmbers. 19th Annal ACM Symposim on
More informationDiscussion of The Forward Search: Theory and Data Analysis by Anthony C. Atkinson, Marco Riani, and Andrea Ceroli
1 Introdction Discssion of The Forward Search: Theory and Data Analysis by Anthony C. Atkinson, Marco Riani, and Andrea Ceroli Søren Johansen Department of Economics, University of Copenhagen and CREATES,
More informationOn a class of topological groups. Key Words: topological groups, linearly topologized groups. Contents. 1 Introduction 25
Bol. Soc. Paran. Mat. (3s.) v. 24 1-2 (2006): 25 34. c SPM ISNN-00378712 On a class of topological grops Dinamérico P. Pombo Jr. abstract: A topological grop is an SNS-grop if its identity element possesses
More informationCryptanalysis of the Chor-Rivest Cryptosystem
Cryptanalysis of the Chor-Rivest Cryptosystem Serge Vaudenay Ecole Normale Supérieure CNRS Serge.Vaudenay@ens.fr Abstract. Knapsack-based cryptosystems used to be popular in the beginning of public key
More informationPulses on a Struck String
8.03 at ESG Spplemental Notes Plses on a Strck String These notes investigate specific eamples of transverse motion on a stretched string in cases where the string is at some time ndisplaced, bt with a
More informationRSA. Ramki Thurimella
RSA Ramki Thurimella Public-Key Cryptography Symmetric cryptography: same key is used for encryption and decryption. Asymmetric cryptography: different keys used for encryption and decryption. Public-Key
More informationA Disaggregation Approach for Solving Linear Diophantine Equations 1
Applied Mathematical Sciences, Vol. 12, 2018, no. 18, 871-878 HIKARI Ltd, www.m-hikari.com https://doi.org/10.12988/ams.2018.8687 A Disaggregation Approach for Solving Linear Diophantine Equations 1 Baiyi
More informationNonlinear parametric optimization using cylindrical algebraic decomposition
Proceedings of the 44th IEEE Conference on Decision and Control, and the Eropean Control Conference 2005 Seville, Spain, December 12-15, 2005 TC08.5 Nonlinear parametric optimization sing cylindrical algebraic
More informationA Characterization of Interventional Distributions in Semi-Markovian Causal Models
A Characterization of Interventional Distribtions in Semi-Markovian Casal Models Jin Tian and Changsng Kang Department of Compter Science Iowa State University Ames, IA 50011 {jtian, cskang}@cs.iastate.ed
More informationBreaking Plain ElGamal and Plain RSA Encryption
Breaking Plain ElGamal and Plain RSA Encryption (Extended Abstract) Dan Boneh Antoine Joux Phong Nguyen dabo@cs.stanford.edu joux@ens.fr pnguyen@ens.fr Abstract We present a simple attack on both plain
More informationClassify by number of ports and examine the possible structures that result. Using only one-port elements, no more than two elements can be assembled.
Jnction elements in network models. Classify by nmber of ports and examine the possible strctres that reslt. Using only one-port elements, no more than two elements can be assembled. Combining two two-ports
More informationA Large Block Cipher using an Iterative Method and the Modular Arithmetic Inverse of a key Matrix
A Large Block Cipher using an Iterative Method and the Modular Arithmetic Inverse of a key Matrix S. Udaya Kumar V. U. K. Sastry A. Vinaya babu Abstract In this paper, we have developed a block cipher
More informationduring transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL
THE MATHEMATICAL BACKGROUND OF CRYPTOGRAPHY Cryptography: used to safeguard information during transmission (e.g., credit card number for internet shopping) as opposed to Coding Theory: used to transmit
More informationNotes on Alekhnovich s cryptosystems
Notes on Alekhnovich s cryptosystems Gilles Zémor November 2016 Decisional Decoding Hypothesis with parameter t. Let 0 < R 1 < R 2 < 1. There is no polynomial-time decoding algorithm A such that: Given
More informationA Single Species in One Spatial Dimension
Lectre 6 A Single Species in One Spatial Dimension Reading: Material similar to that in this section of the corse appears in Sections 1. and 13.5 of James D. Mrray (), Mathematical Biology I: An introction,
More informationIntrodction Finite elds play an increasingly important role in modern digital commnication systems. Typical areas of applications are cryptographic sc
A New Architectre for a Parallel Finite Field Mltiplier with Low Complexity Based on Composite Fields Christof Paar y IEEE Transactions on Compters, Jly 996, vol 45, no 7, pp 856-86 Abstract In this paper
More informationTechnical Note. ODiSI-B Sensor Strain Gage Factor Uncertainty
Technical Note EN-FY160 Revision November 30, 016 ODiSI-B Sensor Strain Gage Factor Uncertainty Abstract Lna has pdated or strain sensor calibration tool to spport NIST-traceable measrements, to compte
More informationA New Attack on RSA with Two or Three Decryption Exponents
A New Attack on RSA with Two or Three Decryption Exponents Abderrahmane Nitaj Laboratoire de Mathématiques Nicolas Oresme Université de Caen, France nitaj@math.unicaen.fr http://www.math.unicaen.fr/~nitaj
More informationLinear Bandwidth Naccache-Stern Encryption
Linear Bandwidth Naccache-Stern Encryption Benoît Chevallier-Mames 1, David Naccache 2, and Jacques Stern 2 1 dcssi, Laboratoire de cryptographie, 51, Boulevard de la Tour Maubourg, f-75700 Paris, France
More informationSuccess Probability of the Hellman Trade-off
This is the accepted version of Information Processing Letters 109(7 pp.347-351 (2009. https://doi.org/10.1016/j.ipl.2008.12.002 Abstract Success Probability of the Hellman Trade-off Daegun Ma 1 and Jin
More informationCommunication security: Formal models and proofs
Commnication secrity: Formal models and proofs Hbert Comon September 1, 2016 1 Introdction to protocol secrity The context (I) credit cards contactless cards telephones online transactions cars, fridges,...
More information10 Modular Arithmetic and Cryptography
10 Modular Arithmetic and Cryptography 10.1 Encryption and Decryption Encryption is used to send messages secretly. The sender has a message or plaintext. Encryption by the sender takes the plaintext and
More informationOn oriented arc-coloring of subcubic graphs
On oriented arc-coloring of sbcbic graphs Alexandre Pinlo Alexandre.Pinlo@labri.fr LaBRI, Université Bordeax I, 351, Cors de la Libération, 33405 Talence, France Janary 17, 2006 Abstract. A homomorphism
More informationCryptanalysis of RSA with Small Multiplicative Inverse of (p 1) or (q 1) Modulo e
Cryptanalysis of RSA with Small Multiplicative Inverse of (p 1) or (q 1) Modulo e P Anuradha Kameswari, L Jyotsna Department of Mathematics, Andhra University, Visakhapatnam - 5000, Andhra Pradesh, India
More informationLemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).
1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not
More informationOn relative errors of floating-point operations: optimal bounds and applications
On relative errors of floating-point operations: optimal bonds and applications Clade-Pierre Jeannerod, Siegfried M. Rmp To cite this version: Clade-Pierre Jeannerod, Siegfried M. Rmp. On relative errors
More informationFixed points for discrete logarithms
Fixed points for discrete logarithms Mariana Levin 1, Carl Pomerance 2, and and K. Sondararajan 3 1 Gradate Grop in Science and Mathematics Edcation University of California Berkeley, CA 94720, USA levin@berkeley.ed
More informationLattice Reduction of Modular, Convolution, and NTRU Lattices
Summer School on Computational Number Theory and Applications to Cryptography Laramie, Wyoming, June 19 July 7, 2006 Lattice Reduction of Modular, Convolution, and NTRU Lattices Project suggested by Joe
More informationCryptanalysis of a Knapsack Based Two-Lock Cryptosystem
Cryptanalysis of a Knapsack Based Two-Lock Cryptosystem Bin Zhang 1,2, Hongjun Wu 1, Dengguo Feng 2, and Feng Bao 1 1 Institute for Infocomm Research, Singapore 119613 2 State Key Laboratory of Information
More informationPAPER On the Hardness of Subset Sum Problem from Different Intervals
IEICE TRANS FUNDAMENTALS, VOLE95 A, NO5 MAY 202 903 PAPER On the Hardness of Subset Sum Problem from Different Intervals Jun KOGURE a), Noboru KUNIHIRO, Members, and Hirosuke YAMAMOTO, Fellow SUMMARY The
More informationThe Brauer Manin obstruction
The Braer Manin obstrction Martin Bright 17 April 2008 1 Definitions Let X be a smooth, geometrically irredcible ariety oer a field k. Recall that the defining property of an Azmaya algebra A is that,
More informationLecture Notes: Finite Element Analysis, J.E. Akin, Rice University
9. TRUSS ANALYSIS... 1 9.1 PLANAR TRUSS... 1 9. SPACE TRUSS... 11 9.3 SUMMARY... 1 9.4 EXERCISES... 15 9. Trss analysis 9.1 Planar trss: The differential eqation for the eqilibrim of an elastic bar (above)
More informationUniversal Scheme for Optimal Search and Stop
Universal Scheme for Optimal Search and Stop Sirin Nitinawarat Qalcomm Technologies, Inc. 5775 Morehose Drive San Diego, CA 92121, USA Email: sirin.nitinawarat@gmail.com Vengopal V. Veeravalli Coordinated
More informationGraph-Modeled Data Clustering: Fixed-Parameter Algorithms for Clique Generation
Graph-Modeled Data Clstering: Fied-Parameter Algorithms for Cliqe Generation Jens Gramm Jiong Go Falk Hüffner Rolf Niedermeier Wilhelm-Schickard-Institt für Informatik, Universität Tübingen, Sand 13, D-72076
More informationMixed-radix Naccache Stern encryption
Mixed-radix Naccache Stern encryption Rémi Géraud and David Naccache Information security group, Département d informatique de l ÉNS, École normale supérieure, CNRS, PSL Research University, Paris, France.
More informationCharacterizations of probability distributions via bivariate regression of record values
Metrika (2008) 68:51 64 DOI 10.1007/s00184-007-0142-7 Characterizations of probability distribtions via bivariate regression of record vales George P. Yanev M. Ahsanllah M. I. Beg Received: 4 October 2006
More informationAdmissibility under the LINEX loss function in non-regular case. Hidekazu Tanaka. Received November 5, 2009; revised September 2, 2010
Scientiae Mathematicae Japonicae Online, e-2012, 427 434 427 Admissibility nder the LINEX loss fnction in non-reglar case Hidekaz Tanaka Received November 5, 2009; revised September 2, 2010 Abstract. In
More informationOptimization via the Hamilton-Jacobi-Bellman Method: Theory and Applications
Optimization via the Hamilton-Jacobi-Bellman Method: Theory and Applications Navin Khaneja lectre notes taken by Christiane Koch Jne 24, 29 1 Variation yields a classical Hamiltonian system Sppose that
More informationSources of Non Stationarity in the Semivariogram
Sorces of Non Stationarity in the Semivariogram Migel A. Cba and Oy Leangthong Traditional ncertainty characterization techniqes sch as Simple Kriging or Seqential Gassian Simlation rely on stationary
More informationFast Correlation Attacks: an Algorithmic Point of View
Fast Correlation Attacks: an Algorithmic Point of View Philippe Chose, Antoine Joux, and Michel Mitton DCSSI, 18 rue du Docteur Zamenhof F-92131 Issy-les-Moulineaux cedex, France Philippe.Chose@ens.fr,
More informationSolving ECDLP via List Decoding
Solving ECDLP via List Decoding Fanggo Zhang 1,2 and Shengli Li 3 1 School of Data and Compter Science, Sn Yat-sen University, Gangzho 510006, China 2 Gangdong Key Laboratory of Information Secrity, Gangzho
More informationOn the Security of EPOC and TSH-ESIGN
On the Security of EPOC and TSH-ESIGN Tatsuaki Okamoto Tetsutaro Kobayashi NTT Laboratories 1-1 Hikarinooka, Yokosuka-shi, 239-0847 Japan Email: {okamoto, kotetsu }@isl.ntt.co.jp Abstract We submitted
More informationCryptanalysis of Unbalanced RSA with Small CRT-Exponent
Cryptanalysis of Unbalanced RSA with Small CRT-Exponent Alexander May Department of Mathematics and Computer Science University of Paderborn 3310 Paderborn, Germany alexx@uni-paderborn.de Abstract. We
More informationSubcritical bifurcation to innitely many rotating waves. Arnd Scheel. Freie Universitat Berlin. Arnimallee Berlin, Germany
Sbcritical bifrcation to innitely many rotating waves Arnd Scheel Institt fr Mathematik I Freie Universitat Berlin Arnimallee 2-6 14195 Berlin, Germany 1 Abstract We consider the eqation 00 + 1 r 0 k2
More informationGurgen Khachatrian Martun Karapetyan
34 International Journal Information Theories and Applications, Vol. 23, Number 1, (c) 2016 On a public key encryption algorithm based on Permutation Polynomials and performance analyses Gurgen Khachatrian
More informationElliptic Curves Spring 2013
18.783 Elliptic Crves Spring 2013 Lectre #25 05/14/2013 In or final lectre we give an overview of the proof of Fermat s Last Theorem. Or goal is to explain exactly what Andrew Wiles [14], with the assistance
More information8.1 Principles of Public-Key Cryptosystems
Public-key cryptography is a radical departure from all that has gone before. Right up to modern times all cryptographic systems have been based on the elementary tools of substitution and permutation.
More informationA Note on Johnson, Minkoff and Phillips Algorithm for the Prize-Collecting Steiner Tree Problem
A Note on Johnson, Minkoff and Phillips Algorithm for the Prize-Collecting Steiner Tree Problem Palo Feofiloff Cristina G. Fernandes Carlos E. Ferreira José Coelho de Pina September 04 Abstract The primal-dal
More informationOn Deterministic Polynomial-Time Equivalence of Computing the CRT-RSA Secret Keys and Factoring
On Deterministic Polynomial-Time Equivalence of Computing the CRT-RSA Secret Keys and Factoring Subhamoy Maitra and Santanu Sarkar Applied Statistics Unit, Indian Statistical Institute, 203 B T Road, Kolkata
More informationA Computational Study with Finite Element Method and Finite Difference Method for 2D Elliptic Partial Differential Equations
Applied Mathematics, 05, 6, 04-4 Pblished Online November 05 in SciRes. http://www.scirp.org/jornal/am http://d.doi.org/0.46/am.05.685 A Comptational Stdy with Finite Element Method and Finite Difference
More informationThe Dual of the Maximum Likelihood Method
Department of Agricltral and Resorce Economics University of California, Davis The Dal of the Maximm Likelihood Method by Qirino Paris Working Paper No. 12-002 2012 Copyright @ 2012 by Qirino Paris All
More informationFormal Methods for Deriving Element Equations
Formal Methods for Deriving Element Eqations And the importance of Shape Fnctions Formal Methods In previos lectres we obtained a bar element s stiffness eqations sing the Direct Method to obtain eact
More information