Sliding right into disaster - Left-to-right sliding windows leak
|
|
- Martina Taylor
- 5 years ago
- Views:
Transcription
1 Sliding right into disaster - Left-to-right sliding windows leak Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal and Yuval Yarom November 17th, 2017 Sliding right into disaster - Left-to-right sliding windows leak 1
2 Side-channel attacks on RSA Side-channel attacks on RSA: modular exponentiation Constant-time implementations cannot use sliding windows Common belief: sliding windows do not leak enough for key recovery Sliding right into disaster - Left-to-right sliding windows leak 2
3 This work We show that right-to-left sliding window method does not leak enough Sliding right into disaster - Left-to-right sliding windows leak 3
4 This work We show that right-to-left sliding window method does not leak enough We show that left-to-right sliding window method does leak enough Two methods to extract information from square and multiply sequence Demonstrated real-world applicability by attacking Libgcrypt We analyze the reasons why left-to-right leaks more than right-to-left Sliding right into disaster - Left-to-right sliding windows leak 3
5 Cache Timing Attacks Sliding right into disaster - Left-to-right sliding windows leak 4
6 Cache (Timing) Attacks Cache-memory: small, fast memory shared among all threads. Bridge the gap between processor speed and memory speed. Data is stored in cache-lines, typically 64 Bytes. L1 Cache Thread 1 Thread 2 Thread 3 Sliding right into disaster - Left-to-right sliding windows leak 5
7 Cache (Timing) Attacks Attacker fills specific cache lines with his data. Cache Memory Attacker Data Victim Data Sliding right into disaster - Left-to-right sliding windows leak 5
8 Cache (Timing) Attacks Attacker notices that victim uses some part of cache. Learns cache-line of data used by victim. Cache Memory Attacker Data Victim Data Victim Table Sliding right into disaster - Left-to-right sliding windows leak 5
9 RSA Sliding right into disaster - Left-to-right sliding windows leak 6
10 RSA signatures Keygen: Public key (e, N) where N = pq for primes p, q Secret key (d, p, q) where ed 1 mod φ(n) and φ(n) = (p 1)(q 1) Sliding right into disaster - Left-to-right sliding windows leak 7
11 RSA signatures Keygen: Public key (e, N) where N = pq for primes p, q Secret key (d, p, q) where ed 1 mod φ(n) and φ(n) = (p 1)(q 1) Sign and verify: Let H be a padded secure hash-function Signature: s of message m: s = H(m) d mod N Verification: compute z = s e mod N and verify z? = H(m) Sliding right into disaster - Left-to-right sliding windows leak 7
12 RSA signatures Keygen: Public key (e, N) where N = pq for primes p, q Secret key (d, p, q) where ed 1 mod φ(n) and φ(n) = (p 1)(q 1) Sign and verify: CRT: Let H be a padded secure hash-function Signature: s of message m: s = H(m) d mod N Verification: compute z = s e mod N and verify z? = H(m) Common optimization based on Chinese Remainder Theorem (CRT) Compute s p H(m) dp mod p and s q H(m) dq mod q Combine to s using CRT Sliding right into disaster - Left-to-right sliding windows leak 7
13 Sliding-window method Implement modular exponentiation using sliding-windows Window size w, sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i for d i = 0 or odd 1 d i 2 w 1 In general, compute b d mod p as follows: Sliding right into disaster - Left-to-right sliding windows leak 8
14 Sliding-window method Implement modular exponentiation using sliding-windows Window size w, sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i for d i = 0 or odd 1 d i 2 w 1 In general, compute b d mod p as follows: 1 Precompute small, odd powers of b mod p (i.e. b mod p, b 3 mod p,..., b 2w 1 mod p). Sliding right into disaster - Left-to-right sliding windows leak 8
15 Sliding-window method Implement modular exponentiation using sliding-windows Window size w, sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i for d i = 0 or odd 1 d i 2 w 1 In general, compute b d mod p as follows: 1 Precompute small, odd powers of b mod p (i.e. b mod p, b 3 mod p,..., b 2w 1 mod p). 2 Set a = 1 3 For i n 1 to 0: 4 a = a a mod p (Square) 5 If d i 0: 6 a = a b d i mod p (Multiply) 7 Return a Sliding right into disaster - Left-to-right sliding windows leak 8
16 Sliding-window method Implement modular exponentiation using sliding-windows Window size w, sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i for d i = 0 or odd 1 d i 2 w 1 In general, compute b d mod p as follows: 1 Precompute small, odd powers of b mod p (i.e. b mod p, b 3 mod p,..., b 2w 1 mod p). 2 Set a = 1 3 For i n 1 to 0: 4 a = a a mod p (Square) 5 If d i 0: 6 a = a b d i mod p (Multiply) 7 Return a This leaks a Square and Multiply Sequence For sufficiently large w, too many options to try Sliding right into disaster - Left-to-right sliding windows leak 8
17 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Sliding right into disaster - Left-to-right sliding windows leak 9
18 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Right-to-left Windowed form Binary form Sliding right into disaster - Left-to-right sliding windows leak 9
19 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Right-to-left Windowed form Binary form Sliding right into disaster - Left-to-right sliding windows leak 9
20 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Right-to-left Windowed form Binary form Sliding right into disaster - Left-to-right sliding windows leak 9
21 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Right-to-left Windowed form Binary form Sliding right into disaster - Left-to-right sliding windows leak 9
22 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Right-to-left Windowed form Binary form Sliding right into disaster - Left-to-right sliding windows leak 9
23 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Right-to-left Windowed form Binary form Leaking on average a fraction of 2 w+1 bits Sliding right into disaster - Left-to-right sliding windows leak 9
24 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Left-to-right Windowed form Binary form Sliding right into disaster - Left-to-right sliding windows leak 9
25 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Left-to-right Windowed form Binary form Sliding right into disaster - Left-to-right sliding windows leak 9
26 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Left-to-right Windowed form 1 Binary form Sliding right into disaster - Left-to-right sliding windows leak 9
27 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Left-to-right Windowed form 1 0 Binary form Sliding right into disaster - Left-to-right sliding windows leak 9
28 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Left-to-right Windowed form Binary form Sliding right into disaster - Left-to-right sliding windows leak 9
29 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Left-to-right Windowed form Binary form Sliding right into disaster - Left-to-right sliding windows leak 9
30 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Left-to-right Windowed form Binary form Sliding right into disaster - Left-to-right sliding windows leak 9
31 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Left-to-right Windowed form Binary form Sliding right into disaster - Left-to-right sliding windows leak 9
32 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Left-to-right Windowed form Binary form Sliding right into disaster - Left-to-right sliding windows leak 9
33 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Left-to-right Windowed form Binary form Enables on-the-fly encoding and exponentiation Not obvious how many bits are leaking... Sliding right into disaster - Left-to-right sliding windows leak 9
34 Sliding Right versus Sliding Left Analysis Sliding right into disaster - Left-to-right sliding windows leak 10
35 First observations Right-to-left: guaranteed w 1 zero indices after non-zero index Left-to-right: two non-zero indices can be as close as adjacent This allows for many more recovered bits from Square and Multiply sequence First method: deduce more known bits from 4 bit recovery rules Second method: uses knowledge not directly translatable to known bits Sliding right into disaster - Left-to-right sliding windows leak 11
36 Applying bit recovery rules d = 9059 S = smssssssssmsmssssssm with w = 4 Convert sm x, s x D 1 = xxxxxxxxxxxxxx Sliding right into disaster - Left-to-right sliding windows leak 12
37 Applying bit recovery rules d = 9059 S = smssssssssmsmssssssm with w = 4 Convert sm x, s x D 1 = xxxxxxxxxxxxxx Rule 0: Multiplication bits x 1 D 2 = 1xxxxxx11xxxx1 Sliding right into disaster - Left-to-right sliding windows leak 12
38 Applying bit recovery rules d = 9059 S = smssssssssmsmssssssm with w = 4 Convert sm x, s x D 1 = xxxxxxxxxxxxxx Rule 0: Multiplication bits x 1 D 2 = 1xxxxxx11xxxx1 Rule 1: Trailing zeros 1x i 1x w i 1 1x i 10 w i 1 D 3 = 1xxxxxx11000x1 Sliding right into disaster - Left-to-right sliding windows leak 12
39 Applying bit recovery rules d = 9059 S = smssssssssmsmssssssm with w = 4 Convert sm x, s x D 1 = xxxxxxxxxxxxxx Rule 0: Multiplication bits x 1 D 2 = 1xxxxxx11xxxx1 Rule 1: Trailing zeros 1x i 1x w i 1 1x i 10 w i 1 D 3 = 1xxxxxx11000x1 Rule 2: Leading one xxx11 1xx11 D 4 = 1xxx1xx11000x1 Sliding right into disaster - Left-to-right sliding windows leak 12
40 Applying bit recovery rules d = 9059 S = smssssssssmsmssssssm with w = 4 Convert sm x, s x D 1 = xxxxxxxxxxxxxx Rule 0: Multiplication bits x 1 D 2 = 1xxxxxx11xxxx1 Rule 1: Trailing zeros 1x i 1x w i 1 1x i 10 w i 1 D 3 = 1xxxxxx11000x1 Rule 2: Leading one xxx11 1xx11 D 4 = 1xxx1xx11000x1 Rule 3: Leading zeros 1x i x w i x w 1 1 D 5 = 10001xx11000x1 Sliding right into disaster - Left-to-right sliding windows leak 12
41 Results of using bit recovery rules Conform Libgcrypt s implementation of RSA-1024: n = 512, w = 4 Rule 0 Rule 1 Rule 2 Rule Distribution of number of recovered bits per rule Sliding right into disaster - Left-to-right sliding windows leak 13
42 Results of using bit recovery rules Conform Libgcrypt s implementation of RSA-1024: n = 512, w = 4 Rule 0 Rule 1 Rule 2 Rule Distribution of number of recovered bits per rule Is this the best we can do? No! Sliding right into disaster - Left-to-right sliding windows leak 13
43 A small example where bitrecovery misses a bit of bits Example with d = and w = 4 S = smsssmssssmssssmssssmssssmssmssssssmssssm Sliding right into disaster - Left-to-right sliding windows leak 14
44 A small example where bitrecovery misses a bit of bits Example with d = and w = 4 S = smsssmssssmssssmssssmssssmssmssssssmssssm After applying rules 0-3, we get: 1xx10xx1xxx1xxx1xxx1x100xxx1xxx1 a c e b d Sliding right into disaster - Left-to-right sliding windows leak 14
45 A small example where bitrecovery misses a bit of bits Example with d = and w = 4 S = smsssmssssmssssmssssmssssmssmssssssmssssm After applying rules 0-3, we get: 1xx10xx1xxx1xxx1xxx1x100xxx1xxx1 a b c d e Let s try x = 0: 1xx10xx1x0x1xxx1xxx1x100xxx1xxx1 a c e b d Sliding right into disaster - Left-to-right sliding windows leak 14
46 A small example where bitrecovery misses a bit of bits Example with d = and w = 4 S = smsssmssssmssssmssssmssssmssmssssssmssssm After applying rules 0-3, we get: 1xx10xx1xxx1xxx1xxx1x100xxx1xxx1 a b c d e Let s try x = 0: 1xx10xx1x0x100x1xxx1x100xxx1xxx1 a c e b d Sliding right into disaster - Left-to-right sliding windows leak 14
47 A small example where bitrecovery misses a bit of bits Example with d = and w = 4 S = smsssmssssmssssmssssmssssmssmssssssmssssm After applying rules 0-3, we get: 1xx10xx1xxx1xxx1xxx1x100xxx1xxx1 a b c d e Let s try x = 0: 1xx10xx1x0x100x100x1x100xxx1xxx1 a c e b d Sliding right into disaster - Left-to-right sliding windows leak 14
48 A small example where bitrecovery misses a bit of bits Example with d = and w = 4 S = smsssmssssmssssmssssmssssmssmssssssmssssm After applying rules 0-3, we get: 1xx10xx1xxx1xxx1xxx1x100xxx1xxx1 a b c d e x has to be a 1! These events are rare, but require a more iterative approach Sliding right into disaster - Left-to-right sliding windows leak 14
49 Revisiting multiplier locations Idea: keep track of the possible widths for each multiplication Suppose multiplication at position i = 5 and w = 4 Case 1: x1xx1xxxxx, multiplier width: 4 Case 2: xx1x10xxxx, multiplier width: 3 Case 3: xxx1100xxx, multiplier width: 2 Case 4: xxxx1000xx, multiplier width: 1 Sliding right into disaster - Left-to-right sliding windows leak 15
50 Revisiting multiplier locations Idea: keep track of the possible widths for each multiplication Suppose multiplication at position i = 5 and w = 4 Case 1: x1xx1xxxxx, multiplier width: 4 Case 2: xx1x10xxxx, multiplier width: 3 Case 3: xxx1100xxx, multiplier width: 2 Case 4: xxxx1000xx, multiplier width: 1 Key idea: multipliers do not overlap! Retrieve smallest m and largest m + possible width for each multiplier Sliding right into disaster - Left-to-right sliding windows leak 15
51 Revisiting multiplier locations Idea: keep track of the possible widths for each multiplication Suppose multiplication at position i = 5 and w = 4 Case 1: x1xx1xxxxx, multiplier width: 4 Case 2: xx1x10xxxx, multiplier width: 3 Case 3: xxx1100xxx, multiplier width: 2 Case 4: xxxx1000xx, multiplier width: 1 Key idea: multipliers do not overlap! Retrieve smallest m and largest m + possible width for each multiplier Gives more known bits: Input: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx m : m + : b i : 1xx11x101x101x101x101x101000xx10xx1. Sliding right into disaster - Left-to-right sliding windows leak 15
52 Revisiting multiplier locations Idea: keep track of the possible widths for each multiplication Suppose multiplication at position i = 5 and w = 4 Case 1: x1xx1xxxxx, multiplier width: 4 Case 2: xx1x10xxxx, multiplier width: 3 Case 3: xxx1100xxx, multiplier width: 2 Case 4: xxxx1000xx, multiplier width: 1 Key idea: multipliers do not overlap! Retrieve smallest m and largest m + possible width for each multiplier Gives more known bits: Input: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx m : m + : b i : 1xx11x101x101x101x101x101000xx10xx1. Is this the best we can do? Yes! Sliding right into disaster - Left-to-right sliding windows leak 15
53 Heninger-Shacham key-recovery attack Give random bits of d p = d mod (p 1) and d q = d mod (q 1), how to recover the remainders? Sliding right into disaster - Left-to-right sliding windows leak 16
54 Heninger-Shacham key-recovery attack Give random bits of d p = d mod (p 1) and d q = d mod (q 1), how to recover the remainders? Branch and prune over candidate keys using RSA equations: ed p = 1 + k p (p 1) ed q = 1 + k q (q 1) with k p, k q < e. k p, k q initially unknown, but related via (k p 1)(k q 1) k p k q N mod e Try at most e pairs of k p, k q Incorrect values for k p, k q quickly give no solutions Sliding right into disaster - Left-to-right sliding windows leak 16
55 Heninger-Shacham key-recovery attack Give random bits of d p = d mod (p 1) and d q = d mod (q 1), how to recover the remainders? At i th least significant bit, we have generated candidate solutions for bits 0,..., i 1, and then verify that: ed p = 1 + k p (p 1) mod 2 i ed q = 1 + k q (q 1) mod 2 i pq = N mod 2 i Prune a candidate solution if it does not satisfy equations Heuristically, this is efficient if > 50% of the bits are known Sliding right into disaster - Left-to-right sliding windows leak 16
56 Applying Heninger-Shacham after bitrecovery rules Conform Libgcrypt s implementation of RSA-1024: n = 512, w = 4, we recovered > 50% of the bits in 32% of the time Conform Libgcrypt s implementation of RSA-2048: n = 1024, w = 5, 50% was out of reach Sliding right into disaster - Left-to-right sliding windows leak 17
57 Applying Heninger-Shacham after bitrecovery rules Conform Libgcrypt s implementation of RSA-1024: n = 512, w = 4, we recovered > 50% of the bits in 32% of the time Conform Libgcrypt s implementation of RSA-2048: n = 1024, w = 5, 50% was out of reach Is this the best we can do? No! Sliding right into disaster - Left-to-right sliding windows leak 17
58 Direct pruning from SM-sequence Idea: prune based on Square and Multiply sequence of candidates! Given S p, S q {s, m} as ground truth sequence for d p, d q Let SM(d) = Σ be the function that maps a bit string d to its Square and Multiply sequence Σ {s, m} Sliding right into disaster - Left-to-right sliding windows leak 18
59 Direct pruning from SM-sequence Idea: prune based on Square and Multiply sequence of candidates! Given S p, S q {s, m} as ground truth sequence for d p, d q Let SM(d) = Σ be the function that maps a bit string d to its Square and Multiply sequence Σ {s, m} Basically the same as original Heninger-Shacham Also test i-bit candidate d i by comparing Σ = SM(d i ) from position 0 through i 1 of S p, S q Prune d i if it does not match Sliding right into disaster - Left-to-right sliding windows leak 18
60 Direct pruning from SM-sequence Idea: prune based on Square and Multiply sequence of candidates! Given S p, S q {s, m} as ground truth sequence for d p, d q Let SM(d) = Σ be the function that maps a bit string d to its Square and Multiply sequence Σ {s, m} Basically the same as original Heninger-Shacham Also test i-bit candidate d i by comparing Σ = SM(d i ) from position 0 through i 1 of S p, S q Prune d i if it does not match Better results: uses information not directly translatable to bits Is this the best we can do? Yes! Sliding right into disaster - Left-to-right sliding windows leak 18
61 Summary of results for RSA-1024 right-to-left left-to-right (known bits) left-to-right (self-information) Distribution of information recovered (w = 4) Direct pruning allows to recover RSA-2048 bit keys 13% of the time Sliding right into disaster - Left-to-right sliding windows leak 19
62 Attacking Libgcrypt Demonstrated vulnerability in Libgcrypt (fixed in version 1.7.8) Flush+Reload cache-attack using Mastik toolkit Read Time (cycles) Multiplication Multiplier selection Exponentiation loop Sample Number Libgcrypt Activity Trace Sliding right into disaster - Left-to-right sliding windows leak 20
63 A lot more in the paper! Theoretical analysis of bit-recovery rules using Renewal Reward processes Theoretical analysis of direct pruning using self-information and collision entropy More experimental results and details Full version online: Sliding right into disaster - Left-to-right sliding windows leak 21
64 Be careful when sliding right... Questions? Sliding right into disaster - Left-to-right sliding windows leak 22
Sliding right into disaster: Left-to-right sliding windows leak
Sliding right into disaster: Left-to-right sliding windows leak Full version Daniel J. Bernstein 2, Joachim Breitner 3, Daniel Genkin 3,4, Leon Groot Bruinderink 1, Nadia Heninger 3, Tanja Lange 1, Christine
More informationRSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer
RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis Daniel Genkin, Adi Shamir, Eran Tromer Mathematical Attacks Input Crypto Algorithm Key Output Goal: recover the key given access to the inputs
More informationSide Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents
Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents Santanu Sarkar and Subhamoy Maitra Leuven, Belgium 12 September, 2012 Outline of the Talk RSA Cryptosystem
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationIn fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.
Attacks on RSA, some using LLL Recall RSA: N = pq hard to factor. Choose e with gcd(e,φ(n)) = 1, where φ(n) = (p 1)(q 1). Via extended Euclid, find d with ed 1 (mod φ(n)). Discard p and q. Public key is
More informationNumber Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers
Number Theory: Applications Number Theory Applications Computer Science & Engineering 235: Discrete Mathematics Christopher M. Bourke cbourke@cse.unl.edu Results from Number Theory have many applications
More informationNotes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I
Number Theory: Applications Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry Fall 2007 Computer Science & Engineering 235 Introduction to Discrete Mathematics Sections 3.4 3.7 of Rosen cse235@cse.unl.edu
More informationLattice-Based Fault Attacks on RSA Signatures
Lattice-Based Fault Attacks on RSA Signatures Mehdi Tibouchi École normale supérieure Workshop on Applied Cryptography, Singapore, 2010-12-03 Gist of this talk Review a classical attack on RSA signatures
More informationA DPA attack on RSA in CRT mode
A DPA attack on RSA in CRT mode Marc Witteman Riscure, The Netherlands 1 Introduction RSA is the dominant public key cryptographic algorithm, and used in an increasing number of smart card applications.
More informationRSA meets DPA: Recovering RSA Secret Keys from Noisy Analog Data
RSA meets DPA: Recovering RSA Secret Keys from Noisy Analog Data Noboru Kunihiro and Junya Honda The University of Tokyo, Japan September 25th, 2014 The full version is available from http://eprint.iacr.org/2014/513.
More informationPublic Key Algorithms
Public Key Algorithms Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/
More informationEfficient Application of Countermeasures for Elliptic Curve Cryptography
Efficient Application of Countermeasures for Elliptic Curve Cryptography Vladimir Soukharev, Ph.D. Basil Hess, Ph.D. InfoSec Global Inc. May 19, 2017 Outline Introduction Brief Summary of ECC Arithmetic
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationIntegers and Division
Integers and Division Notations Z: set of integers N : set of natural numbers R: set of real numbers Z + : set of positive integers Some elements of number theory are needed in: Data structures, Random
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationIntroduction to Public-Key Cryptosystems:
Introduction to Public-Key Cryptosystems: Technical Underpinnings: RSA and Primality Testing Modes of Encryption for RSA Digital Signatures for RSA 1 RSA Block Encryption / Decryption and Signing Each
More information1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2
Contents 1 Recommended Reading 1 2 Public Key/Private Key Cryptography 1 2.1 Overview............................................. 1 2.2 RSA Algorithm.......................................... 2 3 A Number
More informationCSE 521: Design and Analysis of Algorithms I
CSE 521: Design and Analysis of Algorithms I Randomized Algorithms: Primality Testing Paul Beame 1 Randomized Algorithms QuickSelect and Quicksort Algorithms random choices make them fast and simple but
More informationPractical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits
Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits Damien Vergnaud École normale supérieure CHES September, 15th 2015 (with Aurélie Bauer) Damien Vergnaud
More informationSecurity II: Cryptography exercises
Security II: Cryptography exercises Markus Kuhn Lent 2015 Part II Some of the exercises require the implementation of short programs. The model answers use Perl (see Part IB Unix Tools course), but you
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationNumbers. Çetin Kaya Koç Winter / 18
Çetin Kaya Koç http://koclab.cs.ucsb.edu Winter 2016 1 / 18 Number Systems and Sets We represent the set of integers as Z = {..., 3, 2, 1,0,1,2,3,...} We denote the set of positive integers modulo n as
More informationIntroduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes
Introduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 03 13 More
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More informationCosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks
1 Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks Michael Albert michael.albert@cs.otago.ac.nz 2 This week Arithmetic Knapsack cryptosystems Attacks on knapsacks Some
More informationDigital signature schemes
Digital signature schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction digital signature scheme security of digital
More informationAttacks on RSA & Using Asymmetric Crypto
Attacks on RSA & Using Asymmetric Crypto Luke Anderson luke@lukeanderson.com.au 7 th April 2017 University Of Sydney Overview 1. Crypto-Bulletin 2. Breaking RSA 2.1 Chinese Remainder Theorem 2.2 Common
More informationSide-channel attacks on PKC and countermeasures with contributions from PhD students
basics Online Side-channel attacks on PKC and countermeasures (Tutorial @SPACE2016) with contributions from PhD students Lejla Batina Institute for Computing and Information Sciences Digital Security Radboud
More informationPublic-key cryptography and the Discrete-Logarithm Problem. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J.
Public-key cryptography and the Discrete-Logarithm Problem Tanja Lange Technische Universiteit Eindhoven with some slides by Daniel J. Bernstein Cryptography Let s understand what our browsers do. Schoolbook
More informationRSA. Ramki Thurimella
RSA Ramki Thurimella Public-Key Cryptography Symmetric cryptography: same key is used for encryption and decryption. Asymmetric cryptography: different keys used for encryption and decryption. Public-Key
More informationThéorie de l'information et codage. Master de cryptographie Cours 10 : RSA. 20,23 et 27 mars Université Rennes 1
Théorie de l'information et codage Master de cryptographie Cours 10 : RSA 20,23 et 27 mars 2009 Université Rennes 1 Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 1
More informationMcBits: Fast code-based cryptography
McBits: Fast code-based cryptography Peter Schwabe Radboud University Nijmegen, The Netherlands Joint work with Daniel Bernstein, Tung Chou December 17, 2013 IMA International Conference on Cryptography
More informationCOMP424 Computer Security
COMP424 Computer Security Prof. Wiegley jeffw@csun.edu Rivest, Shamir & Adelman (RSA) Implementation 1 Relatively prime Prime: n, is prime if its only two factors are 1 and n. (and n 1). Relatively prime:
More informationMessage Authentication Codes (MACs)
Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands October 8, 2015 1 / 22 About Me 2 / 22 About Me Tung Chou (Tony) 2 / 22 About Me Tung Chou (Tony) Ph.D.
More informationNumber Theory A focused introduction
Number Theory A focused introduction This is an explanation of RSA public key cryptography. We will start from first principles, but only the results that are needed to understand RSA are given. We begin
More information10 Public Key Cryptography : RSA
10 Public Key Cryptography : RSA 10.1 Introduction The idea behind a public-key system is that it might be possible to find a cryptosystem where it is computationally infeasible to determine d K even if
More informationBranch Prediction based attacks using Hardware performance Counters IIT Kharagpur
Branch Prediction based attacks using Hardware performance Counters IIT Kharagpur March 19, 2018 Modular Exponentiation Public key Cryptography March 19, 2018 Branch Prediction Attacks 2 / 54 Modular Exponentiation
More informationOn the Design of Rebalanced RSA-CRT
On the Design of Rebalanced RSA-CRT Hung-Min Sun 1, M. Jason Hinek 2, Mu-En Wu 3 1, 3 Department of Computer Science National Tsing Hua University, Hsinchu, Taiwan 300 E-mail: 1 hmsun@cs.nthu.edu.tw; 3
More informationIntroduction to Cryptology. Lecture 20
Introduction to Cryptology Lecture 20 Announcements HW9 due today HW10 posted, due on Thursday 4/30 HW7, HW8 grades are now up on Canvas. Agenda More Number Theory! Our focus today will be on computational
More informationElliptic Curve Cryptography and Security of Embedded Devices
Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Mathématiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography
More informationICS141: Discrete Mathematics for Computer Science I
ICS141: Discrete Mathematics for Computer Science I Dept. Information & Computer Sci., Jan Stelovsky based on slides by Dr. Baek and Dr. Still Originals by Dr. M. P. Frank and Dr. J.L. Gross Provided by
More informationLecture 22: RSA Encryption. RSA Encryption
Lecture 22: Recall: RSA Assumption We pick two primes uniformly and independently at random p, q $ P n We define N = p q We shall work over the group (Z N, ), where Z N is the set of all natural numbers
More informationPost-quantum RSA. We built a great, great 1-terabyte RSA wall, and we had the university pay for the electricity
We built a great, great 1-terabyte RSA wall, and we had the university pay for the electricity Daniel J. Bernstein Joint work with: Nadia Heninger Paul Lou Luke Valenta The referees are questioning applicability...
More informationYALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 13 (rev. 2) Professor M. J. Fischer October 22, 2008 53 Chinese Remainder Theorem Lecture Notes 13 We
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA Public Key Encryption Factoring Algorithms Lecture 7 Tel-Aviv University Revised March 1st, 2008 Reminder: The Prime Number Theorem Let π(x) denote the
More informationSignatures and DLP-I. Tanja Lange Technische Universiteit Eindhoven
Signatures and DLP-I Tanja Lange Technische Universiteit Eindhoven How to compute ap Use binary representation of a to compute a(x; Y ) in blog 2 ac doublings and at most that many additions. E.g. a =
More informationCryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg
Course 1: Remainder: RSA Université du Luxembourg September 21, 2010 Public-key encryption Public-key encryption: two keys. One key is made public and used to encrypt. The other key is kept private and
More informationRSA RSA public key cryptosystem
RSA 1 RSA As we have seen, the security of most cipher systems rests on the users keeping secret a special key, for anyone possessing the key can encrypt and/or decrypt the messages sent between them.
More informationExam Security January 19, :30 11:30
Exam Security January 19, 2016. 8:30 11:30 You can score a maximum of 100. Each question indicates how many it is worth. You are NOT allowed to use books or notes, or a (smart) phone. You may answer in
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes Lecture 8 Tel-Aviv University
More informationAddition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?
Ch - Algorithms with numbers Addition Basic arithmetic Addition ultiplication Division odular arithmetic factoring is hard Primality testing 53+35=88 Cost? (n number of bits) O(n) ultiplication al-khwārizmī
More informationCOMS W4995 Introduction to Cryptography October 12, Lecture 12: RSA, and a summary of One Way Function Candidates.
COMS W4995 Introduction to Cryptography October 12, 2005 Lecture 12: RSA, and a summary of One Way Function Candidates. Lecturer: Tal Malkin Scribes: Justin Cranshaw and Mike Verbalis 1 Introduction In
More informationApplied Cryptography and Computer Security CSE 664 Spring 2018
Applied Cryptography and Computer Security Lecture 12: Introduction to Number Theory II Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline This time we ll finish the
More informationMa/CS 6a Class 4: Primality Testing
Ma/CS 6a Class 4: Primality Testing By Adam Sheffer Reminder: Euler s Totient Function Euler s totient φ(n) is defined as follows: Given n N, then φ n = x 1 x < n and GCD x, n = 1. In more words: φ n is
More informationPublic Key Algorithms
1 Public Key Algorithms ffl hash: irreversible transformation(message) ffl secret key: reversible transformation(block) encryption digital signatures authentication RSA yes yes yes El Gamal no yes no Zero-knowledge
More informationCorrecting Errors in Private Keys Obtained from Cold Boot Attacks
Correcting Errors in Private Keys Obtained from Cold Boot Attacks Hyung Tae Lee, HongTae Kim, Yoo-Jin Baek, and Jung Hee Cheon ISaC & Department of Mathmathical Sciences, SNU 2011. 11. 30. 1 / 17 Contents
More informationIntroduction to Cybersecurity Cryptography (Part 5)
Introduction to Cybersecurity Cryptography (Part 5) Prof. Dr. Michael Backes 13.01.2017 February 17 th Special Lecture! 45 Minutes Your Choice 1. Automotive Security 2. Smartphone Security 3. Side Channel
More informationRainbow Tables ENEE 457/CMSC 498E
Rainbow Tables ENEE 457/CMSC 498E How are Passwords Stored? Option 1: Store all passwords in a table in the clear. Problem: If Server is compromised then all passwords are leaked. Option 2: Store only
More informationPartial Key Exposure: Generalized Framework to Attack RSA
Partial Key Exposure: Generalized Framework to Attack RSA Cryptology Research Group Indian Statistical Institute, Kolkata 12 December 2011 Outline of the Talk 1 RSA - A brief overview 2 Partial Key Exposure
More informationThe security of RSA (part 1) The security of RSA (part 1)
The modulus n and its totient value φ(n) are known φ(n) = p q (p + q) + 1 = n (p + q) + 1 The modulus n and its totient value φ(n) are known φ(n) = p q (p + q) + 1 = n (p + q) + 1 i.e. q = (n φ(n) + 1)
More informationTHE CUBIC PUBLIC-KEY TRANSFORMATION*
CIRCUITS SYSTEMS SIGNAL PROCESSING c Birkhäuser Boston (2007) VOL. 26, NO. 3, 2007, PP. 353 359 DOI: 10.1007/s00034-006-0309-x THE CUBIC PUBLIC-KEY TRANSFORMATION* Subhash Kak 1 Abstract. This note proposes
More informationFormal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers
Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers Sarani Bhattacharya and Debdeep Mukhopadhyay Indian Institute of Technology Kharagpur PROOFS 2016 August
More informationLecture V : Public Key Cryptography
Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional
More informationChapter 4 Public Key Cryptology - Part I
Chapter 4 Public Key Cryptology - Part I February 15, 2010 4 The concept of public key cryptology (PKC) emerged in the early 1970 s in the British Government s communications center CESG, Cheltenham. (See
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 9 September 30, 2015 CPSC 467, Lecture 9 1/47 Fast Exponentiation Algorithms Number Theory Needed for RSA Elementary Number Theory
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 6, 2012 CPSC 467b, Lecture 9 1/53 Euler s Theorem Generating RSA Modulus Finding primes by guess and check Density of
More informationLecture 15 & 16: Trapdoor Permutations, RSA, Signatures
CS 7810 Graduate Cryptography October 30, 2017 Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures Lecturer: Daniel Wichs Scribe: Willy Quach & Giorgos Zirdelis 1 Topic Covered. Trapdoor Permutations.
More informationSide Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents
Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents Santanu Sarkar and Subhamoy Maitra Applied Statistics Unit, Indian Statistical Institute, 203 B. T. Road,
More informationCryptography CS 555. Topic 24: Finding Prime Numbers, RSA
Cryptography CS 555 Topic 24: Finding Prime Numbers, RSA 1 Recap Number Theory Basics Abelian Groups φφ pppp = pp 1 qq 1 for distinct primes p and q φφ NN = Z N gg xx mod N = gg [xx mmmmmm φφ NN ] mod
More informationcse 311: foundations of computing Fall 2015 Lecture 12: Primes, GCD, applications
cse 311: foundations of computing Fall 2015 Lecture 12: Primes, GCD, applications n-bit unsigned integer representation Represent integer x as sum of powers of 2: If x = n 1 i=0 b i 2 i where each b i
More informationReconstruction and Error Correction of RSA Secret Parameters from the MSB Side
Reconstruction and Error Correction of RSA Secret Parameters from the MSB Side Sarkar Santanu, Gupta Sourav Sen, Maitra Subhamoy To cite this version: Sarkar Santanu, Gupta Sourav Sen, Maitra Subhamoy.
More informationbasics of security/cryptography
RSA Cryptography basics of security/cryptography Bob encrypts message M into ciphertext C=P(M) using a public key; Bob sends C to Alice Alice decrypts ciphertext back into M using a private key (secret)
More informationAttacks on hash functions. Birthday attacks and Multicollisions
Attacks on hash functions Birthday attacks and Multicollisions Birthday Attack Basics In a group of 23 people, the probability that there are at least two persons on the same day in the same month is greater
More informationDiscrete Mathematics GCD, LCM, RSA Algorithm
Discrete Mathematics GCD, LCM, RSA Algorithm Abdul Hameed http://informationtechnology.pk/pucit abdul.hameed@pucit.edu.pk Lecture 16 Greatest Common Divisor 2 Greatest common divisor The greatest common
More informationPseudo-random Number Generation. Qiuliang Tang
Pseudo-random Number Generation Qiuliang Tang Random Numbers in Cryptography The keystream in the one-time pad The secret key in the DES encryption The prime numbers p, q in the RSA encryption The private
More information( c ) E p s t e i n, C a r t e r a n d B o l l i n g e r C h a p t e r 1 7 : I n f o r m a t i o n S c i e n c e P a g e 1
( c ) E p s t e i n, C a r t e r a n d B o l l i n g e r 2 0 1 6 C h a p t e r 1 7 : I n f o r m a t i o n S c i e n c e P a g e 1 CHAPTER 17: Information Science In this chapter, we learn how data can
More informationContinuing discussion of CRC s, especially looking at two-bit errors
Continuing discussion of CRC s, especially looking at two-bit errors The definition of primitive binary polynomials Brute force checking for primitivity A theorem giving a better test for primitivity Fast
More informationNumber theory (Chapter 4)
EECS 203 Spring 2016 Lecture 12 Page 1 of 8 Number theory (Chapter 4) Review Compute 6 11 mod 13 in an efficient way What is the prime factorization of 100? 138? What is gcd(100, 138)? What is lcm(100,138)?
More informationPublic Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.
Public Key Cryptography All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other. The thing that is common among all of them is that each
More informationCryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95
Cryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95 Jean-Sébastien Coron and David Naccache Gemplus Card International 34 rue Guynemer, 92447 Issy-les-Moulineaux, France {jean-sebastien.coron,
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationCryptography. pieces from work by Gordon Royle
Cryptography pieces from work by Gordon Royle The set-up Cryptography is the mathematics of devising secure communication systems, whereas cryptanalysis is the mathematics of breaking such systems. We
More informationCPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems
CPE 776:DATA SECURITY & CRYPTOGRAPHY Some Number Theory and Classical Crypto Systems Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Some Number Theory
More informationb = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.
INTRODUCTION TO CRYPTOGRAPHY 5. Discrete Logarithms Recall the classical logarithm for real numbers: If we write b = 10 a, then a = log 10 b is the logarithm of b to the base 10. Changing the base to e
More informationDigital Signature Schemes and the Random Oracle Model. A. Hülsing
Digital Signature Schemes and the Random Oracle Model A. Hülsing Today s goal Review provable security of in use signature schemes. (PKCS #1 v2.x) PAGE 1 Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/dsa.jpg
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationTHE RSA ENCRYPTION SCHEME
THE RSA ENCRYPTION SCHEME Contents 1. The RSA Encryption Scheme 2 1.1. Advantages over traditional coding methods 3 1.2. Proof of the decoding procedure 4 1.3. Security of the RSA Scheme 4 1.4. Finding
More informationSecurity Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography
Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationBreaking Plain ElGamal and Plain RSA Encryption
Breaking Plain ElGamal and Plain RSA Encryption (Extended Abstract) Dan Boneh Antoine Joux Phong Nguyen dabo@cs.stanford.edu joux@ens.fr pnguyen@ens.fr Abstract We present a simple attack on both plain
More informationLecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures
Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle
More informationEfficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves
Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves SESSION ID: CRYP-T07 Patrick Longa Microsoft Research http://research.microsoft.com/en-us/people/plonga/
More informationCryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1
Cryptography CS 555 Topic 18: RSA Implementation and Security Topic 18 1 Outline and Readings Outline RSA implementation issues Factoring large numbers Knowing (e,d) enables factoring Prime testing Readings:
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More informationChapter 4 Asymmetric Cryptography
Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman [NetSec/SysSec], WS 2008/2009 4.1 Asymmetric Cryptography General idea: Use two different keys -K and +K for
More informationAsymmetric Cryptography
Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman General idea: Use two different keys -K and +K for encryption and decryption Given a
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationCodes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII
Codes and Cryptography MAMME, Fall 2015 PART XII Outline 1 Symmetric Encryption (II) 2 Construction Strategies Construction Strategies Stream ciphers: For arbitrarily long messages (e.g., data streams).
More information