Sliding right into disaster - Left-to-right sliding windows leak
Size: px
Start display at page:

Download "Sliding right into disaster - Left-to-right sliding windows leak"

Transcription

1 Sliding right into disaster - Left-to-right sliding windows leak Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal and Yuval Yarom November 17th, 2017 Sliding right into disaster - Left-to-right sliding windows leak 1

2 Side-channel attacks on RSA Side-channel attacks on RSA: modular exponentiation Constant-time implementations cannot use sliding windows Common belief: sliding windows do not leak enough for key recovery Sliding right into disaster - Left-to-right sliding windows leak 2

3 This work We show that right-to-left sliding window method does not leak enough Sliding right into disaster - Left-to-right sliding windows leak 3

4 This work We show that right-to-left sliding window method does not leak enough We show that left-to-right sliding window method does leak enough Two methods to extract information from square and multiply sequence Demonstrated real-world applicability by attacking Libgcrypt We analyze the reasons why left-to-right leaks more than right-to-left Sliding right into disaster - Left-to-right sliding windows leak 3

5 Cache Timing Attacks Sliding right into disaster - Left-to-right sliding windows leak 4

6 Cache (Timing) Attacks Cache-memory: small, fast memory shared among all threads. Bridge the gap between processor speed and memory speed. Data is stored in cache-lines, typically 64 Bytes. L1 Cache Thread 1 Thread 2 Thread 3 Sliding right into disaster - Left-to-right sliding windows leak 5

7 Cache (Timing) Attacks Attacker fills specific cache lines with his data. Cache Memory Attacker Data Victim Data Sliding right into disaster - Left-to-right sliding windows leak 5

8 Cache (Timing) Attacks Attacker notices that victim uses some part of cache. Learns cache-line of data used by victim. Cache Memory Attacker Data Victim Data Victim Table Sliding right into disaster - Left-to-right sliding windows leak 5

9 RSA Sliding right into disaster - Left-to-right sliding windows leak 6

10 RSA signatures Keygen: Public key (e, N) where N = pq for primes p, q Secret key (d, p, q) where ed 1 mod φ(n) and φ(n) = (p 1)(q 1) Sliding right into disaster - Left-to-right sliding windows leak 7

11 RSA signatures Keygen: Public key (e, N) where N = pq for primes p, q Secret key (d, p, q) where ed 1 mod φ(n) and φ(n) = (p 1)(q 1) Sign and verify: Let H be a padded secure hash-function Signature: s of message m: s = H(m) d mod N Verification: compute z = s e mod N and verify z? = H(m) Sliding right into disaster - Left-to-right sliding windows leak 7

12 RSA signatures Keygen: Public key (e, N) where N = pq for primes p, q Secret key (d, p, q) where ed 1 mod φ(n) and φ(n) = (p 1)(q 1) Sign and verify: CRT: Let H be a padded secure hash-function Signature: s of message m: s = H(m) d mod N Verification: compute z = s e mod N and verify z? = H(m) Common optimization based on Chinese Remainder Theorem (CRT) Compute s p H(m) dp mod p and s q H(m) dq mod q Combine to s using CRT Sliding right into disaster - Left-to-right sliding windows leak 7

13 Sliding-window method Implement modular exponentiation using sliding-windows Window size w, sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i for d i = 0 or odd 1 d i 2 w 1 In general, compute b d mod p as follows: Sliding right into disaster - Left-to-right sliding windows leak 8

14 Sliding-window method Implement modular exponentiation using sliding-windows Window size w, sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i for d i = 0 or odd 1 d i 2 w 1 In general, compute b d mod p as follows: 1 Precompute small, odd powers of b mod p (i.e. b mod p, b 3 mod p,..., b 2w 1 mod p). Sliding right into disaster - Left-to-right sliding windows leak 8

15 Sliding-window method Implement modular exponentiation using sliding-windows Window size w, sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i for d i = 0 or odd 1 d i 2 w 1 In general, compute b d mod p as follows: 1 Precompute small, odd powers of b mod p (i.e. b mod p, b 3 mod p,..., b 2w 1 mod p). 2 Set a = 1 3 For i n 1 to 0: 4 a = a a mod p (Square) 5 If d i 0: 6 a = a b d i mod p (Multiply) 7 Return a Sliding right into disaster - Left-to-right sliding windows leak 8

16 Sliding-window method Implement modular exponentiation using sliding-windows Window size w, sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i for d i = 0 or odd 1 d i 2 w 1 In general, compute b d mod p as follows: 1 Precompute small, odd powers of b mod p (i.e. b mod p, b 3 mod p,..., b 2w 1 mod p). 2 Set a = 1 3 For i n 1 to 0: 4 a = a a mod p (Square) 5 If d i 0: 6 a = a b d i mod p (Multiply) 7 Return a This leaks a Square and Multiply Sequence For sufficiently large w, too many options to try Sliding right into disaster - Left-to-right sliding windows leak 8

17 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Sliding right into disaster - Left-to-right sliding windows leak 9

18 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Right-to-left Windowed form Binary form Sliding right into disaster - Left-to-right sliding windows leak 9

19 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Right-to-left Windowed form Binary form Sliding right into disaster - Left-to-right sliding windows leak 9

20 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Right-to-left Windowed form Binary form Sliding right into disaster - Left-to-right sliding windows leak 9

21 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Right-to-left Windowed form Binary form Sliding right into disaster - Left-to-right sliding windows leak 9

22 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Right-to-left Windowed form Binary form Sliding right into disaster - Left-to-right sliding windows leak 9

23 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Right-to-left Windowed form Binary form Leaking on average a fraction of 2 w+1 bits Sliding right into disaster - Left-to-right sliding windows leak 9

24 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Left-to-right Windowed form Binary form Sliding right into disaster - Left-to-right sliding windows leak 9

25 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Left-to-right Windowed form Binary form Sliding right into disaster - Left-to-right sliding windows leak 9

26 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Left-to-right Windowed form 1 Binary form Sliding right into disaster - Left-to-right sliding windows leak 9

27 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Left-to-right Windowed form 1 0 Binary form Sliding right into disaster - Left-to-right sliding windows leak 9

28 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Left-to-right Windowed form Binary form Sliding right into disaster - Left-to-right sliding windows leak 9

29 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Left-to-right Windowed form Binary form Sliding right into disaster - Left-to-right sliding windows leak 9

30 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Left-to-right Windowed form Binary form Sliding right into disaster - Left-to-right sliding windows leak 9

31 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Left-to-right Windowed form Binary form Sliding right into disaster - Left-to-right sliding windows leak 9

32 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Left-to-right Windowed form Binary form Sliding right into disaster - Left-to-right sliding windows leak 9

33 Sliding-window form How to compute sliding-window form d n 1... d 0 s.t. d = n 1 i=0 d i2 i Example with w = 4, d = 9059 = Left-to-right Windowed form Binary form Enables on-the-fly encoding and exponentiation Not obvious how many bits are leaking... Sliding right into disaster - Left-to-right sliding windows leak 9

34 Sliding Right versus Sliding Left Analysis Sliding right into disaster - Left-to-right sliding windows leak 10

35 First observations Right-to-left: guaranteed w 1 zero indices after non-zero index Left-to-right: two non-zero indices can be as close as adjacent This allows for many more recovered bits from Square and Multiply sequence First method: deduce more known bits from 4 bit recovery rules Second method: uses knowledge not directly translatable to known bits Sliding right into disaster - Left-to-right sliding windows leak 11

36 Applying bit recovery rules d = 9059 S = smssssssssmsmssssssm with w = 4 Convert sm x, s x D 1 = xxxxxxxxxxxxxx Sliding right into disaster - Left-to-right sliding windows leak 12

37 Applying bit recovery rules d = 9059 S = smssssssssmsmssssssm with w = 4 Convert sm x, s x D 1 = xxxxxxxxxxxxxx Rule 0: Multiplication bits x 1 D 2 = 1xxxxxx11xxxx1 Sliding right into disaster - Left-to-right sliding windows leak 12

38 Applying bit recovery rules d = 9059 S = smssssssssmsmssssssm with w = 4 Convert sm x, s x D 1 = xxxxxxxxxxxxxx Rule 0: Multiplication bits x 1 D 2 = 1xxxxxx11xxxx1 Rule 1: Trailing zeros 1x i 1x w i 1 1x i 10 w i 1 D 3 = 1xxxxxx11000x1 Sliding right into disaster - Left-to-right sliding windows leak 12

39 Applying bit recovery rules d = 9059 S = smssssssssmsmssssssm with w = 4 Convert sm x, s x D 1 = xxxxxxxxxxxxxx Rule 0: Multiplication bits x 1 D 2 = 1xxxxxx11xxxx1 Rule 1: Trailing zeros 1x i 1x w i 1 1x i 10 w i 1 D 3 = 1xxxxxx11000x1 Rule 2: Leading one xxx11 1xx11 D 4 = 1xxx1xx11000x1 Sliding right into disaster - Left-to-right sliding windows leak 12

40 Applying bit recovery rules d = 9059 S = smssssssssmsmssssssm with w = 4 Convert sm x, s x D 1 = xxxxxxxxxxxxxx Rule 0: Multiplication bits x 1 D 2 = 1xxxxxx11xxxx1 Rule 1: Trailing zeros 1x i 1x w i 1 1x i 10 w i 1 D 3 = 1xxxxxx11000x1 Rule 2: Leading one xxx11 1xx11 D 4 = 1xxx1xx11000x1 Rule 3: Leading zeros 1x i x w i x w 1 1 D 5 = 10001xx11000x1 Sliding right into disaster - Left-to-right sliding windows leak 12

41 Results of using bit recovery rules Conform Libgcrypt s implementation of RSA-1024: n = 512, w = 4 Rule 0 Rule 1 Rule 2 Rule Distribution of number of recovered bits per rule Sliding right into disaster - Left-to-right sliding windows leak 13

42 Results of using bit recovery rules Conform Libgcrypt s implementation of RSA-1024: n = 512, w = 4 Rule 0 Rule 1 Rule 2 Rule Distribution of number of recovered bits per rule Is this the best we can do? No! Sliding right into disaster - Left-to-right sliding windows leak 13

43 A small example where bitrecovery misses a bit of bits Example with d = and w = 4 S = smsssmssssmssssmssssmssssmssmssssssmssssm Sliding right into disaster - Left-to-right sliding windows leak 14

44 A small example where bitrecovery misses a bit of bits Example with d = and w = 4 S = smsssmssssmssssmssssmssssmssmssssssmssssm After applying rules 0-3, we get: 1xx10xx1xxx1xxx1xxx1x100xxx1xxx1 a c e b d Sliding right into disaster - Left-to-right sliding windows leak 14

45 A small example where bitrecovery misses a bit of bits Example with d = and w = 4 S = smsssmssssmssssmssssmssssmssmssssssmssssm After applying rules 0-3, we get: 1xx10xx1xxx1xxx1xxx1x100xxx1xxx1 a b c d e Let s try x = 0: 1xx10xx1x0x1xxx1xxx1x100xxx1xxx1 a c e b d Sliding right into disaster - Left-to-right sliding windows leak 14

46 A small example where bitrecovery misses a bit of bits Example with d = and w = 4 S = smsssmssssmssssmssssmssssmssmssssssmssssm After applying rules 0-3, we get: 1xx10xx1xxx1xxx1xxx1x100xxx1xxx1 a b c d e Let s try x = 0: 1xx10xx1x0x100x1xxx1x100xxx1xxx1 a c e b d Sliding right into disaster - Left-to-right sliding windows leak 14

47 A small example where bitrecovery misses a bit of bits Example with d = and w = 4 S = smsssmssssmssssmssssmssssmssmssssssmssssm After applying rules 0-3, we get: 1xx10xx1xxx1xxx1xxx1x100xxx1xxx1 a b c d e Let s try x = 0: 1xx10xx1x0x100x100x1x100xxx1xxx1 a c e b d Sliding right into disaster - Left-to-right sliding windows leak 14

48 A small example where bitrecovery misses a bit of bits Example with d = and w = 4 S = smsssmssssmssssmssssmssssmssmssssssmssssm After applying rules 0-3, we get: 1xx10xx1xxx1xxx1xxx1x100xxx1xxx1 a b c d e x has to be a 1! These events are rare, but require a more iterative approach Sliding right into disaster - Left-to-right sliding windows leak 14

49 Revisiting multiplier locations Idea: keep track of the possible widths for each multiplication Suppose multiplication at position i = 5 and w = 4 Case 1: x1xx1xxxxx, multiplier width: 4 Case 2: xx1x10xxxx, multiplier width: 3 Case 3: xxx1100xxx, multiplier width: 2 Case 4: xxxx1000xx, multiplier width: 1 Sliding right into disaster - Left-to-right sliding windows leak 15

50 Revisiting multiplier locations Idea: keep track of the possible widths for each multiplication Suppose multiplication at position i = 5 and w = 4 Case 1: x1xx1xxxxx, multiplier width: 4 Case 2: xx1x10xxxx, multiplier width: 3 Case 3: xxx1100xxx, multiplier width: 2 Case 4: xxxx1000xx, multiplier width: 1 Key idea: multipliers do not overlap! Retrieve smallest m and largest m + possible width for each multiplier Sliding right into disaster - Left-to-right sliding windows leak 15

51 Revisiting multiplier locations Idea: keep track of the possible widths for each multiplication Suppose multiplication at position i = 5 and w = 4 Case 1: x1xx1xxxxx, multiplier width: 4 Case 2: xx1x10xxxx, multiplier width: 3 Case 3: xxx1100xxx, multiplier width: 2 Case 4: xxxx1000xx, multiplier width: 1 Key idea: multipliers do not overlap! Retrieve smallest m and largest m + possible width for each multiplier Gives more known bits: Input: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx m : m + : b i : 1xx11x101x101x101x101x101000xx10xx1. Sliding right into disaster - Left-to-right sliding windows leak 15

52 Revisiting multiplier locations Idea: keep track of the possible widths for each multiplication Suppose multiplication at position i = 5 and w = 4 Case 1: x1xx1xxxxx, multiplier width: 4 Case 2: xx1x10xxxx, multiplier width: 3 Case 3: xxx1100xxx, multiplier width: 2 Case 4: xxxx1000xx, multiplier width: 1 Key idea: multipliers do not overlap! Retrieve smallest m and largest m + possible width for each multiplier Gives more known bits: Input: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx m : m + : b i : 1xx11x101x101x101x101x101000xx10xx1. Is this the best we can do? Yes! Sliding right into disaster - Left-to-right sliding windows leak 15

53 Heninger-Shacham key-recovery attack Give random bits of d p = d mod (p 1) and d q = d mod (q 1), how to recover the remainders? Sliding right into disaster - Left-to-right sliding windows leak 16

54 Heninger-Shacham key-recovery attack Give random bits of d p = d mod (p 1) and d q = d mod (q 1), how to recover the remainders? Branch and prune over candidate keys using RSA equations: ed p = 1 + k p (p 1) ed q = 1 + k q (q 1) with k p, k q < e. k p, k q initially unknown, but related via (k p 1)(k q 1) k p k q N mod e Try at most e pairs of k p, k q Incorrect values for k p, k q quickly give no solutions Sliding right into disaster - Left-to-right sliding windows leak 16

55 Heninger-Shacham key-recovery attack Give random bits of d p = d mod (p 1) and d q = d mod (q 1), how to recover the remainders? At i th least significant bit, we have generated candidate solutions for bits 0,..., i 1, and then verify that: ed p = 1 + k p (p 1) mod 2 i ed q = 1 + k q (q 1) mod 2 i pq = N mod 2 i Prune a candidate solution if it does not satisfy equations Heuristically, this is efficient if > 50% of the bits are known Sliding right into disaster - Left-to-right sliding windows leak 16

56 Applying Heninger-Shacham after bitrecovery rules Conform Libgcrypt s implementation of RSA-1024: n = 512, w = 4, we recovered > 50% of the bits in 32% of the time Conform Libgcrypt s implementation of RSA-2048: n = 1024, w = 5, 50% was out of reach Sliding right into disaster - Left-to-right sliding windows leak 17

57 Applying Heninger-Shacham after bitrecovery rules Conform Libgcrypt s implementation of RSA-1024: n = 512, w = 4, we recovered > 50% of the bits in 32% of the time Conform Libgcrypt s implementation of RSA-2048: n = 1024, w = 5, 50% was out of reach Is this the best we can do? No! Sliding right into disaster - Left-to-right sliding windows leak 17

58 Direct pruning from SM-sequence Idea: prune based on Square and Multiply sequence of candidates! Given S p, S q {s, m} as ground truth sequence for d p, d q Let SM(d) = Σ be the function that maps a bit string d to its Square and Multiply sequence Σ {s, m} Sliding right into disaster - Left-to-right sliding windows leak 18

59 Direct pruning from SM-sequence Idea: prune based on Square and Multiply sequence of candidates! Given S p, S q {s, m} as ground truth sequence for d p, d q Let SM(d) = Σ be the function that maps a bit string d to its Square and Multiply sequence Σ {s, m} Basically the same as original Heninger-Shacham Also test i-bit candidate d i by comparing Σ = SM(d i ) from position 0 through i 1 of S p, S q Prune d i if it does not match Sliding right into disaster - Left-to-right sliding windows leak 18

60 Direct pruning from SM-sequence Idea: prune based on Square and Multiply sequence of candidates! Given S p, S q {s, m} as ground truth sequence for d p, d q Let SM(d) = Σ be the function that maps a bit string d to its Square and Multiply sequence Σ {s, m} Basically the same as original Heninger-Shacham Also test i-bit candidate d i by comparing Σ = SM(d i ) from position 0 through i 1 of S p, S q Prune d i if it does not match Better results: uses information not directly translatable to bits Is this the best we can do? Yes! Sliding right into disaster - Left-to-right sliding windows leak 18

61 Summary of results for RSA-1024 right-to-left left-to-right (known bits) left-to-right (self-information) Distribution of information recovered (w = 4) Direct pruning allows to recover RSA-2048 bit keys 13% of the time Sliding right into disaster - Left-to-right sliding windows leak 19

62 Attacking Libgcrypt Demonstrated vulnerability in Libgcrypt (fixed in version 1.7.8) Flush+Reload cache-attack using Mastik toolkit Read Time (cycles) Multiplication Multiplier selection Exponentiation loop Sample Number Libgcrypt Activity Trace Sliding right into disaster - Left-to-right sliding windows leak 20

63 A lot more in the paper! Theoretical analysis of bit-recovery rules using Renewal Reward processes Theoretical analysis of direct pruning using self-information and collision entropy More experimental results and details Full version online: Sliding right into disaster - Left-to-right sliding windows leak 21

64 Be careful when sliding right... Questions? Sliding right into disaster - Left-to-right sliding windows leak 22

Similar documents

Sliding right into disaster: Left-to-right sliding windows leak

Sliding right into disaster: Left-to-right sliding windows leak Sliding right into disaster: Left-to-right sliding windows leak Full version Daniel J. Bernstein 2, Joachim Breitner 3, Daniel Genkin 3,4, Leon Groot Bruinderink 1, Nadia Heninger 3, Tanja Lange 1, Christine

More information

RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer

RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis Daniel Genkin, Adi Shamir, Eran Tromer Mathematical Attacks Input Crypto Algorithm Key Output Goal: recover the key given access to the inputs

More information

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents Santanu Sarkar and Subhamoy Maitra Leuven, Belgium 12 September, 2012 Outline of the Talk RSA Cryptosystem

More information

Algorithmic Number Theory and Public-key Cryptography

Algorithmic Number Theory and Public-key Cryptography Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented

More information

In fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.

In fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer. Attacks on RSA, some using LLL Recall RSA: N = pq hard to factor. Choose e with gcd(e,φ(n)) = 1, where φ(n) = (p 1)(q 1). Via extended Euclid, find d with ed 1 (mod φ(n)). Discard p and q. Public key is

More information

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers Number Theory: Applications Number Theory Applications Computer Science & Engineering 235: Discrete Mathematics Christopher M. Bourke cbourke@cse.unl.edu Results from Number Theory have many applications

More information

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I Number Theory: Applications Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry Fall 2007 Computer Science & Engineering 235 Introduction to Discrete Mathematics Sections 3.4 3.7 of Rosen cse235@cse.unl.edu

More information

Lattice-Based Fault Attacks on RSA Signatures

Lattice-Based Fault Attacks on RSA Signatures Lattice-Based Fault Attacks on RSA Signatures Mehdi Tibouchi École normale supérieure Workshop on Applied Cryptography, Singapore, 2010-12-03 Gist of this talk Review a classical attack on RSA signatures

More information

A DPA attack on RSA in CRT mode

A DPA attack on RSA in CRT mode A DPA attack on RSA in CRT mode Marc Witteman Riscure, The Netherlands 1 Introduction RSA is the dominant public key cryptographic algorithm, and used in an increasing number of smart card applications.

More information

RSA meets DPA: Recovering RSA Secret Keys from Noisy Analog Data

RSA meets DPA: Recovering RSA Secret Keys from Noisy Analog Data RSA meets DPA: Recovering RSA Secret Keys from Noisy Analog Data Noboru Kunihiro and Junya Honda The University of Tokyo, Japan September 25th, 2014 The full version is available from http://eprint.iacr.org/2014/513.

More information

Public Key Algorithms

Public Key Algorithms Public Key Algorithms Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/

More information

Efficient Application of Countermeasures for Elliptic Curve Cryptography

Efficient Application of Countermeasures for Elliptic Curve Cryptography Efficient Application of Countermeasures for Elliptic Curve Cryptography Vladimir Soukharev, Ph.D. Basil Hess, Ph.D. InfoSec Global Inc. May 19, 2017 Outline Introduction Brief Summary of ECC Arithmetic

More information

5199/IOC5063 Theory of Cryptology, 2014 Fall

5199/IOC5063 Theory of Cryptology, 2014 Fall 5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.

More information

Public Key Cryptography

Public Key Cryptography Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:

More information

Integers and Division

Integers and Division Integers and Division Notations Z: set of integers N : set of natural numbers R: set of real numbers Z + : set of positive integers Some elements of number theory are needed in: Data structures, Random

More information

1 Number Theory Basics

1 Number Theory Basics ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his

More information

Introduction to Public-Key Cryptosystems:

Introduction to Public-Key Cryptosystems: Introduction to Public-Key Cryptosystems: Technical Underpinnings: RSA and Primality Testing Modes of Encryption for RSA Digital Signatures for RSA 1 RSA Block Encryption / Decryption and Signing Each

More information

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2 Contents 1 Recommended Reading 1 2 Public Key/Private Key Cryptography 1 2.1 Overview............................................. 1 2.2 RSA Algorithm.......................................... 2 3 A Number

More information

CSE 521: Design and Analysis of Algorithms I

CSE 521: Design and Analysis of Algorithms I CSE 521: Design and Analysis of Algorithms I Randomized Algorithms: Primality Testing Paul Beame 1 Randomized Algorithms QuickSelect and Quicksort Algorithms random choices make them fast and simple but

More information

Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits

Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits Damien Vergnaud École normale supérieure CHES September, 15th 2015 (with Aurélie Bauer) Damien Vergnaud

More information

Security II: Cryptography exercises

Security II: Cryptography exercises Security II: Cryptography exercises Markus Kuhn Lent 2015 Part II Some of the exercises require the implementation of short programs. The model answers use Perl (see Part IB Unix Tools course), but you

More information

Lecture 1: Introduction to Public key cryptography

Lecture 1: Introduction to Public key cryptography Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means

More information

Numbers. Çetin Kaya Koç Winter / 18

Numbers. Çetin Kaya Koç Winter / 18 Çetin Kaya Koç http://koclab.cs.ucsb.edu Winter 2016 1 / 18 Number Systems and Sets We represent the set of integers as Z = {..., 3, 2, 1,0,1,2,3,...} We denote the set of positive integers modulo n as

More information

Introduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes

Introduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes Introduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 03 13 More

More information

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today: Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how

More information

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks 1 Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks Michael Albert michael.albert@cs.otago.ac.nz 2 This week Arithmetic Knapsack cryptosystems Attacks on knapsacks Some

More information

Digital signature schemes

Digital signature schemes Digital signature schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction digital signature scheme security of digital

More information

Attacks on RSA & Using Asymmetric Crypto

Attacks on RSA & Using Asymmetric Crypto Attacks on RSA & Using Asymmetric Crypto Luke Anderson luke@lukeanderson.com.au 7 th April 2017 University Of Sydney Overview 1. Crypto-Bulletin 2. Breaking RSA 2.1 Chinese Remainder Theorem 2.2 Common

More information

Side-channel attacks on PKC and countermeasures with contributions from PhD students

Side-channel attacks on PKC and countermeasures with contributions from PhD students basics Online Side-channel attacks on PKC and countermeasures (Tutorial @SPACE2016) with contributions from PhD students Lejla Batina Institute for Computing and Information Sciences Digital Security Radboud

More information

Public-key cryptography and the Discrete-Logarithm Problem. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J.

Public-key cryptography and the Discrete-Logarithm Problem. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J. Public-key cryptography and the Discrete-Logarithm Problem Tanja Lange Technische Universiteit Eindhoven with some slides by Daniel J. Bernstein Cryptography Let s understand what our browsers do. Schoolbook

More information

RSA. Ramki Thurimella

RSA. Ramki Thurimella RSA Ramki Thurimella Public-Key Cryptography Symmetric cryptography: same key is used for encryption and decryption. Asymmetric cryptography: different keys used for encryption and decryption. Public-Key

More information

Théorie de l'information et codage. Master de cryptographie Cours 10 : RSA. 20,23 et 27 mars Université Rennes 1

Théorie de l'information et codage. Master de cryptographie Cours 10 : RSA. 20,23 et 27 mars Université Rennes 1 Théorie de l'information et codage Master de cryptographie Cours 10 : RSA 20,23 et 27 mars 2009 Université Rennes 1 Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 1

More information

McBits: Fast code-based cryptography

McBits: Fast code-based cryptography McBits: Fast code-based cryptography Peter Schwabe Radboud University Nijmegen, The Netherlands Joint work with Daniel Bernstein, Tung Chou December 17, 2013 IMA International Conference on Cryptography

More information

COMP424 Computer Security

COMP424 Computer Security COMP424 Computer Security Prof. Wiegley jeffw@csun.edu Rivest, Shamir & Adelman (RSA) Implementation 1 Relatively prime Prime: n, is prime if its only two factors are 1 and n. (and n 1). Relatively prime:

More information

Message Authentication Codes (MACs)

Message Authentication Codes (MACs) Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands October 8, 2015 1 / 22 About Me 2 / 22 About Me Tung Chou (Tony) 2 / 22 About Me Tung Chou (Tony) Ph.D.

More information

Number Theory A focused introduction

Number Theory A focused introduction Number Theory A focused introduction This is an explanation of RSA public key cryptography. We will start from first principles, but only the results that are needed to understand RSA are given. We begin

More information

10 Public Key Cryptography : RSA

10 Public Key Cryptography : RSA 10 Public Key Cryptography : RSA 10.1 Introduction The idea behind a public-key system is that it might be possible to find a cryptosystem where it is computationally infeasible to determine d K even if

More information

Branch Prediction based attacks using Hardware performance Counters IIT Kharagpur

Branch Prediction based attacks using Hardware performance Counters IIT Kharagpur Branch Prediction based attacks using Hardware performance Counters IIT Kharagpur March 19, 2018 Modular Exponentiation Public key Cryptography March 19, 2018 Branch Prediction Attacks 2 / 54 Modular Exponentiation

More information

On the Design of Rebalanced RSA-CRT

On the Design of Rebalanced RSA-CRT On the Design of Rebalanced RSA-CRT Hung-Min Sun 1, M. Jason Hinek 2, Mu-En Wu 3 1, 3 Department of Computer Science National Tsing Hua University, Hsinchu, Taiwan 300 E-mail: 1 hmsun@cs.nthu.edu.tw; 3

More information

Introduction to Cryptology. Lecture 20

Introduction to Cryptology. Lecture 20 Introduction to Cryptology Lecture 20 Announcements HW9 due today HW10 posted, due on Thursday 4/30 HW7, HW8 grades are now up on Canvas. Agenda More Number Theory! Our focus today will be on computational

More information

Elliptic Curve Cryptography and Security of Embedded Devices

Elliptic Curve Cryptography and Security of Embedded Devices Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Mathématiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography

More information

ICS141: Discrete Mathematics for Computer Science I

ICS141: Discrete Mathematics for Computer Science I ICS141: Discrete Mathematics for Computer Science I Dept. Information & Computer Sci., Jan Stelovsky based on slides by Dr. Baek and Dr. Still Originals by Dr. M. P. Frank and Dr. J.L. Gross Provided by

More information

Lecture 22: RSA Encryption. RSA Encryption

Lecture 22: RSA Encryption. RSA Encryption Lecture 22: Recall: RSA Assumption We pick two primes uniformly and independently at random p, q $ P n We define N = p q We shall work over the group (Z N, ), where Z N is the set of all natural numbers

More information

Post-quantum RSA. We built a great, great 1-terabyte RSA wall, and we had the university pay for the electricity

Post-quantum RSA. We built a great, great 1-terabyte RSA wall, and we had the university pay for the electricity We built a great, great 1-terabyte RSA wall, and we had the university pay for the electricity Daniel J. Bernstein Joint work with: Nadia Heninger Paul Lou Luke Valenta The referees are questioning applicability...

More information

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 13 (rev. 2) Professor M. J. Fischer October 22, 2008 53 Chinese Remainder Theorem Lecture Notes 13 We

More information

Introduction to Modern Cryptography. Benny Chor

Introduction to Modern Cryptography. Benny Chor Introduction to Modern Cryptography Benny Chor RSA Public Key Encryption Factoring Algorithms Lecture 7 Tel-Aviv University Revised March 1st, 2008 Reminder: The Prime Number Theorem Let π(x) denote the

More information

Signatures and DLP-I. Tanja Lange Technische Universiteit Eindhoven

Signatures and DLP-I. Tanja Lange Technische Universiteit Eindhoven Signatures and DLP-I Tanja Lange Technische Universiteit Eindhoven How to compute ap Use binary representation of a to compute a(x; Y ) in blog 2 ac doublings and at most that many additions. E.g. a =

More information

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg Course 1: Remainder: RSA Université du Luxembourg September 21, 2010 Public-key encryption Public-key encryption: two keys. One key is made public and used to encrypt. The other key is kept private and

More information

RSA RSA public key cryptosystem

RSA RSA public key cryptosystem RSA 1 RSA As we have seen, the security of most cipher systems rests on the users keeping secret a special key, for anyone possessing the key can encrypt and/or decrypt the messages sent between them.

More information

Exam Security January 19, :30 11:30

Exam Security January 19, :30 11:30 Exam Security January 19, 2016. 8:30 11:30 You can score a maximum of 100. Each question indicates how many it is worth. You are NOT allowed to use books or notes, or a (smart) phone. You may answer in

More information

Introduction to Modern Cryptography. Benny Chor

Introduction to Modern Cryptography. Benny Chor Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes Lecture 8 Tel-Aviv University

More information

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost? Ch - Algorithms with numbers Addition Basic arithmetic Addition ultiplication Division odular arithmetic factoring is hard Primality testing 53+35=88 Cost? (n number of bits) O(n) ultiplication al-khwārizmī

More information

COMS W4995 Introduction to Cryptography October 12, Lecture 12: RSA, and a summary of One Way Function Candidates.

COMS W4995 Introduction to Cryptography October 12, Lecture 12: RSA, and a summary of One Way Function Candidates. COMS W4995 Introduction to Cryptography October 12, 2005 Lecture 12: RSA, and a summary of One Way Function Candidates. Lecturer: Tal Malkin Scribes: Justin Cranshaw and Mike Verbalis 1 Introduction In

More information

Applied Cryptography and Computer Security CSE 664 Spring 2018

Applied Cryptography and Computer Security CSE 664 Spring 2018 Applied Cryptography and Computer Security Lecture 12: Introduction to Number Theory II Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline This time we ll finish the

More information

Ma/CS 6a Class 4: Primality Testing

Ma/CS 6a Class 4: Primality Testing Ma/CS 6a Class 4: Primality Testing By Adam Sheffer Reminder: Euler s Totient Function Euler s totient φ(n) is defined as follows: Given n N, then φ n = x 1 x < n and GCD x, n = 1. In more words: φ n is

More information

Public Key Algorithms

Public Key Algorithms 1 Public Key Algorithms ffl hash: irreversible transformation(message) ffl secret key: reversible transformation(block) encryption digital signatures authentication RSA yes yes yes El Gamal no yes no Zero-knowledge

More information

Correcting Errors in Private Keys Obtained from Cold Boot Attacks

Correcting Errors in Private Keys Obtained from Cold Boot Attacks Correcting Errors in Private Keys Obtained from Cold Boot Attacks Hyung Tae Lee, HongTae Kim, Yoo-Jin Baek, and Jung Hee Cheon ISaC & Department of Mathmathical Sciences, SNU 2011. 11. 30. 1 / 17 Contents

More information

Introduction to Cybersecurity Cryptography (Part 5)

Introduction to Cybersecurity Cryptography (Part 5) Introduction to Cybersecurity Cryptography (Part 5) Prof. Dr. Michael Backes 13.01.2017 February 17 th Special Lecture! 45 Minutes Your Choice 1. Automotive Security 2. Smartphone Security 3. Side Channel

More information

Rainbow Tables ENEE 457/CMSC 498E

Rainbow Tables ENEE 457/CMSC 498E Rainbow Tables ENEE 457/CMSC 498E How are Passwords Stored? Option 1: Store all passwords in a table in the clear. Problem: If Server is compromised then all passwords are leaked. Option 2: Store only

More information

Partial Key Exposure: Generalized Framework to Attack RSA

Partial Key Exposure: Generalized Framework to Attack RSA Partial Key Exposure: Generalized Framework to Attack RSA Cryptology Research Group Indian Statistical Institute, Kolkata 12 December 2011 Outline of the Talk 1 RSA - A brief overview 2 Partial Key Exposure

More information

The security of RSA (part 1) The security of RSA (part 1)

The security of RSA (part 1) The security of RSA (part 1) The modulus n and its totient value φ(n) are known φ(n) = p q (p + q) + 1 = n (p + q) + 1 The modulus n and its totient value φ(n) are known φ(n) = p q (p + q) + 1 = n (p + q) + 1 i.e. q = (n φ(n) + 1)

More information

THE CUBIC PUBLIC-KEY TRANSFORMATION*

THE CUBIC PUBLIC-KEY TRANSFORMATION* CIRCUITS SYSTEMS SIGNAL PROCESSING c Birkhäuser Boston (2007) VOL. 26, NO. 3, 2007, PP. 353 359 DOI: 10.1007/s00034-006-0309-x THE CUBIC PUBLIC-KEY TRANSFORMATION* Subhash Kak 1 Abstract. This note proposes

More information

Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers

Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers Sarani Bhattacharya and Debdeep Mukhopadhyay Indian Institute of Technology Kharagpur PROOFS 2016 August

More information

Lecture V : Public Key Cryptography

Lecture V : Public Key Cryptography Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional

More information

Chapter 4 Public Key Cryptology - Part I

Chapter 4 Public Key Cryptology - Part I Chapter 4 Public Key Cryptology - Part I February 15, 2010 4 The concept of public key cryptology (PKC) emerged in the early 1970 s in the British Government s communications center CESG, Cheltenham. (See

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 9 September 30, 2015 CPSC 467, Lecture 9 1/47 Fast Exponentiation Algorithms Number Theory Needed for RSA Elementary Number Theory

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 6, 2012 CPSC 467b, Lecture 9 1/53 Euler s Theorem Generating RSA Modulus Finding primes by guess and check Density of

More information

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures CS 7810 Graduate Cryptography October 30, 2017 Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures Lecturer: Daniel Wichs Scribe: Willy Quach & Giorgos Zirdelis 1 Topic Covered. Trapdoor Permutations.

More information

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents Santanu Sarkar and Subhamoy Maitra Applied Statistics Unit, Indian Statistical Institute, 203 B. T. Road,

More information

Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA

Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA Cryptography CS 555 Topic 24: Finding Prime Numbers, RSA 1 Recap Number Theory Basics Abelian Groups φφ pppp = pp 1 qq 1 for distinct primes p and q φφ NN = Z N gg xx mod N = gg [xx mmmmmm φφ NN ] mod

More information

cse 311: foundations of computing Fall 2015 Lecture 12: Primes, GCD, applications

cse 311: foundations of computing Fall 2015 Lecture 12: Primes, GCD, applications cse 311: foundations of computing Fall 2015 Lecture 12: Primes, GCD, applications n-bit unsigned integer representation Represent integer x as sum of powers of 2: If x = n 1 i=0 b i 2 i where each b i

More information

Reconstruction and Error Correction of RSA Secret Parameters from the MSB Side

Reconstruction and Error Correction of RSA Secret Parameters from the MSB Side Reconstruction and Error Correction of RSA Secret Parameters from the MSB Side Sarkar Santanu, Gupta Sourav Sen, Maitra Subhamoy To cite this version: Sarkar Santanu, Gupta Sourav Sen, Maitra Subhamoy.

More information

basics of security/cryptography

basics of security/cryptography RSA Cryptography basics of security/cryptography Bob encrypts message M into ciphertext C=P(M) using a public key; Bob sends C to Alice Alice decrypts ciphertext back into M using a private key (secret)

More information

Attacks on hash functions. Birthday attacks and Multicollisions

Attacks on hash functions. Birthday attacks and Multicollisions Attacks on hash functions Birthday attacks and Multicollisions Birthday Attack Basics In a group of 23 people, the probability that there are at least two persons on the same day in the same month is greater

More information

Discrete Mathematics GCD, LCM, RSA Algorithm

Discrete Mathematics GCD, LCM, RSA Algorithm Discrete Mathematics GCD, LCM, RSA Algorithm Abdul Hameed http://informationtechnology.pk/pucit abdul.hameed@pucit.edu.pk Lecture 16 Greatest Common Divisor 2 Greatest common divisor The greatest common

More information

Pseudo-random Number Generation. Qiuliang Tang

Pseudo-random Number Generation. Qiuliang Tang Pseudo-random Number Generation Qiuliang Tang Random Numbers in Cryptography The keystream in the one-time pad The secret key in the DES encryption The prime numbers p, q in the RSA encryption The private

More information

( c ) E p s t e i n, C a r t e r a n d B o l l i n g e r C h a p t e r 1 7 : I n f o r m a t i o n S c i e n c e P a g e 1

( c ) E p s t e i n, C a r t e r a n d B o l l i n g e r C h a p t e r 1 7 : I n f o r m a t i o n S c i e n c e P a g e 1 ( c ) E p s t e i n, C a r t e r a n d B o l l i n g e r 2 0 1 6 C h a p t e r 1 7 : I n f o r m a t i o n S c i e n c e P a g e 1 CHAPTER 17: Information Science In this chapter, we learn how data can

More information

Continuing discussion of CRC s, especially looking at two-bit errors

Continuing discussion of CRC s, especially looking at two-bit errors Continuing discussion of CRC s, especially looking at two-bit errors The definition of primitive binary polynomials Brute force checking for primitivity A theorem giving a better test for primitivity Fast

More information

Number theory (Chapter 4)

Number theory (Chapter 4) EECS 203 Spring 2016 Lecture 12 Page 1 of 8 Number theory (Chapter 4) Review Compute 6 11 mod 13 in an efficient way What is the prime factorization of 100? 138? What is gcd(100, 138)? What is lcm(100,138)?

More information

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other. Public Key Cryptography All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other. The thing that is common among all of them is that each

More information

Cryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95

Cryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95 Cryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95 Jean-Sébastien Coron and David Naccache Gemplus Card International 34 rue Guynemer, 92447 Issy-les-Moulineaux, France {jean-sebastien.coron,

More information

Asymmetric Encryption

Asymmetric Encryption -3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function

More information

Cryptography. pieces from work by Gordon Royle

Cryptography. pieces from work by Gordon Royle Cryptography pieces from work by Gordon Royle The set-up Cryptography is the mathematics of devising secure communication systems, whereas cryptanalysis is the mathematics of breaking such systems. We

More information

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems CPE 776:DATA SECURITY & CRYPTOGRAPHY Some Number Theory and Classical Crypto Systems Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Some Number Theory

More information

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a. INTRODUCTION TO CRYPTOGRAPHY 5. Discrete Logarithms Recall the classical logarithm for real numbers: If we write b = 10 a, then a = log 10 b is the logarithm of b to the base 10. Changing the base to e

More information

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

Digital Signature Schemes and the Random Oracle Model. A. Hülsing Digital Signature Schemes and the Random Oracle Model A. Hülsing Today s goal Review provable security of in use signature schemes. (PKCS #1 v2.x) PAGE 1 Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/dsa.jpg

More information

Lecture Notes, Week 6

Lecture Notes, Week 6 YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several

More information

THE RSA ENCRYPTION SCHEME

THE RSA ENCRYPTION SCHEME THE RSA ENCRYPTION SCHEME Contents 1. The RSA Encryption Scheme 2 1.1. Advantages over traditional coding methods 3 1.2. Proof of the decoding procedure 4 1.3. Security of the RSA Scheme 4 1.4. Finding

More information

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How

More information

Public-Key Encryption: ElGamal, RSA, Rabin

Public-Key Encryption: ElGamal, RSA, Rabin Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption

More information

Breaking Plain ElGamal and Plain RSA Encryption

Breaking Plain ElGamal and Plain RSA Encryption Breaking Plain ElGamal and Plain RSA Encryption (Extended Abstract) Dan Boneh Antoine Joux Phong Nguyen dabo@cs.stanford.edu joux@ens.fr pnguyen@ens.fr Abstract We present a simple attack on both plain

More information

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle

More information

Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves

Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves SESSION ID: CRYP-T07 Patrick Longa Microsoft Research http://research.microsoft.com/en-us/people/plonga/

More information

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1 Cryptography CS 555 Topic 18: RSA Implementation and Security Topic 18 1 Outline and Readings Outline RSA implementation issues Factoring large numbers Knowing (e,d) enables factoring Prime testing Readings:

More information

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium

More information

Chapter 4 Asymmetric Cryptography

Chapter 4 Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman [NetSec/SysSec], WS 2008/2009 4.1 Asymmetric Cryptography General idea: Use two different keys -K and +K for

More information

Asymmetric Cryptography

Asymmetric Cryptography Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman General idea: Use two different keys -K and +K for encryption and decryption Given a

More information

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30 CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).

More information

ECS 189A Final Cryptography Spring 2011

ECS 189A Final Cryptography Spring 2011 ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I

More information

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII Codes and Cryptography MAMME, Fall 2015 PART XII Outline 1 Symmetric Encryption (II) 2 Construction Strategies Construction Strategies Stream ciphers: For arbitrarily long messages (e.g., data streams).

More information
2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback