A New Baby-Step Giant-Step Algorithm and Some Applications to Cryptanalysis
|
|
- Marion Bridges
- 5 years ago
- Views:
Transcription
1 A New Baby-Step Giant-Step Algorithm and Some Applications to Cryptanalysis 30/08/2005 J.S. Coron, G. Poupard and D. Lefranc D1-09/11/2005
2 Overview Introduction : the GPS scheme A new type of private keys for GPS [CHES'04] Description Cryptanalysis First improvement of cryptanalysis Second improvement of cryptanalysis Conclusion Distribution of this document is subject to s authorization D2-09/11/2005
3 Introduction : the GPS scheme Distribution of this document is subject to s authorization D3-09/11/2005
4 Introduction : the GPS scheme (1) The scheme Introduced by Girault in 1991 Proved secure by Poupard and Stern in 1998 Parameters/keys Public key n a RSA modulus g an invertible element in (Z/nZ) * v an element of <g>; i.e. v = g s mod n Private key s in [0, ord(g)[ Distribution of this document is subject to s authorization D4-09/11/2005
5 Introduction : the GPS scheme (2) v = g s mod n r Off-line computation 0, 2 R r W = W g mod n c 0, 2 C k y r sc y = + On-line computation g y c v = W mod n Distribution of this document is subject to s authorization D5-09/11/2005
6 Introduction : the GPS scheme (3) If used with the precomputation of W=g r mod n Very efficient scheme for the prover : only y=r+sc Eventually in RFID tags few computation capabilities Improvement of GPS for a better integration? At CHES'04, Girault and Lefranc suggested 3 improvements : one is a new type of private keys Distribution of this document is subject to s authorization D6-09/11/2005
7 A new type of private keys for GPS Distribution of this document is subject to s authorization D7-09/11/2005
8 New private keys for GPS : description (1) The new type of private keys : s=s 1 s 2 with s 1 in X 1 and s 2 in X 2 s 1 and s 2 with a low Hamming weight the computation of sxc is improved Distribution of this document is subject to s authorization D8-09/11/2005
9 New private keys for GPS : security (1) The new type of private keys: s=s 1 s 2 with s 1 in X 1 and s 2 in X 2 Security? In a group of known order q 1 1 2mod 1 mod 2 ss q s q s v= g mod p v mod p= g mod p With a BSGS-like algorithm : recovers the key in O( X 1 + X 2 ) group exp. GPS : group order is unknown. This attack is not possible Distribution of this document is subject to s authorization D9-09/11/2005
10 New private keys for GPS : security (2) The new private key: s=s 1 s 2 with s 1 in X 1 and s 2 in X 2 Security? GPS uses a RSA modulus ord(g) unknown to the enemy s 1-1 mod ord(g) infeasible No better known attack than an exhaustive search In time O( X 1 x X 2 ) group exp. Note :Stinson's attack for low Hamming weight private keys Distribution of this document is subject to s authorization D10-09/11/2005
11 New private keys for GPS : security (3) we present here two new algorithms to better the cryptanalysis of such private keys One general improvement for product in groups of unknown order One specific improvement for such private keys Distribution of this document is subject to s authorization D11-09/11/2005
12 First improvement of cryptanalysis Distribution of this document is subject to s authorization D12-09/11/2005
13 First improvement of cryptanalysis (1) Basic idea : 1 1 2mod 1 mod 2 ss q s q s v= g mod p v mod p= g mod p Inverting is infeasible, but : ( ) j s mod q ( s v = g ) 1 1 j X 2 1 j X1 j j X1\{ s1} j X1 v = g BSGS-like algorithm can be performed j j s 2 Distribution of this document is subject to s authorization D13-09/11/2005
14 First improvement of cryptanalysis (2) BSGS algorithm 2 sets : v j j = g j X1\{ s1} j X1 s 2 j j X1 \{ a v }, a X 1 j b j X1 g, b X 2 Search a same element for a given a and b The private key is equal to axb Distribution of this document is subject to s authorization D14-09/11/2005
15 First improvement of cryptanalysis (3) j v, a X Complexity? j X1 Computation of \{ a }? With a basic method, in time O( X 1 2 ) group exp. j X1 Computation of? g j j X Once 1 is computed : in time O( X 2 ) group exp. b 1 j g, b X 2 Distribution of this document is subject to s authorization D15-09/11/2005
16 First improvement of cryptanalysis (4) The computation of in time O( X 1 2 ) group exp. must be improved j X1 \{ a v }, a X Otherwise : the BSGS algorithm in time O( X X 2 ) group exp. An exhaustive search in time O( X 1 x X 2 ) group exp. Not a better cryptanalysis! We present a new method in time O( X 1 ln( X 1 )) group exp. j 1 Distribution of this document is subject to s authorization D16-09/11/2005
17 First improvement of cryptanalysis (5) The trick for an efficient computation : Use of a binary tree structure The tree does not need to be saved Description for a set X ={x 1,x 2,.,x 8 } of cardinality 8=2 3 Distribution of this document is subject to s authorization D17-09/11/2005
18 First improvement of cryptanalysis (5) v v...x5xxx v xxxx x3x4 xx 5 6x7 x8 x1 x v 2..x x 6 x x v v xx 1 2xx x x 7 8 xx 1 2xx 3 4 xx v v xx xx xx. x v xx x x 4 xxx Distribution of this document is subject to s authorization D18-09/11/2005
19 First improvement of cryptanalysis (6) Analysis of the algorithm : Depth of the tree : ln X Each step involves exactly X group exp. Time complexity : O( X ln X ) group exp. Distribution of this document is subject to s authorization D19-09/11/2005
20 First improvement of cryptanalysis (7) Complexity of the full BSGS-like algorithm : O( X 2 + X 1 ln X 1 ) group exp. In comparison with the exhaustive search in O( X 2 x X 1 ) group exp. Distribution of this document is subject to s authorization D20-09/11/2005
21 First improvement of cryptanalysis (8) Numerical application s 2 a 142-bit number with 17 non-zero bits s 1 a 19-bit number with 6 non-zero bits Exhaustive search in 2 80 group exp. With the new BSGS-like algorithm : in time 2 69 group exp. Distribution of this document is subject to s authorization D21-09/11/2005
22 Second improvement of cryptanalysis Distribution of this document is subject to s authorization D22-09/11/2005
23 Second improvement of cryptanalysis (1) The new private key: s=s 1 s 2 with s 1 in X 1 and s 2 in X 2 s 1 and s 2 with a low Hamming weight s s s s s ( ) 2 v= g v= g = h in base h, v has a low hamming weight Stinson attack can be applied for each possible h Distribution of this document is subject to s authorization D23-09/11/2005
24 Second improvement of cryptanalysis (2) Numerical application s 2 a 142-bit number with 17 non-zero bits s 1 a 19-bit number with 6 non-zero bits Exhaustive search in 2 80 group exp. With the new BSGS-like algorithm : 2 69 group exp. The new attack : 2 54 group exp. Distribution of this document is subject to s authorization D24-09/11/2005
25 Conclusion 2 improvements of cryptanalysis for new GPS private keys One is a new BSGS algorithm for product in group of unknown order Almost the same complexity as in groups of known order One specific to the new private keys. Distribution of this document is subject to s authorization D25-09/11/2005
A New Baby-Step Giant-Step Algorithm and Some Applications to Cryptanalysis
A New Baby-Step Giant-Step Algorithm and Some Applications to Cryptanalysis Jean Sébastien Coron 1, David Lefranc 2 and Guillaume Poupard 3 1 Université du Luxembourg Luxembourg coron@clipper.ens.fr 2
More informationPublic Key Authentication with One (Online) Single Addition
Public Key Authentication with One (Online) Single Addition Marc Girault and David Lefranc France Télécom R&D 42 rue des Coutures F-14066 Caen, France {marc.girault,david.lefranc}@francetelecom.com Abstract.
More informationPractical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits
Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits Damien Vergnaud École normale supérieure CHES September, 15th 2015 (with Aurélie Bauer) Damien Vergnaud
More informationCryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg
Course 1: Remainder: RSA Université du Luxembourg September 21, 2010 Public-key encryption Public-key encryption: two keys. One key is made public and used to encrypt. The other key is kept private and
More informationSide Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents
Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents Santanu Sarkar and Subhamoy Maitra Leuven, Belgium 12 September, 2012 Outline of the Talk RSA Cryptosystem
More informationCryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95
Cryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95 Jean-Sébastien Coron and David Naccache Gemplus Card International 34 rue Guynemer, 92447 Issy-les-Moulineaux, France {jean-sebastien.coron,
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationCorrecting Errors in Private Keys Obtained from Cold Boot Attacks
Correcting Errors in Private Keys Obtained from Cold Boot Attacks Hyung Tae Lee, HongTae Kim, Yoo-Jin Baek, and Jung Hee Cheon ISaC & Department of Mathmathical Sciences, SNU 2011. 11. 30. 1 / 17 Contents
More informationPartial Key Exposure: Generalized Framework to Attack RSA
Partial Key Exposure: Generalized Framework to Attack RSA Cryptology Research Group Indian Statistical Institute, Kolkata 12 December 2011 Outline of the Talk 1 RSA - A brief overview 2 Partial Key Exposure
More informationExponent Blinding Does not Always Lift (Partial) SPA Resistance to Higher-Level Security
Exponent Blinding Does not Always Lift (Partial) SPA Resistance to Higher-Level Security Werner Schindler (Bundesamt für Sicherheit in der Informationstechnik (BSI)) and Kouichi Itoh (Fujitsu Laboratories
More informationRecovering Private Keys Generated With Weak PRNGs
Recovering Private Keys Generated With Weak PRNGs Pierre-Alain Fouque (Univ. Rennes 1) Mehdi Tibouchi (NTT Secure Platform Lab.) Jean-Christophe Zapalowicz (Inria) Journées C2 2014 Jean-Christophe Zapalowicz
More informationFactoring Algorithms Pollard s p 1 Method. This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors.
Factoring Algorithms Pollard s p 1 Method This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors. Input: n (to factor) and a limit B Output: a proper factor of
More informationLattice-Based Fault Attacks on RSA Signatures
Lattice-Based Fault Attacks on RSA Signatures Mehdi Tibouchi École normale supérieure Workshop on Applied Cryptography, Singapore, 2010-12-03 Gist of this talk Review a classical attack on RSA signatures
More informationAN AUTHENTICATION SCHEME BASED ON THE TWISTED CONJUGACY PROBLEM
AN AUTHENTICATION SCHEME BASED ON THE TWISTED CONJUGACY PROBLEM VLADIMIR SHPILRAIN AND ALEXANDER USHAKOV Abstract. The conjugacy search problem in a group G is the problem of recovering an x G from given
More information10 Public Key Cryptography : RSA
10 Public Key Cryptography : RSA 10.1 Introduction The idea behind a public-key system is that it might be possible to find a cryptosystem where it is computationally infeasible to determine d K even if
More informationPanHomc'r I'rui;* :".>r '.a'' W"»' I'fltolt. 'j'l :. r... Jnfii<on. Kslaiaaac. <.T i.. %.. 1 >
5 28 (x / &» )»(»»» Q ( 3 Q» (» ( (3 5» ( q 2 5 q 2 5 5 8) 5 2 2 ) ~ ( / x {» /»»»»» (»»» ( 3 ) / & Q ) X ] Q & X X X x» 8 ( &» 2 & % X ) 8 x & X ( #»»q 3 ( ) & X 3 / Q X»»» %» ( z 22 (»» 2» }» / & 2 X
More informationMANY BILLS OF CONCERN TO PUBLIC
- 6 8 9-6 8 9 6 9 XXX 4 > -? - 8 9 x 4 z ) - -! x - x - - X - - - - - x 00 - - - - - x z - - - x x - x - - - - - ) x - - - - - - 0 > - 000-90 - - 4 0 x 00 - -? z 8 & x - - 8? > 9 - - - - 64 49 9 x - -
More informationComputing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring
Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring Alexander May Faculty of Computer Science, Electrical Engineering and Mathematics University of Paderborn 33102 Paderborn,
More informationHorizontal and Vertical Side-Channel Attacks against Secure RSA Implementations
Introduction Clavier et al s Paper This Paper Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations Aurélie Bauer Éliane Jaulmes Emmanuel Prouff Justine Wild ANSSI Session ID:
More informationMathematics of Cryptography
UNIT - III Mathematics of Cryptography Part III: Primes and Related Congruence Equations 1 Objectives To introduce prime numbers and their applications in cryptography. To discuss some primality test algorithms
More informationLecture 14 More on Digital Signatures and Variants. COSC-260 Codes and Ciphers Adam O Neill Adapted from
Lecture 14 More on Digital Signatures and Variants COSC-260 Codes and Ciphers Adam O Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Setting the Stage We will cover in more depth some issues for
More informationElliptic Curve Cryptography and Security of Embedded Devices
Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Mathématiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography
More informationA Generic Algorithm for Small Weight Discrete Logarithms in Composite Groups
A Generic Algorithm for Small Weight Discrete Logarithms in Composite Groups Alexander May and Ilya Ozerov Horst Görtz Institute for IT-Security Ruhr-University Bochum, Germany Faculty of Mathematics alex.may@rub.de,
More informationUSING SHANKS BABY-STEP GIANT-STEP METHOD TO SOLVE THE GENERALIZED PELL EQUATION x 2 Dy 2 = N. Copyright 2009 by John P. Robertson. 1.
USING SHANKS BABY-STEP GIANT-STEP METHOD TO SOLVE THE GENERALIZED PELL EQUATION x 2 Dy 2 = N Abstract. For D > 0 not a square, and N 0, the continued fraction algorithm can be used to solve the generalized
More informationImplementation Tutorial on RSA
Implementation Tutorial on Maciek Adamczyk; m adamczyk@umail.ucsb.edu Marianne Magnussen; mariannemagnussen@umail.ucsb.edu Adamczyk and Magnussen Spring 2018 1 / 13 Overview Implementation Tutorial Introduction
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Serge Vaudenay 17.1.2017 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not
More informationBlinded Fault Resistant Exponentiation FDTC 06
Previous Work Our Algorithm Guillaume Fumaroli 1 David Vigilant 2 1 Thales Communications guillaume.fumaroli@fr.thalesgroup.com 2 Gemalto david.vigilant@gemalto.com FDTC 06 Outline Previous Work Our Algorithm
More informationCombinatorics of p-ary Bent Functions
Combinatorics of p-ary Bent Functions MIDN 1/C Steven Walsh United States Naval Academy 25 April 2014 Objectives Introduction/Motivation Definitions Important Theorems Main Results: Connecting Bent Functions
More informationBreaking Plain ElGamal and Plain RSA Encryption
Breaking Plain ElGamal and Plain RSA Encryption (Extended Abstract) Dan Boneh Antoine Joux Phong Nguyen dabo@cs.stanford.edu joux@ens.fr pnguyen@ens.fr Abstract We present a simple attack on both plain
More informationPSS Is Secure against Random Fault Attacks
PSS Is Secure against Random Fault Attacks Jean-Sébastien Coron and Avradip Mandal University of Luxembourg Abstract. A fault attack consists in inducing hardware malfunctions in order to recover secrets
More informationBreaking the F-FCSR-H Stream Cipher in Real Time
Breaking the F-FCSR-H Stream Cipher in Real Time Martin Hell and Thomas Johansson Dept. of Electrical and Information Technology, Lund University, P.O. Box 118, 221 00 Lund, Sweden Abstract. The F-FCSR
More informationChapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations
Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 9.1 Chapter 9 Objectives
More informationDivision Property: a New Attack Against Block Ciphers
Division Property: a New Attack Against Block Ciphers Christina Boura (joint on-going work with Anne Canteaut) Séminaire du groupe Algèbre et Géometrie, LMV November 24, 2015 1 / 50 Symmetric-key encryption
More information8 Elliptic Curve Cryptography
8 Elliptic Curve Cryptography 8.1 Elliptic Curves over a Finite Field For the purposes of cryptography, we want to consider an elliptic curve defined over a finite field F p = Z/pZ for p a prime. Given
More information8.1 Principles of Public-Key Cryptosystems
Public-key cryptography is a radical departure from all that has gone before. Right up to modern times all cryptographic systems have been based on the elementary tools of substitution and permutation.
More informationLecture 22: RSA Encryption. RSA Encryption
Lecture 22: Recall: RSA Assumption We pick two primes uniformly and independently at random p, q $ P n We define N = p q We shall work over the group (Z N, ), where Z N is the set of all natural numbers
More informationSide Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents
Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents Santanu Sarkar and Subhamoy Maitra Applied Statistics Unit, Indian Statistical Institute, 203 B. T. Road,
More informationSecurity Analysis of XTR Exponentiation Algorithms Against Simple Power Analysis Attack
Security Analysis of XTR Exponentiation Algorithms Against Simple Power Analysis Attack Jaewook Chung and Anwar Hasan j4chung@uwaterloo.ca ahasan@secure.uwaterloo.ca Center for Applied Cryptographic Research
More informationHomomorphic Encryption. Liam Morris
Homomorphic Encryption Liam Morris Topics What Is Homomorphic Encryption? Partially Homomorphic Cryptosystems Fully Homomorphic Cryptosystems Benefits of Homomorphism Drawbacks of Homomorphism What Is
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationA DPA attack on RSA in CRT mode
A DPA attack on RSA in CRT mode Marc Witteman Riscure, The Netherlands 1 Introduction RSA is the dominant public key cryptographic algorithm, and used in an increasing number of smart card applications.
More informationComputing Discrete Logarithms. Many cryptosystems could be broken if we could compute discrete logarithms quickly.
Computing Discrete Logarithms Many cryptosystems could be broken if we could compute discrete logarithms quickly. The first discrete logarithm algorithms below apply in any group. They are about the best
More informationRSA and Rabin Signatures Signcryption
T-79.5502 Advanced Course in Cryptology RSA and Rabin Signatures Signcryption Alessandro Tortelli 26-04-06 Overview Introduction Probabilistic Signature Scheme PSS PSS with message recovery Signcryption
More informationSliding right into disaster - Left-to-right sliding windows leak
Sliding right into disaster - Left-to-right sliding windows leak Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal and
More informationIntroduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions
Introduction to Modern Cryptography Lecture 7 1. RSA Public Key CryptoSystem 2. One way Trapdoor Functions Diffie and Hellman (76) New Directions in Cryptography Split the Bob s secret key K to two parts:
More informationCSc 466/566. Computer Security. 5 : Cryptography Basics
1/84 CSc 466/566 Computer Security 5 : Cryptography Basics Version: 2012/03/03 10:44:26 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian Collberg Christian
More informationIn fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.
Attacks on RSA, some using LLL Recall RSA: N = pq hard to factor. Choose e with gcd(e,φ(n)) = 1, where φ(n) = (p 1)(q 1). Via extended Euclid, find d with ed 1 (mod φ(n)). Discard p and q. Public key is
More informationOn the Design of Rebalanced RSA-CRT
On the Design of Rebalanced RSA-CRT Hung-Min Sun 1, M. Jason Hinek 2, Mu-En Wu 3 1, 3 Department of Computer Science National Tsing Hua University, Hsinchu, Taiwan 300 E-mail: 1 hmsun@cs.nthu.edu.tw; 3
More informationCryptography. pieces from work by Gordon Royle
Cryptography pieces from work by Gordon Royle The set-up Cryptography is the mathematics of devising secure communication systems, whereas cryptanalysis is the mathematics of breaking such systems. We
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationRSA: Genesis, Security, Implementation & Key Generation
ECE 646 Lecture 8 RSA: Genesis, Security, Implementation & Key Generation Public Key (Asymmetric) Cryptosystems Public key of Bob - K B Private key of Bob - k B Network Alice Encryption Decryption Bob
More informationECE 646 Lecture 8. RSA: Genesis, Security, Implementation & Key Generation
ECE 646 Lecture 8 RSA: Genesis, Security, Implementation & Key Generation Public Key (Asymmetric) Cryptosystems Public key of Bob - K B Private key of Bob - k B Network Alice Encryption Decryption Bob
More informationCryptanalysis of Achterbahn-128/80. Maria Naya-Plasencia. INRIA-Projet CODES FRANCE
Cryptanalysis of Achterbahn-128/80 Maria Naya-Plasencia INRIA-Projet CODES FRANCE Outline 1 Achterbahn 2 Tools used in our cryptanalysis 3 Cryptanalysis of Achterbahn-128/80 Achterbahn [Gammel-Göttfert-Kniffler05]...
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019
Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationAn Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations
An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations J.H. Silverman 1, N.P. Smart 2, and F. Vercauteren 2 1 Mathematics Department, Box 1917, Brown
More informationPhysically Unclonable Functions
Physically Unclonable Functions Rajat Subhra Chakraborty Associate Professor Department of Computer Science and Engineering IIT Kharagpur E-mail: rschakraborty@cse.iitkgp.ernet.in ISEA Workshop IIT Kharagpur,
More informationCS 355: Topics in Cryptography Spring Problem Set 5.
CS 355: Topics in Cryptography Spring 2018 Problem Set 5 Due: June 8, 2018 at 5pm (submit via Gradescope) Instructions: You must typeset your solution in LaTeX using the provided template: https://crypto.stanford.edu/cs355/homework.tex
More informationAn average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and
An average case analysis of a dierential attack on a class of SP-networks Luke O'Connor Distributed Systems Technology Centre, and Information Security Research Center, QUT Brisbane, Australia Abstract
More informationDeterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring
Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring Jean-Sébastien Coron and Alexander May Gemplus Card International 34 rue Guynemer, 92447 Issy-les-Moulineaux, France
More informationHash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length.
Hash Functions 1 Hash Functions A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length. 0 1 1 0 1 0 0 1 Long Message Hash Function 1 1 1
More informationTunable balancing of RSA
Tunable balancing of RSA S. D. Galbraith, C. Heneghan and J. F. McKee Department of Mathematics, Royal Holloway, University of London, Egham, Surrey TW20 0EX, UK. [Steven.Galbraith,C.Heneghan,James.McKee]@rhul.ac.uk
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationA fast modular multiplication algorithm for calculating the product AB modulo N
Information Processing Letters 72 (1999) 77 81 A fast modular multiplication algorithm for calculating the product AB modulo N Chien-Yuan Chen a,, Chin-Chen Chang b,1 a Department of Information Engineering,
More informationFast Cryptanalysis of the Matsumoto-Imai Public Key Scheme
Fast Cryptanalysis of the Matsumoto-Imai Public Key Scheme P. Delsarte Philips Research Laboratory, Avenue Van Becelaere, 2 B-1170 Brussels, Belgium Y. Desmedt Katholieke Universiteit Leuven, Laboratorium
More informationBachet s equation and groups formed from solutions in Z p
Bachet s equation and groups formed from solutions in Z p Boise State University April 30, 2015 Elliptic Curves and Bachet s Equation Elliptic curves are of the form y 2 = x 3 + ax + b Bachet equations
More informationProblem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed
Problem 1 n bits k zero bits IV Block Block Block Block removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Missing bits January 27, 2011 Practical
More information2 Description of McEliece s Public-Key Cryptosystem
1 A SOFTWARE IMPLEMENTATION OF THE McELIECE PUBLIC-KEY CRYPTOSYSTEM Bart Preneel 1,2, Antoon Bosselaers 1, René Govaerts 1 and Joos Vandewalle 1 A software implementation of the McEliece public-key cryptosystem
More informationReduce-by-Feedback: Timing resistant and DPA-aware Modular Multiplication plus: How to Break RSA by DPA
Reduce-by-Feedback: Timing resistant and DPA-aware Modular Multiplication plus: How to Break RSA by DPA M. Vielhaber vielhaber@gmail.com Hochschule Bremerhaven und/y Universidad Austral de Chile CHES 2012
More informationEfficient encryption and decryption. ECE646 Lecture 10. RSA Implementation: Efficient Encryption & Decryption. Required Reading
ECE646 Lecture 10 RSA Implementation: Efficient Encryption & Decryption Required Reading W. Stallings, "Cryptography and etwork-security, Chapter 9.2 The RSA Algorithm Chapter 8.4 The Chinese Remainder
More informationPractice Assignment 2 Discussion 24/02/ /02/2018
German University in Cairo Faculty of MET (CSEN 1001 Computer and Network Security Course) Dr. Amr El Mougy 1 RSA 1.1 RSA Encryption Practice Assignment 2 Discussion 24/02/2018-29/02/2018 Perform encryption
More informationBasic Algorithms in Number Theory
Basic Algorithms in Number Theory Algorithmic Complexity... 1 Basic Algorithms in Number Theory Francesco Pappalardi Discrete Logs, Modular Square Roots & Euclidean Algorithm. July 20 th 2010 Basic Algorithms
More informationFinding Small Solutions of the Equation Bx Ay = z and Its Applications to Cryptanalysis of the RSA Cryptosystem
Finding Small Solutions of the Equation Bx Ay = z and Its Applications to Cryptanalysis of the RSA Cryptosystem Shixiong Wang 1, Longjiang Qu 2,3, Chao Li 1,3, and Shaojing Fu 1,2 1 College of Computer,
More informationRSA-OAEP and Cramer-Shoup
RSA-OAEP and Cramer-Shoup Olli Ahonen Laboratory of Physics, TKK 11th Dec 2007 T-79.5502 Advanced Cryptology Part I: Outline RSA, OAEP and RSA-OAEP Preliminaries for the proof Proof of IND-CCA2 security
More information2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms
CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such
More informationCryptography & Data Security - Comp 547. Assignment 5. Maxime CHAMBREUIL McGill ID:
Assignment 5 Maxime CHAMBREUIL McGill ID: 260067572 maxime.chambreuil@mail.mcgill.ca Contents 1 Exercises from Stinson s book 1 1.1 Exercise 5.11 p 220............................................ 1 1.1.1
More informationLower Bounds of Shortest Vector Lengths in Random NTRU Lattices
Lower Bounds of Shortest Vector Lengths in Random NTRU Lattices Jingguo Bi 1,2 and Qi Cheng 2 1 School of Mathematics Shandong University Jinan, 250100, P.R. China. Email: jguobi@mail.sdu.edu.cn 2 School
More informationA Knapsack Cryptosystem Based on The Discrete Logarithm Problem
A Knapsack Cryptosystem Based on The Discrete Logarithm Problem By K.H. Rahouma Electrical Technology Department Technical College in Riyadh Riyadh, Kingdom of Saudi Arabia E-mail: kamel_rahouma@yahoo.com
More informationRSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer
RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis Daniel Genkin, Adi Shamir, Eran Tromer Mathematical Attacks Input Crypto Algorithm Key Output Goal: recover the key given access to the inputs
More informationDifferential Cryptanalysis for Multivariate Schemes
Differential Cryptanalysis for Multivariate Schemes Jacques Stern Joint work with P. A. Fouque and L. Granboulan École normale supérieure Differential Cryptanalysis for Multivariate Schemes p.1/23 MI Cryptosystem
More informationExercise Sheet Cryptography 1, 2011
Cryptography 1 http://www.cs.ut.ee/~unruh/crypto1-11/ Exercise Sheet Cryptography 1, 2011 Exercise 1 DES The Data Encryption Standard (DES) is a very famous and widely used block cipher. It maps 64-bit
More informationCryptanalysis of RSA Signatures with Fixed-Pattern Padding
Cryptanalysis of RSA Signatures with Fixed-Pattern Padding [Published in J. Kilian Ed., Advances in Cryptology CRYPTO 2001, vol. 2139 of Lecture Notes in Computer Science, pp. 433 439, Springer-Verlag,
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA Public Key Encryption Factoring Algorithms Lecture 7 Tel-Aviv University Revised March 1st, 2008 Reminder: The Prime Number Theorem Let π(x) denote the
More informationIntroduction to Cryptology. Lecture 20
Introduction to Cryptology Lecture 20 Announcements HW9 due today HW10 posted, due on Thursday 4/30 HW7, HW8 grades are now up on Canvas. Agenda More Number Theory! Our focus today will be on computational
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationImplementation of the RSA algorithm and its cryptanalysis. Abstract. Introduction
Implementation of the RSA algorithm and its cryptanalysis Chandra M. Kota and Cherif Aissi 1 University of Louisiana at Lafayette, College of Engineering Lafayette, LA 70504, USA Abstract Session IVB4
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 14, 2013 CPSC 467b, Lecture 9 1/42 Integer Division (cont.) Relatively prime numbers, Z n, and φ(n) Computing in Z n
More informationCHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER
177 CHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER 178 12.1 Introduction The study of cryptography of gray level images [110, 112, 118] by using block ciphers has gained considerable
More informationCryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000
Cryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000 Amr Youssef 1 and Guang Gong 2 1 Center for Applied Cryptographic Research Department of Combinatorics & Optimization 2 Department of Electrical
More informationOne can use elliptic curves to factor integers, although probably not RSA moduli.
Elliptic Curves Elliptic curves are groups created by defining a binary operation (addition) on the points of the graph of certain polynomial equations in two variables. These groups have several properties
More informationAnother Look at Inversions over Binary Fields
Another Look at Inversions over Binary Fields Vassil Dimitrov 1 Kimmo Järvinen 2 1 Department of Electrical and Computer Engineering University of Calgary, Canada 2 Department of Information and Computer
More informationSignatures and DLP-I. Tanja Lange Technische Universiteit Eindhoven
Signatures and DLP-I Tanja Lange Technische Universiteit Eindhoven How to compute ap Use binary representation of a to compute a(x; Y ) in blog 2 ac doublings and at most that many additions. E.g. a =
More informationQuotient Rings. is defined. Addition of cosets is defined by adding coset representatives:
Quotient Rings 4-21-2018 Let R be a ring, and let I be a (two-sided) ideal. Considering just the operation of addition, R is a group and I is a subgroup. In fact, since R is an abelian group under addition,
More informationSome Comments on the Security of RSA. Debdeep Mukhopadhyay
Some Comments on the Security of RSA Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Computing
More informationA new version of the RC6 algorithm, stronger against χ 2 cryptanalysis
A new version of the RC6 algorithm, stronger against χ 2 cryptanalysis Routo Terada 1 Eduardo T. Ueda 2 1 Dept. of Computer Science University of São Paulo, Brazil Email: rt@ime.usp.br 2 Dept. of Computer
More informationbasics of security/cryptography
RSA Cryptography basics of security/cryptography Bob encrypts message M into ciphertext C=P(M) using a public key; Bob sends C to Alice Alice decrypts ciphertext back into M using a private key (secret)
More informationDeterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA
Deterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA Noboru Kunihiro 1 and Kaoru Kurosawa 2 1 The University of Electro-Communications, Japan kunihiro@iceuecacjp
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationXMX: A Firmware-oriented Block Cipher Based on Modular Multiplications
XMX: A Firmware-oriented Block Cipher Based on Modular Multiplications [Published in E. Biham, Ed., Fast Software Encrytion, vol. 1267 of Lecture Notes in Computer Science, pp. 166 171, Springer-Verlag,
More informationCHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux
CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S Ant nine J aux (g) CRC Press Taylor 8* Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor &
More informationMersenne factorization factory
Mersenne factorization factory Thorsten Kleinjung Arjen K. Lenstra & Joppe W. Bos* École Polytechnique Fédérale de Lausanne laboratory for cryptologic algorithms Microsoft Research presented by: Rob Granger
More information