Additional Notes to "Ultimate Solution to Authentication via Memorable Password" (May 1, 2000 version)

Taekyoung Kwon*

May 25, 2000

* 741 Soda Hall, Computer Science Division, EECS, University of California, Berkeley, CA 94720, tkwon@cs.berkeley.edu or ktk@emerald.yonsei.ac.kr.

Abstract

This short letter adds informative discussions to our previous contribution, "Ultimate Solution to Authentication via Memorable Password" [1].

1 Introduction

Message 2 of AMP, $G_2$, is structured as $G_2 = (G_1 \nu)^y$, while the agreed secret key is $g^{xy}$ $(= \alpha = \beta)$. Note that $G_1 = g^x$ and $\nu = g^v$ [1]. Therefore, care must be taken regarding how much information $G_2$ $(= g^{xy} g^{vy})$ could leak about $g^{xy}$, though the probability of $\nu^y = 1$ is very low. In this letter we propose a method to avoid the argument about the information leakage by slightly modifying the protocol. Note that we abbreviate mod $p$.

Hints:
1. Let $G_2$ be $(G_1^e \nu)^y$ with random $e$.
2. Let the parties agree on $g^{(x_1 + e x_2) y}$ rather than $g^{xy}$.

2 Avoiding Information Leakage

We propose two protocols extended from the original AMP for avoiding the information leakage argument. They are AMP+ (hint 1) and AMP++ (hint 2).

Numerical Assumption. Bob chooses $g$ which generates a prime-order subgroup $\mathbb{Z}_q$ where $p = qr + 1$. Note that the prime $q$ must be sufficiently large ($\geq l(k)$) [1] to resist Pohlig-Hellman decomposition and various index-calculus methods, but much smaller than $p$ [5, 6, 7]. It is easy to make $g$ by $\gamma^{(p-1)/q}$ where $\gamma$ generates $\mathbb{Z}_p^*$. We can use a secure prime modulus $p$ such that $(p-1)/2q$ is also prime or each prime factor of $(p-1)/2q$ is larger than $q$, or a safe prime modulus $p$ such that $p = 2q + 1$ [3]. However, we strongly recommend using a secure prime modulus $p$. Such a modulus should make our modified protocols secure and efficient.

2.1 AMP+

Our first extension is AMP+, based on hint 1. The protocol setup of AMP+ is exactly the same as that of AMP, so its description is skipped here (see [1] for the protocol setup). Note that Bob stores $(id, s, \nu = g^v)$ where $v = h_1(s, \pi)$, $s \in_R \{0,1\}^{t(k)}$, and $\pi \in_R \{0,1\}^{\omega(k)}$.

Protocol Run. The following describes how to run AMP+. Note that the cases $x \in \{0,1\}$, $y \in \{0,1\}$, $g^x \in \{0,1\}$, $(g^{xe}\nu)^y \in \{0,1\}$, and their small subgroup confinements must be avoided for security reasons. Alice and Bob can easily detect and discard such insecure parameters in the protocol.

Figure 1: AMP+ Protocol

Alice (input $(id, \pi)$) | Bob (stores $(id, s, \nu)$)

Alice: $x \in_R \mathbb{Z}_q$; $G_1 = g^x$.
  Alice → Bob: $id, G_1 \; (= g^x)$
Bob: fetch $(id, s, \nu)$; $y \in_R \mathbb{Z}_q$; $e = h_2(G_1, id, Alice, Bob)$; $G_2 = G_1^{ey} \nu^y$.
  Bob → Alice: $s, G_2 \; (= (g^{xe}\nu)^y)$
Alice: $e = h_2(G_1, id, Alice, Bob)$; $v = h_1(s, \pi)$; $w = (xe + v)^{-1} x \bmod q$; $\alpha = (G_2)^w$; $K_1 = h_3(\alpha)$; $H_{11} = h_4(G_1, K_1)$; $H_{21} = h_5(G_2, K_1)$.
  Alice → Bob: $H_{11} \; (= h(g^x, K))$
Bob: $\beta = (G_1)^y$; $K_2 = h_3(\beta)$; $H_{12} = h_4(G_1, K_2)$; verify $H_{11} \stackrel{?}{=} H_{12}$; $H_{22} = h_5(G_2, K_2)$.
  Bob → Alice: $H_{22} \; (= h((g^{xe}\nu)^y, K))$
Alice: verify $H_{21} \stackrel{?}{=} H_{22}$.

The following steps explain how the protocol is executed in Figure 1.
1. Alice computes $G_1 = g^x$ by choosing $x \in_R \mathbb{Z}_q$ and sends $(id, G_1)$ to Bob.

2. After receiving message 1, Bob loads $s$ and $\nu$, and computes $e = h_2(G_1, id, Alice, Bob)$ and $G_2 = G_1^{ey} \nu^y$ by choosing $y \in_R \mathbb{Z}_q$. This can be done by the simultaneous exponentiation method. Note that $G_2 = (g^{xe}\nu)^y = g^{(xe + v)y}$. He sends $(s, G_2)$ to Alice.

3. While waiting for message 2, Alice computes $e = h_2(G_1, id, Alice, Bob)$. After receiving message 2, Alice computes $v = h_1(s, \pi)$, $w = (xe + v)^{-1} x \bmod q$ and $\alpha = (G_2)^w$. Note that $\alpha = (g^{(xe+v)y})^{(xe+v)^{-1} x} = g^{yx}$. She computes $K_1 = h_3(\alpha)$ and $H_{11} = h_4(G_1, K_1)$. She sends $H_{11}$ to Bob.

4. While waiting for message 3, Bob computes $\beta = (g^x)^y = g^{xy}$, $K_2 = h_3(\beta)$ and $H_{12} = h_4(G_1, K_2)$. After receiving message 3, Bob compares $H_{12}$ with $H_{11}$. If they match, he computes $H_{22} = h_5(G_2, K_2)$ and sends $H_{22}$ to Alice. This means he has authenticated Alice, who knows $\pi$ (actually, $v$), and agreed upon $K \; (= K_1 = K_2)$.

5. While waiting for message 4 from Bob, Alice computes $H_{21} = h_5(G_2, K_1)$. After receiving message 4, she compares $H_{21}$ with $H_{22}$. If they match, Alice also agrees on $K \; (= K_1 = K_2)$ while authenticating Bob, who knows $\nu$.

The whole structure of AMP+ is exactly the same as that of AMP except that $G_2$ includes a randomizer $e$ for avoiding the information leakage of $g^{xy}$; only the computation of $e$ has been added to AMP. Therefore, security and efficiency are approximately bounded by AMP. AMP+ also passes four messages between Alice and Bob, and benefits from the simultaneous multiple exponentiation method; $\alpha^a \beta^b$ needs 16% more multi-precision multiplications than $\alpha^a$ does on average [8, 4]. Therefore, each party's exponentiation count is still two while the parallel exponentiation is still 3E. The randomness of $e$ is totally dependent upon the randomness of $g^x$, so Bob cannot contribute to its randomness.
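The Numerical Assumption and the five AMP+ steps above can be exercised end to end. The following Python is an added example, not the note's or the author's code: it generates a secure prime in the note's first sense ($p = 2qr + 1$ with $q$ and $r = (p-1)/2q$ prime), derives $g = \gamma^{(p-1)/q}$, applies the small-subgroup confinement check to every received value, and then runs AMP+ between a simulated Alice and Bob. Modelling $h_1$ to $h_5$ as SHA-256 with a one-byte domain tag, using Miller-Rabin with random bases as the primality test, and the bit sizes, record layout and function names are this example's own assumptions; a wrong password makes Bob's check $H_{11} = H_{12}$ fail, and a degenerate value ($x e + v \equiv 0$, or a received element outside the order-$q$ subgroup) restarts the run with fresh randomness.

```python
"""Secure-prime group generation (Numerical Assumption) and one AMP+ run (Figure 1).
Added example, not the note's code.  Assumed: h_1..h_5 = SHA-256 with a domain tag,
Miller-Rabin with random bases as primality test, bit sizes chosen by the example."""
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random prime with the top bit set, so it has exactly `bits` bits."""
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(n):
            return n


def secure_prime_group(pbits, qbits):
    """p = 2*q*r + 1 with q, r prime and r > q, so (p-1)/2q is itself prime;
    g = gamma^((p-1)/q) has order exactly q for any gamma outside the kernel."""
    assert pbits >= 2 * qbits + 2          # forces r > q (every factor of (p-1)/2q exceeds q)
    q = random_prime(qbits)
    while True:
        r = random_prime(pbits - qbits - 1)
        p = 2 * q * r + 1
        if p.bit_length() == pbits and is_probable_prime(p):
            break
    while True:
        g = pow(2 + secrets.randbelow(p - 3), (p - 1) // q, p)
        if g != 1:
            return p, q, g


def in_subgroup(p, q, val):
    """Confinement check: reject 0, 1, p-1 and anything outside the order-q subgroup."""
    return 1 < val < p - 1 and pow(val, q, p) == 1


def h(tag, *parts):
    """h_tag(...) modelled as SHA-256 over a domain tag and length-prefixed arguments."""
    d = hashlib.sha256(bytes([tag]))
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        d.update(len(data).to_bytes(4, "big") + data)
    return d.digest()


def h_int(q, tag, *parts):
    """h_1 and h_2 feed exponents, so map the digest into [1, q-1]."""
    return 1 + int.from_bytes(h(tag, *parts), "big") % (q - 1)


def bob_setup(group, identity, password):
    """Setup: Bob stores (id, s, nu = g^v) with v = h_1(s, pi) and discards pi."""
    p, q, g = group
    salt = secrets.token_bytes(16)
    return {"id": identity, "salt": salt, "nu": pow(g, h_int(q, 1, salt, password), p)}


def run_amp_plus(group, identity, password, record):
    """One AMP+ run; returns the transcript so the algebra can be checked.
    ValueError means a verification failed; degenerate values restart the run."""
    p, q, g = group
    for _ in range(8):
        x = 2 + secrets.randbelow(q - 2)                   # step 1: Alice, x not in {0, 1}
        G1 = pow(g, x, p)
        if not in_subgroup(p, q, G1):                       # step 2: Bob checks g^x
            continue
        y = 2 + secrets.randbelow(q - 2)
        e = h_int(q, 2, G1, identity, "Alice", "Bob")       # both sides derive the same e
        G2 = pow(G1, e * y % q, p) * pow(record["nu"], y, p) % p   # (G1^e nu)^y
        if not in_subgroup(p, q, G2):                       # step 3: Alice checks G2
            continue
        v = h_int(q, 1, record["salt"], password)
        if (x * e + v) % q == 0:
            continue
        w = pow((x * e + v) % q, -1, q) * x % q
        alpha = pow(G2, w, p)                               # equals g^{xy} iff v matches nu
        K1 = h(3, alpha)
        H11 = h(4, G1, K1)
        beta = pow(G1, y, p)                                # step 4: Bob computes g^{xy}
        K2 = h(3, beta)
        if H11 != h(4, G1, K2):
            raise ValueError("Bob rejects Alice: H11 != H12")
        H22 = h(5, G2, K2)
        if h(5, G2, K1) != H22:                             # step 5: Alice verifies Bob
            raise ValueError("Alice rejects Bob: H21 != H22")
        return {"key": K1, "x": x, "y": y, "e": e, "v": v, "G2": G2,
                "alpha": alpha, "beta": beta}
    raise RuntimeError("repeatedly hit degenerate parameters")
```

`secure_prime_group(1024, 160)` takes a few seconds in CPython and gives the 160-bit $q$ the note mentions; the returned transcript exposes $x$, $y$, $e$ and $v$ only so that the identities $\alpha = \beta = g^{xy}$ and $G_2 = g^{(xe+v)y}$ can be inspected, and a real implementation would hand back the key alone.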
The information leakage argument has been clearly avoided since $G_2 = g^{(xe+v)y}$ while the agreed key is still $g^{xy}$. Now $G_2$ is not related to the agreed key any more without solving $\log_g g^v$ and $\log_g g^y$. AMP+ is a simple extension of AMP for avoiding the information leakage and is as practical as AMP.

2.2 AMP++

Our second extension is AMP++, based on hint 2. AMP++ has a slightly different protocol setup procedure from AMP and AMP+.

Protocol Setup. This step determines and publishes the global parameters of AMP++.
1. Alice and Bob share $g$, $p$ and $q$.
2. Alice chooses $\pi \in_R \{0,1\}^{\omega(k)}$ and notifies Bob in an authentic manner.
3. $id$ indicates an identifier or name of Alice; more precisely, a user name.
4. Bob stores $(id, \nu = g^{-v})$ where $v = h_1(id, Bob, \pi)$ (see footnote 1). Bob should throw away $\pi$ and $v$ but keep $id$ and $\nu$.

Footnote 1: We can also use the conventional salt scheme such that $v = h_1(s, \pi)$ where $s \in_R \{0,1\}^{t(k)}$. See the later part.

Protocol Run. The following describes how to run AMP++. Note that the cases $x_1 \in \{0,1\}$, $x_2 \in \{0,1\}$, $y \in \{0,1\}$, $g^x \in \{0,1\}$, $(g^x \nu)^y \in \{0,1\}$, and their small subgroup confinements must be avoided for security reasons. Alice and Bob can easily detect and discard such insecure parameters in the protocol.

Figure 2: AMP++ Protocol

Alice (input $(id, \pi)$) | Bob (stores $(id, \nu)$)

Alice: $x_1, x_2 \in_R \mathbb{Z}_q$; $v = h_1(id, Bob, \pi)$; $G_0 = x_1 + v \bmod q$; $G_1 = g^{x_2}$.
  Alice → Bob: $id, G_0 \; (= x_1 + v), G_1 \; (= g^{x_2})$
Bob: fetch $(id, \nu)$; $y \in_R \mathbb{Z}_q$; $G_2 = (G_1 \nu)^y$; $e = h_2(G_0, G_1, G_2, id, Alice, Bob)$.
  Bob → Alice: $G_2 \; (= (g^{x_2}\nu)^y)$
Alice: $e = h_2(G_0, G_1, G_2, id, Alice, Bob)$; $w = (x_2 - v)^{-1}(x_1 + e x_2) \bmod q$; $\alpha = (G_2)^w$; $K_1 = h_3(\alpha)$; $H_{11} = h_4(G_0, G_1, K_1)$; $H_{21} = h_5(G_2, K_1)$.
  Alice → Bob: $H_{11} \; (= h(g^{x_2}, K))$
Bob: $\beta = (g)^{G_0 y} (\nu)^y (G_1)^{ey}$; $K_2 = h_3(\beta)$; $H_{12} = h_4(G_0, G_1, K_2)$; verify $H_{11} \stackrel{?}{=} H_{12}$; $H_{22} = h_5(G_2, K_2)$.
  Bob → Alice: $H_{22} \; (= h((g^{x_2}\nu)^y, K))$
Alice: verify $H_{21} \stackrel{?}{=} H_{22}$.

The following steps describe how the protocol is executed in Figure 2.

1. Alice computes $v = h_1(id, Bob, \pi)$, $G_0 = x_1 + v \bmod q$, and $G_1 = g^{x_2}$ by choosing $x_1, x_2 \in_R \mathbb{Z}_q$, and sends $(id, G_0, G_1)$ to Bob.

2. After receiving message 1, Bob loads $\nu$ and computes $G_2 = (G_1 \nu)^y$ by choosing $y \in_R \mathbb{Z}_q$. This can be done by the simultaneous exponentiation method, i.e., $G_1^y \nu^y$. Note that $G_2 = (g^{x_2}\nu)^y = g^{(x_2 - v)y}$. He sends $G_2$ to Alice.

3. After receiving message 2, Alice computes $e = h_2(G_0, G_1, G_2, id, Alice, Bob)$, $w = (x_2 - v)^{-1}(x_1 + e x_2) \bmod q$, and $\alpha = (G_2)^w$. Note that $\alpha = (g^{(x_2 - v)y})^{(x_2 - v)^{-1}(x_1 + e x_2)} = g^{y(x_1 + e x_2)}$. She computes $K_1 = h_3(\alpha)$ and $H_{11} = h_4(G_0, G_1, K_1)$. She sends $H_{11}$ to Bob.

4. While waiting for message 3, Bob computes $e = h_2(G_0, G_1, G_2, id, Alice, Bob)$, $\beta = (g)^{G_0 y} (\nu)^y (G_1)^{ey}$, $K_2 = h_3(\beta)$ and $H_{12} = h_4(G_0, G_1, K_2)$. Note that $\beta = g^{(x_1 + v)y} g^{-vy} g^{x_2 e y} = g^{(x_1 + e x_2)y}$. After receiving message 3, Bob compares $H_{11}$ with $H_{12}$. If they are equal, he computes $H_{22} = h_5(G_2, K_2)$ and sends it to Alice. This means he has authenticated Alice, who knows $\pi$ (actually, $v$), and agreed upon $K \; (= K_1 = K_2)$.

5. While waiting for message 4, Alice computes $H_{21} = h_5(G_2, K_1)$. After receiving message 4, she compares $H_{21}$ with $H_{22}$. If $H_{21} = H_{22}$, Alice also agrees on $K \; (= K_1 = K_2)$ while authenticating Bob, who knows $\nu$.

The information leakage argument has been clearly avoided since the agreed key is $g^{(x_1 + e x_2)y}$ while $G_2 = g^{(x_2 - v)y}$. AMP++ also passes four messages between Alice and Bob, and benefits from the simultaneous multiple exponentiation method; $\alpha^a \beta^b$ needs 16% and $\alpha^a \beta^b \gamma^c$ needs 25% more multi-precision multiplications than $\alpha^a$ does on average [8, 4]. Considering the benefit of the simultaneous method, it can be said that each party of our modified protocol still needs two exponentiations, each $O((\log n)^3)$. In addition, the parallel exponentiation is still three times (3E) [1]. Several mod $q$ operations and one mod $p$ exponentiation in $\alpha$ must compensate for the mod $p$ simultaneous exponentiation in $\beta$, and they are bounded by $O((\log n)^3) + \epsilon$ for negligible expense $\epsilon$. The use of a secure prime allows $q$ ($\geq l(k)$) to be 160 bits long.
It is helpful for efficiency in message size and $\mathbb{Z}_q$ operations.

Conventional Salt in AMP++. For efficiency (3E), we considered the salt scheme discussed in Bellare and Rogaway [2]. However, we can accommodate the conventional salt scheme at the cost of parallel exponentiation (4E). Instead of the id-based implicit salt, Bob chooses $s \in_R \{0,1\}^{t(k)}$ and stores $(id, s, \nu = g^{-v})$ where $v = h_1(s, \pi)$ in the setup phase. Bob should send Alice the salt $s$ with $G_2$ in step 2. Alice should compute $v$ after receiving message 2, so that she can compute and pass $G_0$ with $H_{11}$ in step 3. Therefore, Bob is able to compute $\beta$ only after receiving message 3. That is, the conventional salt protocol loses the parallel computation of $\alpha$ and $\beta$, so that the parallel exponentiation cost becomes 4E rather than 3E. However, it is still comparable to other protocols such as AMP (3E), AMP+ (3E), and SRP (4E) [1, 9].

3 Conclusion

In this document, we have shown how to avoid the information leakage argument in our previous contribution, "Ultimate Solution to Authentication via Memorable Password" [1], though we would like to stress that it is not critical even in the original AMP. We proposed two extended AMP protocols, AMP+ and AMP++. Note that $G_2 = g^{(xe+v)y}$ while the agreed key was still $g^{xy}$ in AMP+. Also note that the agreed key was $g^{(x_1 + e x_2)y}$ while $G_2 = g^{(x_2 - v)y}$ in AMP++. Both clearly prevent the information leakage of the agreed key in $G_2$, in the sense that $G_2$ and the agreed key are exactly unrelated regarding the intractability of the discrete logarithm problem and the Diffie-Hellman problem. The implicit salt scheme discussed in Bellare and Rogaway [2] and the secure prime modulus [3] have been helpful for preserving the efficiency of AMP in AMP++, while AMP+ intrinsically preserved the efficiency of AMP.

References

[1] T. Kwon, "Ultimate Solution to Authentication via Memorable Password," Contribution to the IEEE P1363 study group for Future PKC Standards, available from the study group's submissions page.
[2] M. Bellare and P. Rogaway, "The AuthA protocol for password-based authenticated key exchange," Contribution to the IEEE P1363 study group for Future PKC Standards, available from .../Group/submissions.html#autha.
[3] C. Lim and P. Lee, "A key recovery attack on discrete log-based schemes using a prime order subgroup," Crypto '97, 1997.
[4] A. Menezes, P. van Oorschot and S. Vanstone, Handbook of Applied Cryptography, CRC Press, Inc., 1997.
[5] P. van Oorschot and M. Wiener, "On Diffie-Hellman key agreement with short exponents," Eurocrypt '96, 1996.
[6] S. Pohlig and M. Hellman, "An improved algorithm for computing logarithms over GF(p) and its cryptographic significance," IEEE Transactions on Information Theory, vol. 24, no. 1, 1978.
[7] J. Pollard, "Monte Carlo methods for index computation (mod p)," Mathematics of Computation, vol. 32, 1978.
[8] C. P. Schnorr, "Efficient identification and signatures for smart cards," Crypto '89, LNCS 435, 1989.
[9] T. Wu, "Secure remote password protocol," Internet Society Symposium on Network and Distributed System Security.
ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,
More informationNetwork Security Based on Quantum Cryptography Multi-qubit Hadamard Matrices
Global Journal of Computer Science and Technology Volume 11 Issue 12 Version 1.0 July Type: Double Blind Peer Reviewed International Research Journal Publisher: Global Journals Inc. (USA) Online ISSN:
More informationElliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.
Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elisa Lorenzo García Université de Rennes 1 14-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 1 /
More informationb = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.
INTRODUCTION TO CRYPTOGRAPHY 5. Discrete Logarithms Recall the classical logarithm for real numbers: If we write b = 10 a, then a = log 10 b is the logarithm of b to the base 10. Changing the base to e
More information8 Elliptic Curve Cryptography
8 Elliptic Curve Cryptography 8.1 Elliptic Curves over a Finite Field For the purposes of cryptography, we want to consider an elliptic curve defined over a finite field F p = Z/pZ for p a prime. Given
More informationCryptography: A Fairy Tale for Mathematicians and Starring Mathematicians!
Cryptography: A Fairy Tale for Mathematicians and Starring Mathematicians! University of California, Berkeley Mathematics Undergraduate Student Association October 27, 2014 Why Crypto? So why on earth
More information10 Public Key Cryptography : RSA
10 Public Key Cryptography : RSA 10.1 Introduction The idea behind a public-key system is that it might be possible to find a cryptosystem where it is computationally infeasible to determine d K even if
More informationThe Elliptic Curve in https
The Elliptic Curve in https Marco Streng Universiteit Leiden 25 November 2014 Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 1 The s in https:// HyperText Transfer Protocol
More informationRSA. Ramki Thurimella
RSA Ramki Thurimella Public-Key Cryptography Symmetric cryptography: same key is used for encryption and decryption. Asymmetric cryptography: different keys used for encryption and decryption. Public-Key
More informationFundamentals of Modern Cryptography
Fundamentals of Modern Cryptography BRUCE MOMJIAN This presentation explains the fundamentals of modern cryptographic methods. Creative Commons Attribution License http://momjian.us/presentations Last
More informationduring signature generation the secret key is never reconstructed at a single location. To provide fault tolerance, one slightly modies the above tech
Generating a Product of Three Primes with an Unknown Factorization Dan Boneh and Jeremy Horwitz Computer Science Department, Stanford University, Stanford, CA 94305-9045 fdabo,horwitzg@cs.stanford.edu
More informationCryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95
Cryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95 Jean-Sébastien Coron and David Naccache Gemplus Card International 34 rue Guynemer, 92447 Issy-les-Moulineaux, France {jean-sebastien.coron,
More informationPAPER An Identification Scheme with Tight Reduction
IEICE TRANS. FUNDAMENTALS, VOL.Exx A, NO.xx XXXX 200x PAPER An Identification Scheme with Tight Reduction Seiko ARITA, Member and Natsumi KAWASHIMA, Nonmember SUMMARY There are three well-known identification
More informationP.B. Stark. January 29, 1998
Statistics 210B, Spring 1998 Class Notes P.B. Stark stark@stat.berkeley.edu www.stat.berkeley.eduèçstarkèindex.html January 29, 1998 Second Set of Notes 1 More on Testing and Conædence Sets See Lehmann,
More informationPublic key exchange using semidirect product of (semi)groups
Public key exchange using semidirect product of (semi)groups Maggie Habeeb 1, Delaram Kahrobaei 2, Charalambos Koupparis 3, and Vladimir Shpilrain 4 1 California University of Pennsylvania habeeb@calu.edu
More informationPublic Key Algorithms
Public Key Algorithms Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/
More informationMATH 158 FINAL EXAM 20 DECEMBER 2016
MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page
More informationHidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV *
2017 2nd International Conference on Artificial Intelligence: Techniques and Applications (AITA 2017) ISBN: 978-1-60595-491-2 Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV * DCS
More informationCryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups
Great Theoretical Ideas in CS V. Adamchik CS 15-251 Upcoming Interview? Lecture 24 Carnegie Mellon University Cryptography and RSA How the World's Smartest Company Selects the Most Creative Thinkers Groups
More informationChapter 4 Asymmetric Cryptography
Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman [NetSec/SysSec], WS 2008/2009 4.1 Asymmetric Cryptography General idea: Use two different keys -K and +K for
More informationIntroduction to Elliptic Curve Cryptography. Anupam Datta
Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups
More information