The Polynomial Composition Problem in (Z/nZ)[X]
|
|
- Juniper Gaines
- 6 years ago
- Views:
Transcription
1 The Polynomial Composition Problem in (Z/nZ)[X] Marc Joye 1, David Naccache 2, and Stéphanie Porte 3 1 Thomson R&D, Security Competence Center 1 avenue de Belle Fontaine, Cesson-Sévigné Cedex, France marc.joye@thomson.net 2 Ecole normale supérieure, Département d informatique 45 rue d Ulm, Paris Cedex 05, France david.naccache@ens.fr 3 Smart Consulting 2 rue Louis Vignol, La Ciotat, France stef.porte@gmail.com Abstract. Let n be an RSA modulus and let P, Q (Z/nZ)[X]. This paper explores the following problem: Given polynomials Q and Q(P), find polynomial P. We shed light on the connections between the above problem and the RSA problem and derive from it new zero-knowledge protocols suited to smart-card applications. Keywords: Polynomial composition, zero-knowledge protocols, Fiat- Shamir protocol, Guillou-Quisquater protocol, smart cards. 1 Introduction Smart cards play an active role in security systems. Their salient features make them attractive in numerous applications, including to name a few the areas of banking, telephone, health, pay TV, home computers, and communication networks. One of the primary use of smart cards resides in authentication. There exist basically two families of methods currently used for authenticating purposes. The first family relies on secret-key one-way functions while the second one makes use of public-key techniques. Both families have their own advantages. This paper focuses on the second family. In particular, we study zero-knowledge techniques. In a typical scenario, the smart card, characterized by a set of credentials, plays the role of the proving entity. The first practical zero-knowledge protocol is due to Fiat and Shamir [3]. Remarkably, the protocol is rather efficient, computation-wise. It amounts to at most two modular multiplications per interaction. However, in order to reach a level of confidence of (1 2 k ), the basic protocol has to be repeated k times a typical value for k is k = 40. In order to reduce the communication overhead, there is also a multiple-key protocol, at the expense of more key material. Another zero-knowledge protocol well suited to smart-card applications is the
2 Guillou-Quisquater protocol [4] (a.k.a. GQ protocol). The GQ protocol features small storage requirements and needs a single interaction. In this paper we introduce a new problem, the Polynomial Composition Problem, which can be stated as follows. Let P and Q be two polynomials in (Z/nZ)[X] where n is an RSA modulus. Given polynomials Q and S := Q(P), find P. Most public-key cryptographic schemes base their security on the difficulty of solving a hard mathematical problem. Given that the number of hard problems harnessable to cryptographic applications is rather limited, the investigation of new problems is of central importance in cryptography. To understand the Polynomial Composition Problem and its variants, we explore in the following sections the way in which the PCP relates to the celebrated RSA problem. The Polynomial Composition Problem in (Z/nZ)[X] does not imply the RSA Problem, that is, the computation of roots in Z/nZ. Nevertheless, we exhibit a related problem that we call Reducible Polynomial Composition Problem (RPCP) and prove that RPCP RSA. In particular, we prove that when Q(X) = X q then the Polynomial Composition Problem is equivalent to the problem of extracting q th roots in Z/nZ. These new problems allow us to broaden the view of existing cryptographic constructions. Namely, we describe a general PCP-based zero-knowledge protocol of which the Fiat-Shamir and the Guillou-Quisquater protocols are particular instances. As will be seen later, if s denotes the secret, they respectively correspond to the cases Q(X) = vx 2 and Q(X) = vx ν (ν 3), with Q(s) = 1. The rest of this paper is organized as follows. In Section 2, we formally define the Polynomial Composition Problem and introduce the notations used throughout this paper. The hardness of the problem and its comparison with RSA are analyzed in Section 3. Finally, in Section 4, we show that the PCP allows one to generalize several zero-knowledge protocols. 2 The Polynomial Composition Problem We suggest the following problem as a basis for building cryptographic protocols. Problem 1 (Polynomial Composition Problem (PCP)). Let P and Q be two polynomials in (Z/nZ)[X] where n is an RSA modulus. Given polynomials Q and S := Q(P), find P. Throughout this paper p and q denote the degrees of P and Q, respectively. Let p P(X) = u i X i i=0
3 where the u i s denote the unknowns we are looking for. We assume that is known. Hence, S (X) = Q(Y) = q k j Y j j=0 q ( p ) j k j u i X i. j=0 If, given polynomials Q (Y) := Q(Y) k 0 and S (X) := Q (P(X)), an attacker can recover P then the same attacker can also recover P from {Q, S } by first forming polynomials Q (Y) = Q(Y) k 0 and S (X) = S (X) k 0. Therefore the problem is reduced to that of decomposing polynomials where Q has no constant term, i.e., Q(Y) = q j=1 k jy j. Similarly, once this has been done, the attacker can divide Q by a proper constant and replace one of the coefficients k j by one. Consequently and without loss of generality we restrict our attention to monic polynomials Q with no constant term, that is, i=0 Q(Y) = Y q + k q 1 Y q k 1 Y. (1) Noting that q = 1 implies that S = Q(P) = P, we also assume that q 2. 3 Analyzing the Polynomial Composition Problem As before, let P(X) = p i=0 u ix i and let Q(Y) = Y q + q 1 j=1 k jy j. Generalizing Newton s binomial formula and letting k q := 1, we get S (X) = q ( p ) j k j u i X i j=1 pq = t=0 i=0 1 i 0 + +i p q i 1 +2i 2 + +pi p =t k i0 + +i p (i 0 + +i p )! i 0!...i p! } {{ } :=c t i0 i u 0 u p p X t, (2) where the second sum is extended over all nonnegative integers i j satisfying 1 p j=0 i j q and p j=0 j i j = t. 3.1 RSA Problem Polynomial Composition Problem We define polynomials P 0,..., P pq (Z/nZ)[U 0,..., U p ] as P t (U 0,..., U p ) := 1 i 0 + +i p q i 1 +2i 2 + +pi p =t k i0 + +i p (i i p )! i 0!... i p! Note that P t (u 0,..., u p ) = 0 for all 0 t pq. U 0 i0 U p i p c t. (3)
4 Proposition 1. For all 0 r p, P pq r (Z/nZ)[U p r,..., U p ]. Furthermore, for all 1 r p, P pq r is of degree exactly one in variable U p r. Proof. For r = 0, we have P pq (U 0,..., U p ) = U p q c pq. For r = p, the condition P pq r (Z/nZ)[U p r,..., U p ] is trivially satisfied. Fix r in [1, p). By contradiction, suppose that P pq r (Z/nZ)[U p r,..., U p ]. So from Eq. (3), there exists some i j 0 with 0 j p r 1. Since 1 i 0 + +i p q, it follows that i 1 + 2i pi p j 1 + p (q 1) < pq r; a contradiction because i 1 + 2i pi p = pq r for polynomial P pq r. Moreover, for all 1 r p, P pq r is of degree one in variable U p r since we cannot simultaneously have 1 p j=0 i j q, p j=0 j i j = pq r, and i p r 2. Indeed, i p r 2 implies i 1 + 2i pi p (p r) 2 + p (q 2) < pq r, a contradiction. When i p r = 1, i 1 + 2i pi p = pq r if i p = q 1 and i j = 0 for all 0 (j p r) p 1. This implies that the only term in U p r appearing in polynomial P pq r is qu p r U q 1 p, whatever the values of variables k i s are. Corollary 1. If the value of u p is known then the Polynomial Composition Problem can be solved in time O(p). Proof. Solving for U p 1 the relation P pq 1 (U p 1, u p ) = 0 (which is a univariate polynomial of degree exactly one in U p 1 by virtue of the previous proposition), the value of u p 1 is recovered. Next, the root of P pq 2 (U p 2, u p 1, u p ) gives the value of u p 2 and so on until the value of u 0 is found. Note that the running time of the resolution process is O(p) and is thus exponential in the bit-length of p. This means that for low degree polynomials, the Polynomial Composition Problem in Z/nZ is easier than the problem of computing q th roots in Z/nZ because if an attacker is able to compute a q th modular root (i.e., to solve the RSA Problem) then she can find u p from P pq (u p ) = u p q c pq = 0 and then apply the technique explained in the proof of Corollary 1 to recover u p 1,..., u 0. In other words, Corollary 2. RSA Problem Polynomial Composition Problem. There is a proposition similar to Proposition 1. It says that once u 0 is known, u 1,..., u p can be found successively thanks to polynomials P 1,..., P p, respectively. Proposition 2. For all 0 r p, P r (Z/nZ)[U 0,..., U r ]. Furthermore, for all 1 r p, P r is of degree exactly one in variable U r. Proof. We have P 0 (U 0 ) = q j=1 k ju j 0 c 0. For r [1, p], suppose that P r (Z/nZ)[U 0,..., U r ]. Therefore, i 1 + 2i pi p (r + 1) 1 > r; a contradiction since i 1 + 2i pi p = r. Moreover, we can easily see that P r (U 0,..., U r ) = qu q 1 U 0 r + q 1 j=1 k j j U j 1 0 U r + Q r (U 0,..., U r 1 ) for some polynomial Q r (Z/nZ)[U 0,..., U r 1 ].
5 3.2 Reducible Polynomial Composition Problem RSA Problem The Polynomial Composition Problem cannot be equivalent to the RSA Problem. Consider for example the case p = 2 and q = 3: we have P(X) = u 2 X 2 + u 1 X + u 0 and Q(X) = X 3 + k 2 X 2 + k 1 X, and S (X) = c 6 X 6 + c 5 X 5 + c 4 X 4 + c 3 X 3 + c 2 X 2 + c 1 X + c 0 c 0 = k 1 u 0 + k 2 u u3 0, c 1 = k 1 u 1 + 2k 2 u 0 u 1 + 3u 2 0 u 1, c 2 = k 2 u u 0u k 1u 2 + 2k 2 u 0 u 2 + 3u 2 0 u 2, with c 3 = u k 2u 1 u 2 + 6u 0 u 1 u 2, c 4 = 3u 2 1 u 2 + k 2 u u 0u 2 2, c 5 = 3u 1 u 2 2, c 6 = u 3 2. We define the polynomials P 0 (U 0 ) := k 1 U 0 + k 2 U U3 0 c 0, P 1 (U 0, U 1 ) := k 1 U 1 +2k 2 U 0 U 1 +3U 2 0 U 1 c 1, and P 5 (U 1, U 2 ) := 3U 1 U 2 2 c 5. Now we first compute the resultant of P 0 and P 1 with respect to variable U 0 and obtain a univariate polynomial in U 1, say R 0 = Res U0 (P 0, P 1 ). Next we compute the resultant of R 0 and P 5 with respect to variable U 1 and get a univariate polynomial in U 2, say R 1 = Res U1 (R 0, P 5 ). After computation, we get R 1 (U 2 ) = 27c 3 1 U6 2 + (27c2 1 c 5k 1 9c 2 1 c 5k 2 2 )U4 2 +( 4c 3 5 k3 1 + c3 5 k2 2 b2 18c 0 c 3 5 k 1k 2 + 4c 0 c 3 5 k3 2 27c2 0 c3 5 ). Since u 2 is a root of both R 1 (U 2 ) and P 6 (U 2 ) := U 3 2 c 6, u 2 will be a root of their greatest common divisor in (Z/nZ)[U 2 ], which is given by (27c 2 1 c 5k 1 9c 2 1 c 5k 2 2 )c 6U 2 + (27c 3 1 c2 6 4c3 5 k3 1 + c3 5 k2 1 k2 2 18c 0c 3 5 k 1k 2 + 4c 0 c 3 5 k3 2 27c2 0 c3 5 ), from which we derive the value of u 2. Once u 2 is known, the values of u 1 and u 0 trivially follow by Corollary 1. We now introduce a harder problem: the Reduced Polynomial Composition Problem in (Z/nZ)[X]. Problem 2 (Reduced Polynomial Composition Problem (RPCP)). Let P and Q be two polynomials in (Z/nZ)[X] where n is an RSA modulus. Given Q and the deg(p) + 1 most significant coefficients of S := Q(P), find P. Definition 1. When the Polynomial Composition Problem is equivalent to the Reduced Polynomial Composition Problem, it is said to be reducible.
6 Equivalently, the Polynomial Composition Problem is reducible when the values of c 0,..., c p(q 1) 1 can be derived from c p(q 1),..., c pq and k 1,..., k q 1. This is for example the case when p = q = 2, that is, when P(X) = u 2 X 2 + u 1 X + u 0, Q(X) = X 2 + k 1 X, and S (X) = c 4 X 4 + c 3 X 3 + c 2 X 2 + c 1 X + c 0 c 0 = k 1 u 0 + u 2 0, c 1 = k 1 u 1 + 2u 0 u 1, with c 2 = k 1 u 2 + 2u 0 u 2 + u 2 1, c 3 = 2u 1 u 2, c 4 = u 2 2. An astute algebraic manipulation yields: c 1 = 4c 2c 3 c 4 c 3 3 8c 2 4 (mod n) and c 0 = 4c2 1 c 4 c 2 3 k2 1 4c 2 3 (mod n). If follows that we can omit the first two relations (the information included therein is anyway contained in the remaining three as we had just shown) and the problem amounts to solving the Reduced Polynomial Composition Problem: c 2 = k 1 u 2 + 2u 0 u 2 + u 2 1, c 3 = 2u 1 u 2, c 4 = u 2 2. Theorem 1. Reducible Polynomial Composition Problem RSA Problem. Proof. Assume that we are given an oracle O PCP (k 1,..., k q 1 ; c 0,..., c pq ) which on input polynomials Q(X) = X q + q 1 j=1 k jx j and S (X) = pq t=0 c tx t returns the polynomial P(X) = p i=0 u ix i such that S (X) = Q(P(X)). When the polynomial composition is reducible, oracle O PCP can be used to compute a q th root of a given x Z/nZ, i.e., compute a y satisfying y q x (mod n). 1. choose p + q 1 random values k 1,..., k q 1, c p(q 1),..., c pq 1 Z/nZ; 2. compute c 0,..., c p(q 1) 1 ; 3. run O PCP (k 1,..., k q 1 ; c 0,..., c pq 1, x); 4. get u 0,..., u p ; 5. set y := u p and so y q x (mod n). Note that Step 2 can be executed since the composition is supposed to be reducible. Furthermore, note that the values of c pq 1,..., c p(q 1) uniquely determine the values of u p 1,..., u 0, respectively. Indeed, from Proposition 1, P pq r (U p r, u p r+1,..., u p ) (Z/nZ)[U p r ] is a polynomial of degree exactly one of which u p r is root, for all 1 r p.
7 3.3 A Practical Criterion In this section, we present a simple criterion allowing to decide if a given composition problem is reducible. During the proof of Proposition 1, we have shown that there exists a polynomial Q pq r (Z/nZ)[U p r+1,..., U p ] such that P pq r (U p r,..., U p ) = qu p r U p q 1 + Q pq r (U p r+1,..., U p ) for all 1 r p. From c pq = (u p ) q, we infer: u p r = Q pq r(u p r+1,..., u p ) q c pq u p, (1 r p). (4) Using Eq. (4), for r = 1,..., p, we now iteratively compute u p 1,..., u 0 as a polynomial function in u p. We let Υ p r denote this polynomial function, i.e., u p r = Υ p r (u p ) for all 1 r p. We then respectively replace u 0,..., u p 1 by Υ 0 (u p ),..., Υ p 1 (u p ) in the expressions of c 0,..., c pq p 1. If, for each c i (0 i pq p 1), the powers of u p cancel thanks to (u p ) q 1 = c pq then the problem is reducible. We illustrate the technique with the example P(X) = u 3 X 3 + u 2 X 2 + u 1 X + u 0 and Q(Y) = Y 3. Then S (X) = 9 t=0 c tx t with c 0 = u 3 0, c 1 = 3u 2 0 u 1, c 2 = 3u 2 0 u 2 + 3u 0 u 2 1, c 3 = 3u 2 0 u 3 + 6u 0 u 1 u 2 + u 3 1, c 4 = 6u 0 u 1 u 3 + 3u 0 u u2 1 u 2, c 5 = 6u 0 u 2 u 3 + 3u 2 1 u 3 + 3u 1 u 2 2, c 6 = 3u 0 u u 1u 2 u 3 + u 3 2, c 7 = 3u 1 u u2 2 u 3, c 8 = 3u 2 u 2 3, c 9 = u 3 3. From the respective expressions of c 8, c 7 and c 6, we successively find Υ 2 (u 3 ) = c 8 u 3, Υ 1 (u 3 ) = 3c 7c 9 c 8 u 3c 9 9c 2 3, 9 and Υ 0 (u 3 ) = 27c 6c 2 9 6c 8(3c 7 c 9 c 2 8 ) c3 8 u 81c Since c 0,..., c 5 are homogeneous in u 0, u 1, u 2, u 3 and of degree three, they can be evaluated by replacing u 0, u 1, u 2 by Υ 0 (u 3 ), Υ 1 (u 3 ), Υ 2 (u 3 ), respectively, and then replacing (u 3 ) 3 by c 9. Consequently, the composition is reducible: the values of
8 c 0,..., c 5 can be inferred from c 6,..., c 9 and the problem amounts to computing cubic roots in Z/nZ. This is not fortuitous and can easily be generalized as follows. Corollary 3. For Q(Y) = Y q, the Polynomial Composition Problem in Z/nZ is equivalent to the RSA Problem, i.e. to the problem of extracting q th roots in Z/nZ. Proof. From Eq. (2), it follows that S (X) = pq t=0 c tx t with c t = i 0 + +i p =q i 1 +2i 2 + +pi p =t q! i 0! i p! u 0 i0 u p i p, which is homogeneous in u 0,..., u p and of degree i i p = q. Moreover since by induction, for 1 r p, Υ p r (u p ) = K p r u p for some constant K p r, the corollary follows. 4 Cryptographic Applications Loosely speaking, a zero-knowledge protocol allows a prover to demonstrate the knowledge of a secret without revealing any useful information about the secret. We show how to construct such a protocol thanks to composition of polynomials. 4.1 A PCP-Based Zero-Knowledge Protocol A trusted third party selects and publishes an RSA modulus n. Each prover P chooses two polynomials P, Q in (Z/nZ)[X] and computes S = Q(P). {Q, S } is P s public key given to the verifier V so as to ascertain P s knowledge of the secret key P. Execute l times the following protocol: P selects a random r Z/nZ. P evaluates c = S (r) and sends c to V. V sends to P a random bit b. If b = 0, P reveals t = r and V checks that S (t) = c. If b = 1, P reveals t = P(r) and V checks that Q(t) = c. PCP-Based Protocol. 4.2 Improvements Efficiency can be increased by using the following trick: P chooses ν polynomials P 1,..., P ν 1, Q in (Z/nZ)[X], with ν 3. Her secret key is the set {P 1,..., P ν 1 } while her public key consists of the set {S 0 =
9 Q, S 1 = Q(P ν 1 ), S 2 = Q(P ν 1 (P ν 2 )),..., S j = Q(P ν 1 (... (P ν j ))),..., S ν 1 = Q(P ν 1 (... (P 1 )))}. The protocol is shown below: P selects a random r Z/nZ P evaluates c = S ν 1 (r) and sends c to V. V sends to P a random integer 0 b ν 1. If b = 0, P reveals t = r and V checks that S ν 1 (t) = c. If b 0, P reveals t = P b (... (P 1 (r))) and V checks that S ν b 1 (t) = c. Nested PCP Protocol. 4.3 Relations with Other Zero-Knowledge Protocols It is interesting to note that our first protocol coincides with the (simplified) Fiat-Shamir protocol [3] (see also [5, Protocol 10.24]) when P(X) = sx and Q(X) = vx 2 where vs 2 1 (mod n). The nested variant may be seen as a generalization of the Guillou-Quisquater protocol [4] by taking P 1 (X) = P 2 (X) = = P ν 1 (X) = sx where s is a secret value and Q(X) = vx ν so that vs ν 1 (mod n). Indeed, in this case we have P ν 1 (... (P ν j (X))) = s j X and hence S j (X) = v 1 j X ν. An interesting research direction would be to extend the above protocols to Dickson polynomials. 5 Conclusion This paper introduced the Polynomial Composition Problem (PCP) and the related Reducible Polynomial Composition Problem (RPCP). Relations between these two problems and the RSA Problem were explored. Further, two concrete zero-knowledge protocols suited to smart-card applications were given as particular instances of PCP-based constructs. Acknowledgments We are grateful to Jesper Buus Nielsen (ETHZ) for attracting our attention to an important detail in the proof of Corollary 1. We are also grateful to the anonymous referees for useful comments. References 1. Henri Cohen. A Course in Computational Algebraic Number Theory, GTM 138, Springer-Verlag, Don Coppersmith, Matthew Franklin, Jacques Patarin, and Michael Reiter. Lowexponent RSA with related messages. In U. Maurer, ed., Advances in Cryptology EUROCRYPT 96, LNCS 1070, pp. 1 9, Springer-Verlag, 1996.
10 3. Amos Fiat, and Adi Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, ed., Advances in Cryptology CRYPTO 86, LNCS 263, pp , Springer-Verlag, Louis C. Guillou and Jean-Jacques Quisquater. A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory. In C. Günther, ed., Advances in Cryptology EUROCRYPT 88, LNCS 330, pp , Springer-Verlag, Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography, CRC Press, A Mathematical Background Let R be an integral domain with quotient field K. Definition 2. Given two polynomials A, B R[X], the resultant of A and B, denoted by Res(A, B), is defined as Res(A, B) = (a m ) n (b n ) m (α i β j ) (5) 1 i m,1 j n if A (X) = a m 1 i m(x α i ) and B(X) = b n 1 j n(x β j ) are the decompositions of A and B in the algebraic closure of K. From this definition, we see that Res(A, B) = 0 if and only if polynomials A and B have a common root (in K); hence if and only if A and B have a (non-trivial) common factor. Equivalently, we have Res(A, B) = (a m ) n B(α i ) = (b n ) m A (β j ). 1 i m 1 j n The resultant Res(A, B) can be evaluated without knowing the decomposition of A and B. Letting A (X) = 1 i m a i X i and B(X) = 1 j n b j X j, we have a m a m 1... a Res(A, B) = det This clearly shows that Res(A, B) R. 0 a m a m 1... a a m a m 1... a 0 b n b n 1... b n rows 0 b n b n 1... b m rows b n b n 1... b 0 A multivariate polynomial A R[X 1,..., X k ] (with k 2) may be viewed as a univariate polynomial in R[X 1,..., X k 1 ][X k ]. Consequently, it makes sense.
11 to compute the resultant of two multivariate polynomials with respect to one variable, say X k. If A, B R[X 1,..., X k ], we let Res Xk (A, B) denote the resultant of A and B with respect to X k. Lemma 1. Let A, B R[X 1,..., X k ] (with k 2). Then (α 1,..., α k ) is a common root (in K) of A and B if and only if (α 1,..., α k 1 ) is a root of Res Xk (A, B). B Additional Examples B.1 The case p = 3 and q = 2 Using the previous notations and simplifications, we write P(X) = u 3 X 3 + u 2 X 2 + u 1 X + u 0 and Q(Y) = Y 2 + k 1 Y. Expressing the c i s we get: c 0 = k 1 u 0 + u 2 0, c 1 = k 1 u 1 + 2u 0 u 1, c 2 = u k 1u 2 + 2u 0 u 2, c 3 = 2u 1 u 2 + k 1 u 3 + 2u 0 u 3, c 4 = u u 1u 3, c 5 = 2u 2 u 3, c 6 = u 2 3. Now using the criterion of 3.3, we find u 2 = c 5 2c 6 u 3, u 1 = Vu 3, and u 0 = k Lu 3 with V := 4c 4c 6 c 2 5 8c 2 6 and L := 8c 3c 2 6 c 5(4c 4 c 6 c 2 5 ). Hence, we derive: 16c 3 6 c 2 = c 6 V 2 + c 5 L, c 1 = 2c 6 LV, and c 0 = k L2 c 6. Being reducible, this proves that solving the PCP for p = 3 and q = 2 amounts to computing square roots in Z/nZ. B.2 The case p = 3 and q = 3 We have P(X) = u 3 X 3 + u 2 X 2 + u 1 X + u 0 and Q(X) = X 3 + k 2 X 2 + k 1 X. Defining polynomials P i as in Eq. (3), we successively compute R 0 := Res U0 (P 0, P 1 ), R 1 := Res U1 (R 0, P 7 ), and R 2 = Res U2 (R 1, P 8 ) wherefrom R 2 (u 3 ) = 19683c 3 1 u ( 6561c2 1 c 7k c2 1 c 7k 1 )u (2187c 2 1 c2 8 k c2 1 c2 8 k 1)u (2916c 0 c 3 7 k c3 7 k2 1 k c 0c 3 7 k 2k c 3 7 k3 1 = c 3 7 c2 0 )u ( 2916c 0 c 2 7 c2 8 k c2 8 c2 7 k2 2 k c2 8 c2 7 c 0k 2 k c 2 8 c2 7 k c 2 8 c2 7 c2 0 )u9 3 + (972c 4 8 c 7c 0 k c4 8 c 7k 2 1 k c4 8 c 7c 0 k 1 k 2 972c 4 8 c 7k c 4 8 c 7c 2 0 )u6 3 + ( 108c 6 8 c 0k c6 8 k2 1 k c6 8 c 0k 1 k c 6 8 k c6 8 c2 0 )u3 3
12 So, we obtain the value of u 3 by exploiting the additional relation c 9 = u 3 3 and hence the values of u 2, u 1, and u 0. Note that if we choose k 1 = k 2 /3 then the terms in u16 (= c u 3) and in u 13 3 (= c 4 9 u 3) disappear and consequently the value of u 3 cannot be recovered. In this case, the criterion shows again that the problem is equivalent to that of computing cubic roots in Z/nZ.
The Polynomial Composition Problem in (Z/nZ)[X]
The Polynomial Composition Problem in (Z/nZ)[X] Marc Joye 1, David Naccache 2, and Stéphanie Porte 1 1 Gemplus Card International Avenue du Jujubier, ZI Athélia IV, 13705 La Ciotat Cedex, France {marc.joye,
More informationCryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95
Cryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95 Jean-Sébastien Coron and David Naccache Gemplus Card International 34 rue Guynemer, 92447 Issy-les-Moulineaux, France {jean-sebastien.coron,
More informationPublic Key Authentication with One (Online) Single Addition
Public Key Authentication with One (Online) Single Addition Marc Girault and David Lefranc France Télécom R&D 42 rue des Coutures F-14066 Caen, France {marc.girault,david.lefranc}@francetelecom.com Abstract.
More informationA New Identification Scheme Based on the Perceptrons Problem
Advances in Cryptology Proceedings of EUROCRYPT 95 (may 21 25, 1995, Saint-Malo, France) L.C. Guillou and J.-J. Quisquater, Eds. Springer-Verlag, LNCS 921, pages 319 328. A New Identification Scheme Based
More informationFast Signature Generation with a. Fiat Shamir { Like Scheme. Fachbereich Mathematik / Informatik. Abstract
Fast Signature Generation with a Fiat Shamir { Like Scheme H. Ong Deutsche Bank AG Stuttgarter Str. 16{24 D { 6236 Eschborn C.P. Schnorr Fachbereich Mathematik / Informatik Universitat Frankfurt Postfach
More informationA New Baby-Step Giant-Step Algorithm and Some Applications to Cryptanalysis
A New Baby-Step Giant-Step Algorithm and Some Applications to Cryptanalysis Jean Sébastien Coron 1, David Lefranc 2 and Guillaume Poupard 3 1 Université du Luxembourg Luxembourg coron@clipper.ens.fr 2
More informationOptimal Use of Montgomery Multiplication on Smart Cards
Optimal Use of Montgomery Multiplication on Smart Cards Arnaud Boscher and Robert Naciri Oberthur Card Systems SA, 71-73, rue des Hautes Pâtures, 92726 Nanterre Cedex, France {a.boscher, r.naciri}@oberthurcs.com
More informationModular Multiplication in GF (p k ) using Lagrange Representation
Modular Multiplication in GF (p k ) using Lagrange Representation Jean-Claude Bajard, Laurent Imbert, and Christophe Nègre Laboratoire d Informatique, de Robotique et de Microélectronique de Montpellier
More informationCryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97
Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97 Phong Nguyen and Jacques Stern École Normale Supérieure, Laboratoire d Informatique 45, rue d Ulm, F 75230 Paris Cedex 05 {Phong.Nguyen,Jacques.Stern}@ens.fr
More informationbreakthrough, many generalizations were presented (e.g. using polynomials), and broken. Recently, it has been adapted to work with other structures. I
Published in M. Lomas, editor, \Security Protocols", vol. 1189 of Lecture Notes in Computer Science, pp. 93-100, Springer-Verlag, 1997. Protocol Failures for RSA-like Functions using Lucas Sequences and
More informationSolving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?
Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know? Alexander May, Maike Ritzenhofen Faculty of Mathematics Ruhr-Universität Bochum, 44780 Bochum,
More informationBlind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems
Applied Mathematical Sciences, Vol. 6, 202, no. 39, 6903-690 Blind Signature Protocol Based on Difficulty of Simultaneous Solving Two Difficult Problems N. H. Minh, D. V. Binh 2, N. T. Giang 3 and N. A.
More informationMontgomery-Suitable Cryptosystems
Montgomery-Suitable Cryptosystems [Published in G. Cohen, S. Litsyn, A. Lobstein, and G. Zémor, Eds., Algebraic Coding, vol. 781 of Lecture Notes in Computer Science, pp. 75-81, Springer-Verlag, 1994.]
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationDeterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA
Deterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA Noboru Kunihiro 1 and Kaoru Kurosawa 2 1 The University of Electro-Communications, Japan kunihiro@iceuecacjp
More informationPAPER An Identification Scheme with Tight Reduction
IEICE TRANS. FUNDAMENTALS, VOL.Exx A, NO.xx XXXX 200x PAPER An Identification Scheme with Tight Reduction Seiko ARITA, Member and Natsumi KAWASHIMA, Nonmember SUMMARY There are three well-known identification
More informationFault Attacks Against emv Signatures
Fault Attacks Against emv Signatures Jean-Sébastien Coron 1, David Naccache 2, and Mehdi Tibouchi 2 1 Université du Luxembourg 6, rue Richard Coudenhove-Kalergi l-1359 Luxembourg, Luxembourg {jean-sebastien.coron,
More informationEvidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs
Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs Jonah Brown-Cohen 1 Introduction The Diffie-Hellman protocol was one of the first methods discovered for two people, say Alice
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationA Note on the Cramer-Damgård Identification Scheme
A Note on the Cramer-Damgård Identification Scheme Yunlei Zhao 1, Shirley H.C. Cheung 2,BinyuZang 1,andBinZhu 3 1 Software School, Fudan University, Shanghai 200433, P.R. China {990314, byzang}@fudan.edu.cn
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationA DPA attack on RSA in CRT mode
A DPA attack on RSA in CRT mode Marc Witteman Riscure, The Netherlands 1 Introduction RSA is the dominant public key cryptographic algorithm, and used in an increasing number of smart card applications.
More informationAn Identification Scheme Based on KEA1 Assumption
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to
More informationAn Anonymous Authentication Scheme for Trusted Computing Platform
An Anonymous Authentication Scheme for Trusted Computing Platform He Ge Abstract. The Trusted Computing Platform is the industrial initiative to implement computer security. However, privacy protection
More informationNew Variant of ElGamal Signature Scheme
Int. J. Contemp. Math. Sciences, Vol. 5, 2010, no. 34, 1653-1662 New Variant of ElGamal Signature Scheme Omar Khadir Department of Mathematics Faculty of Science and Technology University of Hassan II-Mohammedia,
More informationDigital Signatures from Challenge-Divided Σ-Protocols
Digital Signatures from Challenge-Divided Σ-Protocols Andrew C. Yao Yunlei Zhao Abstract Digital signature is one of the basic primitives in cryptography. A common paradigm of obtaining signatures, known
More informationEfficient RSA Cryptosystem with Key Generation using Matrix
E f f i c i e n t R S A C r y p t o s y s t e m w i t h K e y G e n e r a t i o n u s i n g M a t r i x Efficient RSA Cryptosystem with Key Generation using Matrix Prerna Verma 1, Dindayal Mahto 2, Sudhanshu
More informationSecure and Practical Identity-Based Encryption
Secure and Practical Identity-Based Encryption David Naccache Groupe de Cyptographie, Deṕartement d Informatique École Normale Supérieure 45 rue d Ulm, 75005 Paris, France david.nacache@ens.fr Abstract.
More informationON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL
1 ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL GIOVANNI DI CRESCENZO Telcordia Technologies, Piscataway, NJ, USA. E-mail: giovanni@research.telcordia.com IVAN VISCONTI Dipartimento di Informatica
More informationComparing With RSA. 1 ucl Crypto Group
Comparing With RSA Julien Cathalo 1, David Naccache 2, and Jean-Jacques Quisquater 1 1 ucl Crypto Group Place du Levant 3, Louvain-la-Neuve, b-1348, Belgium julien.cathalo@uclouvain.be, jean-jacques.quisquater@uclouvain.be
More informationModular Reduction without Pre-Computation for Special Moduli
Modular Reduction without Pre-Computation for Special Moduli Tolga Acar and Dan Shumow Extreme Computing Group, Microsoft Research, Microsoft One Microsoft Way, Redmond, WA 98052, USA {tolga,danshu}@microsoft.com
More informationThe odd couple: MQV and HMQV
The odd couple: MQV and HMQV Jean-Philippe Aumasson 1 / 49 Summary MQV = EC-DH-based key agreement protocol, proposed by Menezes, Qu and Vanstone (1995), improved with Law and Solinas (1998), widely standardized
More informationSecurity Proofs for Signature Schemes. Ecole Normale Superieure. 45, rue d'ulm Paris Cedex 05
Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern Jacques.Stern@ens.fr Ecole Normale Superieure Laboratoire d'informatique 45, rue d'ulm 75230 Paris Cedex 05
More informationNOTICE WARNING CONCERNING COPYRIGHT RESTRICTIONS: The copyright law of the United States (title 17, U.S. Code) governs the making of photocopies or
NOTICE WARNING CONCERNING COPYRIGHT RESTRICTIONS: The copyright law of the United States (title 17, U.S. Code) governs the making of photocopies or other reproductions of copyrighted material. Any copying
More informationBreaking Plain ElGamal and Plain RSA Encryption
Breaking Plain ElGamal and Plain RSA Encryption (Extended Abstract) Dan Boneh Antoine Joux Phong Nguyen dabo@cs.stanford.edu joux@ens.fr pnguyen@ens.fr Abstract We present a simple attack on both plain
More informationOn the Big Gap Between p and q in DSA
On the Big Gap Between p and in DSA Zhengjun Cao Department of Mathematics, Shanghai University, Shanghai, China, 200444. caozhj@shu.edu.cn Abstract We introduce a message attack against DSA and show that
More informationSecure Delegation of Elliptic-Curve Pairing
Secure Delegation of Elliptic-Curve Pairing Benoît Chevallier-Mames, Jean-Sébastien Coron, Noel Mccullagh, David Naccache, Michael Scott To cite this version: Benoît Chevallier-Mames, Jean-Sébastien Coron,
More informationAn introduction to the algorithmic of p-adic numbers
An introduction to the algorithmic of p-adic numbers David Lubicz 1 1 Universté de Rennes 1, Campus de Beaulieu, 35042 Rennes Cedex, France Outline Introduction 1 Introduction 2 3 4 5 6 7 8 When do we
More informationCryptographic Protocols Notes 2
ETH Zurich, Department of Computer Science SS 2018 Prof. Ueli Maurer Dr. Martin Hirt Chen-Da Liu Zhang Cryptographic Protocols Notes 2 Scribe: Sandro Coretti (modified by Chen-Da Liu Zhang) About the notes:
More informationSELECTED APPLICATION OF THE CHINESE REMAINDER THEOREM IN MULTIPARTY COMPUTATION
Journal of Applied Mathematics and Computational Mechanics 2016, 15(1), 39-47 www.amcm.pcz.pl p-issn 2299-9965 DOI: 10.17512/jamcm.2016.1.04 e-issn 2353-0588 SELECTED APPLICATION OF THE CHINESE REMAINDER
More informationBasics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018
Basics in Cryptology II Distributed Cryptography David Pointcheval Ecole normale supérieure, CNRS & INRIA ENS Paris 2018 NS/CNRS/INRIA Cascade David Pointcheval 1/26ENS/CNRS/INRIA Cascade David Pointcheval
More informationEntity Authentication
Entity Authentication Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie? α k The
More informationHash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34
Hash Functions Ali El Kaafarani Mathematical Institute Oxford University 1 of 34 Outline 1 Definition and Notions of Security 2 The Merkle-damgård Transform 3 MAC using Hash Functions 4 Cryptanalysis:
More informationDeterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring
Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring Jean-Sébastien Coron and Alexander May Gemplus Card International 34 rue Guynemer, 92447 Issy-les-Moulineaux, France
More informationFast arithmetic and pairing evaluation on genus 2 curves
Fast arithmetic and pairing evaluation on genus 2 curves David Freeman University of California, Berkeley dfreeman@math.berkeley.edu November 6, 2005 Abstract We present two algorithms for fast arithmetic
More informationXMX: A Firmware-oriented Block Cipher Based on Modular Multiplications
XMX: A Firmware-oriented Block Cipher Based on Modular Multiplications [Published in E. Biham, Ed., Fast Software Encrytion, vol. 1267 of Lecture Notes in Computer Science, pp. 166 171, Springer-Verlag,
More informationAsymmetric Cryptography
Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman General idea: Use two different keys -K and +K for encryption and decryption Given a
More informationChapter 4 Asymmetric Cryptography
Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman [NetSec/SysSec], WS 2008/2009 4.1 Asymmetric Cryptography General idea: Use two different keys -K and +K for
More informationBlind Collective Signature Protocol
Computer Science Journal of Moldova, vol.19, no.1(55), 2011 Blind Collective Signature Protocol Nikolay A. Moldovyan Abstract Using the digital signature (DS) scheme specified by Belarusian DS standard
More informationCourse 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography
Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography David R. Wilkins Copyright c David R. Wilkins 2006 Contents 9 Introduction to Number Theory and Cryptography 1 9.1 Subgroups
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More informationDefinition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University
Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0
More informationComputers and Electrical Engineering
Computers and Electrical Engineering 36 (2010) 56 60 Contents lists available at ScienceDirect Computers and Electrical Engineering journal homepage: wwwelseviercom/locate/compeleceng Cryptanalysis of
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationDr George Danezis University College London, UK
Dr George Danezis University College London, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets
More informationPublic Key Cryptography
Public Key Cryptography Spotlight on Science J. Robert Buchanan Department of Mathematics 2011 What is Cryptography? cryptography: study of methods for sending messages in a form that only be understood
More informationNew attacks on RSA with Moduli N = p r q
New attacks on RSA with Moduli N = p r q Abderrahmane Nitaj 1 and Tajjeeddine Rachidi 2 1 Laboratoire de Mathématiques Nicolas Oresme Université de Caen Basse Normandie, France abderrahmane.nitaj@unicaen.fr
More informationone eciently recover the entire key? There is no known method for doing so. Furthermore, the common belief is that no such ecient algorithm exists. Th
Exposing an RSA Private Key Given a Small Fraction of its Bits Dan Boneh Glenn Durfee y Yair Frankel dabo@cs.stanford.edu gdurf@cs.stanford.edu yfrankel@cs.columbia.edu Stanford University Stanford University
More informationNovel Approach to Factorize the RSA Public Key Encryption
Volume 6, No. 6, July - August 2015 International Journal of Advanced Research in Computer Science RESEARCH PAPER Available Online at www.ijarcs.info Novel Approach to Factorize the RSA Public Key Encryption
More informationA Sound Method for Switching between Boolean and Arithmetic Masking
A Sound Method for Switching between Boolean and Arithmetic Masking Louis Goubin CP8 Crypto Lab, SchlumbergerSema 36-38 rue de la Princesse, BP45 78430 Louveciennes Cedex, France Louis.Goubin@louveciennes.tt.slb.com
More informationLecture Notes. (electronic money/cash) Michael Nüsken b-it. IPEC winter 2008
Lecture Notes ee (electronic money/cash) Michael Nüsken b-it (Bonn-Aachen International Center for Information Technology) IPEC winter 2008 c 2008 Michael Nüsken Workshop
More informationrecover the secret key [14]. More recently, the resistance of smart-card implementations of the AES candidates against monitoring power consumption wa
Resistance against Dierential Power Analysis for Elliptic Curve Cryptosystems Jean-Sebastien Coron Ecole Normale Superieure Gemplus Card International 45 rue d'ulm 34 rue Guynemer Paris, F-75230, France
More informationKey Recovery on Hidden Monomial Multivariate Schemes
Key Recovery on Hidden Monomial Multivariate Schemes Pierre-Alain Fouque 1, Gilles Macario-Rat 2, and Jacques Stern 1 1 École normale supérieure, 45 rue d Ulm, 75005 Paris, France {Pierre-Alain.Fouque,
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationCryptanalysis of a Message Authentication Code due to Cary and Venkatesan
Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan Simon R. Blackburn and Kenneth G. Paterson Department of Mathematics Royal Holloway, University of London Egham, Surrey, TW20 0EX,
More informationPractical Fault Countermeasures for Chinese Remaindering Based RSA
Practical Fault Countermeasures for Chinese Remaindering Based RSA (Extended Abstract) Mathieu Ciet 1 and Marc Joye 2, 1 Gemplus R&D, Advanced Research and Security Centre La Vigie, ZI Athélia IV, Av.
More informationHomework 3 Solutions
5233/IOC5063 Theory of Cryptology, Fall 205 Instructor Prof. Wen-Guey Tzeng Homework 3 Solutions 7-Dec-205 Scribe Amir Rezapour. Consider an unfair coin with head probability 0.5. Assume that the coin
More informationCryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05
Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05 Fangguo Zhang 1 and Xiaofeng Chen 2 1 Department of Electronics and Communication Engineering, Sun Yat-sen
More informationCourse MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography
Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography David R. Wilkins Copyright c David R. Wilkins 2000 2013 Contents 9 Introduction to Number Theory 63 9.1 Subgroups
More informationCIS 551 / TCOM 401 Computer and Network Security
CIS 551 / TCOM 401 Computer and Network Security Spring 2008 Lecture 15 3/20/08 CIS/TCOM 551 1 Announcements Project 3 available on the web. Get the handout in class today. Project 3 is due April 4th It
More informationA New Attack on RSA with Two or Three Decryption Exponents
A New Attack on RSA with Two or Three Decryption Exponents Abderrahmane Nitaj Laboratoire de Mathématiques Nicolas Oresme Université de Caen, France nitaj@math.unicaen.fr http://www.math.unicaen.fr/~nitaj
More informationPAIRING-BASED IDENTIFICATION SCHEMES
PAIRING-BASED IDENTIFICATION SCHEMES DAVID FREEMAN Abstract. We propose four different identification schemes that make use of bilinear pairings, and prove their security under certain computational assumptions.
More informationAnalysis of SHA-1 in Encryption Mode
Analysis of SHA- in Encryption Mode [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 00, vol. 00 of Lecture Notes in Computer Science, pp. 70 83, Springer-Verlag, 00.] Helena Handschuh, Lars
More informationPairing-Based Identification Schemes
Pairing-Based Identification Schemes David Freeman Information Theory Research HP Laboratories Palo Alto HPL-2005-154 August 24, 2005* public-key cryptography, identification, zero-knowledge, pairings
More informationA New Generalization of the KMOV Cryptosystem
J Appl Math Comput manuscript No. (will be inserted by the editor) A New Generalization of the KMOV Cryptosystem Maher Boudabra Abderrahmane Nitaj Received: date / Accepted: date Abstract The KMOV scheme
More informationSecurity Level of Cryptography Integer Factoring Problem (Factoring N = p 2 q) December Summary 2
Security Level of Cryptography Integer Factoring Problem (Factoring N = p 2 ) December 2001 Contents Summary 2 Detailed Evaluation 3 1 The Elliptic Curve Method 3 1.1 The ECM applied to N = p d............................
More informationComputers and Mathematics with Applications
Computers and Mathematics with Applications 61 (2011) 1261 1265 Contents lists available at ScienceDirect Computers and Mathematics with Applications journal homepage: wwwelseviercom/locate/camwa Cryptanalysis
More informationElGamal type signature schemes for n-dimensional vector spaces
ElGamal type signature schemes for n-dimensional vector spaces Iwan M. Duursma and Seung Kook Park Abstract We generalize the ElGamal signature scheme for cyclic groups to a signature scheme for n-dimensional
More informationAitken and Neville Inverse Interpolation Methods over Finite Fields
Appl. Num. Anal. Comp. Math. 2, No. 1, 100 107 (2005) / DOI 10.1002/anac.200410027 Aitken and Neville Inverse Interpolation Methods over Finite Fields E.C. Laskari 1,3, G.C. Meletiou 2,3, and M.N. Vrahatis
More informationLecture 10: Zero-Knowledge Proofs
Lecture 10: Zero-Knowledge Proofs Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Some of these slides are based on note by Boaz Barak. Quo vadis? Eo Romam
More informationLittle Dragon Two: An efficient Multivariate Public Key Cryptosystem
Little Dragon Two: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India October
More informationLecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures
Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle
More informationStrongly Unforgeable Signatures Based on Computational Diffie-Hellman
Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu
More informationOn the Key-collisions in the Signature Schemes
On the Key-collisions in the Signature Schemes Tomáš Rosa ICZ a.s., Prague, CZ Dept. of Computer Science, FEE, CTU in Prague, CZ tomas.rosa@i.cz Motivation to study k-collisions Def. Non-repudiation [9,10].
More informationA Knapsack Cryptosystem Based on The Discrete Logarithm Problem
A Knapsack Cryptosystem Based on The Discrete Logarithm Problem By K.H. Rahouma Electrical Technology Department Technical College in Riyadh Riyadh, Kingdom of Saudi Arabia E-mail: kamel_rahouma@yahoo.com
More informationNew Attacks against Standardized MACs
New Attacks against Standardized MACs Antoine Joux 1, Guillaume Poupard 1, and Jacques Stern 2 1 DCSSI Crypto Lab 51 Boulevard de La Tour-Maubourg 75700 Paris 07 SP, France {Antoine.Joux,Guillaume.Poupard}@m4x.org
More informationLow-Cost Solutions for Preventing Simple Side-Channel Analysis: Side-Channel Atomicity
Low-Cost Solutions for Preventing Simple Side-Channel Analysis: Side-Channel Atomicity [Published in IEEE Transactions on Computers 53(6):760-768, 00.] Benoît Chevallier-Mames 1, Mathieu Ciet, and Marc
More informationProtecting RSA Against Fault Attacks: The Embedding Method
Published in L. Breveglieri et al., Eds, Fault Diagnosis and Tolerance in Cryptography (FDTC 2009), IEEE Computer Society, pp. 41 45, 2009. Protecting RSA Against Fault Attacks: The Embedding Method Marc
More informationComputing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring
Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring Alexander May Faculty of Computer Science, Electrical Engineering and Mathematics University of Paderborn 33102 Paderborn,
More informationOn Rabin-type Signatures
On Rabin-type Signatures [Published in B. Honary, Ed., Cryptography and Coding, vol. 2260 of Lecture Notes in Computer Science, pp. 99 113, Springer-Verlag, 2001.] Marc Joye 1 and Jean-Jacques Quisquater
More informationEfficient Modular Exponentiation Based on Multiple Multiplications by a Common Operand
Efficient Modular Exponentiation Based on Multiple Multiplications by a Common Operand Christophe Negre, Thomas Plantard, Jean-Marc Robert Team DALI (UPVD) and LIRMM (UM2, CNRS), France CCISR, SCIT, (University
More informationA New Related Message Attack on RSA
A New Related Message Attack on RSA Oded Yacobi 1 and Yacov Yacobi 2 1 Department of Mathematics, University of California San Diego, 9500 Gilman Drive, La Jolla, CA 92093, USA oyacobi@math.ucsd.edu 2
More informationPublic key cryptography using Permutation P-Polynomials over Finite Fields
Public key cryptography using Permutation P-Polynomials over Finite Fields Rajesh P Singh 1 B. K. Sarma 2 A. Saikia 3 Department of Mathematics Indian Institute of Technology Guwahati Guwahati 781039,
More informationIntroduction to Cryptography Lecture 13
Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1 Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2 Simple
More informationSecret Sharing for General Access Structures
SECRET SHARING FOR GENERAL ACCESS STRUCTURES 1 Secret Sharing for General Access Structures İlker Nadi Bozkurt, Kamer Kaya, and Ali Aydın Selçuk Abstract Secret sharing schemes (SSS) are used to distribute
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More informationWhy One Should Also Secure RSA Public Key Elements
Why One Should Also Secure RSA Public Key Elements [Published in L. Goubin and M. Matsui, Eds., Cryptographic Hardware and Embedded Systems CHES 2006, vol. 4249 of Lecture Notes in Computer Science, pp.
More informationCryptanalysis of the TTM Cryptosystem
Cryptanalysis of the TTM Cryptosystem Louis Goubin and Nicolas T Courtois SchlumbergerSema - CP8 36-38 rue de la Princesse BP45 78430 Louveciennes Cedex France LouisGoubin@bullnet,courtois@minrankorg Abstract
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 6, 2012 CPSC 467b, Lecture 9 1/53 Euler s Theorem Generating RSA Modulus Finding primes by guess and check Density of
More informationFrom Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes
From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 2001, vol. 2020 of Lecture Notes in Computer
More information