* Supported by an IBM fellowship, partially supported by NSF grant DCR by Johan Hastad* MIT
|
|
- Eustace Barber
- 6 years ago
- Views:
Transcription
1 ?J USING RSA WITH LOW EXPONENT IN A PUBLIC KEY NETWORM by Johan Hasta* MIT Abstract: We consier the problem of solving systems of equations P;(z) = 0 (mo n;) i = 1... k where P; me polynomials of egree an the n, are istinct relatively prime numbers an z < minn,. We prove that if k > we can recover z in polynomial time provie n, >> 2k. This shows that RSA with low exponent is not a goo alternative to use as a public key cryptosystem in a large network. It also shows that a protocol by Broer an Dolev [4] is insecure if RSA with low exponent is use. 1. Introuction Let us start with some cryptographic motivation. The famous RSA function [8] is efine 89 f(z) = z (mo n). Here n is usually taken of the form n = pq where p an q are two large primes an is an integer relatively prime to (p l)(q 1). Using these parametera the function is 1 1 when restricte to 1 5 z 5 n, (2, n) = 1. Furthermore the function is wiely believe to be a trapoor function i.e. given n an it is easy to compute f(z) an given f(z) it is also easy to recover z provie you have some secret information but otherwise it is infeasible. In this case the secret information is the factorization of n. The RSA function can be use to construct a eterministic Public Key Cryp tosystem(pkc) in the following way: Each user B in a communication network chooeea two large primes p an q an multiplies them together an publishes the result nb together with a number e which is relatively prime to (p l)(q 1). He keeps the factorization as his private secret information. If any user A in the system wants to sen a secret message rn to another user B she retrievea B's publishe information computes y mb (mo ne) an sens y to B. B now obtains the original message using his secret information while someboy else presumably faces an intractable computational task. However PKC are ifferent an more complex objecta than trapoor functions. For example the use of RSA in a PKC may present obetaclea that i not occur when we consiere it as a trapoor function. Several people (at least Blum, Lieberherr an Williams) have observe the following attack. hume that 3 is chosen ae the exponent an that A wants to sen the same message rn to users U1,Ut an Us. She will compute an sen y; = m3 (mo n;) i = 1,2,3. But using the fact that nl, n2 an ns are relatively prime a listener who know the values of y1,yz an y3 can combine the messages by chinese remainering to get m3 (mo nlnang) an since ms < nlnzn3 he can recover m. In general if the exponent is the number of messages neee is. * Supporte by an IBM fellowship, partially supporte by NSF grant DCR H.C. Williams (E.): Avances in Cryptology CRYPT0 '85, LNCS 218, pp , SpringerVerlag Berlin Heielberg 1986
2 404 A natural question is therefore: Is there a better way to sen the same message to many people using thia PKC? A common heuristic tells us to use a time stamp. Instea of sening the same message m to everyboy one attaches the time an thus sens the encryption of 2i*lrn + t where 2Itlm is the shifte message an t is the time (which will be ifferent for the ifferent receivers). The previous attack fails an we are le to the following computational problem (for = 3). Given (aim + 6;) (mo n;) where all the % an b; are known is it possible to recover rn in polynomial time? We wil1 see in section 3 that the answer is YES if the number of similar messages is at least 7. In fact we will prove that given a set of equations P;(z) z 0 (mo n;) i= 1,..., k where we have k polynomial equations of egree 2 it is possible to recover the solution in time polynomial in both k an logn; if k > ( + 1)/2 provie n; >> 2. Therefore we conclue that if MA is to be use as a PKC we shoul use a large exponent or even better use a probabilistic encryption scheme [3],[6] base on RSA. By [1],[3] this can be one with as much efficiency as in the eterministic case. 2. The insecurity of a protocol by Broer an Dolev. Broer an Dolev propose a protocol for flipping a coin in a istribute system [4]. Some of their emential ingreients were Shamir s metho of sharing a secret an the use of a eterministic PKC. They propose to use the RSA. In 121 it is shown that what they really nee from the security of the cryptosystem is: Given the encryption of a;z + b, with ifferent keys it shoul be infeasible to ecie the parity of z with a better probability than flipping a coin. The analysis in the next section shows that given this information we can, not only fin the parity of z, but the exact value of z if the PKC is RSA with a small exponent. In the case of a large exponent the protocol is not known to be insecure but on the other han there is no proof of correctness. A provably secure protocol has been esigne by Awerbuch et. [Z]. 3. Main Theorem Let us start by fixing some notation. Let N = nf=, we can state the problem formally: n; an n = minn;. Now Problem: Given a set of k equations Cj=ou,,zj z 0 (mo n;), i = 1,...,k. Suppme that the system have a solution z < n. Can we fin such a solution efficiently? Before we give the theorem Iet us give the basic ieas. Define u, < N to be the Chinese remainering coefficients i.e. u, E S;, (mo n;) (6;, = 1 if i = j an 0 otherwise). We can combine the equations to a single equation using the Chinese remainer theorem. o ~ p zj = zfz1 ~ u,a,, G c,=~ zjc, (mo N )
3 405 One of the important parts of the entire paper is the following simple lemma. Lemma I: If lc,( < (+T)niz we can fin z in time polynomial in,k an log n;. Proof: Iflcjl < & then j=o j=o Thus the conition C;=, cjzj = 0. In other wors z solves the equation over the integers an to prove the lemma we just nee the fact that we can solve polynomial equations over the integers in polynomial time. This follows from [7] but there are more efficient algorithms. cjzj e 0 (mo N) implies cy'=, The conition of lemma 1 is quite unlikely to be fulfille when we start with a general set of equations. In spite of this lemma 1 will be one of our main tools for proving: Theorem: Given a set of equations c;=, a;j = 0 (mo n;), i = 1,2,..., k where z < n an gc((a,j)$,, n;) = 1 for all i. Then it is possible to recover z in time polynomial in, k an log n; if As before N = nf=, n;, n = min n,, is the egree of the equations an k is the number of equations. ProoT: The iea is to use lemma 1. However as we remarke it is quite unlikely that it will apply to our equations irectly. To get more possibilities we will multiply the ith equation by a constant a, before we combine them using Chinese remainering. If we have chosen the 8; carefully enough the resulting equation will have the esire small coefficients. We get Let cj enote the coefficient of zj in this equation. To apply lemma 1 we want Icj/nj < &. The main tool for achieving this will be the use of lattices. We first start by recalling some backgroun from the geometry of numbers. 3.1 Backgroun from geometry of numbers. A lattice L is efine to be the set of points where & are linearly inepenent vectors in R". The set 6 is calle a basis for the lattice an n is the imension. The eterminant of a lattice is efine to be the absolute value of the eterminant of the matrix with rows 6. It is not har to see that the eterminant is inepenent of the choice of basis. The length of the shortest nonzero vector in the lattice is enote by XI. Let us recall the following wellknown facts:
4 406 Theorem: (Minkowski) X1 5 7,, 3 (et(l))* where 7n is Hermite's constant. y, is not known explicitly but we have an upper boun 7,, 5 n [5]. Theorem: W e can fin a vector a' in polynomial time which satisfies I I W l This is boun you get from the famous algorithm in the paper by Lenstra,Lenstra ' an Lovasz [7]. By a result by Schnorr it is possible to replace the constant 2 by any number greater than 1 [9] but this is not important to us. Arme with this information we return to the original problem. 3.2 Continuation of Proof. Define the following lattice L of imension k by its base vectors: N bl = (aloul, ~ ~ 1 1 ~ 1 ~ n 2,n ~ alu1, 1 2 ~ 1 m701.., ~ ~ ~.,o). N b2 = (a20u2,na21u2,n2a22~5,...,n a2u2,0, n?(l)>**' '0) + 2 N bk = (akouk, nakluk, n ak2uk,..., n akuk, 0~0,.. I bk+l = (N,O,O,...,o,o, 0,...,o) bk+2 = (0, nn, 0,...,O,O,O,...,0) bk++l = (O,O, 0,..., n N, O,O,... 0) Observe that Observe that for 1 5 i 5 k + 1 the i'th coefficient is ivisible by n'. We multiply the ifferent coefficients by the corresponing powers of n since we want /cj/nj < &. The laat k coorinatea are there to make the multipliers 3; small in a short vector in the lattice a the last + 1 vectors reflect the fact that we have a moular equation. The only term in the expansion of the eterminant is the iagonal term an we get k fill J(f1) Det(L) = nnfk"( $. l)k n nil = ntnik( + l)k This also shows that the vectors are inepenent. Combining the two theorems in section 3.1 we know that we can fin a vector gin L that satisfies *=1 ila'il < ( k++ I)iZ*Det(C)h
5 407 Observe that to get the esire bouns for the c;'s we nee A simple calculation shows that to get this we nee exactly the boun from the theorem to get this. TO finish the proof we nee to prove that we get a nontrivial equation. Since 11gl1 C we know by the expressions for the last k coorinates that Is;] < n;. b' is also nonzero. This together with the boun for its length imply that there is at least one S; # 0. Look at the equation (mo n;) for the same i. Using that 0 # 1s.l < n; an gc((a,,)$o, n;) = 1 we see that this is a nontrivial equation. The proof is complete. 4. Cryptographic Corollaries We get some immeiate corollaries of the main theorem Corollary 1: Sening linearly relate messagee using RSA with low ex +l ponent 8 hecure. Sening more than messages enables an aversary to recover the messages. This follows irectly from our main the main theorem wuming that the constants epening on the imension is small compare to the mouli. In the same spirit we get Corollary 2: Sening linearly relate messages using the Rabin encryption function is insecure. If 4 such rnessage;s are sent it is possible to retrieve the message. If one oes a bit of extra work it is poaaible to say something about the cases of equality (9 an 3 mesaages respectively) but we omit the etails. Corollary 3: The protocol by Broer an Dolev ia insecure if RSA with low exponent is uae. Follows from the analysis in [2] an the main theorem. The theorem also proves that we shoul not encoe messages that are small known polynomials in some unknown but this seems quite farfetche. 5. Open questions One interesting open questions is whether we can solve the problem with fewer equations. It oes not seem possible to use this line of attack with substantially fewer equation. To see this one might argue as follows: The probability that lcjl < nkj for j = 1,..., for a fixe set of s, is approximately n(+l)/z an this woul inicate that we shoul have n(+l)/f sets of equations to choose between an therefore at least (+ 1)/2 equations.
6 405 There oes not seem to be any way to exten the above attack to RSA with large exponent. The reason being that the integers involve are too big even to write own. There is atill a large amount of atructure preaent an it woul be interesting to investigate whether this structure coul be use. Acknowlegments: I woul like to thank Silvio Micali, Sha6 Golwasser an Benny Chor for suggesting the problem, listening to early solutions an suggesting improvements an simplifications. They also pointe out the flaws in the argument of Broer an Dolev. References: + poly logn Secure FOCS 1984 pp [l] Alexi W., Chor B., Golreich 0. an Schnorr C.P. RSA/Rabin Bits are 3 + [2] Awerbuch B., Chor B., Golwasser S. an Micali S. Provably Secure Coin Flip in a Byzantine Environment, manuscript in preparation. [3] Blum M. an Golwaaser S. An efficient Probabilistic Public Key Encryption Scheme which Hiea all Partial Information Presente in Crypto 1984 [4] Broer A.Z. an Dolev D. Flipping Coins in Many Pockets FOCS 1984 pp [S] Casaels J.W.S. Geometry of Numbers Springer 1959 [6] Golwasser S. an Micali S. Probabilistic Encryption JSCC 28 27&299 (71 Lenstra A.K.,Lemtra H.W. an Lavasz L. Factorin6 Polynomials with Integer Coefficients Matematische Annalen 261 (1982) [S] Riveat R.L., Shamir A. an Aleman L. A Metho for Obtaining Digital Sig natures an Public Key Cryptoayetems CACM 212 February [9] Schnorr C.P. A Hierarchy of Polynomial Basis Reuction Algorithms, manuscript
A New Vulnerable Class of Exponents in RSA
A ew Vulnerable Class of Exponents in RSA Aberrahmane itaj Laboratoire e Mathématiues icolas Oresme Campus II, Boulevar u Maréchal Juin BP 586, 4032 Caen Ceex, France. nitaj@math.unicaen.fr http://www.math.unicaen.fr/~nitaj
More informationAttacking Unbalanced RSA-CRT Using SPA
Attacking Unbalance RSA-CRT Using SPA Pierre-Alain Fouque, Gwenaëlle Martinet, an Guillaume Poupar DCSSI Crypto Lab 51, Boulevar e Latour-Maubourg 75700 Paris 07 SP, France Pierre-Alain.Fouque@ens.fr Gwenaelle.Martinet@worlonline.fr
More informationExtension of de Weger s Attack on RSA with Large Public Keys
Extension of e Weger s Attack on RSA with Large Public Keys Nicolas T. Courtois, Theoosis Mourouzis an Pho V. Le Department of Computer Science, University College Lonon, Gower Street, Lonon, U.K. {n.courtois,
More informationPermanent vs. Determinant
Permanent vs. Determinant Frank Ban Introuction A major problem in theoretical computer science is the Permanent vs. Determinant problem. It asks: given an n by n matrix of ineterminates A = (a i,j ) an
More informationEfficient RNS bases for Cryptography
1 Efficient RNS bases for Cryptography Jean-Claue Bajar, Nicolas Meloni an Thomas Plantar LIRMM UMR 5506, University of Montpellier, France, {bajar,meloni,plantar}@lirmm.fr Abstract Resiue Number Systems
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem IMI Cryptography Seminar 28 th June, 2016 Speaker* : Momonari Kuo Grauate School of Mathematics, Kyushu University * This work is a
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem Royal Holloway an Kyushu University Workshop on Lattice-base cryptography 7 th September, 2016 Momonari Kuo Grauate School of Mathematics,
More informationAcute sets in Euclidean spaces
Acute sets in Eucliean spaces Viktor Harangi April, 011 Abstract A finite set H in R is calle an acute set if any angle etermine by three points of H is acute. We examine the maximal carinality α() of
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More informationLecture 12: November 6, 2013
Information an Coing Theory Autumn 204 Lecturer: Mahur Tulsiani Lecture 2: November 6, 203 Scribe: Davi Kim Recall: We were looking at coes of the form C : F k q F n q, where q is prime, k is the message
More informationLower Bounds for the Smoothed Number of Pareto optimal Solutions
Lower Bouns for the Smoothe Number of Pareto optimal Solutions Tobias Brunsch an Heiko Röglin Department of Computer Science, University of Bonn, Germany brunsch@cs.uni-bonn.e, heiko@roeglin.org Abstract.
More informationu!i = a T u = 0. Then S satisfies
Deterministic Conitions for Subspace Ientifiability from Incomplete Sampling Daniel L Pimentel-Alarcón, Nigel Boston, Robert D Nowak University of Wisconsin-Maison Abstract Consier an r-imensional subspace
More informationCOUNTING VALUE SETS: ALGORITHM AND COMPLEXITY
COUNTING VALUE SETS: ALGORITHM AND COMPLEXITY QI CHENG, JOSHUA E. HILL, AND DAQING WAN Abstract. Let p be a prime. Given a polynomial in F p m[x] of egree over the finite fiel F p m, one can view it as
More informationSolving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?
Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know? Alexander May, Maike Ritzenhofen Faculty of Mathematics Ruhr-Universität Bochum, 44780 Bochum,
More information9 Knapsack Cryptography
9 Knapsack Cryptography In the past four weeks, we ve discussed public-key encryption systems that depend on various problems that we believe to be hard: prime factorization, the discrete logarithm, and
More informationTwo formulas for the Euler ϕ-function
Two formulas for the Euler ϕ-function Robert Frieman A multiplication formula for ϕ(n) The first formula we want to prove is the following: Theorem 1. If n 1 an n 2 are relatively prime positive integers,
More informationFIRST YEAR PHD REPORT
FIRST YEAR PHD REPORT VANDITA PATEL Abstract. We look at some potential links between totally real number fiels an some theta expansions (these being moular forms). The literature relate to moular forms
More informationImplicit Differentiation
Implicit Differentiation Thus far, the functions we have been concerne with have been efine explicitly. A function is efine explicitly if the output is given irectly in terms of the input. For instance,
More informationMath Notes on differentials, the Chain Rule, gradients, directional derivative, and normal vectors
Math 18.02 Notes on ifferentials, the Chain Rule, graients, irectional erivative, an normal vectors Tangent plane an linear approximation We efine the partial erivatives of f( xy, ) as follows: f f( x+
More informationDiscrete Mathematics
Discrete Mathematics 309 (009) 86 869 Contents lists available at ScienceDirect Discrete Mathematics journal homepage: wwwelseviercom/locate/isc Profile vectors in the lattice of subspaces Dániel Gerbner
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA Public Key Encryption Factoring Algorithms Lecture 7 Tel-Aviv University Revised March 1st, 2008 Reminder: The Prime Number Theorem Let π(x) denote the
More informationLecture Introduction. 2 Examples of Measure Concentration. 3 The Johnson-Lindenstrauss Lemma. CS-621 Theory Gems November 28, 2012
CS-6 Theory Gems November 8, 0 Lecture Lecturer: Alesaner Mąry Scribes: Alhussein Fawzi, Dorina Thanou Introuction Toay, we will briefly iscuss an important technique in probability theory measure concentration
More informationImplementing Gentry s Fully-Homomorphic Encryption Scheme Preliminary Report
Implementing Gentry s Fully-Homomorphic Encryption Scheme Preliminary Report Craig Gentry Shai Halevi August 5, 2010 Abstract We escribe a working implementation of a variant of Gentry s fully homomorphic
More informationLinear and quadratic approximation
Linear an quaratic approximation November 11, 2013 Definition: Suppose f is a function that is ifferentiable on an interval I containing the point a. The linear approximation to f at a is the linear function
More informationand from it produce the action integral whose variation we set to zero:
Lagrange Multipliers Monay, 6 September 01 Sometimes it is convenient to use reunant coorinates, an to effect the variation of the action consistent with the constraints via the metho of Lagrange unetermine
More informationEE 418: Network Security and Cryptography
Problem 1 EE 418: Network Security an Cryptography Homework 5 Assigne: Wenesay, November 23, 2016, Due: Tuesay, December 6, 2016 Instructor: Tamara Bonaci Department of Electrical Engineering University
More informationA Weak First Digit Law for a Class of Sequences
International Mathematical Forum, Vol. 11, 2016, no. 15, 67-702 HIKARI Lt, www.m-hikari.com http://x.oi.org/10.1288/imf.2016.6562 A Weak First Digit Law for a Class of Sequences M. A. Nyblom School of
More informationPROPERTIES OF THE EULER TOTIENT FUNCTION MODULO 24 AND SOME OF ITS CRYPTOGRAPHIC IMPLICATIONS
PROPERTIES OF THE EULER TOTIENT FUNCTION MODULO 24 AND SOME OF ITS CRYPTOGRAPHIC IMPLICATIONS Raouf N. Gorgui-Naguib and Satnam S. Dlay Cryptology Research Group Department of Electrical and Electronic
More informationTopic 7: Convergence of Random Variables
Topic 7: Convergence of Ranom Variables Course 003, 2016 Page 0 The Inference Problem So far, our starting point has been a given probability space (S, F, P). We now look at how to generate information
More informationUniversity of Tokyo: Advanced Algorithms Summer Lecture 6 27 May. Let s keep in mind definitions from the previous lecture:
University of Tokyo: Advanced Algorithms Summer 2010 Lecture 6 27 May Lecturer: François Le Gall Scribe: Baljak Valentina As opposed to prime factorization, primality testing is determining whether a given
More informationNOTES ON EULER-BOOLE SUMMATION (1) f (l 1) (n) f (l 1) (m) + ( 1)k 1 k! B k (y) f (k) (y) dy,
NOTES ON EULER-BOOLE SUMMATION JONATHAN M BORWEIN, NEIL J CALKIN, AND DANTE MANNA Abstract We stuy a connection between Euler-MacLaurin Summation an Boole Summation suggeste in an AMM note from 196, which
More informationRamsey numbers of some bipartite graphs versus complete graphs
Ramsey numbers of some bipartite graphs versus complete graphs Tao Jiang, Michael Salerno Miami University, Oxfor, OH 45056, USA Abstract. The Ramsey number r(h, K n ) is the smallest positive integer
More informationLECTURE NOTES ON DVORETZKY S THEOREM
LECTURE NOTES ON DVORETZKY S THEOREM STEVEN HEILMAN Abstract. We present the first half of the paper [S]. In particular, the results below, unless otherwise state, shoul be attribute to G. Schechtman.
More informationComputing Exact Confidence Coefficients of Simultaneous Confidence Intervals for Multinomial Proportions and their Functions
Working Paper 2013:5 Department of Statistics Computing Exact Confience Coefficients of Simultaneous Confience Intervals for Multinomial Proportions an their Functions Shaobo Jin Working Paper 2013:5
More informationOn the Enumeration of Double-Base Chains with Applications to Elliptic Curve Cryptography
On the Enumeration of Double-Base Chains with Applications to Elliptic Curve Cryptography Christophe Doche Department of Computing Macquarie University, Australia christophe.oche@mq.eu.au. Abstract. The
More informationG j dq i + G j. q i. = a jt. and
Lagrange Multipliers Wenesay, 8 September 011 Sometimes it is convenient to use reunant coorinates, an to effect the variation of the action consistent with the constraints via the metho of Lagrange unetermine
More informationA FURTHER REFINEMENT OF MORDELL S BOUND ON EXPONENTIAL SUMS
A FURTHER REFINEMENT OF MORDELL S BOUND ON EXPONENTIAL SUMS TODD COCHRANE, JEREMY COFFELT, AND CHRISTOPHER PINNER 1. Introuction For a prime p, integer Laurent polynomial (1.1) f(x) = a 1 x k 1 + + a r
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationProof by Mathematical Induction.
Proof by Mathematical Inuction. Mathematicians have very peculiar characteristics. They like proving things or mathematical statements. Two of the most important techniques of mathematical proof are proof
More informationCalculus and optimization
Calculus an optimization These notes essentially correspon to mathematical appenix 2 in the text. 1 Functions of a single variable Now that we have e ne functions we turn our attention to calculus. A function
More informationLATTICE-BASED D-OPTIMUM DESIGN FOR FOURIER REGRESSION
The Annals of Statistics 1997, Vol. 25, No. 6, 2313 2327 LATTICE-BASED D-OPTIMUM DESIGN FOR FOURIER REGRESSION By Eva Riccomagno, 1 Rainer Schwabe 2 an Henry P. Wynn 1 University of Warwick, Technische
More informationLecture 22. Lecturer: Michel X. Goemans Scribe: Alantha Newman (2004), Ankur Moitra (2009)
8.438 Avance Combinatorial Optimization Lecture Lecturer: Michel X. Goemans Scribe: Alantha Newman (004), Ankur Moitra (009) MultiFlows an Disjoint Paths Here we will survey a number of variants of isjoint
More informationLectures - Week 10 Introduction to Ordinary Differential Equations (ODES) First Order Linear ODEs
Lectures - Week 10 Introuction to Orinary Differential Equations (ODES) First Orer Linear ODEs When stuying ODEs we are consiering functions of one inepenent variable, e.g., f(x), where x is the inepenent
More information19 Eigenvalues, Eigenvectors, Ordinary Differential Equations, and Control
19 Eigenvalues, Eigenvectors, Orinary Differential Equations, an Control This section introuces eigenvalues an eigenvectors of a matrix, an iscusses the role of the eigenvalues in etermining the behavior
More informationNew attacks on RSA with Moduli N = p r q
New attacks on RSA with Moduli N = p r q Abderrahmane Nitaj 1 and Tajjeeddine Rachidi 2 1 Laboratoire de Mathématiques Nicolas Oresme Université de Caen Basse Normandie, France abderrahmane.nitaj@unicaen.fr
More informationA new attack on RSA with a composed decryption exponent
A new attack on RSA with a composed decryption exponent Abderrahmane Nitaj and Mohamed Ould Douh,2 Laboratoire de Mathématiques Nicolas Oresme Université de Caen, Basse Normandie, France abderrahmane.nitaj@unicaen.fr
More informationSurvey Sampling. 1 Design-based Inference. Kosuke Imai Department of Politics, Princeton University. February 19, 2013
Survey Sampling Kosuke Imai Department of Politics, Princeton University February 19, 2013 Survey sampling is one of the most commonly use ata collection methos for social scientists. We begin by escribing
More informationComputing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring
Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring Alexander May Faculty of Computer Science, Electrical Engineering and Mathematics University of Paderborn 33102 Paderborn,
More informationLinear First-Order Equations
5 Linear First-Orer Equations Linear first-orer ifferential equations make up another important class of ifferential equations that commonly arise in applications an are relatively easy to solve (in theory)
More informationFLUCTUATIONS IN THE NUMBER OF POINTS ON SMOOTH PLANE CURVES OVER FINITE FIELDS. 1. Introduction
FLUCTUATIONS IN THE NUMBER OF POINTS ON SMOOTH PLANE CURVES OVER FINITE FIELDS ALINA BUCUR, CHANTAL DAVID, BROOKE FEIGON, MATILDE LALÍN 1 Introuction In this note, we stuy the fluctuations in the number
More informationSturm-Liouville Theory
LECTURE 5 Sturm-Liouville Theory In the three preceing lectures I emonstrate the utility of Fourier series in solving PDE/BVPs. As we ll now see, Fourier series are just the tip of the iceberg of the theory
More informationThe Principle of Least Action
Chapter 7. The Principle of Least Action 7.1 Force Methos vs. Energy Methos We have so far stuie two istinct ways of analyzing physics problems: force methos, basically consisting of the application of
More informationFrom Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes
From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 2001, vol. 2020 of Lecture Notes in Computer
More informationALGEBRAIC AND ANALYTIC PROPERTIES OF ARITHMETIC FUNCTIONS
ALGEBRAIC AND ANALYTIC PROPERTIES OF ARITHMETIC FUNCTIONS MARK SCHACHNER Abstract. When consiere as an algebraic space, the set of arithmetic functions equippe with the operations of pointwise aition an
More informationYALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 23 (rev. 1) Professor M. J. Fischer November 29, 2005 1 Oblivious Transfer Lecture Notes 23 In the locked
More informationCryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95
Cryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95 Jean-Sébastien Coron and David Naccache Gemplus Card International 34 rue Guynemer, 92447 Issy-les-Moulineaux, France {jean-sebastien.coron,
More informationDeterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA
Deterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA Noboru Kunihiro 1 and Kaoru Kurosawa 2 1 The University of Electro-Communications, Japan kunihiro@iceuecacjp
More informationMathematics 116 HWK 25a Solutions 8.6 p610
Mathematics 6 HWK 5a Solutions 8.6 p6 Problem, 8.6, p6 Fin a power series representation for the function f() = etermine the interval of convergence. an Solution. Begin with the geometric series = + +
More informationDiagonalization of Matrices Dr. E. Jacobs
Diagonalization of Matrices Dr. E. Jacobs One of the very interesting lessons in this course is how certain algebraic techniques can be use to solve ifferential equations. The purpose of these notes is
More informationPDE Notes, Lecture #11
PDE Notes, Lecture # from Professor Jalal Shatah s Lectures Febuary 9th, 2009 Sobolev Spaces Recall that for u L loc we can efine the weak erivative Du by Du, φ := udφ φ C0 If v L loc such that Du, φ =
More informationCryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000
Cryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000 Amr Youssef 1 and Guang Gong 2 1 Center for Applied Cryptographic Research Department of Combinatorics & Optimization 2 Department of Electrical
More informationLenny Jones Department of Mathematics, Shippensburg University, Shippensburg, Pennsylvania Daniel White
#A10 INTEGERS 1A (01): John Selfrige Memorial Issue SIERPIŃSKI NUMBERS IN IMAGINARY QUADRATIC FIELDS Lenny Jones Deartment of Mathematics, Shiensburg University, Shiensburg, Pennsylvania lkjone@shi.eu
More informationarxiv: v1 [math.mg] 10 Apr 2018
ON THE VOLUME BOUND IN THE DVORETZKY ROGERS LEMMA FERENC FODOR, MÁRTON NASZÓDI, AND TAMÁS ZARNÓCZ arxiv:1804.03444v1 [math.mg] 10 Apr 2018 Abstract. The classical Dvoretzky Rogers lemma provies a eterministic
More informationCMSC 313 Preview Slides
CMSC 33 Preview Slies These are raft slies. The actual slies presente in lecture may be ifferent ue to last minute changes, scheule slippage,... UMBC, CMSC33, Richar Chang CMSC 33 Lecture
More informationMath 1B, lecture 8: Integration by parts
Math B, lecture 8: Integration by parts Nathan Pflueger 23 September 2 Introuction Integration by parts, similarly to integration by substitution, reverses a well-known technique of ifferentiation an explores
More informationNew bounds on Simonyi s conjecture
New bouns on Simonyi s conjecture Daniel Soltész soltesz@math.bme.hu Department of Computer Science an Information Theory, Buapest University of Technology an Economics arxiv:1510.07597v1 [math.co] 6 Oct
More informationThe Ehrenfest Theorems
The Ehrenfest Theorems Robert Gilmore Classical Preliminaries A classical system with n egrees of freeom is escribe by n secon orer orinary ifferential equations on the configuration space (n inepenent
More informationApproximate Constraint Satisfaction Requires Large LP Relaxations
Approximate Constraint Satisfaction Requires Large LP Relaxations oah Fleming April 19, 2018 Linear programming is a very powerful tool for attacking optimization problems. Techniques such as the ellipsoi
More informationarxiv: v2 [cond-mat.stat-mech] 11 Nov 2016
Noname manuscript No. (will be inserte by the eitor) Scaling properties of the number of ranom sequential asorption iterations neee to generate saturate ranom packing arxiv:607.06668v2 [con-mat.stat-mech]
More informationOn colour-blind distinguishing colour pallets in regular graphs
J Comb Optim (2014 28:348 357 DOI 10.1007/s10878-012-9556-x On colour-blin istinguishing colour pallets in regular graphs Jakub Przybyło Publishe online: 25 October 2012 The Author(s 2012. This article
More informationLecture 5. Symmetric Shearer s Lemma
Stanfor University Spring 208 Math 233: Non-constructive methos in combinatorics Instructor: Jan Vonrák Lecture ate: January 23, 208 Original scribe: Erik Bates Lecture 5 Symmetric Shearer s Lemma Here
More informationConstruction of the Electronic Radial Wave Functions and Probability Distributions of Hydrogen-like Systems
Construction of the Electronic Raial Wave Functions an Probability Distributions of Hyrogen-like Systems Thomas S. Kuntzleman, Department of Chemistry Spring Arbor University, Spring Arbor MI 498 tkuntzle@arbor.eu
More informationPublic Key Cryptography
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Public Key Cryptography EECE 412 1 What is it? Two keys Sender uses recipient s public key to encrypt Receiver uses his private key to decrypt
More informationDiophantine Approximations: Examining the Farey Process and its Method on Producing Best Approximations
Diophantine Approximations: Examining the Farey Process an its Metho on Proucing Best Approximations Kelly Bowen Introuction When a person hears the phrase irrational number, one oes not think of anything
More informationA new security notion for asymmetric encryption Draft #12
A new security notion for asymmetric encryption Draft #12 Muhammad Rezal Kamel Ariffin 1,2 1 Al-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, 2 Department of Mathematics,
More informationOn the Big Gap Between p and q in DSA
On the Big Gap Between p and in DSA Zhengjun Cao Department of Mathematics, Shanghai University, Shanghai, China, 200444. caozhj@shu.edu.cn Abstract We introduce a message attack against DSA and show that
More informationCryptanalysis of two knapsack public-key cryptosystems
Cryptanalysis of two knapsack public-key cryptosystems Jingguo Bi 1, Xianmeng Meng 2, and Lidong Han 1 {jguobi,hanlidong}@sdu.edu.cn mengxm@sdfi.edu.cn 1 Key Laboratory of Cryptologic Technology and Information
More informationThe chromatic number of graph powers
Combinatorics, Probability an Computing (19XX) 00, 000 000. c 19XX Cambrige University Press Printe in the Unite Kingom The chromatic number of graph powers N O G A A L O N 1 an B O J A N M O H A R 1 Department
More informationFinal Exam Study Guide and Practice Problems Solutions
Final Exam Stuy Guie an Practice Problems Solutions Note: These problems are just some of the types of problems that might appear on the exam. However, to fully prepare for the exam, in aition to making
More informationAn efficient quantum meet-in-the-middle attack against NTRU-2005
Article Quantum Information October 03 Vol58 o8-9: 354358 oi: 0007/s434-03-600-y An efficient quantum meet-in-the-mile attack against TRU-005 WAG Hong, MA Zhi * & MA huangui State Key Laboratory of Mathematical
More informationA Simulative Comparison of BB84 Protocol with its Improved Version
JCS&T Vol. 7 No. 3 October 007 A Simulative Comparison of BB84 Protocol with its Improve Version Mohsen Sharifi an Hooshang Azizi Computer Engineering Department Iran University of Science an Technology,
More informationLeast-Squares Regression on Sparse Spaces
Least-Squares Regression on Sparse Spaces Yuri Grinberg, Mahi Milani Far, Joelle Pineau School of Computer Science McGill University Montreal, Canaa {ygrinb,mmilan1,jpineau}@cs.mcgill.ca 1 Introuction
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationCryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97
Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97 Phong Nguyen and Jacques Stern École Normale Supérieure, Laboratoire d Informatique 45, rue d Ulm, F 75230 Paris Cedex 05 {Phong.Nguyen,Jacques.Stern}@ens.fr
More informationOn the Provable Security of an Efficient RSA-Based Pseudorandom Generator
On the Provable Security of an Efficient RSA-Based Pseudorandom Generator Ron Steinfeld, Josef Pieprzyk, and Huaxiong Wang Centre for Advanced Computing Algorithms and Cryptography (ACAC) Dept. of Computing,
More informationResistant Polynomials and Stronger Lower Bounds for Depth-Three Arithmetical Formulas
Resistant Polynomials an Stronger Lower Bouns for Depth-Three Arithmetical Formulas Maurice J. Jansen University at Buffalo Kenneth W.Regan University at Buffalo Abstract We erive quaratic lower bouns
More information2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms
CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such
More informationLow-Dimensional Lattice Basis Reduction Revisited (Extended Abstract)
Algorithmic Number Theory Proceeings of ANTS-VI (June 13 18, 2004, Burlington, U.S.A.) D. Buell (E.), vol.???? of Lecture Notes in Computer Science, pages?????? c Springer-Verlag (http://www.springer.e/comp/lncs/inex.html)
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationOn Deterministic Polynomial-Time Equivalence of Computing the CRT-RSA Secret Keys and Factoring
On Deterministic Polynomial-Time Equivalence of Computing the CRT-RSA Secret Keys and Factoring Subhamoy Maitra and Santanu Sarkar Applied Statistics Unit, Indian Statistical Institute, 203 B T Road, Kolkata
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationAttacking unbalanced RSA-CRT using SPA. Our goal
Attacking unbalance RSA-CRT using SPA P.A. Fouque*, G. Martinet, G. Poupar (with the participation of Barnaby Martinet-Fouque) DCSSI Crypto ab, France (*) Ecole Normal Supérieure, France CHES 23 - P.A.
More information5 Public-Key Encryption: Rabin, Blum-Goldwasser, RSA
Leo Reyzin. Notes for BU CAS CS 538. 1 5 Public-Key Encryption: Rabin, Blum-Goldwasser, RSA 5.1 Public Key vs. Symmetric Encryption In the encryption we ve been doing so far, the sender and the recipient
More informationLEGENDRE TYPE FORMULA FOR PRIMES GENERATED BY QUADRATIC POLYNOMIALS
Ann. Sci. Math. Québec 33 (2009), no 2, 115 123 LEGENDRE TYPE FORMULA FOR PRIMES GENERATED BY QUADRATIC POLYNOMIALS TAKASHI AGOH Deicate to Paulo Ribenboim on the occasion of his 80th birthay. RÉSUMÉ.
More informationThe Principle of Least Action and Designing Fiber Optics
University of Southampton Department of Physics & Astronomy Year 2 Theory Labs The Principle of Least Action an Designing Fiber Optics 1 Purpose of this Moule We will be intereste in esigning fiber optic
More informationCryptanalysis of RSA with Small Multiplicative Inverse of (p 1) or (q 1) Modulo e
Cryptanalysis of RSA with Small Multiplicative Inverse of (p 1) or (q 1) Modulo e P Anuradha Kameswari, L Jyotsna Department of Mathematics, Andhra University, Visakhapatnam - 5000, Andhra Pradesh, India
More informationQuantum Mechanics in Three Dimensions
Physics 342 Lecture 20 Quantum Mechanics in Three Dimensions Lecture 20 Physics 342 Quantum Mechanics I Monay, March 24th, 2008 We begin our spherical solutions with the simplest possible case zero potential.
More informationBisecting Sparse Random Graphs
Bisecting Sparse Ranom Graphs Malwina J. Luczak,, Colin McDiarmi Mathematical Institute, University of Oxfor, Oxfor OX 3LB, Unite Kingom; e-mail: luczak@maths.ox.ac.uk Department of Statistics, University
More informationOptimization of Geometries by Energy Minimization
Optimization of Geometries by Energy Minimization by Tracy P. Hamilton Department of Chemistry University of Alabama at Birmingham Birmingham, AL 3594-140 hamilton@uab.eu Copyright Tracy P. Hamilton, 1997.
More informationEqual Sums of Three Powers
Equal Sums of Three Powers T.D. Browning an D.R. Heath-Brown Mathematical Institute, Oxfor 1 Introuction In this paper we shall be concerne with the number N (B) of positive integer solutions to the equation
More information