A brief survey of post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago
|
|
- Jared Morrison
- 6 years ago
- Views:
Transcription
1 A brief survey of post-quantum cryptography D. J. Bernstein University of Illinois at Chicago
2 Once the enormous energy boost that quantum computers are expected to provide hits the street, most encryption security standards and any other standard based on computational difficulty will fall, experts believe. (Magiq s web site, 2008; the experts aren t named)
3 Is cryptography dead? Imagine: 15 years from now someone announces successful construction of a large quantum computer. New York Times headline: INTERNET CRYPTOGRAPHY KILLED BY PHYSICISTS. Users panic. What happens to cryptography?
4 RSA: Dead.
5 RSA: Dead. DSA: Dead. ECDSA: Dead.
6 RSA: Dead. DSA: Dead. ECDSA: Dead. ECC in general: Dead. HECC in general: Dead.
7 RSA: Dead. DSA: Dead. ECDSA: Dead. ECC in general: Dead. HECC in general: Dead. Buchmann Williams: Dead. Class groups in general: Dead.
8 RSA: Dead. DSA: Dead. ECDSA: Dead. ECC in general: Dead. HECC in general: Dead. Buchmann Williams: Dead. Class groups in general: Dead. They re all dead, Dave.
9 RSA: Dead. DSA: Dead. ECDSA: Dead. ECC in general: Dead. HECC in general: Dead. Buchmann Williams: Dead. Class groups in general: Dead. They re all dead, Dave. But we have other types of cryptographic systems! Hash-based cryptography. Example: 1979 Merkle hash-tree public-key signature system.
10 Code-based cryptography. Example: 1978 McEliece hidden-goppa-code public-key encryption system. Lattice-based cryptography. Example: 1998 NTRU. Multivariate-quadraticequations cryptography. Example: 1996 Patarin HFE v public-key signature system. Secret-key cryptography. Example: 1998 Daemen Rijmen Rijndael cipher, aka AES.
11 Nobody has figured out a way to apply Shor s algorithm to any of these systems. Grover s algorithm does have some applications, but cryptographers can easily compensate by scaling up somewhat.
12 Maybe there s a better attack! This was already a familiar risk before quantum computers. This is why the community puts tremendous effort into cryptanalysis. Results of cryptanalysis: Some systems are killed. Some systems need larger keys. Some systems inspire confidence.
13 1978 RSA paper mentions Schroeppel s linear sieve for factorization. Need 2+Ó(1) -bit RSA key for -bit security Pollard et al.: Number-field sieve. Need 3+Ó(1) -bit RSA key for -bit security. Many improvements since then, but still 3+Ó(1) against classical computers Shor: Need intolerably large RSA key for -bit security against quantum computers.
14 1978 McEliece paper mentions a decoding algorithm. Need code dimension 1+Ó(1) for -bit security. Many improvements since then, but still dimension 1+Ó(1) against classical computers. Still dimension 1+Ó(1) against quantum computers. If McEliece security is so good, why are we still using RSA? Answer: McEliece key is huge.
15 Pre-quantum cryptography: Cryptographers design systems to scramble and unscramble data. RSA, McEliece, AES, many more. Cryptanalysts break some systems using 2 classical operations. Tools: NFS, LLL, F4, etc. Unbroken systems: RSA with 3+Ó(1) bits, McEliece with dimension 1+Ó(1), AES if 256, etc. Algorithm designers and implementors find the fastest unbroken systems.
16 Post-quantum cryptography: Cryptographers design systems to scramble and unscramble data. RSA, McEliece, AES, many more. Cryptanalysts break some systems using 2 quantum operations. Tools: NFS, LLL, F4, etc. plus Shor, Grover, etc. Unbroken systems: McEliece with dimension 1+Ó(1), AES if 128, etc. Algorithm designers and implementors find the fastest unbroken systems.
17 A hash-based signature system Standardize a 256-bit hash function À. Signer s public key: 512 strings Ý 1 [0] Ý 1 [1] Ý 256 [0] Ý 256 [1], each 256 bits. Total: bits. Signature of a message Ñ: 256-bit strings Ö Ü 1 Ü 256 such that the bits ( ) of À(Ö Ñ) satisfy Ý 1 [ 1 ] = À(Ü 1 ),, Ý 256 [ 256 ] = À(Ü 256 ).
18 Signer s secret key: 512 independent uniform random 256-bit strings Ü 1 [0] Ü 1 [1] Ü 256 [0] Ü 256 [1]. Signer computes Ý 1 [0] Ý 1 [1] Ý 256 [0] Ý 256 [1] as À(Ü 1 [0]) À(Ü 1 [1]) À(Ü 256 [0]) À(Ü 256 [1]). To sign Ñ: generate uniform random Ö; À(Ö Ñ) = ( ); reveal (Ö Ü 1 [ 1 ] Ü 256 [ 256 ]); discard remaining Ü values; refuse to sign more messages.
19 This is the Lamport Diffie one-time signature system. How to sign more than one message? Easy answer: Chaining. Signer expands Ñ to include a newly generated public key that will sign next message. More advanced answers (Merkle et al.) scale logarithmically with the number of messages signed.
20 A code-based encryption system Receiver s public key: bit matrix Ã. Messages suitable for encryption: 3600-bit strings of weight 150 ; i.e., 3600-bit strings with exactly 150 nonzero bits. Encryption of Ñ is 1800-bit string ÃÑ.
21 Attacker, by linear algebra, can easily work backwards from ÃÑ to some Ú such that ÃÚ = ÃÑ. Huge number of choices of Ú. Finding weight-150 choice ( syndrome-decoding à ) seems extremely difficult for most choices of Ã. Best attacks? See next talk.
22 Receiver secretly generates public key à with a hidden Goppa code structure that allows fast decoding. Detecting this structure seems even more difficult than syndrome-decoding random Ã.
23 Receiver starts with secret monic degree-150 irreducible polynomial ¾ F 4096 [Ü] and distinct «1 «3600 ¾ F Patterson s algorithm ¼ syndrome-decodes the matrix 1 («1 ) 1 («3600 ) ½ À = «1 («1 ) «3600 («3600 ) «149 1 «149 («1 ) 3600 («3600 )
24 Receiver also has a secret invertible matrix Ë and a secret permutation matrix È. Receiver s public key à is the product ËÀÈ. Given ciphertext ÃÑ = ËÀÈ Ñ: receiver computes ÀÈ Ñ; decodes À to obtain È Ñ; computes Ñ.
25 This is 1986 Niederreiter variant of McEliece s original system. Reducing à to systematic form reduces space to bits. Many other improvements. Lattice-based cryptography: similar; more complicated; maybe more attractive! See tomorrow s talk.
26 An MQ signature system Signer s public key: polynomials È 1 È 300 ¾ F 2 [Û 1 Û 600 ]. Extra requirements on each of these polynomials: degree 2, no squares; i.e., linear combination of 1 Û 1 Û 600 Û 1 Û 2 Û 1 Û 3 Û 599 Û 600. Overall bits.
27 Signature of Ñ: a 300-bit string Ö and values Û 1 Û 600 ¾ F 2 such that À(Ö Ñ) = (È 1 (Û 1 Û 600 ) È 300 (Û 1 Û 600 )). Only 900 bits! Verifying a signature uses one evaluation of À and millions of bit operations to evaluate È 1 È 300.
28 Main challenge for attacker: find bits Û 1 Û 600 producing specified outputs (È 1 (Û 1 Û 600 ) È 300 (Û 1 Û 600 )). Random guess: on average, only chance of success. XL etc.: fewer operations, but still not practical.
29 Signer generates public key with secret HFE v structure. Standardize a degree-450 irreducible polynomial ³ ¾ F 2 [Ø]. Define Ä = F 2 [Ø] ³. Critical step in signing: finding roots of a secret polynomial in Ä[Ü] of degree at most 300.
30 Secret polynomial is chosen with all nonzero exponents of the form or 2. (So degree 288.) If Ü 0 Ü 1 Ü 449 ¾ F 2 and Ü = Ü 0 + Ü 1 Ø + + Ü 449 Ø 449 then Ü 2 = Ü 0 + Ü 1 Ø Ü 449 Ø 898, Ü 4 = Ü 0 + Ü 1 Ø Ü 449 Ø 1796, etc. In general, Ü 2 +2 is a quadratic polynomial in the variables Ü 0 Ü 449.
31 Signer s secret key: invertible matrix Ë; matrix Ì of rank 300; É ¾ Ä[Ü Ú 1 Ú 2 Ú 150 ]. Each term in É has one of the forms Ü 2 +2 with ¾ Ä, 2 2, ; Ü 2 Ú with ¾ Ä, 2 300; Ú Ú ; Ü 2 ; Ú ;.
32 To compute public key: Compute Ë(Û 1 Û 600 ) = (Ü 0 Ü 449 Ú 1 Ú 150 ). In Ä[Û 1 Û È 600 ] compute Ü = Ü Ø and Ý = É(Ü Ú 1 Ú 2 Ú 150 ) modulo Û1 2 Û 1 Û600 2 Û 600. Write Ý = Ý Ý 449 Ø 449 with Ý ¾ F 2 [Û 1 Û 600 ]. Compute (È 1 È 300 ) = Ì(Ý 0 Ý 1 Ý 449 ).
33 Sign by working backwards. Given values (È 1 È 300 ), invert Ì to obtain values (Ý 0 Ý 449 ) choices; randomize. Choose (Ú 1 Ú 150 ) randomly. Substitute into É(Ü Ú 1 Ú 150 ) to obtain É(Ü) ¾ Ä[Ü]. Solve É(Ü) = Ý for Ü ¾ Ä. If several roots, randomize. If no roots, start over. Invert Ë to obtain signature.
34 This is an HFE v example. HFE : Hidden Field Equation É(Ü) = Ý. : publish only 300 equations instead of 450. v : vinegar variables Ú 1 Ú 150. State-of-the-art attack breaks a simplified system with 0 vinegar variables, 1 term in É. Can build MQ systems in many other ways.
35 Preparing for the future When someone announces a large quantum computer we ll switch to McEliece etc. Why worry about the switch now? Answer 1: We need time to improve efficiency. Answer 2: We need time to build confidence. Answer 3: We need time to improve usability.
36 Have you implemented a public-key system? Send your software to ebats: ECRYPT Benchmarking of Asymmetric Systems. Now integrated into ebacs: ECRYPT Benchmarking of Cryptographic Systems.
37 Bernstein, sci.crypt: I m thinking about publishing a paper on post-quantum cryptography. This isn t too early to start planning ahead for the very real possibility of quantum computers Buchmann et al., Post-Quantum Signatures : We would like to thank Dan Bernstein for inventing the notion post-quantum cryptography.
38 Silverberg to Bernstein: Hey, let s run a workshop Bernstein to Silverberg: How about a workshop on post-quantum cryptography? Independently, late 2004: Wolf proposes workshop on post-quantum cryptography. Independently, late 2004: Ding proposes workshop on Cryptology in the quantum computer era.
39 Lange manages to herd Bernstein, Ding, Nguyen, Wolf, et al.; ECRYPT starts organizing PQCrypto : PQCrypto 2006 in Leuven, Belgium : PQCrypto 2008 here in Cincinnati. End of 2008: Survey book!
40
41 Bernstein: Introduction to post-quantum cryptography. Hallgren, Vollmer: Quantum computing. Buchmann, Dahmen, Szydlo: Hash-based digital signature schemes. Overbeck, Sendrier: Code-based cryptography. Micciancio, Regev: Lattice-based cryptography. Ding, Yang: Multivariate public key cryptography.
Code-based post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago
Code-based post-quantum cryptography D. J. Bernstein University of Illinois at Chicago Once the enormous energy boost that quantum computers are expected to provide hits the street, most encryption security
More informationHigh-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven
High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers
More informationQuantum-resistant cryptography
Quantum-resistant cryptography Background: In quantum computers, states are represented as vectors in a Hilbert space. Quantum gates act on the space and allow us to manipulate quantum states with combination
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Public-key crypto ECC RSA DSA Secret-key crypto AES SHA2 SHA1... Combination of both
More informationWild McEliece Incognito
Wild McEliece Incognito Christiane Peters Technische Universiteit Eindhoven joint work with Daniel J. Bernstein and Tanja Lange Seminaire de Cryptographie Rennes April 1, 2011 Bad news Quantum computers
More informationPost-Quantum Cryptography
Post-Quantum Cryptography Sebastian Schmittner Institute for Theoretical Physics University of Cologne 2015-10-26 Talk @ U23 @ CCC Cologne This work is licensed under a Creative Commons Attribution-ShareAlike
More informationThe quantum threat to cryptography
The quantum threat to cryptography Ashley Montanaro School of Mathematics, University of Bristol 20 October 2016 Quantum computers University of Bristol IBM UCSB / Google University of Oxford Experimental
More informationFinding small factors of integers. Speed of the number-field sieve. D. J. Bernstein University of Illinois at Chicago
The number-field sieve Finding small factors of integers Speed of the number-field sieve D. J. Bernstein University of Illinois at Chicago Prelude: finding denominators 87366 22322444 in R. Easily compute
More informationDaniel J. Bernstein University of Illinois at Chicago. means an algorithm that a quantum computer can run.
Quantum algorithms 1 Daniel J. Bernstein University of Illinois at Chicago Quantum algorithm means an algorithm that a quantum computer can run. i.e. a sequence of instructions, where each instruction
More informationAdvances in code-based public-key cryptography. D. J. Bernstein University of Illinois at Chicago
Advances in code-based public-key cryptography D. J. Bernstein University of Illinois at Chicago Advertisements 1. pqcrypto.org: Post-quantum cryptography hash-based, lattice-based, code-based, multivariate
More informationIntroduction to Quantum Safe Cryptography. ENISA September 2018
Introduction to Quantum Safe Cryptography ENISA September 2018 Introduction This talk will introduce the mathematical background of the most popular PQC primitives Code-based Lattice-based Multivariate
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Asymmetric Crypto ECC RSA DSA Symmetric Crypto AES SHA2 SHA1... Combination of both
More informationComputational algebraic number theory tackles lattice-based cryptography
Computational algebraic number theory tackles lattice-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Moving to the left Moving to the right
More informationHow Fast can be Algebraic Attacks on Block Ciphers?
How Fast can be Algebraic Attacks on Block Ciphers? Nicolas T. Courtois Axalto mart Cards, 36-38 rue de la Princesse BP 45, 78430 Louveciennes Cedex, France http://www.nicolascourtois.net courtois@minrank.org
More informationOn the Complexity of the Hybrid Approach on HFEv-
On the Complexity of the Hybrid Approach on HFEv- Albrecht Petzoldt National Institute of Standards and Technology, Gaithersburg, Maryland, USA albrecht.petzoldt@gmail.com Abstract. The HFEv- signature
More informationAttacking and defending the McEliece cryptosystem
Attacking and defending the McEliece cryptosystem (Joint work with Daniel J. Bernstein and Tanja Lange) Christiane Peters Technische Universiteit Eindhoven PQCrypto 2nd Workshop on Postquantum Cryptography
More informationQuantum-Safe Crypto Why & How? JP Aumasson, Kudelski Security
Quantum-Safe Crypto Why & How? JP Aumasson, Kudelski Security Flight plan What s a quantum computer? How broken are your public keys? AES vs. quantum search Hidden quantum powers Defeating quantum computing
More information9 Knapsack Cryptography
9 Knapsack Cryptography In the past four weeks, we ve discussed public-key encryption systems that depend on various problems that we believe to be hard: prime factorization, the discrete logarithm, and
More informationLattice-Based Cryptography
Liljana Babinkostova Department of Mathematics Computing Colloquium Series Detecting Sensor-hijack Attacks in Wearable Medical Systems Krishna Venkatasubramanian Worcester Polytechnic Institute Quantum
More informationErrors, Eavesdroppers, and Enormous Matrices
Errors, Eavesdroppers, and Enormous Matrices Jessalyn Bolkema September 1, 2016 University of Nebraska - Lincoln Keep it secret, keep it safe Public Key Cryptography The idea: We want a one-way lock so,
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationElliptic Curve Cryptography
Elliptic Curve Cryptography Elliptic Curves An elliptic curve is a cubic equation of the form: y + axy + by = x 3 + cx + dx + e where a, b, c, d and e are real numbers. A special addition operation is
More informationBlockchain and Quantum Computing
M T R 1 7 0 4 8 7 M I T R E T E C H N I C A L R E P O R T Blockchain and Quantum Computing Project No.: 25SPI050-12 The views, opinions and/or findings contained in this report are those of The MITRE Corporation
More informationSide-channel analysis in code-based cryptography
1 Side-channel analysis in code-based cryptography Tania RICHMOND IMATH Laboratory University of Toulon SoSySec Seminar Rennes, April 5, 2017 Outline McEliece cryptosystem Timing Attack Power consumption
More informationAlgebraic Cryptanalysis of MQQ Public Key Cryptosystem by MutantXL
Algebraic Cryptanalysis of MQQ Public Key Cryptosystem by MutantXL Mohamed Saied Emam Mohamed 1, Jintai Ding 2, and Johannes Buchmann 1 1 TU Darmstadt, FB Informatik Hochschulstrasse 10, 64289 Darmstadt,
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols nichols@math.umass.edu University of Massachusetts Oct. 14, 2015 Cryptography basics Cryptography is the study of secure communications. Here are
More informationWhat are we talking about when we talk about post-quantum cryptography?
PQC Asia Forum Seoul, 2016 What are we talking about when we talk about post-quantum cryptography? Fang Song Portland State University PQC Asia Forum Seoul, 2016 A personal view on postquantum cryptography
More informationMcEliece and Niederreiter Cryptosystems That Resist Quantum Fourier Sampling Attacks
McEliece and Niederreiter Cryptosystems That Resist Quantum Fourier Sampling Attacks Hang Dinh Indiana Uniersity South Bend joint work with Cristopher Moore Uniersity of New Mexico Alexander Russell Uniersity
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationAnalysis of Hidden Field Equations Cryptosystem over Odd-Characteristic Fields
Nonlinear Phenomena in Complex Systems, vol. 17, no. 3 (2014), pp. 278-283 Analysis of Hidden Field Equations Cryptosystem over Odd-Characteristic Fields N. G. Kuzmina and E. B. Makhovenko Saint-Petersburg
More informationHidden Field Equations
Security of Hidden Field Equations (HFE) 1 The security of Hidden Field Equations ( H F E ) Nicolas T. Courtois INRIA, Paris 6 and Toulon University courtois@minrank.org Permanent HFE web page : hfe.minrank.org
More informationMultivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar?
Multivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar? Christian Eder, Jean-Charles Faugère and Ludovic Perret Seminar on Fundamental Algorithms, University
More informationAlgebraic Aspects of Symmetric-key Cryptography
Algebraic Aspects of Symmetric-key Cryptography Carlos Cid (carlos.cid@rhul.ac.uk) Information Security Group Royal Holloway, University of London 04.May.2007 ECRYPT Summer School 1 Algebraic Techniques
More informationDecoding One Out of Many
Decoding One Out of Many Nicolas Sendrier INRIA Paris-Rocquencourt, équipe-projet SECRET Code-based Cryptography Workshop 11-12 May 2011, Eindhoven, The Netherlands Computational Syndrome Decoding Problem:
More informationCHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux
CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S Ant nine J aux (g) CRC Press Taylor 8* Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor &
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from
More informationMutantXL: Solving Multivariate Polynomial Equations for Cryptanalysis
MutantXL: Solving Multivariate Polynomial Equations for Cryptanalysis Johannes Buchmann 1, Jintai Ding 2, Mohamed Saied Emam Mohamed 1, and Wael Said Abd Elmageed Mohamed 1 1 TU Darmstadt, FB Informatik
More informationThe Shortest Signatures Ever
The Shortest Signatures Ever Mohamed Saied Emam Mohamed 1, Albrecht Petzoldt 2 1 Technische Universität Darmstadt, Germany 2 Kyushu University, Fukuoka, Japan mohamed@cdc.informatik.tu-darmstadt.de, petzoldt@imi.kyushu-u.ac.jp
More informationA New Algorithm to Construct. Secure Keys for AES
Int. J. Contemp. Math. Sciences, Vol. 5, 2010, no. 26, 1263-1270 A New Algorithm to Construct Secure Keys for AES Iqtadar Hussain Department of Mathematics Quaid-i-Azam University, Islamabad, Pakistan
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationNew Directions in Multivariate Public Key Cryptography
New Directions in Shuhong Gao Joint with Ray Heindl Clemson University The 4th International Workshop on Finite Fields and Applications Beijing University, May 28-30, 2010. 1 Public Key Cryptography in
More informationImproving the efficiency of Generalized Birthday Attacks against certain structured cryptosystems
Improving the efficiency of Generalized Birthday Attacks against certain structured cryptosystems Robert Niebuhr 1, Pierre-Louis Cayrel 2, and Johannes Buchmann 1,2 1 Technische Universität Darmstadt Fachbereich
More informationHexi McEliece Public Key Cryptosystem
Appl Math Inf Sci 8, No 5, 2595-2603 (2014) 2595 Applied Mathematics & Information Sciences An International Journal http://dxdoiorg/1012785/amis/080559 Hexi McEliece Public Key Cryptosystem K Ilanthenral
More informationA Smart Card Implementation of the McEliece PKC
A Smart Card Implementation of the McEliece PKC Falko Strenzke 1 1 FlexSecure GmbH, Germany, strenzke@flexsecure.de 2 Cryptography and Computeralgebra, Department of Computer Science, Technische Universität
More informationSome Notes on Post-Quantum Cryptography
Some Notes on Post-Quantum Cryptography J. Maurice Rojas Texas A&M University October 9, 2013 150 B.C.E.: Reference to Śyena=Garuda =a Bird-like Hindu divinity in India 150 B.C.E.:...Garuda in India 100
More informationOil-Vinegar signature cryptosystems
Oil-Vinegar signature cryptosystems Jintai Ding University of Cincinnati Workshop on multivariate public key cryptosystems, 2006 Taiwan Information Security Center The National Taiwan University of Science
More informationMultivariate Quadratic Public-Key Cryptography Part 1: Basics
Multivariate Quadratic Public-Key Cryptography Part 1: Basics Bo-Yin Yang Academia Sinica PQCrypto Executive Summer School 2017 Eindhoven, the Netherlands Friday, 23.06.2017 B.-Y. Yang (Academia Sinica)
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationNotes 10: Public-key cryptography
MTH6115 Cryptography Notes 10: Public-key cryptography In this section we look at two other schemes that have been proposed for publickey ciphers. The first is interesting because it was the earliest such
More informationInformation Security
SE 4472 / ECE 9064 Information Security Week 12: Random Number Generators and Picking Appropriate Key Lengths Fall 2015 Prof. Aleksander Essex Random Number Generation Where do keys come from? So far we
More informationA Provably Secure Group Signature Scheme from Code-Based Assumptions
A Provably Secure Group Signature Scheme from Code-Based Assumptions Martianus Frederic Ezerman, Hyung Tae Lee, San Ling, Khoa Nguyen, Huaxiong Wang NTU, Singapore ASIACRYPT 15-01/12/15 Group Signatures
More informationCryptanalysis of the TTM Cryptosystem
Cryptanalysis of the TTM Cryptosystem Louis Goubin and Nicolas T Courtois SchlumbergerSema - CP8 36-38 rue de la Princesse BP45 78430 Louveciennes Cedex France LouisGoubin@bullnet,courtois@minrankorg Abstract
More informationMathematics of Public Key Cryptography
Mathematics of Public Key Cryptography Eric Baxter April 12, 2014 Overview Brief review of public-key cryptography Mathematics behind public-key cryptography algorithms What is Public-Key Cryptography?
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 10 February 19, 2013 CPSC 467b, Lecture 10 1/45 Primality Tests Strong primality tests Weak tests of compositeness Reformulation
More informationSome Notes on Post-Quantum Cryptography
Some Notes on Post-Quantum Cryptography J. Maurice Rojas Texas A&M University March 27, 2014 Historical Context... Flight 150 B.C.E.: Reference to Śyena=Garuda =a Bird-like Hindu divinity in India Historical
More informationPost-quantum RSA. We built a great, great 1-terabyte RSA wall, and we had the university pay for the electricity
We built a great, great 1-terabyte RSA wall, and we had the university pay for the electricity Daniel J. Bernstein Joint work with: Nadia Heninger Paul Lou Luke Valenta The referees are questioning applicability...
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationLecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures
Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle
More informationFPGA-based Niederreiter Cryptosystem using Binary Goppa Codes
FPGA-based Niederreiter Cryptosystem using Binary Goppa Codes Wen Wang 1, Jakub Szefer 1, and Ruben Niederhagen 2 1. Yale University, USA 2. Fraunhofer Institute SIT, Germany April 9, 2018 PQCrypto 2018
More informationConstructive aspects of code-based cryptography
DIMACS Workshop on The Mathematics of Post-Quantum Cryptography Rutgers University January 12-16, 2015 Constructive aspects of code-based cryptography Marco Baldi Università Politecnica delle Marche Ancona,
More informationCryptography. P. Danziger. Transmit...Bob...
10.4 Cryptography P. Danziger 1 Cipher Schemes A cryptographic scheme is an example of a code. The special requirement is that the encoded message be difficult to retrieve without some special piece of
More informationCryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL reduction
Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL reduction Shinya Okumura Institute of Systems, Information Technologies and Nanotechnologies This is a joint work
More informationLattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.
Lattices A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices have many uses in cryptography. They may be used to define cryptosystems and to break other ciphers.
More informationCryptanalysis of Simple Matrix Scheme for Encryption
Cryptanalysis of Simple Matrix Scheme for Encryption Chunsheng Gu School of Computer Engineering, Jiangsu University of Technology, Changzhou, 213001, China {chunsheng_gu}@163.com Abstract. Recently, Tao
More informationIn fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.
Attacks on RSA, some using LLL Recall RSA: N = pq hard to factor. Choose e with gcd(e,φ(n)) = 1, where φ(n) = (p 1)(q 1). Via extended Euclid, find d with ed 1 (mod φ(n)). Discard p and q. Public key is
More informationTOT, a Fast Multivariate Public Key Cryptosystem with Basic Secure Trapdoor
TOT, a Fast Multivariate Public Key Cryptosystem with Basic Secure Trapdoor Wuqiang Shen and Shaohua Tang School of Computer Science & Engineering, South China University of Technology, Guangzhou 510006,
More informationLemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).
1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not
More informationMcBits: fast constant-time code-based cryptography. (to appear at CHES 2013)
McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit
More informationImproved Cryptanalysis of HFEv- via Projection
Improved Cryptanalysis of HFEv- via Projection Jintai Ding, Ray Perlner, Albrecht Petzoldt, Daniel Smith-Tone PQ Crypto 2018 Fort Lauderdale, Florida 04/10/2018 A. Petzoldt Cryptanalysis of HFEv- via Projection
More informationAlternative Approaches: Bounded Storage Model
Alternative Approaches: Bounded Storage Model A. Würfl 17th April 2005 1 Motivation Description of the Randomized Cipher 2 Motivation Motivation Description of the Randomized Cipher Common practice in
More informationRGB, a Mixed Multivariate Signature Scheme
Advance Access publication on 7 August 2015 RGB, a Mixed Multivariate Signature Scheme Wuqiang Shen and Shaohua Tang c The British Computer Society 2015. All rights reserved. For Permissions, please email:
More information8 Elliptic Curve Cryptography
8 Elliptic Curve Cryptography 8.1 Elliptic Curves over a Finite Field For the purposes of cryptography, we want to consider an elliptic curve defined over a finite field F p = Z/pZ for p a prime. Given
More informationComputers and Electrical Engineering
Computers and Electrical Engineering 36 (2010) 56 60 Contents lists available at ScienceDirect Computers and Electrical Engineering journal homepage: wwwelseviercom/locate/compeleceng Cryptanalysis of
More informationPost-Quantum Cryptography
Post-Quantum Cryptography Code-Based Cryptography Tanja Lange with some slides by Tung Chou and Christiane Peters Technische Universiteit Eindhoven ASCrypto Summer School: 18 September 2017 Error correction
More informationCode-based cryptography
Code-based graphy Laboratoire Hubert Curien, UMR CNRS 5516, Bâtiment F 18 rue du professeur Benoît Lauras 42000 Saint-Etienne France pierre.louis.cayrel@univ-st-etienne.fr June 4th 2013 Pierre-Louis CAYREL
More informationHOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51
HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY Abderrahmane Nitaj Laboratoire de Mathe matiques Nicolas Oresme Universite de Caen Normandie, France Nouakchott, February 15-26, 2016 Abderrahmane
More informationSPHINCS: practical stateless hash-based signatures
SPHINCS: practical stateless hash-based signatures D. J. Bernstein, D. Hopwood, A. Hülsing, T. Lange, R. Niederhagen, L. Papachristodoulou, P. Schwabe, and Z. Wilcox O'Hearn Digital Signatures are Important!
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationAES side channel attacks protection using random isomorphisms
Rostovtsev A.G., Shemyakina O.V., St. Petersburg State Polytechnic University AES side channel attacks protection using random isomorphisms General method of side-channel attacks protection, based on random
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 6, 2012 CPSC 467b, Lecture 9 1/53 Euler s Theorem Generating RSA Modulus Finding primes by guess and check Density of
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationA Key Recovery Attack on MDPC with CCA Security Using Decoding Errors
A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors Qian Guo Thomas Johansson Paul Stankovski Dept. of Electrical and Information Technology, Lund University ASIACRYPT 2016 Dec 8th, 2016
More informationCode-based Cryptography
a Hands-On Introduction Daniel Loebenberger Ηράκλειο, September 27, 2018 Post-Quantum Cryptography Various flavours: Lattice-based cryptography Hash-based cryptography Code-based
More informationShort generators without quantum computers: the case of multiquadratics
Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein University of Illinois at Chicago 31 July 2017 https://multiquad.cr.yp.to Joint work with: Jens Bauch & Henry
More informationThe Support Splitting Algorithm and its Application to Code-based Cryptography
The Support Splitting Algorithm and its Application to Code-based Cryptography Dimitris E. Simos (joint work with Nicolas Sendrier) Project-Team SECRET INRIA Paris-Rocquencourt May 9, 2012 3rd Code-based
More informationSpeeding up characteristic 2: I. Linear maps II. The Å(Ò) game III. Batching IV. Normal bases. D. J. Bernstein University of Illinois at Chicago
Speeding up characteristic 2: I. Linear maps II. The Å(Ò) game III. Batching IV. Normal bases D. J. Bernstein University of Illinois at Chicago NSF ITR 0716498 Part I. Linear maps Consider computing 0
More informationPost-Quantum Code-Based Cryptography
Big Data Photonics UCLA Post-Quantum Code-Based Cryptography 03-25-2016 Valérie Gauthier Umaña Assistant Professor valeriee.gauthier@urosario.edu.co Cryptography Alice 1 Cryptography Alice Bob 1 Cryptography
More informationAdvanced code-based cryptography. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven
Advanced code-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Lattice-basis reduction Define L = (0; 24)Z + (1; 17)Z = {(b; 24a + 17b) : a;
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018
Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationMATH 158 FINAL EXAM 20 DECEMBER 2016
MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page
More informationAn Algebraic Framework for Cipher Embeddings
An Algebraic Framework for Cipher Embeddings C. Cid 1, S. Murphy 1, and M.J.B. Robshaw 2 1 Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20 0EX, U.K. 2 France Télécom
More informationA Five-Round Algebraic Property of the Advanced Encryption Standard
A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science
More informationMcEliece type Cryptosystem based on Gabidulin Codes
McEliece type Cryptosystem based on Gabidulin Codes Joachim Rosenthal University of Zürich ALCOMA, March 19, 2015 joint work with Kyle Marshall Outline Traditional McEliece Crypto System 1 Traditional
More informationPost-Quantum Cryptography
Post-Quantum Cryptography Prof. Dr. J. Buchmann Written by: P. Schmidt Last updated: February 25, 2010 1 Contents 1. Introduction 5 2. Motivation 5 3. Quantum Algorithms and Quantum Computers 6 3.1. The
More informationPOST-QUANTUM CRYPTOGRAPHY HOW WILL WE ENCRYPT TOMORROW?
POST-QUANTUM CRYPTOGRAPHY HOW WILL WE ENCRYPT TOMORROW? Hanno Böck https://hboeck.de 1 INTRODUCTION Hanno Böck, freelance journalist and hacker. Writing for Golem.de and others. Fuzzing Project, funded
More informationShort generators without quantum computers: the case of multiquadratics
Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein & Christine van Vredendaal University of Illinois at Chicago Technische Universiteit Eindhoven 19 January 2017
More informationSide Channel Analysis and Protection for McEliece Implementations
Side Channel Analysis and Protection for McEliece Implementations Thomas Eisenbarth Joint work with Cong Chen, Ingo von Maurich and Rainer Steinwandt 9/27/2016 NATO Workshop- Tel Aviv University Overview
More informationPoints of High Order on Elliptic Curves ECDSA
! Independent thesis advanced level (degree of master (two years)) Points of High Order on Elliptic Curves ECDSA Author: Behnaz Kouchaki Barzi Supervisor: Per-Anders Svensson Examiner: Andrei Khrennikov
More information