Generating EIGamal Signatures Without Knowing the Secret Key
|
|
- Russell Booker
- 6 years ago
- Views:
Transcription
1 Generating EIGamal Signatures Without Knowing the Secret Key Daniel Bleichenbacher ETH Zurich Institute for Theoretical Computer Science CH-8092 Zurich, Switzerlan bleichenminf.ethz. ch Abstract. We present a new metho to forge EIGamal signatures if the public parameters of the system are not chosen properly. Since the secret key is hereby riot fouri this attack shows that forging ElGamal signatures is sometimes easier than the unerlying iscrete logarithm problem. 1 Introuction ElGamal's igital signature scheme [4] relies on the ifficulty of computing iscrete logarithm in the multiplicative group IF'; an can therefore be broken if the computation of iscrete logarithms is feasible. However, the converse has never been prove. In this paper we show that it is sometimes possible to forge signatures without breaking the unerlying iscrete logarithm problem. This shows that the ElGarrial signature scheme an some variants of the scheme must be use very carefully. The paper is organize as follows. Section 2 escribes the ElGamal signature scheme. In Section 3 we present a metho to forgc signatures if some aitional information on the generator is known. We show that signatures can be forge if the generator Q is smooth an ivies p- 1. Hence for example Q = 2 is a totally insecure choice. In Section 4 we iscuss the case where the public parameters are not chosen by the user itself. The authority that chooses these parameters may generate some trapoor information, which will allow it to sign arhit,rary messages for any user. Section 5 contains a brief escription of some possible countermeasures. In Section 6 we iscuss a variant of the ElGamal scheme over Z/nZ with n = pq, which was believe to be as har as factoring an computing iscrete logarithms. However, the factorization of n can often be erive from known signatures. Moreover, we show that in this case computation in only one of the groups IF'; or IF; is sufficient to forge signatures. Again it is not ncccssary to iscover the complete secret key of a user to generate signatures. U. Maurer (E.): Avances in Cryptology - EUROCRYPT '96, LNCS 1070, pp , Springer-Verlag Berlin Heielberg 1996
2 11 2 ElGarnal's signature scheme ElGamal's signature scheme can be escribe as follows. Public parameters. Let, p be a large prime an a a generator of the multiplicative group IF;. Secret key an public kev. Every user A chooses a secret key XA E (0,...,p - 2) an publishes YA G ax* (mo p) as his public key. Computation of a signature. Let 0 5 h < p - 1. To compute a signature on h user A procees as follows. First he chooses a ranom value k E (0,...,p - 2) relatively prime to p - 1 an computes 1 5 7' < p an s by r = a Ic (mo p) The pair (T, s) is a vali sigmture on 11. an s = (h - xar)k-' (mo p - 1). Verification of a signature. Any user knowing the public key IJA can vcrify the signature by checking that 1 5 r < p an the following equation are satisfie. The ElGamal signature scheme can bc broken when iscrete logarithms in IF'; can be compute. The prime p must therefore be chosen large enough to prevent the computation of iscrete logarithms by the number fiel sieve [6] an p - 1 must contain at least one large prime factor to isable the algorithm of Pohlig an Hellman [13]. The value h, that occurs in the signature is normally not equal to the message to sign, it is rather the result of a collision free hash function applie to the message. This avois the existential attack escribe in [4]. It is important that the verifier checks whether 1 5 r < p is satisfie. If he woul accept signatures where r is larger than p then any signature (r, s) on h coul be use to generate a signature (rz, s2) on an arbitrary hash value h2 by setting u = h2h-l (mo p - 1). This implies NOW (r2, s2) can be foun by setting.fa E su. (mo p - 1) an by computing 7'2 satisfying ~2 ru (mo p - 1) an r2 = r (mo p) by using the Chinese Remainer Theorem. This kin of attack will for example be use in Section 6.
3 12 3 Weak generators Thc security of the ElGamal signature scheme epens heavily on thc parameters p an a. The following theorem shows that, ElGarnal signatiires can be generate when some aitional information on the generator cy is available. Theorem 1. Let p - 1 = bw where b is smooth an let y~ be the public key of user A. If a generator /3 = ctu with 0 < c < b an an inte,qer t are known such that Pt G LY (mo p) then a vali ElGurnul signature (rl s) on a given h can be foun. Proof. First, we show that the eqiiat,ion ow' = ( y ~ (mo ) ~ p) can bc solve for z. It follows from p - 1 = bui that the subgroup H generate by IY" has orer b. Since b is smooth it is possible to corripute iscrete logarithms in H by using the algorithm of Pohlig an Hcllman [13], so that z can be foun. Now let r=/3 s E t(h - cwz) (mo p - 1). Then (T, s) is a vali signature on h since Corollary 2. If Q is smooth an ivies p - 1 th,en it is possible to generate a iinli ElGamal signature on an arbitrary mhre h. Proof. Let,L? = (p - 1)/u ari t = ( p - 3)/2. Then Pt = (-1)P-l = Q: (mo p). 0 Thus it follows by Theorem 1 that signatures for all h can be forge. Thus if the generator 01 is chosen baly then signatures on every given mcssage can bc foun without knowing the secret key. Choosing cy = 2 is exceptionally ba since it allows to forge signatures inepenently of the choice of p. Such small generators are sometimes chosen in orer t,o get ari efficient exponentiation. It shoul be note that this attack succees because of the special choice of rl which reuces the iscrete logarithm problem in IF'; to the iscrete logarithm problem in a subgroup of with smooth orer. Another attack that is base on the fact that iscrete logarithms in small subgroups are computable has been escribe recently by Menezes Qu ari Vanstone [ll].(their attack shows that authcnticity is not guarantee in a few Diffie-Hellman base key agreement protocols.)
4 13 4 Constructing a trapoor The public parameters 1) an a inay be fixe so that, every user in the system uses the same group ari generator. Such a convention is attractive because it allows the use of shorter public keys. Aitionally, signatures can be compute an verifie much faster by using precompute exponents [2]. However, the authority choosing the prirris p an the generator cy for a signature system may ait,ioiially generate some trapoor information that can be use to forge arbitrary messages later. One way to generate a prime p such that IF; has a trapoor has been pointe out in [l, p.501. The prime p can be generate together with a polynomial that is highly suita.ble for the number fiel sieve. The authority will then be able to compute iscrek logarithms faster than a user who oes not know the trapoor [5]. However, this gives only a moerate avantage an can be avoie by chosing the prime p sufficiently large. Moreover, such primes can be recognize fairly easily [14]. Here we present another way to generate a trapoor. An authority that can choose the public parameters p an (Y can generate these parameters such that it aitionally knows secret values p an t satisfying the constraints of Theorem 1. We illustrat,e t,his possibility by giving two ifferent methos to generate the trapoor. The first metho shows how a generator a an the trapoor information can be generate given a fixe prime p. The secon metho shows how a prime p an the trapoor information can be generate given a fixe small generator a. There is no guarantee t,ha.t, t,hpse methos succee. However, the probability of success is sufficiently high t,o threaten the security of the system. Metho A. Let, p - 1 = bw with b smooth. If b is not too small then we can fin a,,i3 an t in the following way. We choose c E { 1,..., b - 1) ranomly until p = cw is a generator of IF;. Finally we chose /, with gc(t,y - 1) = 1 an compute a = Pt. This attxk is practical when a generat,or /j = cw of IF; can be foun in reasonable time. When b is too small then no generator of the form cw may exist. However, the number of generators of I!?; is cp(p- 1). Sinw n/cp(n) = O(l~iln(rt)) (see for example [7]) we expect to fin a generator after O(ln ln(p)) trials. When t is chosen uniforrrily from the set of all 1 5 t < p- 1 that are relatively prirne to p - 1 then a = pt is a ranom generator of F;. Thus it is impossible to etmt the trapoor as long as no false signature has been publishe. However, the trapoor can be reconstructe from a given false signature (p, s) on h since ah z yips (mo p) implies h E ts (mo 711). In orer to fin t it is then sufficient to compute log,(p) (mo h) a.n this can be one efficiently as h is smooth. Metho 13. When the genemtor a is fixe then p,fi an t can be generate as follows. First three positive integers IL,V,C: are selecte such that 'u is o an cuau has approximately the size of the prime to construct. Next the smooth ivisors of cuau, - 1 are compute. This can be one easily using for example trial ivision or Pollar-rho factorization since only the small prime factors of
5 14 c"au - 1 are wante. If there exists a smooth ivisor > c of Pau - 1 such that p = PazL - " is prime, 9 - IL is relatively prime to p - 1 an a is a generator of IF; then it is possible to construct a trapoor as follows. t P-1 E u( ) ~ (mo ~ p - 1) 2 It follows from l(c"a" - 1) that ivies p- 1. Thus /3 satisfies the preconition of Theorem 1. Because of a"c" = " (mo p) we have Q? = (c-l)" (mo p) an therefore,!?" = (-c-l)" G (-l)~-~ : L Y ( P - ~ ) / ~ - ~ a (mo p). It follows that Theorem 1 can be applie. A heuristic analysis sliows that the runtime of this metho epens on the size of c an shoul fin a trapoor after trying O((lnp)(lnlnp)2) values for p of An example for such a trapoor, which has been generate in less than a ay on a SPARC IPC, is given by the values a = 5,u = 227,~ = 1,c = 1629 an = 22.7' 23 ' Countermeasures (mo p). Hence Pt = The attacks shown in Section 3 an 4 can be avoie if signatures (T,s) are consiere to be vali only if - aitionally to the other conitions -- T is not ivisible by a large prime ivisor q of p - 1. This conition shoul always be checke by the verifier. Moreover, an authorize signer will almost always generate a vali signature since it is very unlikely that he ranomly generates an r that is ivisible by q. Such a conition has been inclue in the igital signature stanar (DSS) [12]. Hence the DSS is not susceptible to the attacks presente in this paper. Alternatively trapoors may be avoie if the authority that is choosing the public parameters p an Q is force to use an algorithm like the one propose by NIST for the generation of p in DSS. The values prouce by this algorithm allow to verify publicly that the parameters have inee been generate by the algorithm. This woul make it very har for a ishonest authority to create a trapoor. The two methos to generate trapoors shown in Section 4 inicate that both p an a must, be generate with this algorithm if no other steps to prevent the attacks are taken. Yet another possibility to avoi the attacks might be to moify the equations for signature generation an verification (see for example [9] for an overview of ElGarnal variants). Such a variant must be chosen carefully since other problems may arise. For example if a signature on h is compute by T = ak (mo p) an s 3 ZA + IikT (mo p - 1) an therefore verifie by as z YAT~' (mo p ) then a chosen message attack is possible if the signer can be force to sign a message h where gc(p - 1, h) is large. Any such signature leaks information about the secret key ZA since s A special case of this attack has been iscusse in [9]. ZA + hkr (mo p - 1) implies s = XA (mo gc(p - 1, h)).
6 15 6 An ElGamal scheme over Z/nZ In [15] Saryazi has propose a variant of the ElGamal signature system using (Z/nZ)* where n is the prouct of two large primes p an q. The author hopcs that the security of the propose signature system relies on the factoring problem an the iscrete logarithm problem. Moreover, the existential attack shown in [4] seems not possible in that scheme, because this attack requires that the orer of the group (Z/nZ)* is known. However, Horster et al. observe in [lo] that the signatures leak information that can be use to factor the moulus. Even though thcir attack oes not work as escribe it, is possible to moify the attack in such a way that it works for Saryazi s scheme as well as the improve scheme propose in [lo]. Moreover, we show that computing iscret,e logarithms in only one of the two groups TF; or IF; is sufficient to break the scheme. Description of the scheme. In Saryazi s variation of the ElGamal signature scheme every user A chooses two large primes p an q an computes n = pq. Then she tries to fin an integer a E (Z/nZ)* with orer A(n). Furthermore he chooses a ranom element XA an computes 9~ = aza (mo n). p, q an ZA are kept secret whereas n, a an y are publishe as A s public key. To sign h. E Z/nZ user A chooses a ranom number k E ( H/)* an computes Then (T, s) is the signature on h where h is either the message or the hash value of a message. A verifyer accepts a signature (r, s) on h if 1 5 T < n an Q = (yait~ (mo n). This scheme oes not allow a moulus n that is common to all users, since every user has to know p(n) in orer to be able to compute signatures. Description of the attack. Assume that t is a small prime that ivies p - 1 but not q - 1. Assume further that (T,,s,) : 1 5 i 5 are known signatures on h, such that t ivies s, an such that the system xc,h, -- 0 (mo t) (3) an ~ I :, T c, 0 (mo t) (4) i= 1 has a nontrivial solution (i.e. ci $ 0 (mo t) for at least one i) in the coefficients ci. Such a solution to (3) an (4) can always be foun when at least 3 signatures ciri then we have with tlsi are known. If we set B := zt=l cih, an C := xt=l
7 16 Since t ivies all exponents in (5) we can compute the gc of n an (pit - (ya)c'/t ~ p ' / t This will factor 71 if exactly one of the following two equations are satisfic. 2= 1 2x1 7=1 (mo P) (6) (mo q) (7) Since t is relatively prime to q - 1 it, follows from (5) that (7) is satisfie. Since Q is a generator moulo p it follows that (6) is satisfie if an o~ily if or equivalcntly ~ / = t za(~/t) + C ~c,ci(si/t) i= I (mo p - 1) u = x,,~c + C liic,s, (mo t (p- 1)) (8) 1=l + ztzl is satisfie. From (2) follows only R 3 ~ AC k,c2s2 (mo cp(n)). Let, tz be the maximal power of t iviing cp(n). It follo~s that tz ivies p - 1 an hcncc tz+' ivies t(p - I). Thus wc expect that (8) is only satisfie with probability about 1 / t. It shoul bc iiotc that an attackel- oes not know which primes t may be successful since lie oes riot know p ari q an can generally not etermine whether a given t ivies p - 1 but not y - 1. But this is not a big problem because an attacker can simply try all small primes t that are a ivisor of somc s, 's. If the fact,orizat,ion of n (:;in he (1isc:overe then signatures can be foun if computing iscrete logaritlinis in 'IF; but riot necessarily in IF; is feasible, provie that p is not much slrialler than q. This can be one as follows. We may assume that the at,tac:ker knows a vali signature (r, s) on 11. This may bc a prcviously given signature or one that was generate using the existential forgery escribe in [4]. If he waiit,s to generate a signature on h' then he uses the Chinese Remainer Theorem to compute 0 5 r' < q(q - 1) such that T' s rh--li~' (mo q - 1) 7' = T (mo q) If p is not much smaller than y then he will fin an T' < n in reasonable time. If we set sq G sh- 'h' (mo y - 1) then we have - ~ I. '.IS,, = (%I) 7 (IIlo 4)
8 17 Assuming that the iscrete logarithm in IF ; is feasible it is possible t,o.wlvc h = logo(ya)t + log,(r )s, (mo p - 1) for sp if 1oga(r ) is rehtively prime to p - 1. If aitionally t,he system s E s, (mo p - 1) s = sg (n1o (1-1) is solvable then (T, s ) is a vali signature on h. Remarks. If t ivies both p - 1 ari q - 1 then it follows from (2) that B = x*c + c Ic,czsz (rno cp(n)) 2-1 is satisfie. This implies that (8) ari the analogous equation moulo y - 1 arc satisfie. The at,tack oes thercfore riot work when t ivies p - 1 an q - 1. The attack escribe in [lo] consicrs the case t = 2 only an oes not work therefore. However., it woul wciik when equation (2) is reuce moulo X(n) instea of cp(n) provie that the maximal powers of 2 in p - 1 an q - 1 are not the sarrie. The authors of [lo] propose that only signatures (T, s) where s is o arc allowe. This proposal ocs not prevent, the attack escribe here since s can still be ivisible by a small prime ivisor t. Another consequence of the note above is that the attack oes not work when the smooth parts of p - 1 an q - 1 are equal. Thus the at,t>ack presente here can be avoie by choosing p - 1 an q - 1 such that (p - 1)/2 ari (q - 1)/2 a.rc prime, since then no small prime t exist,s iviing p - 1 but not q - 1. Some of the extensions propose in [lo] scem to avoi the attack presente here too. 0t)her variants of ElGarn base on t,he iscrete logarithm problem an the fact,oring problem that are rriore practical than Saryazi s scheme have been proposc hy Brickell an McCurley [3] an Harn [S]. 7 Conclusion The results presente in this paper show that ElGamal signatures can be forge in some cases without knowing the secret key. The attacks presente can be avoie by restricting the valucs of signatures that are consiere to be vali. The ElGamal igital signature scheme has t,herefore not been broken but it has heen shown that, the system must be use very carefully. Acknowlegments I m grateful to Ueli Maurer, Markus Staler, Holger Pctersen Markus Michels an some members of the EUROCRYPT program committee for their cornmerits ari suggestions.
9 References 1. T. Beth, M. Frisch, an G.J. Simmons (es). Public-key Cryptography, State of the Art an Future Directions, volurrie 578 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, E. F. Brickell, D. M. Goron, K. S. McCurley, an D. B. Wilson. Fast exponentiation with precomputation. Avances in Cryptology - EUROCRYPT '92, volume 658 of Lecture Notes in Computer Sczence, pages , E. F. Rrickell an K. S. McCurley. An interactive ientification scheme base on iscrete logarithms an factoring. Journal 01 Cryptology, 5(1):29-39, T. El Gamal. A public key cryptosystwii aiitl a sigrialure scheme base OII iscrete logarithms. Avances in Cryptology: Proceeings of CRYPT0 '84, volume 196 of Lecture Notes in Co*mputer Science, pages Springer-Verlag, D. M. Goron. Designing an etecting trapoors for iscrete log cryptosystems. Avances in Cryptology- CRYPT0 '92, volume 740 of Lecture Notes in Computer Science, pages Springer-Verlag, D. M. Goron. Discrete logarithms in GF(p) iising the mlmher fiel sieve. SIAM,J. Disc. Math., 6(1): , February G. H. Hary an E. M. Wright. An introuction to the theory of numbers. Clarenon Press, Oxfor, 5th eition, L. Harn. Public-key cryptosystem esign base 011 factoring an iscrete logarithm. IEE Proc. Comput. Digit. Tech., 141(3): , P. Horster, M. Michels, an H. Petersen. Generalize ElGamal signatures for one message block. Technical Report TR-94-3, University of Technology Chemnitz- Zwickau, May P. Horster, M. Michels, an H. Petersen. Meta-ElGamal signature schemes USing a composite moule. Technical Report TR-Y4-16-E, IJniversity of Technology Chemnitz-Zwickau, November A. Menezes, M. Qu, an S. Vanstone. Key agreement an the nee for authentication. PKS, November National Institute of Stanars an Technology (NIST). FIPS Publication 186: Digital Signature Stanar, May 19, S. C. Pohlig an M. E. Hellman. An irriprovc algorithm for computing logarithms over GF(p) an its cryptographic significance. IEEB 7'mns. Inform. Theory, IT- 24: , January R. A. Rueppel, A. K. Lerwtra, M. 15. Smi, K. S. McCurley, Y. Desmet, A. Olyzko, an P. Timrock. Panel iscussion: Trapoor primes an mouli. Avances in Cryptology - EUROCRYPT '92, volume 658 of Lecture Notes in Computer Science, pages Springer-Verlag, S. Saryazi. An extension to ElGamal public key cryptnsyst,em with a new signature scheme. Communication, Control, an Signal Processing, pages Elsevier, 1'390.
Generating ElGamal signatures without. knowing the secret key??? Daniel Bleichenbacher. ETH Zurich.
Generating ElGamal signatures without knowing the secret key??? Daniel Bleichenbacher ETH Zurich Institute for Theoretical Computer Science CH-8092 Zurich, Switzerland email: bleichen@inf.ethz.ch Abstract.
More informationEE 418: Network Security and Cryptography
Problem 1 EE 418: Network Security an Cryptography Homework 5 Assigne: Wenesay, November 23, 2016, Due: Tuesay, December 6, 2016 Instructor: Tamara Bonaci Department of Electrical Engineering University
More informationNew Variant of ElGamal Signature Scheme
Int. J. Contemp. Math. Sciences, Vol. 5, 2010, no. 34, 1653-1662 New Variant of ElGamal Signature Scheme Omar Khadir Department of Mathematics Faculty of Science and Technology University of Hassan II-Mohammedia,
More informationEE 595 (PMP) Introduction to Security and Privacy Homework 4
EE 595 (PMP) Introuction to Security an Privacy Homework 4 Assigne: Monay, February 12, 2017, Due: Sunay, March 5, 2017 Instructor: Tamara Bonaci Department of Electrical Engineering University of Washington,
More informationOn the Big Gap Between p and q in DSA
On the Big Gap Between p and in DSA Zhengjun Cao Department of Mathematics, Shanghai University, Shanghai, China, 200444. caozhj@shu.edu.cn Abstract We introduce a message attack against DSA and show that
More informationTwo formulas for the Euler ϕ-function
Two formulas for the Euler ϕ-function Robert Frieman A multiplication formula for ϕ(n) The first formula we want to prove is the following: Theorem 1. If n 1 an n 2 are relatively prime positive integers,
More informationA New Vulnerable Class of Exponents in RSA
A ew Vulnerable Class of Exponents in RSA Aberrahmane itaj Laboratoire e Mathématiues icolas Oresme Campus II, Boulevar u Maréchal Juin BP 586, 4032 Caen Ceex, France. nitaj@math.unicaen.fr http://www.math.unicaen.fr/~nitaj
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from
More informationDiophantine Approximations: Examining the Farey Process and its Method on Producing Best Approximations
Diophantine Approximations: Examining the Farey Process an its Metho on Proucing Best Approximations Kelly Bowen Introuction When a person hears the phrase irrational number, one oes not think of anything
More informationA new conic curve digital signature scheme with message recovery and without one-way hash functions
Annals of the University of Craiova, Mathematics and Computer Science Series Volume 40(2), 2013, Pages 148 153 ISSN: 1223-6934 A new conic curve digital signature scheme with message recovery and without
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationAttacking Unbalanced RSA-CRT Using SPA
Attacking Unbalance RSA-CRT Using SPA Pierre-Alain Fouque, Gwenaëlle Martinet, an Guillaume Poupar DCSSI Crypto Lab 51, Boulevar e Latour-Maubourg 75700 Paris 07 SP, France Pierre-Alain.Fouque@ens.fr Gwenaelle.Martinet@worlonline.fr
More informationExtension of de Weger s Attack on RSA with Large Public Keys
Extension of e Weger s Attack on RSA with Large Public Keys Nicolas T. Courtois, Theoosis Mourouzis an Pho V. Le Department of Computer Science, University College Lonon, Gower Street, Lonon, U.K. {n.courtois,
More informationDigital signature schemes
Digital signature schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction digital signature scheme security of digital
More informationOn the Enumeration of Double-Base Chains with Applications to Elliptic Curve Cryptography
On the Enumeration of Double-Base Chains with Applications to Elliptic Curve Cryptography Christophe Doche Department of Computing Macquarie University, Australia christophe.oche@mq.eu.au. Abstract. The
More informationLecture 7: ElGamal and Discrete Logarithms
Lecture 7: ElGamal and Discrete Logarithms Johan Håstad, transcribed by Johan Linde 2006-02-07 1 The discrete logarithm problem Recall that a generator g of a group G is an element of order n such that
More informationA message recovery signature scheme equivalent to DSA over elliptic curves
A message recovery signature scheme equivalent to DSA over elliptic curves Atsuko Miyaji Multimedia Development Center Matsushita Electric Industrial Co., LTD. E-mail : miyaji@isl.mei.co.jp Abstract. The
More informationGCD of Random Linear Combinations
JOACHIM VON ZUR GATHEN & IGOR E. SHPARLINSKI (2006). GCD of Ranom Linear Combinations. Algorithmica 46(1), 137 148. ISSN 0178-4617 (Print), 1432-0541 (Online). URL https://x.oi.org/10.1007/s00453-006-0072-1.
More informationEfficient RNS bases for Cryptography
1 Efficient RNS bases for Cryptography Jean-Claue Bajar, Nicolas Meloni an Thomas Plantar LIRMM UMR 5506, University of Montpellier, France, {bajar,meloni,plantar}@lirmm.fr Abstract Resiue Number Systems
More informationTable of Common Derivatives By David Abraham
Prouct an Quotient Rules: Table of Common Derivatives By Davi Abraham [ f ( g( ] = [ f ( ] g( + f ( [ g( ] f ( = g( [ f ( ] g( g( f ( [ g( ] Trigonometric Functions: sin( = cos( cos( = sin( tan( = sec
More informationPseudo-Free Families of Finite Computational Elementary Abelian p-groups
Pseuo-Free Families of Finite Computational Elementary Abelian p-groups Mikhail Anokhin Information Security Institute, Lomonosov University, Moscow, Russia anokhin@mccme.ru Abstract We initiate the stuy
More informationOn the Key-collisions in the Signature Schemes
On the Key-collisions in the Signature Schemes Tomáš Rosa ICZ a.s., Prague, CZ Dept. of Computer Science, FEE, CTU in Prague, CZ tomas.rosa@i.cz Motivation to study k-collisions Def. Non-repudiation [9,10].
More informationGOST A Brief Overview of Russia s DSA
GOST 34.10 A Brief Overview of Russia s DSA [Published in Computers & Security 15(8):725-732, 1996.] Markus Michels 1,, David Naccache 2, and Holger Petersen 1, 1 Theoretical Computer Science and Information
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem IMI Cryptography Seminar 28 th June, 2016 Speaker* : Momonari Kuo Grauate School of Mathematics, Kyushu University * This work is a
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem Royal Holloway an Kyushu University Workshop on Lattice-base cryptography 7 th September, 2016 Momonari Kuo Grauate School of Mathematics,
More informationLinear First-Order Equations
5 Linear First-Orer Equations Linear first-orer ifferential equations make up another important class of ifferential equations that commonly arise in applications an are relatively easy to solve (in theory)
More informationUNDERSTANDING INTEGRATION
UNDERSTANDING INTEGRATION Dear Reaer The concept of Integration, mathematically speaking, is the "Inverse" of the concept of result, the integration of, woul give us back the function f(). This, in a way,
More informationLectures - Week 10 Introduction to Ordinary Differential Equations (ODES) First Order Linear ODEs
Lectures - Week 10 Introuction to Orinary Differential Equations (ODES) First Orer Linear ODEs When stuying ODEs we are consiering functions of one inepenent variable, e.g., f(x), where x is the inepenent
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationBlind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems
Applied Mathematical Sciences, Vol. 6, 202, no. 39, 6903-690 Blind Signature Protocol Based on Difficulty of Simultaneous Solving Two Difficult Problems N. H. Minh, D. V. Binh 2, N. T. Giang 3 and N. A.
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationb = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.
INTRODUCTION TO CRYPTOGRAPHY 5. Discrete Logarithms Recall the classical logarithm for real numbers: If we write b = 10 a, then a = log 10 b is the logarithm of b to the base 10. Changing the base to e
More informationBlind Collective Signature Protocol
Computer Science Journal of Moldova, vol.19, no.1(55), 2011 Blind Collective Signature Protocol Nikolay A. Moldovyan Abstract Using the digital signature (DS) scheme specified by Belarusian DS standard
More informationHidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV *
2017 2nd International Conference on Artificial Intelligence: Techniques and Applications (AITA 2017) ISBN: 978-1-60595-491-2 Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV * DCS
More informationThe Principle of Least Action
Chapter 7. The Principle of Least Action 7.1 Force Methos vs. Energy Methos We have so far stuie two istinct ways of analyzing physics problems: force methos, basically consisting of the application of
More informationSolving DLP with Auxiliary Input over an Elliptic Curve Used in TinyTate Library
Solving DLP with Auxiliary Input over an Elliptic Curve Use in TinyTate Library Yumi Sakemi 1,TetsuyaIzu 2, Masahiko Takenaka 2, an Masaya Yasua 2 1 Okayama University 3-1-1, Tsushima-naka, Kita-ku, Okayama,
More informationAitken and Neville Inverse Interpolation Methods over Finite Fields
Appl. Num. Anal. Comp. Math. 2, No. 1, 100 107 (2005) / DOI 10.1002/anac.200410027 Aitken and Neville Inverse Interpolation Methods over Finite Fields E.C. Laskari 1,3, G.C. Meletiou 2,3, and M.N. Vrahatis
More informationA Knapsack Cryptosystem Based on The Discrete Logarithm Problem
A Knapsack Cryptosystem Based on The Discrete Logarithm Problem By K.H. Rahouma Electrical Technology Department Technical College in Riyadh Riyadh, Kingdom of Saudi Arabia E-mail: kamel_rahouma@yahoo.com
More informationd dx But have you ever seen a derivation of these results? We ll prove the first result below. cos h 1
Lecture 5 Some ifferentiation rules Trigonometric functions (Relevant section from Stewart, Seventh Eition: Section 3.3) You all know that sin = cos cos = sin. () But have you ever seen a erivation of
More informationLemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).
1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not
More informationinflow outflow Part I. Regular tasks for MAE598/494 Task 1
MAE 494/598, Fall 2016 Project #1 (Regular tasks = 20 points) Har copy of report is ue at the start of class on the ue ate. The rules on collaboration will be release separately. Please always follow the
More informationLEGENDRE TYPE FORMULA FOR PRIMES GENERATED BY QUADRATIC POLYNOMIALS
Ann. Sci. Math. Québec 33 (2009), no 2, 115 123 LEGENDRE TYPE FORMULA FOR PRIMES GENERATED BY QUADRATIC POLYNOMIALS TAKASHI AGOH Deicate to Paulo Ribenboim on the occasion of his 80th birthay. RÉSUMÉ.
More information2Algebraic ONLINE PAGE PROOFS. foundations
Algebraic founations. Kick off with CAS. Algebraic skills.3 Pascal s triangle an binomial expansions.4 The binomial theorem.5 Sets of real numbers.6 Surs.7 Review . Kick off with CAS Playing lotto Using
More informationComputers and Mathematics with Applications
Computers and Mathematics with Applications 61 (2011) 1261 1265 Contents lists available at ScienceDirect Computers and Mathematics with Applications journal homepage: wwwelseviercom/locate/camwa Cryptanalysis
More informationThe Exact Form and General Integrating Factors
7 The Exact Form an General Integrating Factors In the previous chapters, we ve seen how separable an linear ifferential equations can be solve using methos for converting them to forms that can be easily
More informationSecurity Proofs for Signature Schemes. Ecole Normale Superieure. 45, rue d'ulm Paris Cedex 05
Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern Jacques.Stern@ens.fr Ecole Normale Superieure Laboratoire d'informatique 45, rue d'ulm 75230 Paris Cedex 05
More informationPublic Key Algorithms
Public Key Algorithms Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/
More informationDiscrete logarithm and related schemes
Discrete logarithm and related schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Discrete logarithm problem examples, equivalent
More informationA Simulative Comparison of BB84 Protocol with its Improved Version
JCS&T Vol. 7 No. 3 October 007 A Simulative Comparison of BB84 Protocol with its Improve Version Mohsen Sharifi an Hooshang Azizi Computer Engineering Department Iran University of Science an Technology,
More informationElGamal type signature schemes for n-dimensional vector spaces
ElGamal type signature schemes for n-dimensional vector spaces Iwan M. Duursma and Seung Kook Park Abstract We generalize the ElGamal signature scheme for cyclic groups to a signature scheme for n-dimensional
More informationProof by Mathematical Induction.
Proof by Mathematical Inuction. Mathematicians have very peculiar characteristics. They like proving things or mathematical statements. Two of the most important techniques of mathematical proof are proof
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationDigital Signature Scheme Based on a New Hard Problem
Computer Science Journal of Moldova, vol.16, no.2(47), 2008 Digital Signature Scheme Based on a New Hard Problem Niolay A. Moldovyan Abstract Factorizing composite number n = qr, where q and r are two
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationChapter 5. Factorization of Integers
Chapter 5 Factorization of Integers 51 Definition: For a, b Z we say that a ivies b (or that a is a factor of b, or that b is a multiple of a, an we write a b, when b = ak for some k Z 52 Theorem: (Basic
More informationJUST THE MATHS UNIT NUMBER DIFFERENTIATION 2 (Rates of change) A.J.Hobson
JUST THE MATHS UNIT NUMBER 10.2 DIFFERENTIATION 2 (Rates of change) by A.J.Hobson 10.2.1 Introuction 10.2.2 Average rates of change 10.2.3 Instantaneous rates of change 10.2.4 Derivatives 10.2.5 Exercises
More informationDiscrete Logarithm Problems with Auxiliary Inputs
Discrete Logarithm Problems with Auxiliary Inputs Jung Hee Cheon ISaC an Dept. of Mathematics, Seoul National University, Korea jhcheon@snu.ac.kr http://www.math.snu.ac.kr/~jhcheon Abstract. Let g be an
More informationLower Bounds for the Smoothed Number of Pareto optimal Solutions
Lower Bouns for the Smoothe Number of Pareto optimal Solutions Tobias Brunsch an Heiko Röglin Department of Computer Science, University of Bonn, Germany brunsch@cs.uni-bonn.e, heiko@roeglin.org Abstract.
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationBatch Verification of ECDSA Signatures AfricaCrypt 2012 Ifrane, Morocco
Batch Verification of ECDSA Signatures AfricaCrypt 2012 Ifrane, Morocco Department of Computer Science and Engineering Indian Institute of Technology Kharagpur, West Bengal, India. Outline Introduction
More informationThe derivative of a function f(x) is another function, defined in terms of a limiting expression: f(x + δx) f(x)
Y. D. Chong (2016) MH2801: Complex Methos for the Sciences 1. Derivatives The erivative of a function f(x) is another function, efine in terms of a limiting expression: f (x) f (x) lim x δx 0 f(x + δx)
More informationSharing DSS by the Chinese Remainder Theorem
Sharing DSS by the Chinese Remainder Theorem Kamer Kaya,a, Ali Aydın Selçuk b a Ohio State University, Columbus, 43210, OH, USA b Bilkent University, Ankara, 06800, Turkey Abstract In this paper, we propose
More informationGlobal Optimization for Algebraic Geometry Computing Runge Kutta Methods
Global Optimization for Algebraic Geometry Computing Runge Kutta Methos Ivan Martino 1 an Giuseppe Nicosia 2 1 Department of Mathematics, Stockholm University, Sween martino@math.su.se 2 Department of
More informationA secure approach for embedding message text on an elliptic curve defined over prime fields, and building 'EC-RSA-ELGamal' Cryptographic System
International Journal of Comuter Science an Information Security (IJCSIS), Vol. 5, No. 6, June 7 A secure aroach for embeing message tet on an ellitic curve efine over rime fiels, an builing 'EC-RSA-ELGamal'
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationCode_Aster. Detection of the singularities and calculation of a map of size of elements
Titre : Détection es singularités et calcul une carte [...] Date : 0/0/0 Page : /6 Responsable : DLMAS Josselin Clé : R4.0.04 Révision : Detection of the singularities an calculation of a map of size of
More informationLecture V : Public Key Cryptography
Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional
More informationPeriods of quadratic twists of elliptic curves
Perios of quaratic twists of elliptic curves Vivek Pal with an appenix by Amo Agashe Abstract In this paper we prove a relation between the perio of an elliptic curve an the perio of its real an imaginary
More informationLATTICE-BASED D-OPTIMUM DESIGN FOR FOURIER REGRESSION
The Annals of Statistics 1997, Vol. 25, No. 6, 2313 2327 LATTICE-BASED D-OPTIMUM DESIGN FOR FOURIER REGRESSION By Eva Riccomagno, 1 Rainer Schwabe 2 an Henry P. Wynn 1 University of Warwick, Technische
More informationWJEC Core 2 Integration. Section 1: Introduction to integration
WJEC Core Integration Section : Introuction to integration Notes an Eamples These notes contain subsections on: Reversing ifferentiation The rule for integrating n Fining the arbitrary constant Reversing
More informationTi Secured communications
Ti5318800 Secured communications Pekka Jäppinen September 20, 2007 Pekka Jäppinen, Lappeenranta University of Technology: September 20, 2007 Relies on use of two keys: Public and private Sometimes called
More informationFinite fields and cryptology
Computer Science Journal of Moldova, vol.11, no.2(32), 2003 Ennio Cortellini Abstract The problem of a computationally feasible method of finding the discrete logarithm in a (large) finite field is discussed,
More informationThis module is part of the. Memobust Handbook. on Methodology of Modern Business Statistics
This moule is part of the Memobust Hanbook on Methoology of Moern Business Statistics 26 March 2014 Metho: Balance Sampling for Multi-Way Stratification Contents General section... 3 1. Summary... 3 2.
More informationSafer parameters for the Chor-Rivest cryptosystem
Safer parameters for the Chor-Rivest cryptosystem L. Hernández Encinas, J. Muñoz Masqué and A. Queiruga Dios Applied Physics Institute, CSIC C/ Serrano 144, 28006-Madrid, Spain {luis, jaime, araceli}@iec.csic.es
More informationLecture 5. Symmetric Shearer s Lemma
Stanfor University Spring 208 Math 233: Non-constructive methos in combinatorics Instructor: Jan Vonrák Lecture ate: January 23, 208 Original scribe: Erik Bates Lecture 5 Symmetric Shearer s Lemma Here
More informationNAVAL POSTGRADUATE SCHOOL THESIS
NAVAL POSTGRADUATE SCHOOL MONTEREY, CALIFORNIA THESIS AN ANALYSIS OF ALGORITHMS FOR SOLVING DISCRETE LOGARITHMS IN FIXED GROUPS by Joseph Mihalcik March 2010 Thesis Advisor: Second Reader: Dennis Volpano
More information* Supported by an IBM fellowship, partially supported by NSF grant DCR by Johan Hastad* MIT
?J USING RSA WITH LOW EXPONENT IN A PUBLIC KEY NETWORM by Johan Hasta* MIT Abstract: We consier the problem of solving systems of equations P;(z) = 0 (mo n;) i = 1... k where P; me polynomials of egree
More informationFinal Exam Study Guide and Practice Problems Solutions
Final Exam Stuy Guie an Practice Problems Solutions Note: These problems are just some of the types of problems that might appear on the exam. However, to fully prepare for the exam, in aition to making
More informationSpectral Modular Arithmetic for Binary Extension Fields
2011 International Conference on Information an Computer Networks (ICICN 2011) Spectral Moular Arithmetic for Binary Extension Fiels Gokay Salamli MIS epartment, Bogazici University 34342 Bebek, Istanbul,
More informationProblem Sheet 2: Eigenvalues and eigenvectors and their use in solving linear ODEs
Problem Sheet 2: Eigenvalues an eigenvectors an their use in solving linear ODEs If you fin any typos/errors in this problem sheet please email jk28@icacuk The material in this problem sheet is not examinable
More information( 3x +1) 2 does not fit the requirement of the power rule that the base be x
Section 3 4A: The Chain Rule Introuction The Power Rule is state as an x raise to a real number If y = x n where n is a real number then y = n x n-1 What if we wante to fin the erivative of a variable
More informationShort Exponent Diffie-Hellman Problems
Short Exponent Diffie-Hellman Problems Takeshi Koshiba 12 and Kaoru Kurosawa 3 1 Secure Computing Lab., Fujitsu Laboratories Ltd. 2 ERATO Quantum Computation and Information Project, Japan Science and
More informationChapter 4 Asymmetric Cryptography
Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman [NetSec/SysSec], WS 2008/2009 4.1 Asymmetric Cryptography General idea: Use two different keys -K and +K for
More informationFLUCTUATIONS IN THE NUMBER OF POINTS ON SMOOTH PLANE CURVES OVER FINITE FIELDS. 1. Introduction
FLUCTUATIONS IN THE NUMBER OF POINTS ON SMOOTH PLANE CURVES OVER FINITE FIELDS ALINA BUCUR, CHANTAL DAVID, BROOKE FEIGON, MATILDE LALÍN 1 Introuction In this note, we stuy the fluctuations in the number
More informationAsymmetric Cryptography
Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman General idea: Use two different keys -K and +K for encryption and decryption Given a
More informationCryptanalysis of Threshold-Multisignature Schemes
Cryptanalysis of Threshold-Multisignature Schemes Lifeng Guo Institute of Systems Science, Academy of Mathematics and System Sciences, Chinese Academy of Sciences, Beijing 100080, P.R. China E-mail address:
More informationTAYLOR S POLYNOMIAL APPROXIMATION FOR FUNCTIONS
MISN-0-4 TAYLOR S POLYNOMIAL APPROXIMATION FOR FUNCTIONS f(x ± ) = f(x) ± f ' (x) + f '' (x) 2 ±... 1! 2! = 1.000 ± 0.100 + 0.005 ±... TAYLOR S POLYNOMIAL APPROXIMATION FOR FUNCTIONS by Peter Signell 1.
More informationFrom Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes
From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 2001, vol. 2020 of Lecture Notes in Computer
More informationConvergence of Random Walks
Chapter 16 Convergence of Ranom Walks This lecture examines the convergence of ranom walks to the Wiener process. This is very important both physically an statistically, an illustrates the utility of
More informationAcute sets in Euclidean spaces
Acute sets in Eucliean spaces Viktor Harangi April, 011 Abstract A finite set H in R is calle an acute set if any angle etermine by three points of H is acute. We examine the maximal carinality α() of
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationThermal conductivity of graded composites: Numerical simulations and an effective medium approximation
JOURNAL OF MATERIALS SCIENCE 34 (999)5497 5503 Thermal conuctivity of grae composites: Numerical simulations an an effective meium approximation P. M. HUI Department of Physics, The Chinese University
More informationPublic Key Cryptography with a Group of Unknown Order
Public Key Cryptography with a Group of Unknown Order Richard P. Brent 1 Oxford University rpb@comlab.ox.ac.uk Programming Research Group Report PRG TR 02 00 5 June 2000 Abstract We present algorithms
More informationCode_Aster. Detection of the singularities and computation of a card of size of elements
Titre : Détection es singularités et calcul une carte [...] Date : 0/0/0 Page : /6 Responsable : Josselin DLMAS Clé : R4.0.04 Révision : 9755 Detection of the singularities an computation of a car of size
More informationMath Notes on differentials, the Chain Rule, gradients, directional derivative, and normal vectors
Math 18.02 Notes on ifferentials, the Chain Rule, graients, irectional erivative, an normal vectors Tangent plane an linear approximation We efine the partial erivatives of f( xy, ) as follows: f f( x+
More informationDesign Validations for Discrete Logarithm Based Signature Schemes
Proceedings of the 2000 International Workshop on Practice and Theory in Public Key Cryptography (PKC 2000) (18 20 january 2000, Melbourne, Australia) H. Imai and Y. Zheng Eds. Springer-Verlag, LNCS 1751,
More informationMATH 158 FINAL EXAM 20 DECEMBER 2016
MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page
More informationMath 1271 Solutions for Fall 2005 Final Exam
Math 7 Solutions for Fall 5 Final Eam ) Since the equation + y = e y cannot be rearrange algebraically in orer to write y as an eplicit function of, we must instea ifferentiate this relation implicitly
More informationCONTROL CHARTS FOR VARIABLES
UNIT CONTOL CHATS FO VAIABLES Structure.1 Introuction Objectives. Control Chart Technique.3 Control Charts for Variables.4 Control Chart for Mean(-Chart).5 ange Chart (-Chart).6 Stanar Deviation Chart
More information