Applications of Lattice Reduction in Cryptography
|
|
- Malcolm Little
- 5 years ago
- Views:
Transcription
1 Applications of Lattice Reduction in Cryptography Abderrahmane Nitaj University of Caen Basse Normandie, France Kuala Lumpur, Malaysia, June 27, 2014 AK Q ËAÓ Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 1 / 42
2 Contents 1 Multivariate linear equations 2 Application to NTRU 3 Application to RSA Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 2 / 42
3 Multivariate linear equations Contents 1 Multivariate linear equations 2 Application to NTRU 3 Application to RSA Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 3 / 42
4 Multivariate linear equations Linear diophantine equation We want to solve x 1 e x n e n = S, for small values with max( x 1,, x n ) < X. We transform the equation x 1 e x n e n S = 0 using the matrix e e e 3 M(L) = e n S Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 4 / 42
5 Multivariate linear equations Linear diophantine equation From the matrix, we deduce the vectors b 1 = (1, 0, 0,, 0, e 1 ), b 2 = (0, 1, 0,, 0, e 2 ), b 3 = (0, 0, 1,, 0, e 3 ),... b n = (0, 0, 0,, 1, e n ), b n+1 = (0, 0, 0,, 0, S), Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 5 / 42
6 Multivariate linear equations Linear diophantine equation We have v 0 = x 1 b x n+1 b n+1 = (x 1, x 2,..., x n, x 1 e x n e n S). We define the lattice L := {v = a 1 b a n+1 b n+1 a i Z}. Then dim(l) = n + 1 and det(l) = S. We have v 0 = x x2 n nx 2 = X n. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 6 / 42
7 Multivariate linear equations Linear diophantine equation By applying the LLL algorithm to the lattice L, it outputs a basis (u 1,..., u n+1 ) such that u 1 2 n 4 det(l) 1 n+1. To find v 0 among the vectors (u 1,..., u n+1 ), we set Since det(l) = S, we get v 0 X n 2 n 4 det(l) 1 n+1. X 2 n 4 n S 1 n+1. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 7 / 42
8 Multivariate linear equations Linear diophantine equation Theorem Let x 1 e x n e n = S be a linear equation with max( x 1,, x n ) < X. If X 2 n 4 n S 1 n+1, then one can solve the equation in polynomial time. The LLL algorithm has been applied to break the knapsack cryptosystem. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 8 / 42
9 Multivariate linear equations Example Let 340x x x x 4 = 9138 be a linear equation with max( x 1,, x 4 ) < X. We have 2 n 4 n S 1 n , Set b 1 := [1, 0, 0, 0, 340]; b 2 := [0, 1, 0, 0, 257]; b 3 := [0, 0, 1, 0, 378]; b 4 := [0, 0, 0, 1, 251]; b 5 := [0, 0, 0, 0, 9138]. Applying the LLL algorithm, we get the vectors [3, 2, 2, 1, 1]; [0, 1, 2, 2, 3]; [0, 0, 2, 3, 3]; The solution is [9, 7, 8, 5, 0] [ 4, 4, 3, 5, 1]; [9, 7, 8, 5, 0] Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 9 / 42
10 Application to NTRU Contents 1 Multivariate linear equations 2 Application to NTRU 3 Application to RSA Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 10 / 42
11 Application to NTRU NTRU NTRU Invented by Hoffstein, Pipher et Silverman in Security based on the Shortest Vector Problem (SVP). Various versions between 1996 and Definition The Shortest Vector Problem (SVP): Given a basis matrix B for L, compute a non-zero vector v L such that v is minimal, that is v = λ 1 (L). Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 11 / 42
12 Application to NTRU NTRU: Ring of Convolution P = Z[X]/(X N 1) Polynomials f = N 1 i=0 f ix i, g = N 1 i=0 g ix i, Sum f + g = (f 0 + g 0, f 1 + g 1,, f N 1 + g N 1 ). Product f g = h = (h 0, h 1,, h N 1 ) with h k = f i g j. i+j k (mod N) Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 12 / 42
13 Application to NTRU NTRU: Ring of Convolution P = Z[X]/(X N 1) Polynomials f = N 1 i=0 f ix i, g = N 1 i=0 g ix i, Sum f + g = (f 0 + g 0, f 1 + g 1,, f N 1 + g N 1 ). Product f g = h = (h 0, h 1,, h N 1 ) with h k = f i g j. i+j k (mod N) Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 12 / 42
14 Application to NTRU NTRU: Ring of Convolution P = Z[X]/(X N 1) Polynomials f = N 1 i=0 f ix i, g = N 1 i=0 g ix i, Sum f + g = (f 0 + g 0, f 1 + g 1,, f N 1 + g N 1 ). Product f g = h = (h 0, h 1,, h N 1 ) with h k = f i g j. i+j k (mod N) Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 12 / 42
15 Application to NTRU NTRU: Ring of Convolution P = Z[X]/(X N 1) Convolution f = (f 0, f 1,, f N 1 ), g = (g 0, g 1,, g N 1 ). }{{} f g = h = (h 0, h 1,, h N 1 ) 1 X X k X N 1 f 0 g 0 f 0 g 1 f 0 g k f 0 g N 1 + f 1 g N 1 f 1 g 0 f 1 g k 1 f 1 g N 2 + f 2 g N 2 f 2 g N 1 f 2 g k 2 f 2 g N f N 2 g 2 f N 2 g 3 f N 2 g k+2 f N 2 g 1 + f N 1 g 1 f N 1 g 2 f N 1 g k+1 f N 1 g 0 h = h 0 h 1 h k h N 1 Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 13 / 42
16 NTRU Parameters Application to NTRU N = a prime number (e.g. N = 167, 251, 347, 503). q = a large modulus (e.g. q = 128, 256). p = a small modulus (e.g. p = 3). Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 14 / 42
17 NTRU Algorithms Application to NTRU Key Generation: Randomly choose two private polynomials f and g. Compute the inverse of f modulo q: f f q = 1 (mod q). Compute the inverse of f modulo p: f f p = 1 (mod p). Compute the public key h = f q g (mod q). Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 15 / 42
18 NTRU Algorithms Application to NTRU Encryption: m is a plaintext in the form of a polynomial mod q. Randomly choose a private polynomial r. Compute the encrypted message e = m + pr h (mod q). Decryption: Compute a = f e = f (m + pr h) = f m + pr g (mod q). Compute a f p = (f m + pr g) f p = m (mod p). Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 16 / 42
19 NTRU Algorithms Application to NTRU Encryption: m is a plaintext in the form of a polynomial mod q. Randomly choose a private polynomial r. Compute the encrypted message e = m + pr h (mod q). Decryption: Compute a = f e = f (m + pr h) = f m + pr g (mod q). Compute a f p = (f m + pr g) f p = m (mod p). Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 16 / 42
20 NTRU Algorithms Application to NTRU Encryption: m is a plaintext in the form of a polynomial mod q. Randomly choose a private polynomial r. Compute the encrypted message e = m + pr h (mod q). Decryption: Compute a = f e = f (m + pr h) = f m + pr g (mod q). Compute a f p = (f m + pr g) f p = m (mod p). Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 16 / 42
21 Application to NTRU NTRU The lattice Using h f q g (mod q), we get h f g (mod q). Hence f h q u = g for a polynomial u P. Consider the lattice L = { (f, g) P 2 u P, f h q u = g }. Using a matrix, we get [ ] 1 h (f, u) = (f, g). 0 q Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 17 / 42
22 Application to NTRU NTRU Using f = (f 0, f 1,, f N 1 ), h = (h 0, h 1,, h N 1 ) and u = (u 0, u 1,, u N 1 ), we get f 0 f 1. f N 1 u 1 u 2. u N h 0 h 1 h N h N 1 h 0 h N h 1 h 2 h q q q = f 0 f 1. f N 1 g 0 g 1. g N 1 Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 18 / 42
23 Application to NTRU NTRU Hence the matrix of the lattice is h 0 h 1 h N h N 1 h 0 h N h 1 h 2 h q q q. with determinant dim(l) and det(l) = q N. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 19 / 42
24 Application to NTRU NTRU The lattice Since f and g have d f and d g coefficient that are equal to ±1 and the the other coefficients are equal to 0, then (f, g) = ( N 1 i=0 ) N 1 1/2 fi 2 + g 2 i d f + d g. Applying the LLL algorithm, we get a basis with a vector v 1 such that v 1 2 2N 1 4 det(l) 1 2N. Hence, (f, g) will be among the vectors of the reduced basis if df + d g 2 2N 1 4 det(l) 1 2N i=0 = df + d g 2 2N 1 2 det(l) 1 2N 1 N = 2 2 q. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 20 / 42
25 Application to NTRU NTRU Theorem (Coppersmith, Shamir) Let d f be the number of ±1 in f and d g the number of ±1 in g. If d f + d g 2 2N 1 2 q, Then f and g can be found in polynomial time. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 21 / 42
26 Application to RSA Contents 1 Multivariate linear equations 2 Application to NTRU 3 Application to RSA Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 22 / 42
27 Application to RSA RSA The Key Equation Problem Given N = pq and e satisfying ed kφ(n) = 1. Find d, k and φ(n). Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 23 / 42
28 Application to RSA Coppersmith s method 1 Define the norm of f (x 1,..., x n ) = a i1...i n x i x in n to be f (x 1,..., x n ) = a 2 i 1...i n. 2 Consider the congruence equation f (x 1,..., x n ) 0 (mod N). We want to find the solutions (x (0) 1,..., x(0) n ) such that x (0) i < X i for i = 1,..., n. 3 Find an expression of each X i in terms of N so that X i = N δ i. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 24 / 42
29 Application to RSA Coppersmith s method 1 Let l be the monomial in f with maximal weight. Usually, l, is called the leading monomial of f. If the coefficient of l is a l, then we can assume that gcd(n, al) = 1. Therefore, we can use fa 1 l (mod N) instead of f so that the coefficient of l becomes 1. Throughout this paper, we consider that the coefficient of l is 1. 2 Let m be a positive integer. Find the monomials x i 1 1 x in n of f m. 3 For 0 k m, find the monomials x i 1 1 xn in of f m k. 4 For t 0, find the set M k = {x i 1+j 1 xn in x i 1 1 xn in is a monomial of f m and 0 j t x i 1 1 xn in l k is a monomial of f m k }. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 25 / 42
30 Application to RSA Coppersmith s method 1 Similarly, for t 0, find the set M k+1 = {x i 1+j 1 xn in x i 1 1 xn in monomial of f m and 0 j t 2 For 0 k m, find the set M k Mk+1. 3 For 0 k m, define the polynomials x i 1 1 xn in l k+1 monomial of f m (k+1) }. g k,i1,...,i n (x 1,..., x n ) = xi xn in f (x 1,..., x n ) k N m k 4 Then g k,i1,...,i n (x 1,..., x n ) 0 (mod N m ). l k with x i x in n M k Mk+1. 5 For 0 k m, define the polynomials g k,i1,...,i n (x 1 X 1,..., x n X n ). Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 26 / 42
31 Application to RSA Coppersmith s method 1 Let L denote the lattice spanned by the coefficient vectors of the polynomials g k,i1,...,i n (x 1 X 1,..., x n X n ). The ordering of the monomials is such that the matrix M is triangular. 2 Compute the dimension ω of the lattice L and its determinant det(l) = N en X e 1 1 Xen n. 3 Compute e N and the exponents e i, 1 i n, in terms of m and t. 4 Let t = mτ. Compute an approximation of e N and the exponents e i, 1 i n, in terms of m and τ by neglecting all terms of low degrees. 5 Apply the LLL algorithm to obtain a reduced basis (b 1,..., b n ) such that b 1 2 ω 2 det(l) 1 ω. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 27 / 42
32 Application to RSA Coppermith s method Theorem (Howgrave-Graham) Let h(x 1,, x n ) Z[x 1,, x n ] be a polynomial with at most ω monomials. Suppose that ( ) 1 h x (0) 1,, x(0) n 0 (mod N m ) where x (0) i < X i for i = 1,..., n, ω. 2 h(x 1 X 1,, x n X n ) < Nm ( ) Then h x (0) 1,, x(0) n = 0 holds over the integers. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 28 / 42
33 Application to RSA Coppersmith s method 1 Combine Howgrave-Graham s bound f (x 1 X 1,..., x n X n ) < Nm ω and LLL to form the inequation 2 ω 2 det(l) 1 ω < N m ω 2 Neglecting 2 ω 2 and ω, consider the condition or equivalently, det(l) < N mω, N en X e 1 1 Xen n = N en N e 1δ1 N enδn < N mω. 3 Taking logarithms, we get the inequation e N + e 1 δ e n δ n < mω. The next task is to solve this inequation. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 29 / 42
34 Application to RSA Coppersmith s method: example We want to solve the equation ed kφ(n) = 1. 1 We have ed k(n + 1 p q) = 1 and then k(p + q) + (N + 1)k (mod e). 2 Set k = x, p + q = y and N + 1 = a. Then the congruence becomes f (x, y) = xy + ax Let e = N β, p + q = N 1/2 and d = N δ. Then Hence k = N δ. k = ed 1 φ(n) < ed φ(n) < d. (mod e). 4 Let l = xy be the leading monomial of f (x, y) = xy + ax + 1 Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 30 / 42
35 Application to RSA Coppersmith s method: example 1 We have f m (x, y) = (x(y + a) + 1)) m m ( ) m = x i 1 (y + a) i 1 = = i 1 =0 i 1 m ( ) m x i 1 i 1 =0 m i 1 i 1 i 1 =0 i 1 =0 ( m i 1 i 1 ( i1 i 2 i 2 =0 )( ) i1 2 Hence the monomials of f m are in the form i 2 ) y i 2 a i 1 i 2 x i 1 y i 2 a i 1 i 2. f m = { x i 1 y i 2, i 1 = 0,..., m, i 2 = 0,..., i 1 }. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 31 / 42
36 Application to RSA Coppersmith s method: example 1 From the monomials of f m, we easily deduce the monomials of f m k : f m k = { x i 1 y i 2, i 1 = 0,..., m k, i 2 = 0,..., i 1 }. 2 For t 0 and k m, let consider extra shifts in y, that is, we consider the set M k = {x i 1 y i 2+j x i 1 y i 2 monomial of f m and 0 j t 0 j t x i 1y i 2 l k monomial of f m k }. 3 Since l = xy, then M k = {x i 1 y i 2+j x i 1 y i 2 monomial of f m and x i 1 k y i 2 k monomial of f m k }. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 32 / 42
37 Application to RSA Coppersmith s method: example 1 Hence x i 1 y i 2 M k i 1 = k,..., m, i 2 = k,..., i 1 + t. 2 Similarly, for t 0, we get x i 1 y i 2 M k+1 i 1 = k + 1,..., m, i 2 = k + 1,..., i 1 + t. 3 For 0 k m, we find that x i 1 1 y i 2 M k Mk+1 if and only if { { i1 =k,..., m, i1 =k, or i 2 =k, i 2 =k + 1,..., i 1 + t. 4 For 0 k m, we define the polynomials g k,i1,i 2 (x, y) = xi 1y i 2 (xy) k f (x, y)k e m k with x i 1 y i 2 M k Mk+1. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 33 / 42
38 Application to RSA Coppersmith s method: example 1 For i 1 = k,..., m and i 2 = k, the polynomials reduce to g k,i1,k(x, y) = G k,i1 (x, y) = x i 1 k f (x, y) k e m k for i 1 = k,..., m. For i 1 = k and i 2 = k + 1,..., i 1 + t = k + t, the polynomials reduce to g k,k,i2 (x 1, y) = H k,i2 (x, y) = y i 2 k f (x, y) k e m k for i 2 = k+1,..., k+t. 2 For 0 k m, we define the polynomials G k,i1 (xx, yy) = x i 1 k X i 1 k f (xx, yy) k e m k for i 1 = k,..., m, H k,i2 (xx, yy) = y i 2 k Y i 2 k f (xx, yy) k e m k for i 2 = k + 1,..., k + t. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 34 / 42
39 Application to RSA Coppersmith s method: example 1 x x 2 x 3 y xy x 2 y x 3 y xy 2 x 2 y 2 x 3 y 2 x 2 y 3 x 3 y 3 x 3 y 4 G 0,0 e G 0,1 0 Xe G 0,2 0 0 X 2 e G 0, X 3 e H 0, Ye G 1, XYe G 1, X 2 Ye G 1, X 3 Ye H 1, XY 2 e G 2, X 2 Y G 2, X 3 Y 2 e H 2, X 2 Y 3 e 0 0 G 3, X 3 Y 3 0 H 3, X 3 Y 4 Table: The coefficient matrix for the case m = 3, t = 1. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 35 / 42
40 Application to RSA Coppersmith s method: example 1 The dimension of L is ω = m k=0 i 1 =k m The determinant of L is m k+t k=0 i 2 =k+1 1 = 1 (m + 1)(m + 2t + 2). 2 det(l) = e e 0 X e 1 Y e 2. 3 From the construction of the polynomials G k,i1 (xx, yy) and H k,i2 (xx, yy), we get e 0 = m k=0 i 1 =k m (m k) + m k+t k=0 i 2 =k+1 (m k) = 1 m(m + 1)(2m + 3t + 4). 6 Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 36 / 42
41 Application to RSA Coppersmith s method: example 1 Similarly, we have and e 2 = e 1 = m m k=0 i 1 =k k=0 i 1 =k m k + m i 1 + m m k+t k=0 i 2 =k+1 k+t k=0 i 2 =k+1 k = 1 m(m + 1)(2m + 3t + 4), 6 i 2 = 1 6 (m + 1)(m2 + 3mt + 3t 2 + 2m + 3t). Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 37 / 42
42 Application to RSA Coppersmith s method: example 1 Let t = mτ. Then ω = 1 2 (m + 1)(m + 2mτ + 2) = 1 2 (1 + 2τ)m2 + o ( m 2), and e 0 = 1 6 m(m + 1)(2m + 3mτ + 4) = 1 6 (2 + 3τ)m3 + o ( m 3). Similarly, we have e 1 = 1 6 m(m + 1)(2m + 3mτ + 4) = 1 6 (2 + 3τ)m3 + o ( m 3), and e 2 = 1 6 (m + 1)(m2 + 3m 2 τ + 3m 2 τ 2 + 2m + 3mτ) = 1 6 (1 + 3τ + 3τ 2 )m 3 + o ( m 3). Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 38 / 42
43 Application to RSA Coppersmith s method: example 1 Apply the LLL algorithm to obtain a reduced basis (b 1,..., b n ) such that b 1 2 ω 2 det(l) 1 ω. 2 Combining Howgrave-Graham s bound f (x 1 X 1,..., x n X n ) < em ω and LLL, we get the inequation 2 ω 2 det(l) 1 ω 3 Neglecting 2 ω 2 and ω, we get or equivalently, < e m ω det(l) < e mω, e e 0 X e 1 Y e 2 < e mω. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 39 / 42
44 Application to RSA Coppersmith s method: example 1 Since e = N β, Y = N 1/2 and X = N δ. Then N βe0 N δe1 N e 2/2 < N mβω. 2 Taking logarithms, we get the inequation βe 0 + δe 1 + e 2 2 < mβω. 3 Plugging the values of e 0, e 1 and ω, we get 1 6 (2 + 3τ)β (2 + 3τ)δ (1 + 3τ + 3τ 2 ) 1 (1 + 2τ)β < The optimal value for τ in the left side is τ = β δ 1 2, which leads to 12δ 2 + 4(1 + 6β)δ 12β 2 + 4β + 1 < 0. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 40 / 42
45 Application to RSA Coppersmith s method: example 1 Solving for δ, we get δ < β β A typical example is the case e N, that is β = 1. Then, the former bound gives d < This is a famous bound found by Boneh and Durfee. Theorem (Boneh,Durfee, 1998) Let (N, e) be an RSA public key with private decryption exponent d. If d < , then one can factor the RSA modulus N. Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 41 / 42
46 Application to RSA Thank you Terima kasih Abderrahmane Nitaj (LMNO) Applications of Lattice Reduction in Cryptography 42 / 42
A new attack on RSA with a composed decryption exponent
A new attack on RSA with a composed decryption exponent Abderrahmane Nitaj and Mohamed Ould Douh,2 Laboratoire de Mathématiques Nicolas Oresme Université de Caen, Basse Normandie, France abderrahmane.nitaj@unicaen.fr
More informationA NEW ATTACK ON RSA WITH A COMPOSED DECRYPTION EXPONENT
A NEW ATTACK ON RSA WITH A COMPOSED DECRYPTION EXPONENT Abderrahmane Nitaj 1 and Mohamed Ould Douh 1,2 1 Laboratoire de Mathématiques Nicolas Oresme, Université de Caen, Basse Normandie, France Université
More informationCryptanalysis of RSA with Small Multiplicative Inverse of (p 1) or (q 1) Modulo e
Cryptanalysis of RSA with Small Multiplicative Inverse of (p 1) or (q 1) Modulo e P Anuradha Kameswari, L Jyotsna Department of Mathematics, Andhra University, Visakhapatnam - 5000, Andhra Pradesh, India
More informationA New Attack on RSA with Two or Three Decryption Exponents
A New Attack on RSA with Two or Three Decryption Exponents Abderrahmane Nitaj Laboratoire de Mathématiques Nicolas Oresme Université de Caen, France nitaj@math.unicaen.fr http://www.math.unicaen.fr/~nitaj
More informationAn Attack Bound for Small Multiplicative Inverse of ϕ(n) mod e with a Composed Prime Sum p + q Using Sublattice Based Techniques
Preprints (wwwpreprintsorg) NOT PEER-REVIEWED Posted: 20 July 208 doi:020944/preprints208070379v An Attack Bound for Small Multiplicative Inverse of ϕ(n) mod e with a Composed Prime Sum p + q Using Sublattice
More informationHOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51
HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY Abderrahmane Nitaj Laboratoire de Mathe matiques Nicolas Oresme Universite de Caen Normandie, France Nouakchott, February 15-26, 2016 Abderrahmane
More informationNew attacks on RSA with Moduli N = p r q
New attacks on RSA with Moduli N = p r q Abderrahmane Nitaj 1 and Tajjeeddine Rachidi 2 1 Laboratoire de Mathématiques Nicolas Oresme Université de Caen Basse Normandie, France abderrahmane.nitaj@unicaen.fr
More informationNew Partial Key Exposure Attacks on RSA Revisited
New Partial Key Exposure Attacks on RSA Revisited M. Jason Hinek School of Computer Science, University of Waterloo Waterloo, Ontario, N2L-3G, Canada mjhinek@alumni.uwaterloo.ca March 7, 2004 Abstract
More informationComputing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring
Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring Alexander May Faculty of Computer Science, Electrical Engineering and Mathematics University of Paderborn 33102 Paderborn,
More informationLattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.
Lattices A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices have many uses in cryptography. They may be used to define cryptosystems and to break other ciphers.
More informationDeterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring
Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring Jean-Sébastien Coron and Alexander May Gemplus Card International 34 rue Guynemer, 92447 Issy-les-Moulineaux, France
More informationCryptanalysis of Unbalanced RSA with Small CRT-Exponent
Cryptanalysis of Unbalanced RSA with Small CRT-Exponent Alexander May Department of Mathematics and Computer Science University of Paderborn 3310 Paderborn, Germany alexx@uni-paderborn.de Abstract. We
More informationOn Deterministic Polynomial-Time Equivalence of Computing the CRT-RSA Secret Keys and Factoring
On Deterministic Polynomial-Time Equivalence of Computing the CRT-RSA Secret Keys and Factoring Subhamoy Maitra and Santanu Sarkar Applied Statistics Unit, Indian Statistical Institute, 203 B T Road, Kolkata
More informationNew Partial Key Exposure Attacks on RSA
New Partial Key Exposure Attacks on RSA Johannes Blömer, Alexander May Faculty of Computer Science, Electrical Engineering and Mathematics Paderborn University 33102 Paderborn, Germany {bloemer,alexx}@uni-paderborn.de
More informationNew Partial Key Exposure Attacks on RSA
New Partial Key Exposure Attacks on RSA Johannes Blömer, Alexander May Faculty of Computer Science, Electrical Engineering and Mathematics Paderborn University 33102 Paderborn, Germany {bloemer,alexx}@uni-paderborn.de
More informationPartial Key Exposure Attacks on RSA Up to Full Size Exponents
Partial Key Exposure Attacks on RSA Up to Full Size Exponents Matthias Ernst, Ellen Jochemsz 2,, Alexander May,, and Benne de Weger 2, Faculty of Computer Science, Electrical Engineering and Mathematics,
More informationLattice Reduction of Modular, Convolution, and NTRU Lattices
Summer School on Computational Number Theory and Applications to Cryptography Laramie, Wyoming, June 19 July 7, 2006 Lattice Reduction of Modular, Convolution, and NTRU Lattices Project suggested by Joe
More informationOn the Security of Multi-prime RSA
On the Security of Multi-prime RSA M. Jason Hinek David R. Cheriton School of Computer Science University of Waterloo Waterloo, Ontario, N2L 3G, Canada mjhinek@alumni.uwaterloo.ca June 3, 2006 Abstract.
More informationCryptanalysis via Lattice Techniques
Cryptanalysis via Lattice Techniques Alexander May Horst Görtz Institute for IT-Security Faculty of Mathematics Ruhr-University Bochum crypt@b-it 2010, Aug 2010, Bonn Lecture 1, Mon Aug 2 Introduction
More informationFinding Small Solutions of the Equation Bx Ay = z and Its Applications to Cryptanalysis of the RSA Cryptosystem
Finding Small Solutions of the Equation Bx Ay = z and Its Applications to Cryptanalysis of the RSA Cryptosystem Shixiong Wang 1, Longjiang Qu 2,3, Chao Li 1,3, and Shaojing Fu 1,2 1 College of Computer,
More informationAnother Generalization of Wiener s Attack on RSA
Another Generalization of Wiener s Attack on RSA Abderrahmane Nitaj Laboratoire de Mathématiques Nicolas Oresme Université de Caen, France BP 586, 4032 Caen Cedex, France http://www.math.unicaen.fr/~nitaj
More informationDeterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA
Deterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA Noboru Kunihiro 1 and Kaoru Kurosawa 2 1 The University of Electro-Communications, Japan kunihiro@iceuecacjp
More informationNTRU Cryptosystem and Its Analysis
NTRU Cryptosystem and Its Analysis Overview 1. Introduction to NTRU Cryptosystem 2. A Brief History 3. How the NTRU Cryptosystem works? Examples 4. Why the Decryption Works? 5. The Advantages of NTRU 6.
More informationIn fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.
Attacks on RSA, some using LLL Recall RSA: N = pq hard to factor. Choose e with gcd(e,φ(n)) = 1, where φ(n) = (p 1)(q 1). Via extended Euclid, find d with ed 1 (mod φ(n)). Discard p and q. Public key is
More informationHow to Generalize RSA Cryptanalyses
How to Generalize RSA Cryptanalyses Atsushi Takayasu and Noboru Kunihiro The University of Tokyo, Japan AIST, Japan {a-takayasu@it., kunihiro@}k.u-tokyo.ac.jp Abstract. Recently, the security of RSA variants
More informationThe security of RSA (part 1) The security of RSA (part 1)
The modulus n and its totient value φ(n) are known φ(n) = p q (p + q) + 1 = n (p + q) + 1 The modulus n and its totient value φ(n) are known φ(n) = p q (p + q) + 1 = n (p + q) + 1 i.e. q = (n φ(n) + 1)
More informationCOMP4109 : Applied Cryptography
COMP409 : Applied Cryptography Fall 203 M. Jason Hinek Carleton University Applied Cryptography Day 3 public-key encryption schemes some attacks on RSA factoring small private exponent 2 RSA cryptosystem
More informationA new security notion for asymmetric encryption Draft #12
A new security notion for asymmetric encryption Draft #12 Muhammad Rezal Kamel Ariffin 1,2 1 Al-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, 2 Department of Mathematics,
More informationarxiv: v3 [cs.it] 14 Nov 2012
A NEW EFFICIENT ASYMMETRIC CRYPTOSYSTEM BASED ON THE SQUARE ROOT PROBLEM arxiv:1207.1157v3 [cs.it] 14 Nov 2012 M.R.K. ARIFFIN, M.A.ASBULLAH, AND N.A. ABU Abstract. The square root modulo problem is a known
More informationA New Generalization of the KMOV Cryptosystem
J Appl Math Comput manuscript No. (will be inserted by the editor) A New Generalization of the KMOV Cryptosystem Maher Boudabra Abderrahmane Nitaj Received: date / Accepted: date Abstract The KMOV scheme
More informationPartial Key Exposure: Generalized Framework to Attack RSA
Partial Key Exposure: Generalized Framework to Attack RSA Cryptology Research Group Indian Statistical Institute, Kolkata 12 December 2011 Outline of the Talk 1 RSA - A brief overview 2 Partial Key Exposure
More informationLooking back at lattice-based cryptanalysis
September 2009 Lattices A lattice is a discrete subgroup of R n Equivalently, set of integral linear combinations: α 1 b1 + + α n bm with m n Lattice reduction Lattice reduction looks for a good basis
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationAn Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations
An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations J.H. Silverman 1, N.P. Smart 2, and F. Vercauteren 2 1 Mathematics Department, Box 1917, Brown
More informationImplicit factorization of unbalanced RSA moduli
Implicit factorization of unbalanced RSA moduli Abderrahmane Nitaj 1 and Muhammad Rezal Kamel Ariffin 2 1 Laboratoire de Mathématiques Nicolas Oresme Université de Caen Basse Normandie, France abderrahmane.nitaj@unicaen.fr
More informationPartial Key Exposure Attacks on RSA: Achieving the Boneh-Durfee Bound
Partial Key Exposure Attacks on RSA: Achieving the Boneh-Durfee Bound Atsushi Takayasu and Noboru Kunihiro May 25, 2018 Abstract Thus far, several lattice-based algorithms for partial key exposure attacks
More informationMaTRU: A New NTRU-Based Cryptosystem
MaTRU: A New NTRU-Based Cryptosystem Michael Coglianese 1 and Bok Min Goi 2 1 Macgregor, 321 Summer Street Boston, MA 02210, USA mcoglian@comcast.net 2 Centre for Cryptography and Information Security
More informationLemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).
1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not
More informationA new security notion for asymmetric encryption Draft #10
A new security notion for asymmetric encryption Draft #10 Muhammad Rezal Kamel Ariffin 1,2 1 Al-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, 2 Department of Mathematics,
More informationCryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg
Course 1: Remainder: RSA Université du Luxembourg September 21, 2010 Public-key encryption Public-key encryption: two keys. One key is made public and used to encrypt. The other key is kept private and
More informationLower Bounds of Shortest Vector Lengths in Random NTRU Lattices
Lower Bounds of Shortest Vector Lengths in Random NTRU Lattices Jingguo Bi 1,2 and Qi Cheng 2 1 School of Mathematics Shandong University Jinan, 250100, P.R. China. Email: jguobi@mail.sdu.edu.cn 2 School
More informationKey Encapsulation Mechanism From Modular Multivariate Linear Equations
Key Encapsulation Mechanism From Modular Multivariate Linear Equations Muhammad Rezal Kamel Ariffin 1,, Abderrahmane Nitaj 2, Yanbin Pan 3, Nur Azman Abu 4 1 Institute for Mathematical Research, Universiti
More informationA new security notion for asymmetric encryption Draft #8
A new security notion for asymmetric encryption Draft #8 Muhammad Rezal Kamel Ariffin 1,2 1 Al-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, 2 Department of Mathematics,
More informationLower bounds of shortest vector lengths in random knapsack lattices and random NTRU lattices
Lower bounds of shortest vector lengths in random knapsack lattices and random NTRU lattices Jingguo Bi 1 and Qi Cheng 2 1 Lab of Cryptographic Technology and Information Security School of Mathematics
More informationOn the Design of Rebalanced RSA-CRT
On the Design of Rebalanced RSA-CRT Hung-Min Sun 1, M. Jason Hinek 2, Mu-En Wu 3 1, 3 Department of Computer Science National Tsing Hua University, Hsinchu, Taiwan 300 E-mail: 1 hmsun@cs.nthu.edu.tw; 3
More informationApproximate Integer Common Divisor Problem relates to Implicit Factorization
Approximate Integer Common Divisor Problem relates to Implicit Factorization Santanu Sarar and Subhamoy Maitra Applied Statistics Unit, Indian Statistical Institute, 203 B T Road, Kolata 700 108, India
More informationMATH 158 FINAL EXAM 20 DECEMBER 2016
MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page
More informationDefinition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University
Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0
More informationRSA Algorithm. Factoring, EulerPhi, Breaking RSA. Çetin Kaya Koç Spring / 14
RSA Algorithm http://koclab.org Çetin Kaya Koç Spring 2018 1 / 14 Well-Known One-Way Functions Discrete Logarithm: Given p, g, and x, computing y in y = g x (mod p) is EASY Given p, g, y, computing x in
More informationRSA. Ramki Thurimella
RSA Ramki Thurimella Public-Key Cryptography Symmetric cryptography: same key is used for encryption and decryption. Asymmetric cryptography: different keys used for encryption and decryption. Public-Key
More informationSmall Private Exponent Partial Key-Exposure Attacks on Multiprime RSA
Small Private Exponent Partial Key-Exposure Attacks on Multiprime RSA M. Jason Hinek School of Computer Science, University of Waterloo, Waterloo, Ontario, N2L 3G1, Canada. mjhinek@alumni.uwaterloo.ca
More informationOn the Optimality of Lattices for the Coppersmith Technique
On the Optimality of Lattices for the Coppersmith Technique Yoshinori Aono Manindra Agrawal Takakazu Satoh Osamu Watanabe December 18, 2015 Abstract We investigate a method for finding small integer solutions
More informationPost-Quantum Cryptography
Post-Quantum Cryptography Sebastian Schmittner Institute for Theoretical Physics University of Cologne 2015-10-26 Talk @ U23 @ CCC Cologne This work is licensed under a Creative Commons Attribution-ShareAlike
More informationMathematics of Cryptography
UNIT - III Mathematics of Cryptography Part III: Primes and Related Congruence Equations 1 Objectives To introduce prime numbers and their applications in cryptography. To discuss some primality test algorithms
More informationCRYPTANALYSIS OF RSA WITH LATTICE ATTACKS ANDREW HOON SUK
c Copyright by Andrew Hoon Suk, 2003 CRYPTANALYSIS OF RSA WITH LATTICE ATTACKS BY ANDREW HOON SUK B.S., University of Illinois at Urbana-Champaign, 2001 THESIS Submitted in partial fulfillment of the requirements
More informationAn Attack Bound for Small Multiplicative Inverse of ϕ(n) mod e with a Composed Prime Sum p + q Using Sublattice Based Techniques
Article An Attack Bound for Sall Multiplicative Inverse of ϕn) od e with a Coposed Prie Su p + q Using Sublattice Based Techniques Pratha Anuradha Kaeswari * and Labadi Jyotsna Departent of Matheatics,
More informationDouble-Moduli Gaussian Encryption/Decryption with Primary Residues and Secret Controls
Int. J. Communications, Network and System Sciences, 011, 4, 475-481 doi:10.436/ijcns.011.47058 Published Online July 011 (http://www.scirp.org/journal/ijcns) Double-Moduli Gaussian Encryption/Decryption
More informationRSA Cryptosystem and Factorization
RSA Cryptosystem and Factorization D. J. Guan Department of Computer Science National Sun Yat Sen University Kaoshiung, Taiwan 80424 R. O. C. guan@cse.nsysu.edu.tw August 25, 2003 RSA Cryptosystem was
More informationA new lattice construction for partial key exposure attack for RSA
A new lattice construction for partial key exposure attack for RSA Yoshinori Aono Dept. of Mathematical and Computing Sciences Tokyo Institute of Technology, Tokyo, Japan aono5@is.titech.ac.jp Abstract.
More informationA Polynomial Time Attack on RSA with Private CRT-Exponents Smaller Than N 0.073
A Polynomial Time Attack on RSA with Private CRT-Exponents Smaller Than N 0.073 Ellen Jochemsz 1 and Alexander May 2 1 Department of Mathematics and Computer Science, TU Eindhoven, 5600 MB Eindhoven, the
More informationHigh-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven
High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers
More informationSlides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013
RSA Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013 Recap Recap Number theory o What is a prime number? o What is prime factorization? o What is a GCD? o What does relatively prime
More informationPartial Key Exposure Attack on RSA Improvements for Limited Lattice Dimensions
Partial Key Exposure Attack on RSA Improvements for Limited Lattice Dimensions Santanu Sarkar, Sourav Sen Gupta, and Subhamoy Maitra Applied Statistics Unit, Indian Statistical Institute, 203 B T Road,
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationElliptic Curve Cryptography
Elliptic Curve Cryptography Elliptic Curves An elliptic curve is a cubic equation of the form: y + axy + by = x 3 + cx + dx + e where a, b, c, d and e are real numbers. A special addition operation is
More informationExercise Sheet Cryptography 1, 2011
Cryptography 1 http://www.cs.ut.ee/~unruh/crypto1-11/ Exercise Sheet Cryptography 1, 2011 Exercise 1 DES The Data Encryption Standard (DES) is a very famous and widely used block cipher. It maps 64-bit
More informationNUMBER THEORY FOR CRYPTOGRAPHY
1 CHAPTER 4. NUMBER THEORY FOR CRYPTOGRAPHY 1 INSTITÚID TEICNEOLAÍOCHTA CHEATHARLACH INSTITUTE OF TECHNOLOGY CARLOW NUMBER THEORY FOR CRYPTOGRAPHY Contents 1 Number Theory for Cryptography 2 1.1 Linear
More information10 Modular Arithmetic and Cryptography
10 Modular Arithmetic and Cryptography 10.1 Encryption and Decryption Encryption is used to send messages secretly. The sender has a message or plaintext. Encryption by the sender takes the plaintext and
More informationImplementation of Automatic Invertible Matrix Mechanism in NTRU Matrix Formulation Algorithm
Implementation of Automatic Invertible Matrix Mechanism in NTRU Matrix Formulation Algorithm Mohan Rao Mamdikar, Vinay Kumar & D. Ghosh National Institute of Technology, Durgapur E-mail : Mohanrao.mamdikar@gmail.com,
More informationCongruence of Integers
Congruence of Integers November 14, 2013 Week 11-12 1 Congruence of Integers Definition 1. Let m be a positive integer. For integers a and b, if m divides b a, we say that a is congruent to b modulo m,
More informationCRYPTOGRAPHY AND NUMBER THEORY
CRYPTOGRAPHY AND NUMBER THEORY XINYU SHI Abstract. In this paper, we will discuss a few examples of cryptographic systems, categorized into two different types: symmetric and asymmetric cryptography. We
More informationCryptography: Joining the RSA Cryptosystem
Cryptography: Joining the RSA Cryptosystem Greg Plaxton Theory in Programming Practice, Fall 2005 Department of Computer Science University of Texas at Austin Joining the RSA Cryptosystem: Overview First,
More informationPublic Key Encryption
Public Key Encryption 3/13/2012 Cryptography 1 Facts About Numbers Prime number p: p is an integer p 2 The only divisors of p are 1 and p s 2, 7, 19 are primes -3, 0, 1, 6 are not primes Prime decomposition
More information2 More on Congruences
2 More on Congruences 2.1 Fermat s Theorem and Euler s Theorem definition 2.1 Let m be a positive integer. A set S = {x 0,x 1,,x m 1 x i Z} is called a complete residue system if x i x j (mod m) whenever
More informationCIS 551 / TCOM 401 Computer and Network Security
CIS 551 / TCOM 401 Computer and Network Security Spring 2008 Lecture 15 3/20/08 CIS/TCOM 551 1 Announcements Project 3 available on the web. Get the handout in class today. Project 3 is due April 4th It
More informationNew RSA Vulnerabilities Using Lattice Reduction Methods
New RSA Vulnerabilities Using Lattice Reduction Methods Dissertation Thesis by Alexander May October 19, 2003 Reviewer: Prof. Dr. Johannes Blömer (University of Paderborn) Prof. Dr. Joachim von zur Gathen
More informationRSA RSA public key cryptosystem
RSA 1 RSA As we have seen, the security of most cipher systems rests on the users keeping secret a special key, for anyone possessing the key can encrypt and/or decrypt the messages sent between them.
More informationPost Quantum Cryptography
Malaysian Journal of Mathematical Sciences 11(S) August: 1-28 (2017) Special Issue: The 5th International Cryptology and Information Security Conference (New Ideas in Cryptology) MALAYSIAN JOURNAL OF MATHEMATICAL
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationCryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97
Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97 Phong Nguyen and Jacques Stern École Normale Supérieure, Laboratoire d Informatique 45, rue d Ulm, F 75230 Paris Cedex 05 {Phong.Nguyen,Jacques.Stern}@ens.fr
More information9 Knapsack Cryptography
9 Knapsack Cryptography In the past four weeks, we ve discussed public-key encryption systems that depend on various problems that we believe to be hard: prime factorization, the discrete logarithm, and
More informationPublic Key Cryptography
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Public Key Cryptography EECE 412 1 What is it? Two keys Sender uses recipient s public key to encrypt Receiver uses his private key to decrypt
More informationLectures on the NTRU encryption algorithm and digital signature scheme: Grenoble, June 2002
Lectures on the NTRU encryption algorithm and digital signature scheme: Grenoble, June 2002 J. Pipher Brown University, Providence RI 02912 1 Lecture 1 1.1 Integer lattices Lattices have been studied by
More informationSTRU: A Non Alternative and Multidimensional Public Key Cryptosystem
Global Journal of Pure and Applied Mathematics. ISS 0973-1768 Volume 13, umber 5 (2017), pp. 1447 1464 Research India Publications http://www.ripublication.com/gjpam.htm STRU: A on Alternative and Multidimensional
More informationOn estimating the lattice security of NTRU
On estimating the lattice security of NTRU Nick Howgrave-Graham, Jeff Hoffstein, Jill Pipher, William Whyte NTRU Cryptosystems Abstract. This report explicitly refutes the analysis behind a recent claim
More informationLLL lattice basis reduction algorithm
LLL lattice basis reduction algorithm Helfer Etienne 103010 Contents 1 Lattice 1 11 Introduction 1 1 Definition 13 Determinant 3 14 Shortest vector problem 5 Basis reduction 6 1 Introduction 6 Rank basis
More informationRSA ENCRYPTION USING THREE MERSENNE PRIMES
Int. J. Chem. Sci.: 14(4), 2016, 2273-2278 ISSN 0972-768X www.sadgurupublications.com RSA ENCRYPTION USING THREE MERSENNE PRIMES Ch. J. L. PADMAJA a*, V. S. BHAGAVAN a and B. SRINIVAS b a Department of
More informationYALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 13 (rev. 2) Professor M. J. Fischer October 22, 2008 53 Chinese Remainder Theorem Lecture Notes 13 We
More informationLECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS
LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS Modular arithmetics that we have discussed in the previous lectures is very useful in Cryptography and Computer Science. Here we discuss several
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 14 October 23, 2017 CPSC 467, Lecture 14 1/42 Computing in Z n Modular multiplication Modular inverses Extended Euclidean algorithm
More informationAn Efficient Broadcast Attack against NTRU
An Efficient Broadcast Attack against NTRU Jianwei Li, Yanbin Pan, Mingjie Liu, Guizhen Zhu Institute for Advanced Study, Tsinghua University Beijing 00084, China {lijianwei0, liu-mj07, zhugz08}@mailstsinghuaeducn
More informationA Unified Framework for Small Secret Exponent Attack on RSA
A Unified Framework for Small Secret Exponent Attack on RSA Noboru Kunihiro 1, Naoyuki Shinohara 2, and Tetsuya Izu 3 1 The University of Tokyo, Japan kunihiro@k.u-tokyo.ac.jp 2 NICT, Japan 3 Fujitsu Labs,
More informationRéduction de réseau et cryptologie.
Réduction de réseau et cryptologie Séminaire CCA Nicolas Gama Ensicaen 8 janvier 2010 Nicolas Gama (Ensicaen) Réduction de réseau et cryptologie 8 janvier 2010 1 / 54 Outline 1 Example of lattice problems
More informationSolving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?
Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know? Alexander May, Maike Ritzenhofen Faculty of Mathematics Ruhr-Universität Bochum, 44780 Bochum,
More informationCosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks
1 Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks Michael Albert michael.albert@cs.otago.ac.nz 2 This week Arithmetic Knapsack cryptosystems Attacks on knapsacks Some
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 14, 2013 CPSC 467b, Lecture 9 1/42 Integer Division (cont.) Relatively prime numbers, Z n, and φ(n) Computing in Z n
More informationImplementation Tutorial on RSA
Implementation Tutorial on Maciek Adamczyk; m adamczyk@umail.ucsb.edu Marianne Magnussen; mariannemagnussen@umail.ucsb.edu Adamczyk and Magnussen Spring 2018 1 / 13 Overview Implementation Tutorial Introduction
More informationLattices, Cryptography, and NTRU. An introduction to lattice theory and the NTRU cryptosystem. Ahsan Z. Zahid
Lattices, Cryptography, and NTRU An introduction to lattice theory and the NTRU cryptosystem Ahsan Z. Zahid A thesis presented for the degree of Bachelor of Science School of Science St. Mary s College
More informationIdeal Lattices and NTRU
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin April 23-30, 2013 Ideal Lattices and NTRU Scribe: Kina Winoto 1 Algebraic Background (Reminders) Definition 1. A commutative
More information