Recovering Private Keys Generated With Weak PRNGs
|
|
- Melvyn Briggs
- 5 years ago
- Views:
Transcription
1 Recovering Private Keys Generated With Weak PRNGs Pierre-Alain Fouque (Univ. Rennes 1) Mehdi Tibouchi (NTT Secure Platform Lab.) Jean-Christophe Zapalowicz (Inria) Journées C Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16
2 About this talk "Generating secure public keys in the real world is challenging" (Lenstra et al. 2012) "We discovered that insecure RNGs are in widespread use" (Heninger et al. 2012) Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16
3 About this talk "Generating secure public keys in the real world is challenging" (Lenstra et al. 2012) "We discovered that insecure RNGs are in widespread use" (Heninger et al. 2012) A public-key scheme based on the hardness of the discrete logarithm problem the factorization Known values: the public key a Linear Congruential Generator (LCG) used to generate the secret key Question: Is it secure? Related Work: Bellare et al. (1997) show that using a LCG for computing the nonces in DSA does seriously break security Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16
4 Linear Congruential Generator is weak Heavily studied: Stern (1987), Frieze et al. (1988), Boyar (1989), Joux and Stern (1998), Contini and Shparlinski (2005) Advantages: efficient, very small footprint, easy to implement, good statistical properties... Drawback: cryptographically insecure: from some outputs, possibility to recover the seed and the parameters LCG outputs Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16
5 Is this scheme weak? Reality: no access to the outputs of the LCG LCG out r... out 1 secret key crypto public key, parameters of the LCG Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16
6 Is this scheme weak? Reality: no access to the outputs of the LCG LCG out r... out 1 secret key crypto public key, parameters of the LCG Cryptanalysis: search of the m-bit seed of the LCG Exhaustive search: complexity in O(2 m ) Our work: Time/Memory tradeoff: complexity between O(2 m/2 ) and O(2 m ) Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16
7 Linear Congruential Generator M: known integer a, b < M: known integers s < M: secret seed seed s output v 1 = as + b mod M output v 2 = av 1 + b mod M v i+1 = a v i + b mod M The LCG outputs the k least (or most) significant bits o i of v i Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16
8 Overview of our cryptanalysis (1) v i+1 = a v i + b mod M v i = a i s + b (1 + a + + a i 1 ) = a i s + b i mod M constants b i publicly computable b = 0 v i = a i s mod M secret key x = o k o (r 1)k o r 1 with o i = lsb k (v i ) Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16
9 Overview of our cryptanalysis (1) v i+1 = a v i + b mod M v i = a i s + b (1 + a + + a i 1 ) = a i s + b i mod M constants b i publicly computable b = 0 v i = a i s mod M Main idea of the attack: secret key x = o k o (r 1)k o r 1 with o i = lsb k (v i ) split the m-bit seed into two part s = u + 2 m/2 v write the secret key as x = U + V U depends only on the m 2 -bit value u V depends only on the m 2 -bit value v take carries and overflows into account Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16
10 Overview of our cryptanalysis (2): v u seed s Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16
11 Overview of our cryptanalysis (2): v u seed s o r 1 o i o 0 secret key x V U Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16
12 Overview of our cryptanalysis (2): v u seed s o r 1 o i o 0 secret key x 1 bit V U o i = a i s mod 2 k = a i u mod 2 k + 2 k/2 (a i v mod 2 k/2 ) ɛ i 2 k o r 1 o r 1 2 o r 1 2 o 0 carries (M = 2 k ) Y Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16
13 Overview of our cryptanalysis (2): v u seed s o r 1 o i o 0 secret key x 1 bit V U o i = a i s mod 2 k = a i u mod 2 k + 2 k/2 (a i v mod 2 k/2 ) ɛ i 2 k o r 1 o r 1 2 o r 1 2 o 0 carries (M = 2 k ) Z W Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16
14 Overview of our cryptanalysis (2): v u seed s o r 1 o i o 0 secret key x V x = U + V W Z U 1 bit o r 1 Z o r 1 2 o r 1 2 W o 0 carries (M = 2 k ) Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16
15 Results on the discrete logarithm case: Introduction Discrete logarithm problem: cyclic group G of prime order q and generator g (G, q, g) public parameters secret key: x Z q public key: h = g x Hard to retrieve x from h x = o k o (r 1)k o r 1 We consider the following cases: use of a non-truncated LCG: M = 2 k use of a truncated LCG: M > 2 k (see paper) Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16
16 Discrete logarithm case with a non-truncated LCG (1) where: r 1 U = 2 ik (a i u mod 2 k ) i=0 r 1 V = 2 ik+k/2 (a i v mod 2 k/2 ) i=0 i=0 x = U + V W Z r 1 2 r 1 Y = 2 (i+1)k ε i = 2 (i+1)k ε i + i=0 } {{ } W r 1 2 i= r 1 2 (i+1)k ε i } {{ } Z ε i {0, 1} g U Z = h g W V Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16
17 Discrete logarithm case with a non-truncated LCG (2) g U Z = h g W V Collision search U (resp. V ) depends only on the k 2 -bit value u (resp. v) 2 k/2 possible values U i and 2 k/2 possible values V s W and Z take carries and overflows into account 2 r/2 possible values W t and 2 r/2 possible values Z j (k: size of the seed, r: number of used outputs) Attack: Compute the hash table H by storing i, j at H(g U i Z j ) O(2 k+r 2 ) in memory For each (V s, W t ) do: O(2 k+r 2 ) in time if H(h g Wt Vs ) exists then return x U i + V s Z j W t Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16
18 Concretly Secret size Modulus Attack complexity Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16
19 Results on the factorization case: Introduction Factorization problem: p, q two large primes Given N = pq, retrieve p and q p = o k o (r 1)k o r 1 We consider the following cases: basic prime generation use of a non-truncated LCG: M = 2 k use of a truncated LCG: M > 2 k (see paper) PRIMEINC method (see paper) use of a non-truncated LCG: M = 2 k use of a truncated LCG: M > 2 k Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16
20 Factorization case with a non-truncated LCG (1) Point of view of an attacker: 2 k+r 2 possible values A i,j p = } U {{ Z } + V } {{ W } A B 2 k+r 2 possible values B s,t How to find the correct value A and B? if q c, then gcd(c(a + B), N) = p Use of the Multipoint evaluation of univariate polynomials: P(x) Z N [x] a polynomial of degree d Evaluate P at d distinct points Quasi-linear complexity Õ(d) using divide-and-conquer approach Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16
21 Factorization case with a non-truncated LCG (2) Attack: Compute the polynomial of degree 2 k+r 2 : P(X ) = (X + B s,t ) mod N s,t Õ(2 k+r 2 ) in memory Multi-evaluate P at the points A i,j k+r Õ(2 2 ) in time For each point A i,j do: if gcd(p(a i,j ), N) 1 then return gcd(p(a i,j ), N) For the correct value A: with c = s,t B s,t B (A + B s,t) P(A) = c(a + B) Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16
22 Conclusion Discrete logarithm-based and factorization-based schemes treated LCG out r... out 1 secret key crypto public key, parameters of the LCG Exhaustive search: complexity in O(2 m ) Our Time/Memory tradeoff: complexity between O(2 m/2 ) and O(2 m ) Open Questions: What if the parameters of the LCG are unknown Generalization to other PRNG Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16
23 Thank you for your attention Jean-Christophe Zapalowicz (Inria) Journées C March, 27th / 16
Recovering Private Keys Generated with Weak PRNGs
Recovering Private Keys Generated with Weak PRNGs Pierre-Alain Fouque, Mehdi Tibouchi, Jean-Christophe Zapalowicz To cite this version: Pierre-Alain Fouque, Mehdi Tibouchi, Jean-Christophe Zapalowicz.
More informationTime/Memory/Data Tradeoffs for Variants of the RSA Problem
Time/Memory/Data Tradeoffs for Variants of the RSA Problem Pierre-Alain Fouque, Damien Vergnaud, Jean-Christophe Zapalowicz To cite this version: Pierre-Alain Fouque, Damien Vergnaud, Jean-Christophe Zapalowicz.
More informationGLV/GLS Decomposition, Power Analysis, and Attacks on ECDSA Signatures With Single-Bit Nonce Bias
GLV/GLS Decomposition, Power Analysis, and Attacks on ECDSA Signatures With Single-Bit Nonce Bias Diego F. Aranha Pierre-Alain Fouque Benoît Gerard Jean-Gabriel Kammerer Mehdi Tibouchi Jean-Christophe
More informationENEE 459-C Computer Security. Message authentication (continue from previous lecture)
ENEE 459-C Computer Security Message authentication (continue from previous lecture) Last lecture Hash function Cryptographic hash function Message authentication with hash function (attack?) with cryptographic
More informationElliptic Curve DRNGs. Çetin Kaya Koç Winter / 19
Elliptic Curve DRNGs Çetin Kaya Koç koc@cs.ucsb.edu Çetin Kaya Koç http://koclab.org Winter 2017 1 / 19 Elliptic Curve DRNGs There are three existing proposals Linear Congruential Generator Power Generator
More informationBreaking Plain ElGamal and Plain RSA Encryption
Breaking Plain ElGamal and Plain RSA Encryption (Extended Abstract) Dan Boneh Antoine Joux Phong Nguyen dabo@cs.stanford.edu joux@ens.fr pnguyen@ens.fr Abstract We present a simple attack on both plain
More informationPublic Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers
Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron, David Naccache and Mehdi Tibouchi University of Luxembourg & ENS & NTT EUROCRYPT, 2012-04-18
More informationPREDICTING MASKED LINEAR PSEUDORANDOM NUMBER GENERATORS OVER FINITE FIELDS
PREDICTING MASKED LINEAR PSEUDORANDOM NUMBER GENERATORS OVER FINITE FIELDS JAIME GUTIERREZ, ÁLVAR IBEAS, DOMINGO GÓMEZ-PEREZ, AND IGOR E. SHPARLINSKI Abstract. We study the security of the linear generator
More informationStructural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128
Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128 Pierre-Alain Fouque 1 Jérémy Jean 2 Thomas Peyrin 3 1 Université de Rennes 1, France 2 École Normale Supérieure, France 3 Nanyang
More informationPractical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits
Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits Damien Vergnaud École normale supérieure CHES September, 15th 2015 (with Aurélie Bauer) Damien Vergnaud
More informationPseudo-random Number Generation. Qiuliang Tang
Pseudo-random Number Generation Qiuliang Tang Random Numbers in Cryptography The keystream in the one-time pad The secret key in the DES encryption The prime numbers p, q in the RSA encryption The private
More informationLooking back at lattice-based cryptanalysis
September 2009 Lattices A lattice is a discrete subgroup of R n Equivalently, set of integral linear combinations: α 1 b1 + + α n bm with m n Lattice reduction Lattice reduction looks for a good basis
More informationPseudo-Random Generators
Pseudo-Random Generators Why do we need random numbers? Simulation Sampling Numerical analysis Computer programming (e.g. randomized algorithm) Elementary and critical element in many cryptographic protocols
More informationElliptic Curve DRNGs. Çetin Kaya Koç Winter / 21
Elliptic Curve DRNGs http://koclab.org Çetin Kaya Koç Winter 2017 1 / 21 Elliptic Curve DRNGs Linear Congruential Generator Power Generator Naor-Reingold Generator Dual EC RNG http://koclab.org Çetin Kaya
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationPseudo-Random Generators
Pseudo-Random Generators Topics Why do we need random numbers? Truly random and Pseudo-random numbers. Definition of pseudo-random-generator What do we expect from pseudorandomness? Testing for pseudo-randomness.
More informationTopics. Pseudo-Random Generators. Pseudo-Random Numbers. Truly Random Numbers
Topics Pseudo-Random Generators Why do we need random numbers? Truly random and Pseudo-random numbers. Definition of pseudo-random-generator What do we expect from pseudorandomness? Testing for pseudo-randomness.
More informationSome Lattice Attacks on DSA and ECDSA
Some Lattice Attacks on DSA and ECDSA Dimitrios Poulakis Department of Mathematics, Aristotle University of Thessaloniki, Thessaloniki 54124, Greece, email:poulakis@math.auth.gr November 10, 2010 Abstract
More informationInferring Sequences Produced by Nonlinear Pseudorandom Number Generators Using Coppersmith s Methods
Inferring Sequences Produced by Nonlinear Pseudorandom Number Generators Using Coppersmith s Methods Aurélie Bauer, Damien Vergnaud 2,, and Jean-Christophe Zapalowicz 3, Agence Nationale de la Sécurité
More informationCryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95
Cryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95 Jean-Sébastien Coron and David Naccache Gemplus Card International 34 rue Guynemer, 92447 Issy-les-Moulineaux, France {jean-sebastien.coron,
More informationNumber Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers
Number Theory: Applications Number Theory Applications Computer Science & Engineering 235: Discrete Mathematics Christopher M. Bourke cbourke@cse.unl.edu Results from Number Theory have many applications
More informationSide Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents
Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents Santanu Sarkar and Subhamoy Maitra Leuven, Belgium 12 September, 2012 Outline of the Talk RSA Cryptosystem
More informationStream Ciphers. Çetin Kaya Koç Winter / 20
Çetin Kaya Koç http://koclab.cs.ucsb.edu Winter 2016 1 / 20 Linear Congruential Generators A linear congruential generator produces a sequence of integers x i for i = 1,2,... starting with the given initial
More informationOther Public-Key Cryptosystems
Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/
More informationCryptanalysis via Lattice Techniques
Cryptanalysis via Lattice Techniques Alexander May Horst Görtz Institute for IT-Security Faculty of Mathematics Ruhr-University Bochum crypt@b-it 2010, Aug 2010, Bonn Lecture 1, Mon Aug 2 Introduction
More informationCryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg
Course 1: Remainder: RSA Université du Luxembourg September 21, 2010 Public-key encryption Public-key encryption: two keys. One key is made public and used to encrypt. The other key is kept private and
More informationLittle Dragon Two: An efficient Multivariate Public Key Cryptosystem
Little Dragon Two: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India October
More informationSimple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)
Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia) Henry Ng Henry.Ng.a@gmail.com Abstract. A new cryptographic pseudorandom number generator Cilia is presented. It hashes
More informationTrue & Deterministic Random Number Generators
True & Deterministic Random Number Generators Çetin Kaya Koç http://cs.ucsb.edu/~koc koc@cs.ucsb.edu 1.0 0.5 1.0 0.5 0.5 1.0 0.5 1.0 Koç (http://cs.ucsb.edu/~koc) HRL RNG April 11, 2013 1 / 47 Random Numbers
More informationNotes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I
Number Theory: Applications Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry Fall 2007 Computer Science & Engineering 235 Introduction to Discrete Mathematics Sections 3.4 3.7 of Rosen cse235@cse.unl.edu
More informationCryptanalysis of the Quadratic Generator
Cryptanalysis of the Quadratic Generator Domingo Gomez, Jaime Gutierrez, Alvar Ibeas Faculty of Sciences, University of Cantabria, Santander E 39071, Spain jaime.gutierrez@unican.es Abstract. Let p be
More informationPartial Key Exposure: Generalized Framework to Attack RSA
Partial Key Exposure: Generalized Framework to Attack RSA Cryptology Research Group Indian Statistical Institute, Kolkata 12 December 2011 Outline of the Talk 1 RSA - A brief overview 2 Partial Key Exposure
More informationHidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV *
2017 2nd International Conference on Artificial Intelligence: Techniques and Applications (AITA 2017) ISBN: 978-1-60595-491-2 Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV * DCS
More informationOn the strength comparison of ECC and RSA
SHARCS 2012 (Special-Purpose Hardware for Attacking Cryptographic Systems) Date: 17-18 March 2012 Place: Washington, DC, USA On the strength comparison of ECC and RSA Masaya Yasuda, Takeshi Shimoyama,
More informationStatistical Properties of Short RSA Distribution and Their Cryptographic Applications
Statistical Properties of Short RSA Distribution and Their Cryptographic Applications Pierre-Alain Fouque, Jean-Christophe Zapalowicz To cite this version: Pierre-Alain Fouque, Jean-Christophe Zapalowicz.
More informationHomework 3 Solutions
5233/IOC5063 Theory of Cryptology, Fall 205 Instructor Prof. Wen-Guey Tzeng Homework 3 Solutions 7-Dec-205 Scribe Amir Rezapour. Consider an unfair coin with head probability 0.5. Assume that the coin
More informationPoly Dragon: An efficient Multivariate Public Key Cryptosystem
Poly Dragon: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India May 19, 2010
More informationMultivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar?
Multivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar? Christian Eder, Jean-Charles Faugère and Ludovic Perret Seminar on Fundamental Algorithms, University
More informationFull Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5
Full Attacks on HMAC/NMAC- and NMAC-MD5 Pierre-Alain Fouque, Gaëtan Leurent, Phong Nguyen Laboratoire d Informatique de l École Normale Supérieure CRYPTO 2007 1/26 WhatisaMACalgorithm? M Alice wants to
More informationA New Baby-Step Giant-Step Algorithm and Some Applications to Cryptanalysis
A New Baby-Step Giant-Step Algorithm and Some Applications to Cryptanalysis Jean Sébastien Coron 1, David Lefranc 2 and Guillaume Poupard 3 1 Université du Luxembourg Luxembourg coron@clipper.ens.fr 2
More informationComputing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring
Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring Alexander May Faculty of Computer Science, Electrical Engineering and Mathematics University of Paderborn 33102 Paderborn,
More informationHorizontal and Vertical Side-Channel Attacks against Secure RSA Implementations
Introduction Clavier et al s Paper This Paper Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations Aurélie Bauer Éliane Jaulmes Emmanuel Prouff Justine Wild ANSSI Session ID:
More informationCRYPTANALYSIS OF ELGAMAL TYPE DIGITAL SIGNATURE SCHEMES USING INTEGER DECOMPOSITION
Trends in Mathematics Information Center for Mathematical Sciences Volume 8, Number 1, June, 2005, Pages 167 175 CRYPTANALYSIS OF ELGAMAL TYPE DIGITAL SIGNATURE SCHEMES USING INTEGER DECOMPOSITION IKKWON
More informationOther Public-Key Cryptosystems
Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: 10-1 Overview 1. How to exchange
More informationDeterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring
Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring Jean-Sébastien Coron and Alexander May Gemplus Card International 34 rue Guynemer, 92447 Issy-les-Moulineaux, France
More informationFault Attacks Against emv Signatures
Fault Attacks Against emv Signatures Jean-Sébastien Coron 1, David Naccache 2, and Mehdi Tibouchi 2 1 Université du Luxembourg 6, rue Richard Coudenhove-Kalergi l-1359 Luxembourg, Luxembourg {jean-sebastien.coron,
More informationComputing Generator in Cyclotomic Integer Rings
A subfield algorithm for the Principal Ideal Problem in L 1 K 2 and application to the cryptanalysis of a FHE scheme Jean-François Biasse 1 Thomas Espitau 2 Pierre-Alain Fouque 3 Alexandre Gélin 2 Paul
More informationA Generic Algorithm for Small Weight Discrete Logarithms in Composite Groups
A Generic Algorithm for Small Weight Discrete Logarithms in Composite Groups Alexander May and Ilya Ozerov Horst Görtz Institute for IT-Security Ruhr-University Bochum, Germany Faculty of Mathematics alex.may@rub.de,
More information"Pseudo-Random" Number Generation Within Cryptographic Algorithms: The DDS Case
"Pseudo-Random" Number Generation Within Cryptographic Algorithms: The DDS Case Mihir Bellare 1, Shaft Goldwasser 2 and Daniele Micciancio 2 1 Dept. of Computer Science & Engineering, University of California
More informationHidden Field Equations
Security of Hidden Field Equations (HFE) 1 The security of Hidden Field Equations ( H F E ) Nicolas T. Courtois INRIA, Paris 6 and Toulon University courtois@minrank.org Permanent HFE web page : hfe.minrank.org
More informationSide Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents
Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents Santanu Sarkar and Subhamoy Maitra Applied Statistics Unit, Indian Statistical Institute, 203 B. T. Road,
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationLecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures
Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle
More informationOn the Big Gap Between p and q in DSA
On the Big Gap Between p and in DSA Zhengjun Cao Department of Mathematics, Shanghai University, Shanghai, China, 200444. caozhj@shu.edu.cn Abstract We introduce a message attack against DSA and show that
More informationCrypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.
Crypto math II Alin Tomescu alinush@mit.edu May 7, 015 Abstract A quick overview on group theory from Ron Rivest s 6.857 course in Spring 015. 1 Overview Group theory review Diffie-Hellman (DH) key exchange
More informationCorrecting Errors in Private Keys Obtained from Cold Boot Attacks
Correcting Errors in Private Keys Obtained from Cold Boot Attacks Hyung Tae Lee, HongTae Kim, Yoo-Jin Baek, and Jung Hee Cheon ISaC & Department of Mathmathical Sciences, SNU 2011. 11. 30. 1 / 17 Contents
More informationA New Baby-Step Giant-Step Algorithm and Some Applications to Cryptanalysis
A New Baby-Step Giant-Step Algorithm and Some Applications to Cryptanalysis 30/08/2005 J.S. Coron, G. Poupard and D. Lefranc D1-09/11/2005 Overview Introduction : the GPS scheme A new type of private keys
More informationMasking the GLP Lattice-Based Signature Scheme at any Order
Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software Institute) Sonia Belaïd (CryptoExperts) Thomas Espitau (UPMC) Pierre-Alain Fouque (Univ. Rennes I and IUF) Benjamin
More informationWinter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2
0368.3049.01 Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod Assignment #2 Published Sunday, February 17, 2008 and very slightly revised Feb. 18. Due Tues., March 4, in Rani Hod
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More informationQuantum Differential and Linear Cryptanalysis
Quantum Differential and Linear Cryptanalysis Marc Kaplan 1,2 Gaëtan Leurent 3 Anthony Leverrier 3 María Naya-Plasencia 3 1 LTCI, Télécom ParisTech 2 School of Informatics, University of Edinburgh 3 Inria
More informationSome Security Comparisons of GOST R and ECDSA Signature Schemes
Some Security Comparisons of GOST R 34.10-2012 and ECDSA Signature Schemes Trieu Quang Phong Nguyen Quoc Toan Institute of Cryptography Science and Technology Gover. Info. Security Committee, Viet Nam
More informationImproving the Performance of the SYND Stream Cipher
Improving the Performance of the SYND Stream Cipher Mohammed Meziani, Gerhard Hoffmann and Pierre-Louis Cayrel AfricaCrypt 2012, July 10-12, Ifrane Morocco Backgrounds Previous Works XSYND Conclusion and
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationB. Maddah ENMG 622 Simulation 11/11/08
B. Maddah ENMG 622 Simulation 11/11/08 Random-Number Generators (Chapter 7, Law) Overview All stochastic simulations need to generate IID uniformly distributed on (0,1), U(0,1), random numbers. 1 f X (
More informationCryptanalysis of the RSA Subgroup Assumption from TCC 2005
Cryptanalysis of the RSA Subgroup Assumption from TCC 2005 Jean-Sébastien Coron 1, Antoine Joux 2,3, Avradip Mandal 1, David Naccache 4, and Mehdi Tibouchi 1,4 1 Université du Luxembourg 6, rue Richard
More informationEvidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs
Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs Jonah Brown-Cohen 1 Introduction The Diffie-Hellman protocol was one of the first methods discovered for two people, say Alice
More informationDesign of Cryptographically Strong Generator By Transforming Linearly Generated Sequences
Design of Cryptographically Strong Generator By Transforming Linearly Generated Sequences Matthew N. Anyanwu Department of Computer Science The University of Memphis Memphis, TN 38152, U.S.A. manyanwu
More informationLecture V : Public Key Cryptography
Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationBreaking Symmetric Cryptosystems Using Quantum Algorithms
Breaking Symmetric Cryptosystems Using Quantum Algorithms Gaëtan Leurent Joined work with: Marc Kaplan Anthony Leverrier María Naya-Plasencia Inria, France FOQUS Workshop Gaëtan Leurent (Inria) Breaking
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationA Small Subgroup Attack on Arazi s Key Agreement Protocol
Small Subgroup ttack on razi s Key greement Protocol Dan Brown Certicom Research, Canada dbrown@certicom.com lfred Menezes Dept. of C&O, University of Waterloo, Canada ajmeneze@uwaterloo.ca bstract In
More informationCryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000
Cryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000 Amr Youssef 1 and Guang Gong 2 1 Center for Applied Cryptographic Research Department of Combinatorics & Optimization 2 Department of Electrical
More informationFast correlation attacks on certain stream ciphers
FSE 2011, February 14-16, Lyngby, Denmark Fast correlation attacks on certain stream ciphers Willi Meier FHNW Switzerland 1 Overview A decoding problem LFSR-based stream ciphers Correlation attacks Fast
More informationCryptanalysis of two knapsack public-key cryptosystems
Cryptanalysis of two knapsack public-key cryptosystems Jingguo Bi 1, Xianmeng Meng 2, and Lidong Han 1 {jguobi,hanlidong}@sdu.edu.cn mengxm@sdfi.edu.cn 1 Key Laboratory of Cryptologic Technology and Information
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationWhy Textbook ElGamal and RSA Encryption Are Insecure
Why Textbook ElGamal and RSA Encryption Are Insecure (Extended Abstract) Dan Boneh 1, Antoine Joux 2, and Phong Q. Nguyen 3 1 Stanford University, Computer Science Department Stanford, CA 94305, USA dabo@cs.stanford.edu
More informationCryptanalysis of the Dual Elliptic Curve Pseudorandom Generator
Cryptanalysis of the Dual Elliptic Curve Pseudorandom Generator Berry Schoenmakers and Andrey Sidorenko Dept. of Mathematics and Computer Science, TU Eindhoven, P.O. Box 513, 5600 MB Eindhoven, The Netherlands.
More informationThe attack of the RSA Subgroup Assumption
The attack of the RSA Subgroup Assumption Jiang Weng 1,2, Yunqi Dou 1,2, and Chuangui Ma 1,2 1 Zhengzhou Information Science and Technology Institute,Zhengzhou 450002, China 2 State Key Laboratory of Mathematical
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationNew attacks on RSA with Moduli N = p r q
New attacks on RSA with Moduli N = p r q Abderrahmane Nitaj 1 and Tajjeeddine Rachidi 2 1 Laboratoire de Mathématiques Nicolas Oresme Université de Caen Basse Normandie, France abderrahmane.nitaj@unicaen.fr
More informationNew Variant of ElGamal Signature Scheme
Int. J. Contemp. Math. Sciences, Vol. 5, 2010, no. 34, 1653-1662 New Variant of ElGamal Signature Scheme Omar Khadir Department of Mathematics Faculty of Science and Technology University of Hassan II-Mohammedia,
More informationIntroduction to Elliptic Curve Cryptography
Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationone eciently recover the entire key? There is no known method for doing so. Furthermore, the common belief is that no such ecient algorithm exists. Th
Exposing an RSA Private Key Given a Small Fraction of its Bits Dan Boneh Glenn Durfee y Yair Frankel dabo@cs.stanford.edu gdurf@cs.stanford.edu yfrankel@cs.columbia.edu Stanford University Stanford University
More informationPublic Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers
Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron 1, David Naccache 2, and Mehdi Tibouchi 3 1 Université du Luxembourg jean-sebastien.coron@uni.lu
More informationImproving the efficiency of Generalized Birthday Attacks against certain structured cryptosystems
Improving the efficiency of Generalized Birthday Attacks against certain structured cryptosystems Robert Niebuhr 1, Pierre-Louis Cayrel 2, and Johannes Buchmann 1,2 1 Technische Universität Darmstadt Fachbereich
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationThe Hash Function JH 1
The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred
More informationNetwork Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30
Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) LIU Zhen Due Date: March 30 Questions: 1. RSA (20 Points) Assume that we use RSA with the prime numbers p = 17 and q = 23. (a) Calculate
More informationOn the Key-collisions in the Signature Schemes
On the Key-collisions in the Signature Schemes Tomáš Rosa ICZ a.s., Prague, CZ Dept. of Computer Science, FEE, CTU in Prague, CZ tomas.rosa@i.cz Motivation to study k-collisions Def. Non-repudiation [9,10].
More informationRSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer
RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis Daniel Genkin, Adi Shamir, Eran Tromer Mathematical Attacks Input Crypto Algorithm Key Output Goal: recover the key given access to the inputs
More informationSafer parameters for the Chor-Rivest cryptosystem
Safer parameters for the Chor-Rivest cryptosystem L. Hernández Encinas, J. Muñoz Masqué and A. Queiruga Dios Applied Physics Institute, CSIC C/ Serrano 144, 28006-Madrid, Spain {luis, jaime, araceli}@iec.csic.es
More informationLattice Reduction Attack on the Knapsack
Lattice Reduction Attack on the Knapsack Mark Stamp 1 Merkle Hellman Knapsack Every private in the French army carries a Field Marshal wand in his knapsack. Napoleon Bonaparte The Merkle Hellman knapsack
More informationCSCE 564, Fall 2001 Notes 6 Page 1 13 Random Numbers The great metaphysical truth in the generation of random numbers is this: If you want a function
CSCE 564, Fall 2001 Notes 6 Page 1 13 Random Numbers The great metaphysical truth in the generation of random numbers is this: If you want a function that is reasonably random in behavior, then take any
More informationLattice-Based Fault Attacks on RSA Signatures
Lattice-Based Fault Attacks on RSA Signatures Mehdi Tibouchi École normale supérieure Workshop on Applied Cryptography, Singapore, 2010-12-03 Gist of this talk Review a classical attack on RSA signatures
More information