THE INSTITUTE OF ELECTRONICS, INFORMATION AND COMMUNICATION ENGINEERS
TECHNICAL REPORT OF IEICE.

Cryptanalysis of Twofish (II)

Shiho Moriai† and Yiqun Lisa Yin‡

† NTT Information Sharing Platform Laboratories, 1-1 Hikarinooka, Yokosuka, Japan
‡ NTT Multimedia Communications Laboratories, 250 Cambridge Ave., Palo Alto, CA 94306, USA

Abstract

We present truncated differential cryptanalysis of the block cipher Twofish, which is one of the five finalists for the Advanced Encryption Standard (AES). From our experimental results, we found a 16-round truncated differential with probability of about $2^{-57.3}$. One can expect to get one good pair following the truncated differential from $2^{51}$ chosen plaintexts, and there are a total of $2^{77}$ such good pairs. We also found 5-round truncated differentials which can be useful in distinguishing Twofish reduced to 5 rounds from a random permutation. This was considered to be an open problem by Knudsen.

Key words: cryptanalysis, differential cryptanalysis, truncated differential, Twofish, AES
1 Introduction

Twofish is a 128-bit block cipher proposed by Schneier et al. [SKW+98]. It is one of the five finalists of AES, and it is used in many products such as GnuPG, SSH Secure Shell, and so on [C99]. The best known attack on variants of Twofish claimed by the designers is an impossible differential attack on 6-round Twofish [F99]. Recently Knudsen [K00] showed that there are differentials for Twofish for up to 16 rounds, predicting at least 32 bits of nontrivial information in every round. The probabilities of these truncated differentials are too small to distinguish Twofish with more than a few rounds from a random permutation, but he claimed that it is possible, at least in theory, to find one good pair of plaintexts following the differential through all 16 rounds. Murphy and Robshaw [MR00] made some observations on key-dependent S-boxes and differential cryptanalysis of Twofish. Their approach was to choose the S-box to fit the differential characteristic, instead of choosing the differential characteristic to fit the S-box. They found a 6-round differential characteristic which holds for a fraction of at least of the S-boxes and claimed possible attacks on 8-round Twofish. Table 1 summarizes the known results on cryptanalysis of Twofish.

In this paper we study truncated differential cryptanalysis of Twofish. The type of truncated differentials to be used are "byte characteristics," that is, the value of the difference in a byte is only distinguished between nonzero and zero, and the measure of difference is exclusive-or. Note that Knudsen's truncated differentials were based on the integer subtraction difference between two 32-bit words. By using byte-wise characteristics instead, we can make a thorough investigation of the non-uniformity in the distribution of the differences, which was left as an open question by Knudsen [K00].

Twofish consists of both byte-oriented and non-byte-oriented operations, as shown in Figure 1.
The non-byte-oriented operations include the 1-bit rotates, addition with subkeys, and the PHT (pseudo-Hadamard transform), which consists of two additions modulo $2^n$ ($n = 32$). To search for byte characteristics of Twofish, we begin by computing the truncated differential probability of addition modulo $2^n$. Based on the efficient computation of differential probabilities of addition modulo $2^n$ shown in [M00], we give an efficient computation of truncated differential probabilities of addition modulo $2^n$ in Section 2. In Section 3, we consider truncated differential probabilities of the MDS. Finally, in Section 4 we present the truncated differentials that we found by computer experiments.

[Figure 1: Twofish. Input whitening with $K_0, \ldots, K_3$; in each round the four S-boxes (S-box 0 to S-box 3) feed the MDS on both branches (one branch preceded by a $\lll 8$ rotation), the PHT combines the two MDS outputs, subkeys $K_{2r+8}$ and $K_{2r+9}$ are added, and the results are rotated by $\lll 1$ and $\ggg 1$; 15 more rounds follow, then output whitening with $K_4, \ldots, K_7$.]

Table 1: Twofish cryptanalysis (the complexity values did not survive extraction)

round  whitening  key size  cryptanalysis            complexity  conditions                  reference
4      w/         any       distinguishing attack                                            [K00]
6      w/o        128       impossible differential                                          [F99]
6      w/o        192       impossible differential                                          [F99]
6      w/o        256       impossible differential                                          [F99]
6      w/         256       impossible differential                                          [F99]
8*     w/         any       differential attack                  > fraction of the S-boxes   [MR00]

2 Efficient Computation of Truncated Differential Probabilities of Addition Modulo $2^n$

In [M00], an efficient algorithm was presented for computing differential probabilities of addition mod $2^n$. The algorithm can be extended to compute truncated differential probabilities of addition mod $2^n$, but a straightforward extension to the case of truncated differentials can still be computationally very expensive. In this section, we study how to further speed up the computation of truncated differential probabilities.

We will follow the definitions and notation in [M00], and here we will only restate those that are directly related to our discussion below. For $x, y, z \in \mathrm{GF}(2)^n$, the function addition mod $2^n$ is defined as follows:

$$f(x, y) = x + y = z \pmod{2^n}.$$

We divide $\Delta x \in \mathrm{GF}(2)^n$ into $t$-bit subblocks and denote them by $\Delta x^{[t]}_0, \Delta x^{[t]}_1, \ldots$ from the least significant subblock. So

$$\Delta x = (\Delta x^{[t]}_{m-1}, \ldots, \Delta x^{[t]}_1, \Delta x^{[t]}_0),$$

where $m = n/t$ is the number of subblocks. A very efficient algorithm for computing differential probabilities of $f$ (denoted by $DP^f(\Delta x, \Delta y, \Delta z)$) is given in [M00]. For each triplet $(\Delta x, \Delta y, \Delta z)$, the running time of the algorithm is $O(n)$ (see footnote 1), while a naive approach would require a running time of $O(2^{2n})$.

The truncated differential probabilities for $f$ are defined as follows:

$$TDP^f(x, y, z) = \frac{1}{c} \sum_{(\Delta x, \Delta y, \Delta z) \in (x, y, z)} DP^f(\Delta x, \Delta y, \Delta z), \qquad (1)$$

where $(x, y, z)$ denotes the truncated differential (each subblock of a difference is recorded only as zero or nonzero), $(\Delta x, \Delta y, \Delta z) \in (x, y, z)$ means that the actual differences belong to that truncated differential, and $c$ is the number of pairs $(\Delta x, \Delta y)$ satisfying $(\Delta x, \Delta y) \in (x, y)$. Let $w_H(x)$ denote the Hamming weight of $x$. Then it is easy to see that

$$c = (2^t - 1)^{w_H(x) + w_H(y)}.$$

In a typical setting (e.g., byte characteristics), we have $n = 32$ and $t = 8$. So the number of possible truncated differentials is $(2^{n/t})^3 = 2^{12}$. Some of these truncated differentials may have a very large $c$ value. For example, already when $w_H(x) + w_H(y) = 6$, we have $c = (2^8 - 1)^6 \approx 2^{48}$. Therefore, computation of all truncated differential probabilities using Equation (1) can still be very expensive, even when the differential probabilities themselves can be calculated efficiently.

Footnote 1: Later the complexity was further improved to $\Theta(\log n)$ in the worst case and $\Theta(1)$ in the average case.
2.1 Basic idea

The main idea for speeding up the computation of truncated differential probabilities is to treat each subblock somewhat independently. More specifically, we will first compute some properly defined "partial sums of differential probabilities" for each subblock, ignoring the carry from one subblock to the next, and then we will join these probabilities together to obtain the total truncated differential probability for $f$.

For each subblock, we need to consider both the difference in the carry-in (denoted by $\Delta c_{in}$) from the previous subblock and the difference in the carry-out (denoted by $\Delta c_{out}$) to the next subblock. There are two possible values for $\Delta c_{in}$: 0, 1. Let $P_{\Delta c_{out}}$ denote the probability that a carry difference passes from one subblock to the next. That is,

$$P_{\Delta c_{out}} = \Pr[\Delta c_{out} = 1].$$

Based on the results in [M00], there are only three possible values for $P_{\Delta c_{out}}$: 0, 0.5, 1. For a given subblock (the $i$-th subblock), let $(x_i, y_i, z_i)$ be the values of $(x, y, z)$ restricted to the subblock. Below, we define 6 partial sums for the differential probabilities, one corresponding to each possible combination $(\Delta c_{in}, P_{\Delta c_{out}}) = (d, p)$ for $d = 0, 1$ and $p = 0, 0.5, 1$:

$$PS(x_i, y_i, z_i; d, p) = \sum_{\text{Condition PS}} DP(\Delta x^{[t]}_i, \Delta y^{[t]}_i, \Delta z^{[t]}_i), \qquad (2)$$

where Condition PS is

$$(\Delta x^{[t]}_i, \Delta y^{[t]}_i, \Delta z^{[t]}_i) \in (x_i, y_i, z_i), \quad \Delta c_{in} = d, \quad P_{\Delta c_{out}} = p.$$

2.2 Detailed algorithm

Our algorithm for computing truncated differential probabilities contains two major components: precomputing partial sums and joining partial sums of subblocks.

Precomputing partial sums. We observe that the partial sums defined by Equation (2) only depend on the values restricted to a particular subblock. Therefore, these partial sums can be precomputed and stored in a table. Typically, each of $x_i, y_i, z_i$ is just a single bit. So the total number of partial sums to be stored is $2^3 \times 6 = 48$.
Joining subblocks. Given the partial sums for any two consecutive subblocks $H$ and $L$ (each of length $t$ bits), we can compute the partial sums for the subblock $H\|L$ of length $2t$ bits. Let

$$PS_L(x_i, y_i, z_i; d, p), \quad PS_H(x_{i+1}, y_{i+1}, z_{i+1}; d, p), \quad PS_{H\|L}(x_{i+1}\|x_i,\; y_{i+1}\|y_i,\; z_{i+1}\|z_i;\; d, p)$$

denote the partial sums of differential probabilities for the corresponding subblocks. Then $PS_{H\|L}$ is computed as

$$\begin{aligned}
PS_{H\|L}(x_{i+1}\|x_i, y_{i+1}\|y_i, z_{i+1}\|z_i; d, p) ={}& PS_H(x_{i+1}, y_{i+1}, z_{i+1}; 0, p) \times PS_L(x_i, y_i, z_i; d, 0) \\
&+ PS_H(x_{i+1}, y_{i+1}, z_{i+1}; 1, p) \times PS_L(x_i, y_i, z_i; d, 1) \\
&+ PS_H(x_{i+1}, y_{i+1}, z_{i+1}; 0, p) \times PS_L(x_i, y_i, z_i; d, 0.5) \times 0.5 \\
&+ PS_H(x_{i+1}, y_{i+1}, z_{i+1}; 1, p) \times PS_L(x_i, y_i, z_i; d, 0.5) \times 0.5.
\end{aligned}$$

The carry-in difference of $H$ must equal the carry-out difference of $L$: when $P_{\Delta c_{out}}$ of $L$ is 0 or 1 this fixes the term, and when it is 0.5 both values of the carry-in difference of $H$ occur with probability one half.

In general, the two subblocks $H$ and $L$ can have any number of bits, say $t_1$ and $t_2$, respectively. Using the above formula, we can compute the new partial sums for the subblock $H\|L$ of length $(t_1 + t_2)$ bits.

Computing the total TDP. By repetitively joining successive subblocks, we can obtain the 6 partial sums $PS(x, y, z; d, p)$ for the entire block of length $n$. Since $\Delta c_{in} = 0$ for the least significant subblock, 3 of these partial sums (those with $d = 1$) actually have value zero. Therefore, the total truncated differential probability is

$$TDP^f(x, y, z) = \frac{1}{c}\Bigl[\, PS(x, y, z; 0, 0) + PS(x, y, z; 0, 0.5) + PS(x, y, z; 0, 1) \,\Bigr].$$

Efficiency analysis. The algorithm given in this section is independent of the Hamming weights of $x$ and $y$. For $n = 32$ and $t = 8$, each of the $2^{12}$ truncated differential probabilities can be computed using a constant number of table lookups, additions, and multiplications. Experiments show that all the $2^{12}$ probabilities can be computed in less than one second on a PC.

3 Truncated Differential Probabilities of MDS

The truncated differential probabilities for the MDS are defined as follows:

$$TDP^{MDS}(x, y) = \frac{1}{c} \sum_{(\Delta x, \Delta y) \in (x, y)} \Pr\bigl[MDS(X) \oplus MDS(X \oplus \Delta x) = \Delta y\bigr], \qquad (3)$$

where the probability is taken over the MDS input $X$ and $c$ is the number of $\Delta x$ satisfying $\Delta x \in x$. The distribution of $TDP^{MDS}(x, y)$ is related to the weight distribution of the MDS (Maximum Distance Separable) code. $TDP^{MDS}(x, y)$ is determined by the Hamming weights of $x$ and $y$, as Table 2 shows.

4 Search for Truncated Differentials of Twofish

In this section, we present our search results for truncated differentials of Twofish. Our search uses the differential probabilities of PHT and MDS computed in Sections 2 and 3.
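Returning to the partial-sum algorithm of Section 2, the following is an added worked example, not the paper's own code: `subblock_partial_sums` computes the table of Equation (2), `join` implements the $H\|L$ formula of Section 2.2, `tdp_table` takes the final sum of Equation (1), and `tdp_bruteforce` is the direct enumeration that the algorithm replaces, used here only as a check at tiny block sizes. The per-bit carry-difference rules of modular addition are the standard ones; the function names, the dictionary layout and the small parameters ($n = 8$, $t = 4$) are my choices.

```python
from itertools import product

# Conventions (as in the paper): a truncated difference is an m-bit pattern,
# m = n/t, whose bit i is 1 iff t-bit subblock i of the actual difference is
# nonzero; d is the carry-in difference of a subblock and p = Pr[dcout = 1].

def bit(v, i):
    return (v >> i) & 1

def subblock_partial_sums(t):
    """Equation (2): PS(x, y, z; d, p) for one t-bit subblock, as ({key: sum}, m=1).
    Carry-difference rules of addition: dz_i = dx_i ^ dy_i ^ dc_i, and
    dc_{i+1} = dx_i if dx_i = dy_i = dc_i, otherwise 0 or 1 with probability 1/2."""
    ps = {}
    for dx, dy, dz in product(range(1 << t), repeat=3):
        dc = [bit(dx, i) ^ bit(dy, i) ^ bit(dz, i) for i in range(t)]  # carry diffs
        prob = 1.0
        for i in range(1, t):
            if bit(dx, i - 1) == bit(dy, i - 1) == dc[i - 1]:
                if dc[i] != dc[i - 1]:      # deterministic carry difference violated
                    prob = 0.0
                    break
            else:
                prob *= 0.5
        if prob:
            top = t - 1
            p = float(dc[top]) if bit(dx, top) == bit(dy, top) == dc[top] else 0.5
            key = (int(dx != 0), int(dy != 0), int(dz != 0), dc[0], p)
            ps[key] = ps.get(key, 0.0) + prob
    return ps, 1

def join(hi, lo):
    """Section 2.2 'joining subblocks': partial sums of H||L from those of H and L.
    L's carry-out difference must equal H's carry-in difference dh: weight 1 when
    p_L in {0, 1} equals dh, 0.5 when p_L = 0.5, 0 otherwise."""
    (ps_h, m_h), (ps_l, m_l) = hi, lo
    out = {}
    for (xh, yh, zh, dh, p), vh in ps_h.items():
        for (xl, yl, zl, d, pl), vl in ps_l.items():
            link = 0.5 if pl == 0.5 else float(pl == dh)
            if link:
                key = (xh << m_l | xl, yh << m_l | yl, zh << m_l | zl, d, p)
                out[key] = out.get(key, 0.0) + vh * vl * link
    return out, m_h + m_l

def tdp_table(n, t):
    """TDP^f(x, y, z) for all truncated differentials of n-bit addition: join
    m = n/t copies of the t-bit table, keep d = 0 for the least significant
    subblock and divide by c = (2^t - 1)^(w_H(x) + w_H(y)) as in Equation (1)."""
    base = subblock_partial_sums(t)
    ps, m = base
    for _ in range(n // t - 1):
        ps, m = join(base, (ps, m))     # the new subblock is the high part
    table = {}
    for (x, y, z, d, _p), v in ps.items():
        if d == 0:
            c = (2 ** t - 1) ** (bin(x).count("1") + bin(y).count("1"))
            table[(x, y, z)] = table.get((x, y, z), 0.0) + v / c
    return table

def tdp_bruteforce(n, t, x, y):
    """Direct Equation (1) by exhaustive enumeration (for checking at tiny n);
    returns {z: TDP(x, y, z)}.  Exponential in n: the cost the join avoids."""
    m, mask = n // t, (1 << n) - 1
    def pattern(v):
        return sum(int((v >> (t * i)) & ((1 << t) - 1) != 0) << i for i in range(m))
    hits, total = {}, 0
    for dx, dy in product(range(1 << n), repeat=2):
        if pattern(dx) == x and pattern(dy) == y:
            for a, b in product(range(1 << n), repeat=2):
                z = pattern(((a + b) ^ ((a ^ dx) + (b ^ dy))) & mask)
                hits[z] = hits.get(z, 0) + 1
                total += 1
    return {z: k / total for z, k in hits.items()}

if __name__ == "__main__":
    # 8-bit adder in two 4-bit subblocks: all 4^3 = 64 truncated differentials
    for (x, y, z), v in sorted(tdp_table(8, 4).items()):
        print(f"x={x:02b} y={y:02b} z={z:02b}  TDP = {v:.6f}")
```

For the paper's own setting ($n = 32$, $t = 8$) the same `tdp_table(32, 8)` call works once the $2^{24}$-triple precomputation in `subblock_partial_sums(8)` has run; the joins themselves stay cheap because each table holds only a few dozen entries.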
[Table 2: Truncated differential probabilities of MDS, indexed by $w_H(x)$ (rows) and $w_H(y)$ (columns); the entries did not survive extraction.]

For speeding up the search, we first set the probability to be one for 1-bit rotations. Once we have found the truncated differentials, we then adjust the probability as follows. If the input difference (32-bit) of the 1-bit rotation is f (see footnote 2), the output difference is still f. Otherwise, we need some adjustment. For example, if the input difference of the 1-bit right rotation is 8, the output difference is 8 with probability $2^{-1}$, 4 with probability $2^{-8}$, and c otherwise (here we have multiple paths, but in most cases the multiple paths join at the next MDS).

Footnote 2: In this section we use typewriter font for the hexadecimal representation of truncated differentials.

For additions with subkeys (i.e., $f(x, k) = x + k = z \pmod{2^n}$, where $k$ is some subkey), the value corresponding to a zero key difference in our precomputed table gives the truncated differential probability when we average over all possible keys. For any fixed subkey $k$, the probability depends on $k$, and it can be larger or smaller than the average probability: the maximum probability can be 1 for a fraction of the subkeys. For easy treatment of probability after the search, we set the probability to be one for additions with subkeys.

4.1 Truncated differentials with high probability

First, we searched for truncated differentials that hold with relatively high probability, although they may not be exploited in general (well-known) cryptanalytic attacks. As Knudsen [K00] wrote, such differentials can provide some bits of nontrivial information in every round. Our computer experiments found a 12-round truncated differential with probability of about $2^{-40.9}$. In Table 3, the output difference of each round is shown in hexadecimal representation. One can expect to get one good pair following the truncated differential from about $2^{34}$ chosen plaintexts by using a structure in the last byte of the plaintext. There are a total of $2^{94}$ such good pairs.

More interestingly, we found a truncated differential for the full 16 rounds of Twofish with probability of about $2^{-57.3}$ (see Table 4). One can expect to get one good pair following the truncated differential from about $2^{51}$ chosen plaintexts, and there are $2^{28}$ such good pairs.
In [K00] Knudsen showed a 16-round truncated differential; the probability of our 16-round truncated differential is much higher than what was found by Knudsen, and the total number of good pairs for our differential is also much larger.

4.2 Truncated differentials useful for distinguishing attacks

We also searched for truncated differentials that may be useful in distinguishing attacks. As a result, we found one 4-round truncated differential and four 5-round truncated differentials (see Tables 6 and 5). The 4-round truncated differential is a path included in the 4-round truncated differential that Knudsen used for the $\chi^2$ tests in [K00, Section 5.2]. Note that Knudsen's 4-round truncated differential contains multiple paths, and its probability is much higher. Knudsen concluded that for more than 4 rounds, it is an open question how non-uniform the distribution of differences can be. Now that we have found 5-round truncated differentials with probability slightly higher than for a random permutation, in theory we can perform statistical tests such as $\chi^2$ tests. Note that the probabilities in Table 5 can be a little smaller due to 1-bit rotations, or a little larger due to the effect of multiple paths.
[Table 3: 12-round truncated differential, giving the output difference of each round in hexadecimal and the accumulated probability; the entries did not survive extraction.]

[Table 4: 16-round truncated differential, same layout as Table 3; the entries did not survive extraction.]

[Table 5: 5-round truncated differentials (four paths), same layout as Table 3; the entries did not survive extraction.]

[Table 6: 4-round truncated differential, same layout as Table 3; the entries did not survive extraction.]

5 Conclusion

We presented truncated differential cryptanalysis of the block cipher Twofish. We performed the search by computer experiments, and found a 16-round truncated differential with probability of about $2^{-57.3}$, which is much larger than previously known results. We also found 5-round truncated differentials which can be useful in distinguishing Twofish reduced to 5 rounds from a random permutation. We will implement some tests to confirm our conjecture.

References

[C99]

[F99] N. Ferguson, "Impossible differentials in Twofish," Twofish Technical Report #5, October 5, 1999.

[K00] L. R. Knudsen, "Trawling Twofish (revisited)," presentation at the rump session of AES3; public comment on AES Candidate Algorithms, Round 2. csrc.nist.gov/encryption/aes/round2/comments/lknudsen2.pdf

[K95] L. R. Knudsen, "Truncated and Higher Order Differentials," Fast Software Encryption, Second International Workshop, Lecture Notes in Computer Science 1008, pp. 196-211, Springer-Verlag, 1995.

[KN96] L. R. Knudsen and T. A. Berson, "Truncated differentials of SAFER," Fast Software Encryption, 3rd International Workshop, Lecture Notes in Computer Science 1039, pp. 15-26, Springer-Verlag, 1996.

[KRW99] L. R. Knudsen, M. J. B. Robshaw, and D. Wagner, "Truncated Differentials and Skipjack," Advances in Cryptology, CRYPTO'99, Lecture Notes in Computer Science 1666, pp. 165-180, Springer-Verlag, 1999.

[M00] S. Moriai, "Cryptanalysis of Twofish (I)," Proceedings of the 2000 Symposium on Cryptography and Information Security, Okinawa, Japan, January 26-28, 2000.

[MR00] S. Murphy and M. J. B. Robshaw, "Differential Cryptanalysis, Key-dependent S-boxes, and Twofish," public comment on AES Candidate Algorithms, Round 2. pdf

[MSAK99] S. Moriai, M. Sugita, K. Aoki, and M. Kanda, "Security of E2 against Truncated Differential Cryptanalysis," SAC'99, 6th Annual International Workshop on Selected Areas in Cryptography, Workshop Record, pp. 133-143, 1999 (to appear in Lecture Notes in Computer Science, Springer-Verlag, 2000).

[MT99] M. Matsui and T. Tokita, "Cryptanalysis of a Reduced Version of the Block Cipher E2," Fast Software Encryption, 6th International Workshop, Lecture Notes in Computer Science 1636, pp. 71-80, Springer-Verlag, 1999.

[SKW+98] B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall, and N. Ferguson, "Twofish: A 128-Bit Block Cipher."