Study of algorithms for factoring integers and computing discrete logarithms

Size: px
Start display at page:

Download "Study of algorithms for factoring integers and computing discrete logarithms"

Transcription

1 Study of algorithms for factoring integers and computing discrete logarithms First Indo-French Workshop on Cryptography and Related Topics (IFW 2007) June 11 13, 2007 Paris, France Dr. Abhijit Das Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Kharagpur , India Dr. Abhijit Das First Indo-French Workshop on Cryptography and Related Topics, June 11 13, 2007, Paris Slide 1

2 The integer factorization problem (IFP) Given a positive composite integer n, compute all the prime divisors of n. The IFP is known to be a problem in the complexity class NP conp. The input size is measured by the minimum number of bits needed to encode n, which is log 2 n + 1 = O(log n). No polynomial-time algorithms are known to solve the IFP. The best known algorithms to solve the IFP run in subexponential time. These subexponential algorithms are probabilistic in nature, and their running times often lack rigorous proofs. Dr. Abhijit Das First Indo-French Workshop on Cryptography and Related Topics, June 11 13, 2007, Paris Slide 2

3 The discrete logarithm problem (DLP) Let G be a finite cyclic group of size n, and let g be a generator of G. Given a G, compute an integer x = ind g a satisfying a = g x. The index or discrete logarithm x is unique modulo n. There are certain groups where computing indices is computationally difficult. Multiplicative groups of finite fields Groups of rational points on elliptic curves defined over finite fields Jacobians of hyperelliptic curves defined over finite fields Class groups of (algebraic) number fields The finite field discrete logarithm problem is historically of similar complexity as the IFP. The subexponential algorithms for DLP are often adaptations of algorithms for factoring integers. Dr. Abhijit Das First Indo-French Workshop on Cryptography and Related Topics, June 11 13, 2007, Paris Slide 3

4 The Diffie-Hellman problem (DHP) Let G be a finite cyclic group, and g a generator of G. Given g x and g y, compute g xy. If the DLP can be solved easily, the DHP can be solved easily too. The converse implication is not proved. The DHP is relevant for groups where computing discrete logarithms is difficult. Dr. Abhijit Das First Indo-French Workshop on Cryptography and Related Topics, June 11 13, 2007, Paris Slide 4

5 Relevance to cryptography Public-key cryptography is based on the apparent intractability of solving some computational problems. The IFP, DLP and DHP are widely used in public-key systems. These problems lead to trapdoor one-way functions. The one-way-ness cannot be proved, but only believed. NP-complete problems are not found suitable for building public-key systems. Problems belonging to the class UP (unambiguous polynomial-time) are suitable. We have P UP NP. Both the inclusions are believed to be proper. Dr. Abhijit Das First Indo-French Workshop on Cryptography and Related Topics, June 11 13, 2007, Paris Slide 5

6 Cryptography examples RSA is related to the IFP. Inverting RSA keys is probabilistic polynomial-time equivalent to IFP. However, RSA decryption (without the private key) may be easier than solving the IFP. Rabin s encryption algorithm is based on the square-root problem which is probabilistic polynomial-time equivalent to the IFP. The Diffie-Hellman key exchange problem is based on the DHP. ElGamal encryption is based on the DHP. Many other encryption and signature algorithms (like ElGamal signature, DSA) are based on the DLP. IFP and DLP find applications in designing authentication schemes too. Dr. Abhijit Das First Indo-French Workshop on Cryptography and Related Topics, June 11 13, 2007, Paris Slide 6

7 Efficient implementation of modular arithmetic An old, yet interesting problem. A cryptography toolkit being developed in IIT Kharagpur runs 5 10% faster than GP/PARI for performing modular exponentiation of integers of cryptographic sizes. Exponentiation based on addition chains has been studied by my team. The goal is to generate crypto-grade exponents which lead to faster key operations than pseudorandom exponents. These works have not been published yet. Dr. Abhijit Das First Indo-French Workshop on Cryptography and Related Topics, June 11 13, 2007, Paris Slide 7

8 Fermat s method of factoring integers Let n be an odd (positive) composite integer. Given v Z n, there exist at least two u Z n such that u 2 v 2 (mod n) and u ±v (mod n). For any such pair (u,v), we obtain the non-trivial factor gcd(u v, n) of n. Examples 899 = = , and gcd(30 1, 899) = 29 is a nontrivial factor of = , and gcd(50 1, 833) = 49 is a non-trivial factor of 833. Most modern subexponential algorithms are based on locating such pairs (u, v). Dr. Abhijit Das First Indo-French Workshop on Cryptography and Related Topics, June 11 13, 2007, Paris Slide 8

9 Modern factoring algorithms Subexponential running time L(n,γ, c) = exp [ (c + o(1))(ln n) γ (ln lnn) 1 γ], 0 < γ < 1, c > 0. Algorithms with running time L[c] = L(n, 1/2, c) CFRAC (Continued fraction method) SQUFOF (Square-form factorization) QSM (Quadratic sieve method) CSM (Cubic sieve method) ECM (Elliptic curve method not based on Fermat s method) Algorithms with running time L(n, 1/3, c) SNFSM (Special number field sieve method) GNFSM (General number field sieve method) Dr. Abhijit Das First Indo-French Workshop on Cryptography and Related Topics, June 11 13, 2007, Paris Slide 9

10 A naive algorithm Choose a in the range 1 a < n and take T(a) = a 2 (mod n), 1 T(a) < n. Try to factor T(a) as T(a) = q e 1 1 q e 2 2 q e t t, where q 1, q 2,...,q t are the first t primes. If all e i are even, take u = a and v = q e 1/2 1 q e 2/2 2 q e t/2 t. In general, it is unreasonable to expect that all e i are even. Collect many such relations and combine the relations to arrive at a congruence of the form u 2 v 2 (mod n). This leads to a linear system modulo 2. The expected value of T(a) is O(n). Instead of T(a), we can also try to factor T(a) + kn for small integers k. One can use sieving while considering different values of k. Dr. Abhijit Das First Indo-French Workshop on Cryptography and Related Topics, June 11 13, 2007, Paris Slide 10

11 Quadratic sieve method (QSM) Let H = n, J = H 2 n. For a small integer a, we have (H +a) 2 T(a) (mod n), where T(a) = J +2aH +a 2. Try to factor T(a) over small primes. We have T(a) = O( n). So we get smooth candidates more frequently than in the naive method. Use sieving for running through all values of a. Running time is L[1]. We have studied some variants which reduce T(a) by small constant factors. Dr. Abhijit Das First Indo-French Workshop on Cryptography and Related Topics, June 11 13, 2007, Paris Slide 11

12 Cubic sieve method (CSM) Let the integers x,y, z satisfy x 3 y 2 z (mod n) with x 3 y 2 z as integers. For integers a,b,c with a + b + c = 0, one has (x + ay)(x + by)(x + cy) y 2 T(a, b,c) (mod n), where T(a,b,c) = z + (ab + ac + bc)x + (abc)y = b(b + c)(x + cy) + (z c 2 x). If x,y, z are O(n ξ ), then T(a,b,c) is O(n ξ ) for small values of a,b,c. The best value for ξ is 1/3. In this case T(a, b,c) is O(n 1/3 ). Use sieving for running through all triples (a, b, c) with a + b + c = 0. The best running time is L[ 2/3] = L[0.816]. Dr. Abhijit Das First Indo-French Workshop on Cryptography and Related Topics, June 11 13, 2007, Paris Slide 12

13 Our study of the CSM A heuristic idea was proposed to increase the sieving interval by 20 30%. The resulting increase in the running time of the sieving step is nominal (less than 1%). The congruence x 3 y 2 z (mod n) with x 3 y 2 z is studied. It is an open question whether one can obtain x, y, z of the order O(n ξ ) for ξ < 1/2. We proposed some heuristic counting argument to conclude that the number of solutions of the congruence with 1 x,y, z n ξ is O(n 3ξ 1 ). For ξ slightly bigger than 1/3, we expect to get a solution. It remains open how one can compute such a solution for a general value of n. Publication: Abhijit Das and C E Veni Madhavan, On the cubic sieve method for computing discrete logarithms over prime fields, International Journal of Computer Mathematics, Volume 82, Number 12, December 2005, Taylor & Francis, Dr. Abhijit Das First Indo-French Workshop on Cryptography and Related Topics, June 11 13, 2007, Paris Slide 13

14 The number field sieve method (NFSM) Take n = Choose a polynomial f(x) Z[x] and m Z such that f(m) 0 (mod n). For example, take f(x) = x 4 2x + 3 and m = 14. For this choice, f(m) = = 3n. We have (x 3 ) 2 2x 3 3x 2 (mod f(x)). This implies (14 3 ) (mod n). A non-trivial factor of n is gcd( , n) = 191. Indeed, we have n = Dr. Abhijit Das First Indo-French Workshop on Cryptography and Related Topics, June 11 13, 2007, Paris Slide 14

15 Future directions of research Efficient implementation efforts (for cryptographic and cryptanalytic algorithms). Study of the cubic sieve method, particularly, the congruence x 3 y 2 z (mod n). Study of the number field sieve method. Effective parallelization attempts, pertaining most importantly to the linear system solving stage. A high ambition: designing new subexponential algorithms (with smaller values of the exponent γ and/or the constant c). A dream: arriving at polynomial-time algorithms (possibly randomized) for the IFP and/or the DLP, or proving that no such algorithm can exist. (Note that polynomialtime quantum algorithms are known for both these problems.) Dr. Abhijit Das First Indo-French Workshop on Cryptography and Related Topics, June 11 13, 2007, Paris Slide 15

16 Thank you! Dr. Abhijit Das First Indo-French Workshop on Cryptography and Related Topics, June 11 13, 2007, Paris Slide 16

Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms Principles of Public Key Cryptography Chapter : Security Techniques Background Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Chapter : Security on Network and Transport

More information

CHAPTER 3 THE NEW MMP CRYPTO SYSTEM. mathematical problems Hidden Root Problem, Discrete Logarithm Problem and

CHAPTER 3 THE NEW MMP CRYPTO SYSTEM. mathematical problems Hidden Root Problem, Discrete Logarithm Problem and 79 CHAPTER 3 THE NEW MMP CRYPTO SYSTEM In this chapter an overview of the new Mixed Mode Paired cipher text Cryptographic System (MMPCS) is given, its three hard mathematical problems are explained, and

More information

Elements of Applied Cryptography Public key encryption

Elements of Applied Cryptography Public key encryption Network Security Elements of Applied Cryptography Public key encryption Public key cryptosystem RSA and the factorization problem RSA in practice Other asymmetric ciphers Asymmetric Encryption Scheme Let

More information

Cryptography: RSA and the discrete logarithm problem

Cryptography: RSA and the discrete logarithm problem Cryptography: and the discrete logarithm problem R. Hayden Advanced Maths Lectures Department of Computing Imperial College London February 2010 Public key cryptography Assymmetric cryptography two keys:

More information

Primality Testing and Factorization Methods

Primality Testing and Factorization Methods Primality Testing and Factorization Methods Eli Howey May 27, 2014 Abstract Since the days of Euclid and Eratosthenes, mathematicians have taken a keen interest in finding the nontrivial factors of integers,

More information

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009. Notes on Algebra

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009. Notes on Algebra U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009 Notes on Algebra These notes contain as little theory as possible, and most results are stated without proof. Any introductory

More information

Arithmetic algorithms for cryptology 5 October 2015, Paris. Sieves. Razvan Barbulescu CNRS and IMJ-PRG. R. Barbulescu Sieves 0 / 28

Arithmetic algorithms for cryptology 5 October 2015, Paris. Sieves. Razvan Barbulescu CNRS and IMJ-PRG. R. Barbulescu Sieves 0 / 28 Arithmetic algorithms for cryptology 5 October 2015, Paris Sieves Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Sieves 0 / 28 Starting point Notations q prime g a generator of (F q ) X a (secret) integer

More information

Advanced Maths Lecture 3

Advanced Maths Lecture 3 Advanced Maths Lecture 3 Next generation cryptography and the discrete logarithm problem for elliptic curves Richard A. Hayden rh@doc.ic.ac.uk EC crypto p. 1 Public key cryptography Asymmetric cryptography

More information

Table of Contents. Bibliografische Informationen http://d-nb.info/996514864. digitalisiert durch

Table of Contents. Bibliografische Informationen http://d-nb.info/996514864. digitalisiert durch 1 Introduction to Cryptography and Data Security 1 1.1 Overview of Cryptology (and This Book) 2 1.2 Symmetric Cryptography 4 1.2.1 Basics 4 1.2.2 Simple Symmetric Encryption: The Substitution Cipher...

More information

FACTORING LARGE NUMBERS, A GREAT WAY TO SPEND A BIRTHDAY

FACTORING LARGE NUMBERS, A GREAT WAY TO SPEND A BIRTHDAY FACTORING LARGE NUMBERS, A GREAT WAY TO SPEND A BIRTHDAY LINDSEY R. BOSKO I would like to acknowledge the assistance of Dr. Michael Singer. His guidance and feedback were instrumental in completing this

More information

RSA Question 2. Bob thinks that p and q are primes but p isn t. Then, Bob thinks Φ Bob :=(p-1)(q-1) = φ(n). Is this true?

RSA Question 2. Bob thinks that p and q are primes but p isn t. Then, Bob thinks Φ Bob :=(p-1)(q-1) = φ(n). Is this true? RSA Question 2 Bob thinks that p and q are primes but p isn t. Then, Bob thinks Φ Bob :=(p-1)(q-1) = φ(n). Is this true? Bob chooses a random e (1 < e < Φ Bob ) such that gcd(e,φ Bob )=1. Then, d = e -1

More information

Public-Key Cryptanalysis 1: Introduction and Factoring

Public-Key Cryptanalysis 1: Introduction and Factoring Public-Key Cryptanalysis 1: Introduction and Factoring Nadia Heninger University of Pennsylvania July 21, 2013 Adventures in Cryptanalysis Part 1: Introduction and Factoring. What is public-key crypto

More information

Public-Key Cryptography. Oregon State University

Public-Key Cryptography. Oregon State University Public-Key Cryptography Çetin Kaya Koç Oregon State University 1 Sender M Receiver Adversary Objective: Secure communication over an insecure channel 2 Solution: Secret-key cryptography Exchange the key

More information

Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY. Sourav Mukhopadhyay

Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY. Sourav Mukhopadhyay Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY Sourav Mukhopadhyay Cryptography and Network Security - MA61027 Modern/Public-key cryptography started in 1976 with the publication of the following paper. W. Diffie

More information

Faster deterministic integer factorisation

Faster deterministic integer factorisation David Harvey (joint work with Edgar Costa, NYU) University of New South Wales 25th October 2011 The obvious mathematical breakthrough would be the development of an easy way to factor large prime numbers

More information

Overview of Public-Key Cryptography

Overview of Public-Key Cryptography CS 361S Overview of Public-Key Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.1-6 slide 2 Public-Key Cryptography public key public key? private key Alice Bob Given: Everybody knows

More information

Factoring. Factoring 1

Factoring. Factoring 1 Factoring Factoring 1 Factoring Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and RSA is broken o Rabin cipher also based on factoring Factoring like

More information

3. Applications of Number Theory

3. Applications of Number Theory 3. APPLICATIONS OF NUMBER THEORY 163 3. Applications of Number Theory 3.1. Representation of Integers. Theorem 3.1.1. Given an integer b > 1, every positive integer n can be expresses uniquely as n = a

More information

Factorization Methods: Very Quick Overview

Factorization Methods: Very Quick Overview Factorization Methods: Very Quick Overview Yuval Filmus October 17, 2012 1 Introduction In this lecture we introduce modern factorization methods. We will assume several facts from analytic number theory.

More information

Integer Factorization using the Quadratic Sieve

Integer Factorization using the Quadratic Sieve Integer Factorization using the Quadratic Sieve Chad Seibert* Division of Science and Mathematics University of Minnesota, Morris Morris, MN 56567 seib0060@morris.umn.edu March 16, 2011 Abstract We give

More information

ALGEBRAIC APPROACH TO COMPOSITE INTEGER FACTORIZATION

ALGEBRAIC APPROACH TO COMPOSITE INTEGER FACTORIZATION ALGEBRAIC APPROACH TO COMPOSITE INTEGER FACTORIZATION Aldrin W. Wanambisi 1* School of Pure and Applied Science, Mount Kenya University, P.O box 553-50100, Kakamega, Kenya. Shem Aywa 2 Department of Mathematics,

More information

MATH 168: FINAL PROJECT Troels Eriksen. 1 Introduction

MATH 168: FINAL PROJECT Troels Eriksen. 1 Introduction MATH 168: FINAL PROJECT Troels Eriksen 1 Introduction In the later years cryptosystems using elliptic curves have shown up and are claimed to be just as secure as a system like RSA with much smaller key

More information

The Mathematics of the RSA Public-Key Cryptosystem

The Mathematics of the RSA Public-Key Cryptosystem The Mathematics of the RSA Public-Key Cryptosystem Burt Kaliski RSA Laboratories ABOUT THE AUTHOR: Dr Burt Kaliski is a computer scientist whose involvement with the security industry has been through

More information

Elementary Number Theory We begin with a bit of elementary number theory, which is concerned

Elementary Number Theory We begin with a bit of elementary number theory, which is concerned CONSTRUCTION OF THE FINITE FIELDS Z p S. R. DOTY Elementary Number Theory We begin with a bit of elementary number theory, which is concerned solely with questions about the set of integers Z = {0, ±1,

More information

UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering. Introduction to Cryptography ECE 597XX/697XX

UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering. Introduction to Cryptography ECE 597XX/697XX UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 6 Introduction to Public-Key Cryptography Israel Koren ECE597/697 Koren Part.6.1

More information

The RSA Algorithm: A Mathematical History of the Ubiquitous Cryptological Algorithm

The RSA Algorithm: A Mathematical History of the Ubiquitous Cryptological Algorithm The RSA Algorithm: A Mathematical History of the Ubiquitous Cryptological Algorithm Maria D. Kelly December 7, 2009 Abstract The RSA algorithm, developed in 1977 by Rivest, Shamir, and Adlemen, is an algorithm

More information

CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography. 8. Encryption -- CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

More information

FACTORING. n = 2 25 + 1. fall in the arithmetic sequence

FACTORING. n = 2 25 + 1. fall in the arithmetic sequence FACTORING The claim that factorization is harder than primality testing (or primality certification) is not currently substantiated rigorously. As some sort of backward evidence that factoring is hard,

More information

A Factoring and Discrete Logarithm based Cryptosystem

A Factoring and Discrete Logarithm based Cryptosystem Int. J. Contemp. Math. Sciences, Vol. 8, 2013, no. 11, 511-517 HIKARI Ltd, www.m-hikari.com A Factoring and Discrete Logarithm based Cryptosystem Abdoul Aziz Ciss and Ahmed Youssef Ecole doctorale de Mathematiques

More information

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013 FACTORING CRYPTOSYSTEM MODULI WHEN THE CO-FACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II Mohammedia-Casablanca,

More information

RSA and Primality Testing

RSA and Primality Testing and Primality Testing Joan Boyar, IMADA, University of Southern Denmark Studieretningsprojekter 2010 1 / 81 Correctness of cryptography cryptography Introduction to number theory Correctness of with 2

More information

Breaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and

Breaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and Breaking The Code Ryan Lowe Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and a minor in Applied Physics. As a sophomore, he took an independent study

More information

Discrete Mathematics, Chapter 4: Number Theory and Cryptography

Discrete Mathematics, Chapter 4: Number Theory and Cryptography Discrete Mathematics, Chapter 4: Number Theory and Cryptography Richard Mayr University of Edinburgh, UK Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 1 / 35 Outline 1 Divisibility

More information

Factoring & Primality

Factoring & Primality Factoring & Primality Lecturer: Dimitris Papadopoulos In this lecture we will discuss the problem of integer factorization and primality testing, two problems that have been the focus of a great amount

More information

Implementation of Elliptic Curve Digital Signature Algorithm

Implementation of Elliptic Curve Digital Signature Algorithm Implementation of Elliptic Curve Digital Signature Algorithm Aqeel Khalique Kuldip Singh Sandeep Sood Department of Electronics & Computer Engineering, Indian Institute of Technology Roorkee Roorkee, India

More information

Cryptography and Network Security

Cryptography and Network Security Cryptography and Network Security Fifth Edition by William Stallings Chapter 9 Public Key Cryptography and RSA Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared

More information

Primality - Factorization

Primality - Factorization Primality - Factorization Christophe Ritzenthaler November 9, 2009 1 Prime and factorization Definition 1.1. An integer p > 1 is called a prime number (nombre premier) if it has only 1 and p as divisors.

More information

An Overview of Integer Factoring Algorithms. The Problem

An Overview of Integer Factoring Algorithms. The Problem An Overview of Integer Factoring Algorithms Manindra Agrawal IITK / NUS The Problem Given an integer n, find all its prime divisors as efficiently as possible. 1 A Difficult Problem No efficient algorithm

More information

RSA Attacks. By Abdulaziz Alrasheed and Fatima

RSA Attacks. By Abdulaziz Alrasheed and Fatima RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.

More information

Public Key Cryptography. Performance Comparison and Benchmarking

Public Key Cryptography. Performance Comparison and Benchmarking Public Key Cryptography Performance Comparison and Benchmarking Tanja Lange Department of Mathematics Technical University of Denmark tanja@hyperelliptic.org 28.08.2006 Tanja Lange Benchmarking p. 1 What

More information

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

More information

On Factoring Integers and Evaluating Discrete Logarithms

On Factoring Integers and Evaluating Discrete Logarithms On Factoring Integers and Evaluating Discrete Logarithms A thesis presented by JOHN AARON GREGG to the departments of Mathematics and Computer Science in partial fulfillment of the honors requirements

More information

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES www.arpapress.com/volumes/vol8issue1/ijrras_8_1_10.pdf SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES Malek Jakob Kakish Amman Arab University, Department of Computer Information Systems, P.O.Box 2234,

More information

Cryptography and Network Security Chapter 10

Cryptography and Network Security Chapter 10 Cryptography and Network Security Chapter 10 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 10 Other Public Key Cryptosystems Amongst the tribes of Central

More information

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The Diffie-Hellman key-exchange protocol may naturally be extended to k > 2

More information

Prime Numbers The generation of prime numbers is needed for many public key algorithms:

Prime Numbers The generation of prime numbers is needed for many public key algorithms: CA547: CRYPTOGRAPHY AND SECURITY PROTOCOLS 1 7 Number Theory 2 7.1 Prime Numbers Prime Numbers The generation of prime numbers is needed for many public key algorithms: RSA: Need to find p and q to compute

More information

Cryptography and Network Security Chapter 8

Cryptography and Network Security Chapter 8 Cryptography and Network Security Chapter 8 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 8 Introduction to Number Theory The Devil said to Daniel Webster:

More information

QUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University

QUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University QUANTUM COMPUTERS AND CRYPTOGRAPHY Mark Zhandry Stanford University Classical Encryption pk m c = E(pk,m) sk m = D(sk,c) m??? Quantum Computing Attack pk m aka Post-quantum Crypto c = E(pk,m) sk m = D(sk,c)

More information

Homework 5 Solutions

Homework 5 Solutions Homework 5 Solutions 4.2: 2: a. 321 = 256 + 64 + 1 = (01000001) 2 b. 1023 = 512 + 256 + 128 + 64 + 32 + 16 + 8 + 4 + 2 + 1 = (1111111111) 2. Note that this is 1 less than the next power of 2, 1024, which

More information

Factoring Algorithms

Factoring Algorithms Factoring Algorithms The p 1 Method and Quadratic Sieve November 17, 2008 () Factoring Algorithms November 17, 2008 1 / 12 Fermat s factoring method Fermat made the observation that if n has two factors

More information

PUBLIC KEY ENCRYPTION

PUBLIC KEY ENCRYPTION PUBLIC KEY ENCRYPTION http://www.tutorialspoint.com/cryptography/public_key_encryption.htm Copyright tutorialspoint.com Public Key Cryptography Unlike symmetric key cryptography, we do not find historical

More information

Digital Signature. Raj Jain. Washington University in St. Louis

Digital Signature. Raj Jain. Washington University in St. Louis Digital Signature Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/

More information

I. GROUPS: BASIC DEFINITIONS AND EXAMPLES

I. GROUPS: BASIC DEFINITIONS AND EXAMPLES I GROUPS: BASIC DEFINITIONS AND EXAMPLES Definition 1: An operation on a set G is a function : G G G Definition 2: A group is a set G which is equipped with an operation and a special element e G, called

More information

Is n a Prime Number? Manindra Agrawal. March 27, 2006, Delft. IIT Kanpur

Is n a Prime Number? Manindra Agrawal. March 27, 2006, Delft. IIT Kanpur Is n a Prime Number? Manindra Agrawal IIT Kanpur March 27, 2006, Delft Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 1 / 47 Overview 1 The Problem 2 Two Simple, and Slow, Methods

More information

The Quadratic Sieve Factoring Algorithm

The Quadratic Sieve Factoring Algorithm The Quadratic Sieve Factoring Algorithm Eric Landquist MATH 488: Cryptographic Algorithms December 14, 2001 1 Introduction Mathematicians have been attempting to find better and faster ways to factor composite

More information

A New Generic Digital Signature Algorithm

A New Generic Digital Signature Algorithm Groups Complex. Cryptol.? (????), 1 16 DOI 10.1515/GCC.????.??? de Gruyter???? A New Generic Digital Signature Algorithm Jennifer Seberry, Vinhbuu To and Dongvu Tonien Abstract. In this paper, we study

More information

Chapter 9. Computational Number Theory. 9.1 The basic groups Integers mod N Groups

Chapter 9. Computational Number Theory. 9.1 The basic groups Integers mod N Groups Chapter 9 Computational Number Theory 9.1 The basic groups We let Z = {..., 2, 1,0,1,2,...} denote the set of integers. We let Z + = {1,2,...} denote the set of positive integers and N = {0,1,2,...} the

More information

Introduction to Security Proof of Cryptosystems

Introduction to Security Proof of Cryptosystems Introduction to Security Proof of Cryptosystems D. J. Guan November 16, 2007 Abstract Provide proof of security is the most important work in the design of cryptosystems. Problem reduction is a tool to

More information

Cryptography and Network Security Number Theory

Cryptography and Network Security Number Theory Cryptography and Network Security Number Theory Xiang-Yang Li Introduction to Number Theory Divisors b a if a=mb for an integer m b a and c b then c a b g and b h then b (mg+nh) for any int. m,n Prime

More information

Public-Key Cryptanalysis

Public-Key Cryptanalysis To appear in Recent Trends in Cryptography, I. Luengo (Ed.), Contemporary Mathematics series, AMS-RSME, 2008. Public-Key Cryptanalysis Phong Q. Nguyen Abstract. In 1976, Diffie and Hellman introduced the

More information

Factoring Report. MEC Consulting (communicated via RSA Security) Dr.Preda Mihailescu

Factoring Report. MEC Consulting (communicated via RSA Security) Dr.Preda Mihailescu Factoring Report 2001 12 4 MEC Consulting (communicated via RSA Security) Dr.Preda Mihailescu Factoring Report Dr. Preda Mihailescu MEC Consulting Seestr. 78, 8700 Erlenbach Zürich Email: preda@upb.de

More information

MA2C03 Mathematics School of Mathematics, Trinity College Hilary Term 2016 Lecture 59 (April 1, 2016) David R. Wilkins

MA2C03 Mathematics School of Mathematics, Trinity College Hilary Term 2016 Lecture 59 (April 1, 2016) David R. Wilkins MA2C03 Mathematics School of Mathematics, Trinity College Hilary Term 2016 Lecture 59 (April 1, 2016) David R. Wilkins The RSA encryption scheme works as follows. In order to establish the necessary public

More information

Notes on Factoring. MA 206 Kurt Bryan

Notes on Factoring. MA 206 Kurt Bryan The General Approach Notes on Factoring MA 26 Kurt Bryan Suppose I hand you n, a 2 digit integer and tell you that n is composite, with smallest prime factor around 5 digits. Finding a nontrivial factor

More information

Secure Network Communication Part II II Public Key Cryptography. Public Key Cryptography

Secure Network Communication Part II II Public Key Cryptography. Public Key Cryptography Kommunikationssysteme (KSy) - Block 8 Secure Network Communication Part II II Public Key Cryptography Dr. Andreas Steffen 2000-2001 A. Steffen, 28.03.2001, KSy_RSA.ppt 1 Secure Key Distribution Problem

More information

CHAPTER 5. Number Theory. 1. Integers and Division. Discussion

CHAPTER 5. Number Theory. 1. Integers and Division. Discussion CHAPTER 5 Number Theory 1. Integers and Division 1.1. Divisibility. Definition 1.1.1. Given two integers a and b we say a divides b if there is an integer c such that b = ac. If a divides b, we write a

More information

Index Calculation Attacks on RSA Signature and Encryption

Index Calculation Attacks on RSA Signature and Encryption Index Calculation Attacks on RSA Signature and Encryption Jean-Sébastien Coron 1, Yvo Desmedt 2, David Naccache 1, Andrew Odlyzko 3, and Julien P. Stern 4 1 Gemplus Card International {jean-sebastien.coron,david.naccache}@gemplus.com

More information

Factoring pq 2 with Quadratic Forms: Nice Cryptanalyses

Factoring pq 2 with Quadratic Forms: Nice Cryptanalyses Factoring pq 2 with Quadratic Forms: Nice Cryptanalyses Phong Nguyễn http://www.di.ens.fr/~pnguyen & ASIACRYPT 2009 Joint work with G. Castagnos, A. Joux and F. Laguillaumie Summary Factoring A New Factoring

More information

MA257: INTRODUCTION TO NUMBER THEORY LECTURE NOTES

MA257: INTRODUCTION TO NUMBER THEORY LECTURE NOTES MA257: INTRODUCTION TO NUMBER THEORY LECTURE NOTES 2016 47 4. Diophantine Equations A Diophantine Equation is simply an equation in one or more variables for which integer (or sometimes rational) solutions

More information

Computer and Network Security

Computer and Network Security MIT 6.857 Computer and Networ Security Class Notes 1 File: http://theory.lcs.mit.edu/ rivest/notes/notes.pdf Revision: December 2, 2002 Computer and Networ Security MIT 6.857 Class Notes by Ronald L. Rivest

More information

Lukasz Pater CMMS Administrator and Developer

Lukasz Pater CMMS Administrator and Developer Lukasz Pater CMMS Administrator and Developer EDMS 1373428 Agenda Introduction Why do we need asymmetric ciphers? One-way functions RSA Cipher Message Integrity Examples Secure Socket Layer Single Sign

More information

Smooth numbers and the quadratic sieve

Smooth numbers and the quadratic sieve Algorithmic Number Theory MSRI Publications Volume 44, 2008 Smooth numbers and the quadratic sieve CARL POMERANCE ABSTRACT. This article gives a gentle introduction to factoring large integers via the

More information

Network Security. Chapter 2 Basics 2.2 Public Key Cryptography. Public Key Cryptography. Public Key Cryptography

Network Security. Chapter 2 Basics 2.2 Public Key Cryptography. Public Key Cryptography. Public Key Cryptography Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Encryption/Decryption using Public Key Cryptography Network Security Chapter 2 Basics 2.2 Public Key Cryptography

More information

NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES

NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES Ounasser Abid 1, Jaouad Ettanfouhi 2 and Omar Khadir 3 1,2,3 Laboratory of Mathematics, Cryptography and Mechanics, Department of Mathematics, Fstm,

More information

2. Cryptography 2.4 Digital Signatures

2. Cryptography 2.4 Digital Signatures DI-FCT-UNL Computer and Network Systems Security Segurança de Sistemas e Redes de Computadores 2010-2011 2. Cryptography 2.4 Digital Signatures 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures

More information

Public Key Cryptography: RSA and Lots of Number Theory

Public Key Cryptography: RSA and Lots of Number Theory Public Key Cryptography: RSA and Lots of Number Theory Public vs. Private-Key Cryptography We have just discussed traditional symmetric cryptography: Uses a single key shared between sender and receiver

More information

Number theory Harald Hanche-Olsen

Number theory Harald Hanche-Olsen TMA4155 Cryptography, intro 2010 Number theory Harald Hanche-Olsen http://www.math.ntnu.no/~hanche/ Congruences, or modular arithmetic Arithmetic modulo 12 or 24 is familiar to anyone using a clock, though

More information

Is this number prime? Berkeley Math Circle Kiran Kedlaya

Is this number prime? Berkeley Math Circle Kiran Kedlaya Is this number prime? Berkeley Math Circle 2002 2003 Kiran Kedlaya Given a positive integer, how do you check whether it is prime (has itself and 1 as its only two positive divisors) or composite (not

More information

Public Key Cryptography. c Eli Biham - March 30, 2011 258 Public Key Cryptography

Public Key Cryptography. c Eli Biham - March 30, 2011 258 Public Key Cryptography Public Key Cryptography c Eli Biham - March 30, 2011 258 Public Key Cryptography Key Exchange All the ciphers mentioned previously require keys known a-priori to all the users, before they can encrypt

More information

Elliptic Curve Cryptography

Elliptic Curve Cryptography Elliptic Curve Cryptography Elaine Brow, December 2010 Math 189A: Algebraic Geometry 1. Introduction to Public Key Cryptography To understand the motivation for elliptic curve cryptography, we must first

More information

ECE 842 Report Implementation of Elliptic Curve Cryptography

ECE 842 Report Implementation of Elliptic Curve Cryptography ECE 842 Report Implementation of Elliptic Curve Cryptography Wei-Yang Lin December 15, 2004 Abstract The aim of this report is to illustrate the issues in implementing a practical elliptic curve cryptographic

More information

Signature Schemes. CSG 252 Fall 2006. Riccardo Pucella

Signature Schemes. CSG 252 Fall 2006. Riccardo Pucella Signature Schemes CSG 252 Fall 2006 Riccardo Pucella Signatures Signatures in real life have a number of properties They specify the person responsible for a document E.g. that it has been produced by

More information

THE MATHEMATICS OF PUBLIC KEY CRYPTOGRAPHY.

THE MATHEMATICS OF PUBLIC KEY CRYPTOGRAPHY. THE MATHEMATICS OF PUBLIC KEY CRYPTOGRAPHY. IAN KIMING 1. Forbemærkning. Det kan forekomme idiotisk, at jeg som dansktalende og skrivende i et danskbaseret tidsskrift med en (formentlig) primært dansktalende

More information

Library (versus Language) Based Parallelism in Factoring: Experiments in MPI. Dr. Michael Alexander Dr. Sonja Sewera.

Library (versus Language) Based Parallelism in Factoring: Experiments in MPI. Dr. Michael Alexander Dr. Sonja Sewera. Library (versus Language) Based Parallelism in Factoring: Experiments in MPI Dr. Michael Alexander Dr. Sonja Sewera Talk 2007-10-19 Slide 1 of 20 Primes Definitions Prime: A whole number n is a prime number

More information

Improved Online/Offline Signature Schemes

Improved Online/Offline Signature Schemes Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion

More information

UOSEC Week 2: Asymmetric Cryptography. Frank IRC kee Adam IRC xe0 IRC: irc.freenode.net #0x4f

UOSEC Week 2: Asymmetric Cryptography. Frank IRC kee Adam IRC xe0 IRC: irc.freenode.net #0x4f UOSEC Week 2: Asymmetric Cryptography Frank farana@uoregon.edu IRC kee Adam pond2@uoregon.edu IRC xe0 IRC: irc.freenode.net #0x4f Agenda HackIM CTF Results GITSC CTF this Saturday 10:00am Basics of Asymmetric

More information

Primality - Factorization

Primality - Factorization Primality - Factorization Christophe Ritzenthaler February 8, 2016 1 Primality Definition 1.1. An integer p > 1 is called a prime number if it has only 1 and p as divisors. Example 1. There are infinitely

More information

ELEMENTARY THOUGHTS ON DISCRETE LOGARITHMS. Carl Pomerance

ELEMENTARY THOUGHTS ON DISCRETE LOGARITHMS. Carl Pomerance ELEMENTARY THOUGHTS ON DISCRETE LOGARITHMS Carl Pomerance Given a cyclic group G with generator g, and given an element t in G, the discrete logarithm problem is that of computing an integer l with g l

More information

Problem Set 7 - Fall 2008 Due Tuesday, Oct. 28 at 1:00

Problem Set 7 - Fall 2008 Due Tuesday, Oct. 28 at 1:00 18.781 Problem Set 7 - Fall 2008 Due Tuesday, Oct. 28 at 1:00 Throughout this assignment, f(x) always denotes a polynomial with integer coefficients. 1. (a) Show that e 32 (3) = 8, and write down a list

More information

Introduction. Digital Signature

Introduction. Digital Signature Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

More information

Public Key Cryptography and RSA. Review: Number Theory Basics

Public Key Cryptography and RSA. Review: Number Theory Basics Public Key Cryptography and RSA Murat Kantarcioglu Based on Prof. Ninghui Li s Slides Review: Number Theory Basics Definition An integer n > 1 is called a prime number if its positive divisors are 1 and

More information

Cryptography. Course 2: attacks against RSA. Jean-Sébastien Coron. September 26, Université du Luxembourg

Cryptography. Course 2: attacks against RSA. Jean-Sébastien Coron. September 26, Université du Luxembourg Course 2: attacks against RSA Université du Luxembourg September 26, 2010 Attacks against RSA Factoring Equivalence between factoring and breaking RSA? Mathematical attacks Attacks against plain RSA encryption

More information

9 Modular Exponentiation and Cryptography

9 Modular Exponentiation and Cryptography 9 Modular Exponentiation and Cryptography 9.1 Modular Exponentiation Modular arithmetic is used in cryptography. In particular, modular exponentiation is the cornerstone of what is called the RSA system.

More information

Lecture 13 - Basic Number Theory.

Lecture 13 - Basic Number Theory. Lecture 13 - Basic Number Theory. Boaz Barak March 22, 2010 Divisibility and primes Unless mentioned otherwise throughout this lecture all numbers are non-negative integers. We say that A divides B, denoted

More information

LUC: A New Public Key System

LUC: A New Public Key System LUC: A New Public Key System Peter J. Smith a and Michael J. J. Lennon b a LUC Partners, Auckland UniServices Ltd, The University of Auckland, Private Bag 92019, Auckland, New Zealand. b Department of

More information

Faster Cryptographic Key Exchange on Hyperelliptic Curves

Faster Cryptographic Key Exchange on Hyperelliptic Curves Faster Cryptographic Key Exchange on Hyperelliptic Curves No Author Given No Institute Given Abstract. We present a key exchange procedure based on divisor arithmetic for the real model of a hyperelliptic

More information

Advanced Cryptography

Advanced Cryptography Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

More information

Cryptography and Network Security

Cryptography and Network Security Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 7: Public-key cryptography and RSA Ion Petre Department of IT, Åbo Akademi University 1 Some unanswered questions

More information

Factoring and Discrete Log

Factoring and Discrete Log Factoring and Discrete Log Nadia Heninger University of Pennsylvania June 1, 2015 Textbook RSA [Rivest Shamir Adleman 1977] Public Key N = pq modulus e encryption exponent Private Key p, q primes d decryption

More information

Public Key Cryptography. Basic Public Key Cryptography

Public Key Cryptography. Basic Public Key Cryptography Public Key Cryptography EJ Jung Basic Public Key Cryptography public key public key? private key Alice Bob Given: Everybody knows Bob s public key - How is this achieved in practice? Only Bob knows the

More information

Lecture 3: One-Way Encryption, RSA Example

Lecture 3: One-Way Encryption, RSA Example ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

More information