Generic attacks and index calculus. D. J. Bernstein University of Illinois at Chicago

Size: px
Start display at page:

Download "Generic attacks and index calculus. D. J. Bernstein University of Illinois at Chicago"

Transcription

1 Generic attacks and index calculus D. J. Bernstein University of Illinois at Chicago

2 The discrete-logarithm problem Define Ô = Easy to prove: Ô is prime. Can we find an integer Ò ¾ Ô 1 such that 5Ò mod Ô = ? Easy to prove: Ò 5Ò mod Ô permutes Ô 1. So there exists an Ò such that 5Ò mod Ô = Could find Ò by brute force. Is there a faster way?

3 Typical cryptanalytic application: Ô Imagine standard = in the Diffie-Hellman protocol. User chooses secret key Ò, publishes 5Ò mod Ô = Can attacker quickly solve the discrete-logarithm problem? 5Ò Given public key mod Ô, quickly find secret key Ò? (Warning: This is one way to attack the protocol. Maybe there are better ways.)

4 Relations to ECC: 1. Some DL techniques also apply to elliptic-curve DL problems. Use in evaluating security of an elliptic curve. 2. Some techniques don t apply. Use in evaluating advantages of elliptic curves compared to multiplication. 3. Tricky: Some techniques have extra applications to some curves. See Tanja Lange s talk on Weil descent etc.

5 Understanding brute force Can compute successively 5 1 mod Ô = 5, 5 2 mod Ô = 25, 5 3 mod Ô = 125,, 5 8 mod Ô = , 5 9 mod Ô = ,, mod Ô = 1. At some point we ll find Ò with 5Ò mod Ô = Maximum cost of computation: Ô 1 mults by 5 mod Ô; Ô 1 nanoseconds on a CPU that does 1 mult/nanosecond.

6 This is negligible work for Ô But users can standardize a larger Ô, making the attack slower. Attack cost scales linearly: 2 50 mults for Ô 2 50, mults for Ô 2 100, etc. (Not exactly linearly: cost of mults grows with Ô. But this is a minor effect.)

7 Computation has a good chance of finishing earlier. Chance scales linearly: 1 2 chance of 1 2 cost; 1 10 chance of 1 10 cost; etc. So users should choose large Ò. That s pointless. We can apply random self-reduction : choose random Ö, say ; 5Ö compute mod Ô = ; 5Ö Ò compute 5 mod Ô as (5Ò ( mod Ô)) mod Ô; compute discrete log; subtract Ö mod Ô 1; obtain Ò.

8 Computation can be parallelized. One low-cost chip can run many parallel searches. Example, 2 6 e: one chip, 2 10 cores on the chip, each 2 30 mults/second? Maybe; see SHARCS workshops for detailed cost analyses. Attacker can run many parallel chips. Example, 2 30 e: 2 24 chips, so 2 34 cores, so 2 64 mults/second, so 2 89 mults/year.

9 Multiple targets and giant steps Computation can be applied to many targets at once. Given 100 DL targets 5Ò 1 mod Ô, 5Ò 2 mod Ô,, 5Ò 100 mod Ô: Can find all of Ò 1 Ò 2 Ò 100 with Ô 1 mults mod Ô. Simplest approach: First build a sorted table containing 5Ò 1 mod Ô,, 5Ò 100 mod Ô. Then check table for 5 1 mod Ô, 5 2 mod Ô, etc.

10 Interesting consequence #1: Solving all 100 DL problems isn t much harder than solving one DL problem. Interesting consequence #2: Solving at least one out of 100 DL problems is much easier than solving one DL problem. When did this computation find its first Ò? Typically (Ô 1) 100 mults.

11 Can use random self-reduction to turn a single target into multiple targets. Given 5Ò mod Ô: Choose random Ö 1 Ö 2 Ö 100. Compute 5Ö 1 5Ò mod Ô, 5Ö 2 5Ò mod Ô, etc. Solve these 100 DL problems. Typically (Ô 1) 100 mults to find at least one Ö + Ò mod Ô 1, immediately revealing Ò.

12 Also spent some mults to compute each 5Ö mod Ô: lgô mults for each. Faster: Choose Ö = Ö 1 with Ö 1 (Ô 1) 100. Compute 5Ö 1 mod Ô; 5Ö 1 5Ò mod Ô; 5 2Ö 15Ò mod Ô; 5 3Ö 15Ò mod Ô; etc. Just 1 mult for each new lgô + (Ô 1) 100 mults to find Ò given 5Ò mod Ô.

13 Faster: Increase 100 to Ô Ô. Only 2 Ô Ô mults to solve one DL problem! Shanks baby-step-giant-step discrete-logarithm algorithm. Example: Ô = , 5Ò mod Ô = Compute mod Ô = Then compute 1000 targets: Ò mod Ô = , Ò mod Ô = , Ò mod Ô = ,, Ò mod Ô =

14 Build a sorted table of targets: 2573 = Ò mod Ô, 3371 = Ò mod Ô, 3593 = Ò mod Ô, 4960 = Ò mod Ô, 5218 = Ò mod Ô,, = Ò mod Ô. Look up 5 1 mod Ô, 5 2 mod Ô, 5 3 mod Ô, etc. in this table mod Ô = ; find = Ò mod Ô in the table of targets; so 755 = Ò mod Ô 1; deduce Ò =

15 Eliminating storage Improved method: Define Ü 0 = 1; Ü +1 = 5Ü mod Ô if Ü ¾ 3Z; Ü +1 = Ü 2 mod Ô if Ü ¾ 2 + 3Z; Ü +1 = 5ÒÜ mod Ô otherwise. Then Ü = 5 Ò+ mod Ô where ( 0 0 ) = (0 0) and ( +1 +1) = ( + 1), or ( +1 +1) = (2 2 ), or ( +1 +1) = ( + 1 ). Search for a collision in Ü : Ü 1 = Ü 2? Ü 2 = Ü 4? Ü 3 = Ü 6? Ü 4 = Ü 8? Ü 5 = Ü 10? etc. Deduce linear equation for Ò.

16 The Ü s enter a cycle, typically within Ô Ô steps. Example: , Modulo : Ü 1 = 5Ò = Ü 2 = 5 2Ò = = Ü 3 = 5 2Ò+1 = = Ü 4 = 5 2Ò+2 = = Ü 5 = 5 2Ò+3 = = Ü 6 = 5 2Ò+4 = = Ü 7 = 5 4Ò+8 = = Ü 8 = 5 4Ò+9 = = etc.

17 Ü 1785 = Ò = Ü 3570 = Ò = (Cycle length is 357.) Conclude that Ò Ò (mod Ô 1), so Ò (mod (Ô 1) 6). Only 6 possible Ò s. Try each of them. Find that 5Ò mod Ô = for Ò = (Ô 1) 6, i.e., for Ò =

18 This is Pollard s rho method. Optimized: Ô Ô mults. Another method, similar speed: Pollard s kangaroo method. Can parallelize both methods. van Oorschot/Wiener parallel DL using distinguished points. Bottom line: With mults, distributed across many cores, have chance 2 Ô of finding Ò from 5Ò mod Ô. With 2 90 mults (a few years?), have chance Ô. Negligible if, e.g., Ô

19 Factors of the group order Assume 5 has order. Given Ü, a power of 5: 5 has order, and Ü is a power of 5. Compute = log 5 Ü. 5 has order, and Ü 5 is a power of 5. Compute Ñ = log 5 (Ü 5 ). Then Ü = 5 +Ñ.

20 This Pohlig-Hellman method converts an order- DL into an order- DL, an order- DL, and a few exponentiations. e.g. Ô = , Ü = : Ô 1 = 6 where = Compute log 5 6(Ü 6 ) = Compute Ü = Compute log = 3. Then Ü = = Use rho: Ô + Ô mults. Better if factors further: apply Pohlig-Hellman recursively.

21 All of the techniques so far apply to elliptic curves. An elliptic curve over FÕ has Õ + 1 points so can compute ECDL using Ô Õ elliptic-curve adds. Need quite large Õ. If largest prime divisor of number of points is much smaller than Õ then Pohlig-Hellman method computes ECDL more quickly. Need larger Õ; or change choice of curve.

22 Index calculus Have generated many group elements 5 Ò+ mod Ô. Deduced equations for Ò from random collisions. Index calculus obtains discrete-logarithm equations in a different way. Example for Ô = : Can completely factor 3 (Ô 3) as in Q so (mod Ô) so log 5 ( 1) + log log log 5 5 (mod Ô 1).

23 Can completely factor 62 (Ô + 62) as so log log 5 31 log log log log log 5 29 (mod Ô 1). Try to completely factor 1 (Ô + 1), 2 (Ô + 2), etc. Find factorization of (Ô + ) as product of powers of for each of the following s: 5100, 4675, 3128, 403, 368, 147, 3, 62, 957, 2912, 3857, 6877.

24 Each complete factorization produces a log equation. Now have 12 linear equations for log 5 2 log 5 3 log Free equations: log 5 5 = 1, (Ô log 5 ( 1) = 1) 2. By linear algebra compute log 5 2 log 5 3 log (If this hadn t been enough, could have searched more s.) By similar technique obtain discrete log of any target.

25 For Ô ½, index calculus scales surprisingly well: cost Ô where 0. Compare to rho: Ô 1 2. Specifically: searching ¾ 1 2 Ý 2, with lgý ¾ Ç( Ô lgôlg lgô), finds Ý complete factorizations into primes Ý, and computes discrete logs. (Assuming standard conjectures. Have extensive evidence.)

26 Latest index-calculus variants use the number-field sieve and the function-field sieve. To compute discrete logs in FÕ: lg cost ¾ Ç((lgÕ) 1 3 (lg lgõ) 2 3 ). For security: Õ to stop rho; Õ to stop NFS. We don t know any index-calculus methods for ECDL! except for some curves.

Arithmetic algorithms for cryptology 5 October 2015, Paris. Sieves. Razvan Barbulescu CNRS and IMJ-PRG. R. Barbulescu Sieves 0 / 28

Arithmetic algorithms for cryptology 5 October 2015, Paris. Sieves. Razvan Barbulescu CNRS and IMJ-PRG. R. Barbulescu Sieves 0 / 28 Arithmetic algorithms for cryptology 5 October 2015, Paris Sieves Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Sieves 0 / 28 Starting point Notations q prime g a generator of (F q ) X a (secret) integer

More information

Digital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document?

Digital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document? Cryptography Digital Signatures Professor: Marius Zimand Digital signatures are meant to realize authentication of the sender nonrepudiation (Note that authentication of sender is also achieved by MACs.)

More information

MATH 168: FINAL PROJECT Troels Eriksen. 1 Introduction

MATH 168: FINAL PROJECT Troels Eriksen. 1 Introduction MATH 168: FINAL PROJECT Troels Eriksen 1 Introduction In the later years cryptosystems using elliptic curves have shown up and are claimed to be just as secure as a system like RSA with much smaller key

More information

Computer Security: Principles and Practice

Computer Security: Principles and Practice Computer Security: Principles and Practice Chapter 20 Public-Key Cryptography and Message Authentication First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Public-Key Cryptography

More information

Elliptic Curve Hash (and Sign)

Elliptic Curve Hash (and Sign) Elliptic Curve Hash (and Sign) (and the 1-up problem for ECDSA) Daniel R. L. Brown Certicom Research ECC 2008, Utrecht, Sep 22-24 2008 Dan Brown (Certicom) Elliptic Curve Hash (and Sign) ECC 2008 1 / 43

More information

Study of algorithms for factoring integers and computing discrete logarithms

Study of algorithms for factoring integers and computing discrete logarithms Study of algorithms for factoring integers and computing discrete logarithms First Indo-French Workshop on Cryptography and Related Topics (IFW 2007) June 11 13, 2007 Paris, France Dr. Abhijit Das Department

More information

Elements of Applied Cryptography Public key encryption

Elements of Applied Cryptography Public key encryption Network Security Elements of Applied Cryptography Public key encryption Public key cryptosystem RSA and the factorization problem RSA in practice Other asymmetric ciphers Asymmetric Encryption Scheme Let

More information

Cryptographic Algorithms and Key Size Issues. Çetin Kaya Koç Oregon State University, Professor http://islab.oregonstate.edu/koc koc@ece.orst.

Cryptographic Algorithms and Key Size Issues. Çetin Kaya Koç Oregon State University, Professor http://islab.oregonstate.edu/koc koc@ece.orst. Cryptographic Algorithms and Key Size Issues Çetin Kaya Koç Oregon State University, Professor http://islab.oregonstate.edu/koc koc@ece.orst.edu Overview Cryptanalysis Challenge Encryption: DES AES Message

More information

An Overview of Integer Factoring Algorithms. The Problem

An Overview of Integer Factoring Algorithms. The Problem An Overview of Integer Factoring Algorithms Manindra Agrawal IITK / NUS The Problem Given an integer n, find all its prime divisors as efficiently as possible. 1 A Difficult Problem No efficient algorithm

More information

RSA Question 2. Bob thinks that p and q are primes but p isn t. Then, Bob thinks Φ Bob :=(p-1)(q-1) = φ(n). Is this true?

RSA Question 2. Bob thinks that p and q are primes but p isn t. Then, Bob thinks Φ Bob :=(p-1)(q-1) = φ(n). Is this true? RSA Question 2 Bob thinks that p and q are primes but p isn t. Then, Bob thinks Φ Bob :=(p-1)(q-1) = φ(n). Is this true? Bob chooses a random e (1 < e < Φ Bob ) such that gcd(e,φ Bob )=1. Then, d = e -1

More information

Public-Key Cryptanalysis 1: Introduction and Factoring

Public-Key Cryptanalysis 1: Introduction and Factoring Public-Key Cryptanalysis 1: Introduction and Factoring Nadia Heninger University of Pennsylvania July 21, 2013 Adventures in Cryptanalysis Part 1: Introduction and Factoring. What is public-key crypto

More information

ALGEBRAIC APPROACH TO COMPOSITE INTEGER FACTORIZATION

ALGEBRAIC APPROACH TO COMPOSITE INTEGER FACTORIZATION ALGEBRAIC APPROACH TO COMPOSITE INTEGER FACTORIZATION Aldrin W. Wanambisi 1* School of Pure and Applied Science, Mount Kenya University, P.O box 553-50100, Kakamega, Kenya. Shem Aywa 2 Department of Mathematics,

More information

Primality - Factorization

Primality - Factorization Primality - Factorization Christophe Ritzenthaler November 9, 2009 1 Prime and factorization Definition 1.1. An integer p > 1 is called a prime number (nombre premier) if it has only 1 and p as divisors.

More information

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket IT 4823 Information Security Administration Public Key Encryption Revisited April 5 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles

More information

Factoring and Discrete Log

Factoring and Discrete Log Factoring and Discrete Log Nadia Heninger University of Pennsylvania June 1, 2015 Textbook RSA [Rivest Shamir Adleman 1977] Public Key N = pq modulus e encryption exponent Private Key p, q primes d decryption

More information

What output size resists collisions in a xor of independent expansions?

What output size resists collisions in a xor of independent expansions? What output size resists collisions in a xor of independent expansions? Daniel J. Bernstein Department of Mathematics, Statistics, and Computer Science (MC 249) University of Illinois at Chicago, Chicago,

More information

FACTORING. n = 2 25 + 1. fall in the arithmetic sequence

FACTORING. n = 2 25 + 1. fall in the arithmetic sequence FACTORING The claim that factorization is harder than primality testing (or primality certification) is not currently substantiated rigorously. As some sort of backward evidence that factoring is hard,

More information

Public Key Cryptography. Performance Comparison and Benchmarking

Public Key Cryptography. Performance Comparison and Benchmarking Public Key Cryptography Performance Comparison and Benchmarking Tanja Lange Department of Mathematics Technical University of Denmark tanja@hyperelliptic.org 28.08.2006 Tanja Lange Benchmarking p. 1 What

More information

Cryptography and Network Security Chapter 10

Cryptography and Network Security Chapter 10 Cryptography and Network Security Chapter 10 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 10 Other Public Key Cryptosystems Amongst the tribes of Central

More information

Factorization Methods: Very Quick Overview

Factorization Methods: Very Quick Overview Factorization Methods: Very Quick Overview Yuval Filmus October 17, 2012 1 Introduction In this lecture we introduce modern factorization methods. We will assume several facts from analytic number theory.

More information

ELEMENTARY THOUGHTS ON DISCRETE LOGARITHMS. Carl Pomerance

ELEMENTARY THOUGHTS ON DISCRETE LOGARITHMS. Carl Pomerance ELEMENTARY THOUGHTS ON DISCRETE LOGARITHMS Carl Pomerance Given a cyclic group G with generator g, and given an element t in G, the discrete logarithm problem is that of computing an integer l with g l

More information

Factoring & Primality

Factoring & Primality Factoring & Primality Lecturer: Dimitris Papadopoulos In this lecture we will discuss the problem of integer factorization and primality testing, two problems that have been the focus of a great amount

More information

Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms Principles of Public Key Cryptography Chapter : Security Techniques Background Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Chapter : Security on Network and Transport

More information

Factoring Algorithms

Factoring Algorithms Factoring Algorithms The p 1 Method and Quadratic Sieve November 17, 2008 () Factoring Algorithms November 17, 2008 1 / 12 Fermat s factoring method Fermat made the observation that if n has two factors

More information

ECE 842 Report Implementation of Elliptic Curve Cryptography

ECE 842 Report Implementation of Elliptic Curve Cryptography ECE 842 Report Implementation of Elliptic Curve Cryptography Wei-Yang Lin December 15, 2004 Abstract The aim of this report is to illustrate the issues in implementing a practical elliptic curve cryptographic

More information

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES www.arpapress.com/volumes/vol8issue1/ijrras_8_1_10.pdf SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES Malek Jakob Kakish Amman Arab University, Department of Computer Information Systems, P.O.Box 2234,

More information

Is n a Prime Number? Manindra Agrawal. March 27, 2006, Delft. IIT Kanpur

Is n a Prime Number? Manindra Agrawal. March 27, 2006, Delft. IIT Kanpur Is n a Prime Number? Manindra Agrawal IIT Kanpur March 27, 2006, Delft Manindra Agrawal (IIT Kanpur) Is n a Prime Number? March 27, 2006, Delft 1 / 47 Overview 1 The Problem 2 Two Simple, and Slow, Methods

More information

A Factoring and Discrete Logarithm based Cryptosystem

A Factoring and Discrete Logarithm based Cryptosystem Int. J. Contemp. Math. Sciences, Vol. 8, 2013, no. 11, 511-517 HIKARI Ltd, www.m-hikari.com A Factoring and Discrete Logarithm based Cryptosystem Abdoul Aziz Ciss and Ahmed Youssef Ecole doctorale de Mathematiques

More information

Faster Cryptographic Key Exchange on Hyperelliptic Curves

Faster Cryptographic Key Exchange on Hyperelliptic Curves Faster Cryptographic Key Exchange on Hyperelliptic Curves No Author Given No Institute Given Abstract. We present a key exchange procedure based on divisor arithmetic for the real model of a hyperelliptic

More information

Lecture 3: One-Way Encryption, RSA Example

Lecture 3: One-Way Encryption, RSA Example ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

More information

FactHacks: RSA factorization in the real world

FactHacks: RSA factorization in the real world FactHacks: RSA factorization in the real world Daniel J. Bernstein University of Illinois at Chicago Technische Universiteit Eindhoven Nadia Heninger Microsoft Research New England Tanja Lange Technische

More information

Cryptography and Network Security

Cryptography and Network Security Cryptography and Network Security Fifth Edition by William Stallings Chapter 9 Public Key Cryptography and RSA Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared

More information

Outline. Cryptography. Bret Benesh. Math 331

Outline. Cryptography. Bret Benesh. Math 331 Outline 1 College of St. Benedict/St. John s University Department of Mathematics Math 331 2 3 The internet is a lawless place, and people have access to all sorts of information. What is keeping people

More information

Curve25519: new Diffie-Hellman speed records

Curve25519: new Diffie-Hellman speed records Curve25519: new Diffie-Hellman speed records Daniel J. Bernstein djb@cr.yp.to Abstract. This paper explains the design and implementation of a highsecurity elliptic-curve-diffie-hellman function achieving

More information

A New Generic Digital Signature Algorithm

A New Generic Digital Signature Algorithm Groups Complex. Cryptol.? (????), 1 16 DOI 10.1515/GCC.????.??? de Gruyter???? A New Generic Digital Signature Algorithm Jennifer Seberry, Vinhbuu To and Dongvu Tonien Abstract. In this paper, we study

More information

ChaCha, a variant of Salsa20

ChaCha, a variant of Salsa20 ChaCha, a variant of Salsa20 Daniel J. Bernstein Department of Mathematics, Statistics, and Computer Science (M/C 249) The University of Illinois at Chicago Chicago, IL 60607 7045 snuffle6@box.cr.yp.to

More information

Runtime and Implementation of Factoring Algorithms: A Comparison

Runtime and Implementation of Factoring Algorithms: A Comparison Runtime and Implementation of Factoring Algorithms: A Comparison Justin Moore CSC290 Cryptology December 20, 2003 Abstract Factoring composite numbers is not an easy task. It is classified as a hard algorithm,

More information

CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography. 8. Encryption -- CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

More information

Overview of Public-Key Cryptography

Overview of Public-Key Cryptography CS 361S Overview of Public-Key Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.1-6 slide 2 Public-Key Cryptography public key public key? private key Alice Bob Given: Everybody knows

More information

FACTORING LARGE NUMBERS, A GREAT WAY TO SPEND A BIRTHDAY

FACTORING LARGE NUMBERS, A GREAT WAY TO SPEND A BIRTHDAY FACTORING LARGE NUMBERS, A GREAT WAY TO SPEND A BIRTHDAY LINDSEY R. BOSKO I would like to acknowledge the assistance of Dr. Michael Singer. His guidance and feedback were instrumental in completing this

More information

Short Programs for functions on Curves

Short Programs for functions on Curves Short Programs for functions on Curves Victor S. Miller Exploratory Computer Science IBM, Thomas J. Watson Research Center Yorktown Heights, NY 10598 May 6, 1986 Abstract The problem of deducing a function

More information

The RSA Algorithm. Evgeny Milanov. 3 June 2009

The RSA Algorithm. Evgeny Milanov. 3 June 2009 The RSA Algorithm Evgeny Milanov 3 June 2009 In 1978, Ron Rivest, Adi Shamir, and Leonard Adleman introduced a cryptographic algorithm, which was essentially to replace the less secure National Bureau

More information

Factoring. Factoring 1

Factoring. Factoring 1 Factoring Factoring 1 Factoring Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and RSA is broken o Rabin cipher also based on factoring Factoring like

More information

High-speed cryptography and DNSCurve. D. J. Bernstein University of Illinois at Chicago

High-speed cryptography and DNSCurve. D. J. Bernstein University of Illinois at Chicago High-speed cryptography and DNSCurve D. J. Bernstein University of Illinois at Chicago Stealing Internet mail: easy! Given a mail message: Your mail software sends a DNS request, receives a server address,

More information

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009. Notes on Algebra

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009. Notes on Algebra U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009 Notes on Algebra These notes contain as little theory as possible, and most results are stated without proof. Any introductory

More information

Cryptography and Network Security Chapter 8

Cryptography and Network Security Chapter 8 Cryptography and Network Security Chapter 8 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 8 Introduction to Number Theory The Devil said to Daniel Webster:

More information

Faster deterministic integer factorisation

Faster deterministic integer factorisation David Harvey (joint work with Edgar Costa, NYU) University of New South Wales 25th October 2011 The obvious mathematical breakthrough would be the development of an easy way to factor large prime numbers

More information

Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY. Sourav Mukhopadhyay

Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY. Sourav Mukhopadhyay Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY Sourav Mukhopadhyay Cryptography and Network Security - MA61027 Modern/Public-key cryptography started in 1976 with the publication of the following paper. W. Diffie

More information

An Approach to Shorten Digital Signature Length

An Approach to Shorten Digital Signature Length Computer Science Journal of Moldova, vol.14, no.342, 2006 An Approach to Shorten Digital Signature Length Nikolay A. Moldovyan Abstract A new method is proposed to design short signature schemes based

More information

Breaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and

Breaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and Breaking The Code Ryan Lowe Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and a minor in Applied Physics. As a sophomore, he took an independent study

More information

Cryptanalysis with a cost-optimized FPGA cluster

Cryptanalysis with a cost-optimized FPGA cluster Cryptanalysis with a cost-optimized FPGA cluster Jan Pelzl, Horst Görtz Institute for IT-Security, Germany UCLA IPAM Workshop IV Special Purpose Hardware for Cryptography: Attacks and Applications December

More information

Integer Factorization using the Quadratic Sieve

Integer Factorization using the Quadratic Sieve Integer Factorization using the Quadratic Sieve Chad Seibert* Division of Science and Mathematics University of Minnesota, Morris Morris, MN 56567 seib0060@morris.umn.edu March 16, 2011 Abstract We give

More information

A SOFTWARE COMPARISON OF RSA AND ECC

A SOFTWARE COMPARISON OF RSA AND ECC International Journal Of Computer Science And Applications Vol. 2, No. 1, April / May 29 ISSN: 974-13 A SOFTWARE COMPARISON OF RSA AND ECC Vivek B. Kute Lecturer. CSE Department, SVPCET, Nagpur 9975549138

More information

THE ADVANTAGES OF ELLIPTIC CURVE CRYPTOGRAPHY FOR WIRELESS SECURITY KRISTIN LAUTER, MICROSOFT CORPORATION

THE ADVANTAGES OF ELLIPTIC CURVE CRYPTOGRAPHY FOR WIRELESS SECURITY KRISTIN LAUTER, MICROSOFT CORPORATION T OPICS IN WIRELESS SECURITY THE ADVANTAGES OF ELLIPTIC CURVE CRYPTOGRAPHY FOR WIRELESS SECURITY KRISTIN LAUTER, MICROSOFT CORPORATION Q 2 = R 1 Q 2 R 1 R 1 As the wireless industry explodes, it faces

More information

The Mathematics of the RSA Public-Key Cryptosystem

The Mathematics of the RSA Public-Key Cryptosystem The Mathematics of the RSA Public-Key Cryptosystem Burt Kaliski RSA Laboratories ABOUT THE AUTHOR: Dr Burt Kaliski is a computer scientist whose involvement with the security industry has been through

More information

Digital Signature. Raj Jain. Washington University in St. Louis

Digital Signature. Raj Jain. Washington University in St. Louis Digital Signature Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/

More information

Public Key Cryptography Overview

Public Key Cryptography Overview Ch.20 Public-Key Cryptography and Message Authentication I will talk about it later in this class Final: Wen (5/13) 1630-1830 HOLM 248» give you a sample exam» Mostly similar to homeworks» no electronic

More information

Speeding up XTR. P.O.Box 513, 5600 MB Eindhoven, The Netherlands stam@win.tue.nl

Speeding up XTR. P.O.Box 513, 5600 MB Eindhoven, The Netherlands stam@win.tue.nl Speeding up XTR Martijn Stam 1, and Arjen K. Lenstra 2 1 Technische Universiteit Eindhoven P.O.Box 513, 5600 MB Eindhoven, The Netherlands stam@win.tue.nl 2 Citibank, N.A. and Technische Universiteit Eindhoven

More information

Elliptic Curve Cryptography

Elliptic Curve Cryptography Elliptic Curve Cryptography Elaine Brow, December 2010 Math 189A: Algebraic Geometry 1. Introduction to Public Key Cryptography To understand the motivation for elliptic curve cryptography, we must first

More information

SOLUTIONS FOR PROBLEM SET 2

SOLUTIONS FOR PROBLEM SET 2 SOLUTIONS FOR PROBLEM SET 2 A: There exist primes p such that p+6k is also prime for k = 1,2 and 3. One such prime is p = 11. Another such prime is p = 41. Prove that there exists exactly one prime p such

More information

Determining the Optimal Combination of Trial Division and Fermat s Factorization Method

Determining the Optimal Combination of Trial Division and Fermat s Factorization Method Determining the Optimal Combination of Trial Division and Fermat s Factorization Method Joseph C. Woodson Home School P. O. Box 55005 Tulsa, OK 74155 Abstract The process of finding the prime factorization

More information

Shor s algorithm and secret sharing

Shor s algorithm and secret sharing Shor s algorithm and secret sharing Libor Nentvich: QC 23 April 2007: Shor s algorithm and secret sharing 1/41 Goals: 1 To explain why the factoring is important. 2 To describe the oldest and most successful

More information

Implementation of Elliptic Curve Digital Signature Algorithm

Implementation of Elliptic Curve Digital Signature Algorithm Implementation of Elliptic Curve Digital Signature Algorithm Aqeel Khalique Kuldip Singh Sandeep Sood Department of Electronics & Computer Engineering, Indian Institute of Technology Roorkee Roorkee, India

More information

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013 FACTORING CRYPTOSYSTEM MODULI WHEN THE CO-FACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II Mohammedia-Casablanca,

More information

3. Computational Complexity.

3. Computational Complexity. 3. Computational Complexity. (A) Introduction. As we will see, most cryptographic systems derive their supposed security from the presumed inability of any adversary to crack certain (number theoretic)

More information

SHARK A Realizable Special Hardware Sieving Device for Factoring 1024-bit Integers

SHARK A Realizable Special Hardware Sieving Device for Factoring 1024-bit Integers SHARK A Realizable Special Hardware Sieving Device for Factoring 1024-bit Integers Jens Franke 1, Thorsten Kleinjung 1, Christof Paar 2, Jan Pelzl 2, Christine Priplata 3, Colin Stahlke 3 1 University

More information

Table of Contents. Bibliografische Informationen http://d-nb.info/996514864. digitalisiert durch

Table of Contents. Bibliografische Informationen http://d-nb.info/996514864. digitalisiert durch 1 Introduction to Cryptography and Data Security 1 1.1 Overview of Cryptology (and This Book) 2 1.2 Symmetric Cryptography 4 1.2.1 Basics 4 1.2.2 Simple Symmetric Encryption: The Substitution Cipher...

More information

Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

More information

Techniques of Asymmetric File Encryption. Alvin Li Thomas Jefferson High School For Science and Technology Computer Systems Lab

Techniques of Asymmetric File Encryption. Alvin Li Thomas Jefferson High School For Science and Technology Computer Systems Lab Techniques of Asymmetric File Encryption Alvin Li Thomas Jefferson High School For Science and Technology Computer Systems Lab Abstract As more and more people are linking to the Internet, threats to the

More information

Authentication requirement Authentication function MAC Hash function Security of

Authentication requirement Authentication function MAC Hash function Security of UNIT 3 AUTHENTICATION Authentication requirement Authentication function MAC Hash function Security of hash function and MAC SHA HMAC CMAC Digital signature and authentication protocols DSS Slides Courtesy

More information

ELLIPTIC CURVES AND LENSTRA S FACTORIZATION ALGORITHM

ELLIPTIC CURVES AND LENSTRA S FACTORIZATION ALGORITHM ELLIPTIC CURVES AND LENSTRA S FACTORIZATION ALGORITHM DANIEL PARKER Abstract. This paper provides a foundation for understanding Lenstra s Elliptic Curve Algorithm for factoring large numbers. We give

More information

Advanced Cryptography

Advanced Cryptography Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

More information

Some facts about polynomials modulo m (Full proof of the Fingerprinting Theorem)

Some facts about polynomials modulo m (Full proof of the Fingerprinting Theorem) Some facts about polynomials modulo m (Full proof of the Fingerprinting Theorem) In order to understand the details of the Fingerprinting Theorem on fingerprints of different texts from Chapter 19 of the

More information

CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Public Key Cryptogrophy 1 Roadmap Introduction RSA Diffie-Hellman Key Exchange Public key and

More information

Notes on Factoring. MA 206 Kurt Bryan

Notes on Factoring. MA 206 Kurt Bryan The General Approach Notes on Factoring MA 26 Kurt Bryan Suppose I hand you n, a 2 digit integer and tell you that n is composite, with smallest prime factor around 5 digits. Finding a nontrivial factor

More information

CUNSHENG DING HKUST, Hong Kong. Computer Security. Computer Security. Cunsheng DING, HKUST COMP4631

CUNSHENG DING HKUST, Hong Kong. Computer Security. Computer Security. Cunsheng DING, HKUST COMP4631 Cunsheng DING, HKUST Lecture 08: Key Management for One-key Ciphers Topics of this Lecture 1. The generation and distribution of secret keys. 2. A key distribution protocol with a key distribution center.

More information

Mathematics of Cryptography Modular Arithmetic, Congruence, and Matrices. A Biswas, IT, BESU SHIBPUR

Mathematics of Cryptography Modular Arithmetic, Congruence, and Matrices. A Biswas, IT, BESU SHIBPUR Mathematics of Cryptography Modular Arithmetic, Congruence, and Matrices A Biswas, IT, BESU SHIBPUR McGraw-Hill The McGraw-Hill Companies, Inc., 2000 Set of Integers The set of integers, denoted by Z,

More information

Parallel Collision Search with Cryptanalytic Applications

Parallel Collision Search with Cryptanalytic Applications Parallel Collision Search with Cryptanalytic Applications Paul C. van Oorschot and Michael J. Wiener Nortel, P.O. Box 3511 Station C, Ottawa, Ontario, K1Y 4H7, Canada 1996 September 23 Abstract. A simple

More information

The Future of Digital Signatures. Johannes Buchmann

The Future of Digital Signatures. Johannes Buchmann The Future of Digital Signatures Johannes Buchmann Digital Signatures Digital signatures document sign signature verify valid / invalid secret public No IT-Security without digital signatures Software

More information

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

More information

The Factoring Dead Preparing for the Cryptopocalypse

The Factoring Dead Preparing for the Cryptopocalypse The Factoring Dead Preparing for the Cryptopocalypse Thomas Ptacek, Matasano Tom Ritter, isec Partners Javed Samuel, isec Partners Alex Stamos, Artemis Internet Agenda Introduction The Math New Advances

More information

Revised Version of Chapter 23. We learned long ago how to solve linear congruences. ax c (mod m)

Revised Version of Chapter 23. We learned long ago how to solve linear congruences. ax c (mod m) Chapter 23 Squares Modulo p Revised Version of Chapter 23 We learned long ago how to solve linear congruences ax c (mod m) (see Chapter 8). It s now time to take the plunge and move on to quadratic equations.

More information

Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised)

Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised) NIST Special Publication 800-56A Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised) Elaine Barker, Don Johnson, and Miles Smid C O M P U T E R S E C

More information

Capture Resilient ElGamal Signature Protocols

Capture Resilient ElGamal Signature Protocols Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department

More information

On the largest prime factor of x 2 1

On the largest prime factor of x 2 1 On the largest prime factor of x 2 1 Florian Luca and Filip Najman Abstract In this paper, we find all integers x such that x 2 1 has only prime factors smaller than 100. This gives some interesting numerical

More information

D. J. Bernstein University of Illinois at Chicago. See online version of paper, particularly for bibliography: http://cr.yp.to /papers.

D. J. Bernstein University of Illinois at Chicago. See online version of paper, particularly for bibliography: http://cr.yp.to /papers. The tangent FFT D. J. Bernstein University of Illinois at Chicago See online version of paper, particularly for bibliography: http://cr.yp.to /papers.html#tangentfft Algebraic algorithms f 0 f 1 g 0 g

More information

Notes on Network Security Prof. Hemant K. Soni

Notes on Network Security Prof. Hemant K. Soni Chapter 9 Public Key Cryptography and RSA Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications

More information

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

More information

Selecting Cryptographic Key Sizes Extended Abstract

Selecting Cryptographic Key Sizes Extended Abstract Selecting Cryptographic Key Sizes Extended Abstract Arjen K. Lenstra 1, Eric R. Verheul 2 1 Citibank, N.A., 1 North Gate Road, Mendham, NJ 07945-3104, U.S.A, arjen.lenstra@citicorp.com 2 PricewaterhouseCoopers,

More information

Computer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University

Computer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University Computer Networks Network Security and Ethics Week 14 College of Information Science and Engineering Ritsumeikan University Security Intro for Admins l Network administrators can break security into two

More information

A simple and fast algorithm for computing exponentials of power series

A simple and fast algorithm for computing exponentials of power series A simple and fast algorithm for computing exponentials of power series Alin Bostan Algorithms Project, INRIA Paris-Rocquencourt 7815 Le Chesnay Cedex France and Éric Schost ORCCA and Computer Science Department,

More information

A new probabilistic public key algorithm based on elliptic logarithms

A new probabilistic public key algorithm based on elliptic logarithms A new probabilistic public key algorithm based on elliptic logarithms Afonso Comba de Araujo Neto, Raul Fernando Weber 1 Instituto de Informática Universidade Federal do Rio Grande do Sul (UFRGS) Caixa

More information

Lecture 25: Pairing-Based Cryptography

Lecture 25: Pairing-Based Cryptography 6.897 Special Topics in Cryptography Instructors: Ran Canetti and Ron Rivest May 5, 2004 Lecture 25: Pairing-Based Cryptography Scribe: Ben Adida 1 Introduction The field of Pairing-Based Cryptography

More information

Public Key Cryptography in Practice. c Eli Biham - May 3, 2005 372 Public Key Cryptography in Practice (13)

Public Key Cryptography in Practice. c Eli Biham - May 3, 2005 372 Public Key Cryptography in Practice (13) Public Key Cryptography in Practice c Eli Biham - May 3, 2005 372 Public Key Cryptography in Practice (13) How Cryptography is Used in Applications The main drawback of public key cryptography is the inherent

More information

Primality Testing and Factorization Methods

Primality Testing and Factorization Methods Primality Testing and Factorization Methods Eli Howey May 27, 2014 Abstract Since the days of Euclid and Eratosthenes, mathematicians have taken a keen interest in finding the nontrivial factors of integers,

More information

Integer Factorisation

Integer Factorisation Integer Factorisation Vassilis Kostakos Department of Mathematical Sciences University of Bath vkostakos@yahoo.com http://www.geocities.com/vkostakos May 7, 2001 MATH0082 Double Unit Project Comparison

More information

Public Key Cryptography. c Eli Biham - March 30, 2011 258 Public Key Cryptography

Public Key Cryptography. c Eli Biham - March 30, 2011 258 Public Key Cryptography Public Key Cryptography c Eli Biham - March 30, 2011 258 Public Key Cryptography Key Exchange All the ciphers mentioned previously require keys known a-priori to all the users, before they can encrypt

More information

1720 - Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

1720 - Forward Secrecy: How to Secure SSL from Attacks by Government Agencies 1720 - Forward Secrecy: How to Secure SSL from Attacks by Government Agencies Dave Corbett Technical Product Manager Implementing Forward Secrecy 1 Agenda Part 1: Introduction Why is Forward Secrecy important?

More information

Improved Online/Offline Signature Schemes

Improved Online/Offline Signature Schemes Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion

More information