PublicKey Cryptanalysis 1: Introduction and Factoring


 Shavonne Gallagher
 3 years ago
 Views:
Transcription
1 PublicKey Cryptanalysis 1: Introduction and Factoring Nadia Heninger University of Pennsylvania July 21, 2013
2 Adventures in Cryptanalysis Part 1: Introduction and Factoring. What is publickey crypto really based on? How to break RSA from the comfort of your very own home. Part 2: Generating keys. How not to generate your crypto keys. And how many people who should know better have screwed it up. Part 3: Breaking keys with lattices. How fragile is RSA? And why not to post your private keys to Pastebin.
3
4
5 Textbook DiffieHellman [Diffie Hellman 1976] Public Parameters G a group (e.g. F p, or an elliptic curve) g group generator Key Exchange g a g b g ab g ab
6 Computational problems Discrete Log Problem: Given g a, compute a. Solving this problem permits attacker to compute shared key by computing a and raising (g b ) a. Discrete log is in NP and conp not NPcomplete (unless P=NP or similar).
7 Computational problems DiffieHellman problem Problem: Given g a, g b, compute g ab. Exactly problem of computing shared key from public information. Reduces to discrete log in some cases: DiffieHellman is as strong as discrete log for certain primes [den Boer 1988] both problems are (probabilistically) polynomialtime equivalent if the totient of p 1 has only small prime factors Towards the equivalence of breaking the DiffieHellman protocol and computing discrete logarithms [Maurer 1994] if... an elliptic curve with smooth order can be construted efficiently, then... [the discrete log] can be reduced efficiently to breakingthe DiffieHellman protocol (Computational) DiffieHellman assumption: This problem is hard in general.
8
9
10
11 Textbook RSA [Rivest Shamir Adleman 1977] Public Key N = pq modulus e encryption exponent Private Key p, q primes d decryption exponent (d = e 1 mod (p 1)(q 1)) Encryption public key = (N, e) ciphertext = message e mod N message = ciphertext d mod N
12 Textbook RSA [Rivest Shamir Adleman 1977] Public Key N = pq modulus e encryption exponent Private Key p, q primes d decryption exponent (d = e 1 mod (p 1)(q 1)) Signing public key = (N, e) signature = message d mod N message = signature e mod N
13 Computational problems Factoring Problem: Given N, compute its prime factors. Computationally equivalent to computing private key d. Factoring is in NP and conp not NPcomplete (unless P=NP or similar).
14 Computational problems eth roots mod N Problem: Given N, e, and c, compute x such that x e c mod N. Equivalent to decrypting an RSAencrypted ciphertext. Equivalent to selective forgery of RSA signatures. Conflicting results about whether it reduces to factoring: Breaking RSA may not be equivalent to factoring [Boneh Venkatesan 1998] an algebraic reduction from factoring to breaking lowexponent RSA can be converted into an efficient factoring algorithm Breaking RSA generically is equivalent to factoring [Aggarwal Maurer 2009] a generic ring algorithm for breaking RSA in Z N can be converted into an algorithm for factoring RSA assumption : This problem is hard.
15 Public service announcement: Textbook RSA is insecure RSA encryption is homomorphic under multiplication. This lets an attacker do all sorts of fun things: Attack: Malleability Given a ciphertext c = m e mod N, ca e mod N is an encryption of ma for any a chosen by attacker. Attack: Chosen ciphertext attack Given a ciphertext c, attacker asks for decryption of ca e mod N and divides by a to obtain m. Attack: Signature forgery Attacker convinces a signer to sign z = xy e mod N and computes a valid signature of x as z d /y mod N. So in practice we always use padding on messages.
16
17 The DSA Algorithm DSA Public Key p prime q prime, divides (p 1) g generator of subgroup of order q mod p y = g x mod p Private Key x private key Verify u 1 = H(m)s 1 mod q u 2 = rs 1 mod q r? = g u 1 y u 2 mod p mod q Sign Generate random k. r = g k mod p mod q s = k 1 (H(m) + xr) mod q
18 Computational problems Discrete Log Breaking DSA is equivalent to computing discrete logs in the random oracle model. [Pointcheval, Vaudenay 96]
19
20 The rest of this lecture.
21
22 Not ethical research.
23
24
25
26 The other two lectures.
27 Factoring (and discrete log) the hard way Some material borrowed from Dan Bernstein and Tanja Lange
28 Preliminaries: Using Sage Working code examples will be given in Sage. Sage is free open source mathematics software. Download from Sage is based on Python sage: 2*3 6
29 Preliminaries: Using Sage Working code examples will be given in Sage. Sage is free open source mathematics software. Download from Sage is based on Python, but there are a few differences: sage: 2^3 8 ˆ is exponentiation, not xor
30 Preliminaries: Using Sage Working code examples will be given in Sage. Sage is free open source mathematics software. Download from Sage is based on Python, but there are a few differences: sage: 2^3 8 ˆ is exponentiation, not xor It has lots of useful libraries: sage: factor(15) 3 * 5
31 Preliminaries: Using Sage Working code examples will be given in Sage. Sage is free open source mathematics software. Download from Sage is based on Python, but there are a few differences: sage: 2^3 8 ˆ is exponentiation, not xor It has lots of useful libraries: sage: factor(15) 3 * 5 sage: factor(x^21) (x  1) * (x + 1)
32 Practicing Sage and Textbook RSA Key generation: sage: p = random_prime(2^512); q = random_prime(2^512) sage: N = p*q sage: e = sage: d = inverse_mod(e,(p1)*(q1)) Encryption: sage: m = Integer( helloworld,base=35) sage: c = pow(m,65537,n) Decryption: sage: Integer(pow(c,d,N)).str(base=35) helloworld
33 So how hard is factoring?
34 So how hard is factoring? sage: time factor(random_prime(2^32)*random_prime(2^32))
35 So how hard is factoring? sage: time factor(random_prime(2^32)*random_prime(2^32)) * Time: CPU 0.01 s, Wall: 0.01 s
36 So how hard is factoring? sage: time factor(random_prime(2^32)*random_prime(2^32)) * Time: CPU 0.01 s, Wall: 0.01 s sage: time factor(random_prime(2^64)*random_prime(2^64))
37 So how hard is factoring? sage: time factor(random_prime(2^32)*random_prime(2^32)) * Time: CPU 0.01 s, Wall: 0.01 s sage: time factor(random_prime(2^64)*random_prime(2^64)) * Time: CPU 0.13 s, Wall: 0.15 s
38 So how hard is factoring? sage: time factor(random_prime(2^32)*random_prime(2^32)) * Time: CPU 0.01 s, Wall: 0.01 s sage: time factor(random_prime(2^64)*random_prime(2^64)) * Time: CPU 0.13 s, Wall: 0.15 s sage: time factor(random_prime(2^96)*random_prime(2^96))
39 So how hard is factoring? sage: time factor(random_prime(2^32)*random_prime(2^32)) * Time: CPU 0.01 s, Wall: 0.01 s sage: time factor(random_prime(2^64)*random_prime(2^64)) * Time: CPU 0.13 s, Wall: 0.15 s sage: time factor(random_prime(2^96)*random_prime(2^96)) * Time: CPU 4.64 s, Wall: 4.76 s
40 So how hard is factoring? sage: time factor(random_prime(2^32)*random_prime(2^32)) * Time: CPU 0.01 s, Wall: 0.01 s sage: time factor(random_prime(2^64)*random_prime(2^64)) * Time: CPU 0.13 s, Wall: 0.15 s sage: time factor(random_prime(2^96)*random_prime(2^96)) * Time: CPU 4.64 s, Wall: 4.76 s sage: time factor(random_prime(2^128)*random_prime(2^128))
41 So how hard is factoring? sage: time factor(random_prime(2^32)*random_prime(2^32)) * Time: CPU 0.01 s, Wall: 0.01 s sage: time factor(random_prime(2^64)*random_prime(2^64)) * Time: CPU 0.13 s, Wall: 0.15 s sage: time factor(random_prime(2^96)*random_prime(2^96)) * Time: CPU 4.64 s, Wall: 4.76 s sage: time factor(random_prime(2^128)*random_prime(2^128)) * Time: CPU s, Wall: s
42 Factoring in practice Two kinds of factoring algorithms: 1. Algorithms that have running time dependent on the size of the factor. Good for factoring small numbers, and finding small factors of big numbers. 2. Generalpurpose algorithms that depend on the size of the number to be factored. Stateoftheart algorithms for factoring really big numbers.
43 Trial Division Good for finding very small factors Takes p/ log p trial divisions to find a prime factor p.
44 Pollard rho Good for finding slightly larger prime factors Intuition Try to take a random walk among elements modn. If p divides n, there will be a cycle of length p.
45 Pollard rho Good for finding slightly larger prime factors Intuition Try to take a random walk among elements modn. If p divides n, there will be a cycle of length p. Details Expect a collision after searching about p random elements. To avoid having to store and search every element, use Floyd s cyclefinding algorithm. (Store two pointers, and move one twice as fast as the other until they coincide.)
46 Why is it the rho algorithm?
47 Pollard rho impementation def rho(n): a = ; c=10 # some random values f = lambda x: (x^2+c)%n a1 = f(a) ; a2 = f(a1) while gcd(n, a2a1)==1: a1 = f(a1); a2 = f(f(a2)) return gcd(n, a2a1) sage: N = sage: rho(n) 2053
48 Pollard s p 1 method Good for finding special small factors Intuition If a r 1 mod p then p gcd(a r 1, N). Don t know p, pick very smooth number r, hoping for ord(a) p to divide it. ( Smooth means has only small prime factors.)
49 Pollard s p 1 method Good for finding special small factors Intuition If a r 1 mod p then p gcd(a r 1, N). Don t know p, pick very smooth number r, hoping for ord(a) p to divide it. ( Smooth means has only small prime factors.) N= r=lcm(range(1,2^22)) # this takes a while... s=integer(pow(2,r,n)) sage: gcd(s1,n)
50 Pollard p 1 method This method finds larger factors than the rho method (in the same time)...but only works for special primes. In the previous example, p 1 = has only small factors (aka. p 1 is smooth). Many crypto standards require using only strong primes a.k.a primes where p 1 is not smooth. This recommendation is outdated. The elliptic curve method (next slide) works even for strong primes.
51 Lenstra s Elliptic Curve Method Good for finding mediumsized factors Intuition Pollard s p 1 method works in the multiplicative group of integers modulo p. The elliptic curve method is exactly the p 1 method, but over the group of points on an elliptic curve modulo p: Multiplication of group elements becomes addition of points on the curve. All arithmetic is still done modulo N.
52 Lenstra s Elliptic Curve Method Good for finding mediumsized factors Intuition Pollard s p 1 method works in the multiplicative group of integers modulo p. The elliptic curve method is exactly the p 1 method, but over the group of points on an elliptic curve modulo p: Multiplication of group elements becomes addition of points on the curve. All arithmetic is still done modulo N. Theorem (Hasse) The order of an elliptic curve modulo p is in [p p, p p]. There are lots of smooth numbers in this interval. If one elliptic curve doesn t work, try more until you find a smooth order.
53 Elliptic Curves def curve(d): frac_n = type(d) class P(object): def init (self,x,y): self.x,self.y = frac_n(x),frac_n(y)... def add (a,b): return P((a.x*b.y + b.x*a.y)/(1 + d*a.x*a.y*b.x*b.y) (a.y*b.y  a.x*b.x)/(1  d*a.x*b.x*a.y*b.y) def mul (self, m): return double_and_add(self,m,p(0,1))
54 Elliptic Curve Factorization def ecm(n,y,t): # Choose a curve and a point on the curve. frac_n = Q(n) P = curve(frac_n(1,3)) p = P(2,3) q = p * lcm(xrange(1,y)) return gcd(q.x.t,n) Method runs very well on GPUs. Still an active research area. ECM is very efficient at factoring random numbers, once small factors are removed. Heuristic running time L p (1/2) = O(e c ln p ln ln p ).
55 Quadratic Sieve Intuition: Fermat factorization Main insight: If we can find two squares a 2 and b 2 such that Then a 2 b 2 mod N a 2 b 2 = (a + b)(a b) 0 mod N and we might hope that one of a + b or a b shares a nontrivial common factor with N.
56 Quadratic Sieve Intuition: Fermat factorization Main insight: If we can find two squares a 2 and b 2 such that a 2 b 2 mod N Then a 2 b 2 = (a + b)(a b) 0 mod N and we might hope that one of a + b or a b shares a nontrivial common factor with N. First try: 1. Start at c = N 2. Check c 2 N, (c + 1) 2 N,... until we find a square. This is Fermat factorization, which could take up to p steps.
57 Quadratic Sieve Generalpurpose factoring Intuition We might not find a square outright, but we can construct a square as a product of numbers we look through.
58 Quadratic Sieve Generalpurpose factoring Intuition We might not find a square outright, but we can construct a square as a product of numbers we look through. 1. Sieving Try to factor each of c 2 N, (c + 1) 2 N, Only save a d i = c 2 i N if all of its prime factors are less than some bound B. (If it is Bsmooth.) 3. Store each d i by its exponent vector d i = 2 e 2 3 e 3... B e B. 4. If i d i is a square, then its exponent vector contains only even entries.
59 Quadratic Sieve Generalpurpose factoring Intuition We might not find a square outright, but we can construct a square as a product of numbers we look through. 1. Sieving Try to factor each of c 2 N, (c + 1) 2 N, Only save a d i = c 2 i N if all of its prime factors are less than some bound B. (If it is Bsmooth.) 3. Store each d i by its exponent vector d i = 2 e 2 3 e 3... B e B. 4. If i d i is a square, then its exponent vector contains only even entries. 5. Linear Algebra Once enough factorizations have been collected, can use linear algebra to find a linear dependence mod2.
60 Quadratic Sieve Generalpurpose factoring Intuition We might not find a square outright, but we can construct a square as a product of numbers we look through. 1. Sieving Try to factor each of c 2 N, (c + 1) 2 N, Only save a d i = c 2 i N if all of its prime factors are less than some bound B. (If it is Bsmooth.) 3. Store each d i by its exponent vector d i = 2 e 2 3 e 3... B e B. 4. If i d i is a square, then its exponent vector contains only even entries. 5. Linear Algebra Once enough factorizations have been collected, can use linear algebra to find a linear dependence mod2. 6. Square roots Take square roots and hope for a nontrivial factorization. Math exercise: Square product has 50% chance of factoring pq.
61 An example of the quadratic sieve Let s try to factor N = 2759.
62 An example of the quadratic sieve Let s try to factor N = Recall idea: If a 2 N is a square b 2 then N = (a b)(a + b).
63 An example of the quadratic sieve Let s try to factor N = Recall idea: If a 2 N is a square b 2 then N = (a b)(a + b) = 50 =
64 An example of the quadratic sieve Let s try to factor N = Recall idea: If a 2 N is a square b 2 then N = (a b)(a + b) = 50 = = 157.
65 An example of the quadratic sieve Let s try to factor N = Recall idea: If a 2 N is a square b 2 then N = (a b)(a + b) = 50 = = = 266.
66 An example of the quadratic sieve Let s try to factor N = Recall idea: If a 2 N is a square b 2 then N = (a b)(a + b) = 50 = = = = 377.
67 An example of the quadratic sieve Let s try to factor N = Recall idea: If a 2 N is a square b 2 then N = (a b)(a + b) = 50 = = = = = 490 =
68 An example of the quadratic sieve Let s try to factor N = Recall idea: If a 2 N is a square b 2 then N = (a b)(a + b) = 50 = = = = = 490 = = 605 =
69 An example of the quadratic sieve Let s try to factor N = Recall idea: If a 2 N is a square b 2 then N = (a b)(a + b) = 50 = = = = = 490 = = 605 = The product is a square:
70 An example of the quadratic sieve Let s try to factor N = Recall idea: If a 2 N is a square b 2 then N = (a b)(a + b) = 50 = = = = = 490 = = 605 = The product is a square: QS computes gcd{2759, } = 31.
71 Quadratic Sieve running time How do we choose B? How many numbers do we have to try to factor? Depends on (heuristic) probability that a randomly chosen number is Bsmooth. Running time: L n (1/2) = e ln n ln ln n.
72 Number field sieve Best running time for general purpose factoring Insight Replace relationship a 2 = b 2 mod N with a homomorphism between ring of integers O K in a specially chosen number field and Z N. Algorithm 1. Polynomial selection Find a good choice of number field K. 2. Relation finding Factor elements over O K and over Z. 3. Linear algebra Find a square in O K and a square in Z 4. Square roots Take square roots, map into Z, and hope we find a factor. Running time: L n (1/3) = e (ln n ln ln n)1/3.
73 Discrete log: State of the art Discrete log: Compute g l = t in some group. (Recall DiffieHellman.) For decades, progress in discrete log closely followed progress in factoring. Best running time was L(1/3) using number field or function field sieve.
74 Discrete log: State of the art Discrete log: Compute g l = t in some group. (Recall DiffieHellman.) For decades, progress in discrete log closely followed progress in factoring. Best running time was L(1/3) using number field or function field sieve.... until this year... A new index calculus algorithm with complexity L(1/4 + o(1)) in very small characteristic. Antoine Joux, February 2013 A quasipolynomial algorithm for discrete logarithm in finite fields of small characteristic. Razvan Barbulescu, Pierrick Gaudry, Antoine Joux, and Emmanuel Thomé, June 2013
75 Index calculus for discrete log. Goal: Solve g l t mod p. 1. Relation finding: Collect g r p r pr k k mod p for many choices of r. This gives us a congruence of discrete logarithms for the p i : r r 1 log g p r k log g p k mod (p 1) 2. Linear algebra Once we have enough relations, use linear algebra to solve for the log g p i. 3. Smooth relation Search through values of R until we find one that results in a smooth value for g R t: 4. Output discrete log: g R t p τ pτ k k mod p log g t R + τ 1 log g p τ k log g p k mod (p 1)
76 Recent discrete log progress The new discrete log algorithms have resulted in very impressive new computational results. We still need to verify whether heuristic assumptions line up in practice. Open problem: Do these new results mean anything for discrete logs in large characteristic (working mod p?) Open problem: Do these new results lead to new results in factoring?
77 Factoring in practice 1977 Rivest estimates factoring a 125digit number would require 40 quadrillion years. (Letter to Martin Gardner) 1978 An 80digit n provides moderate security against an attack using current technology; using 200 digits provides a margin of safety against future developments. A Method for Obtaining Digital Signatures and PublicKey Cryptosystems 1994 Atkins, Graff, Lenstra, Leyland factor RSA129 challenge from Martin Gardner s 1977 column. We conclude that commonlyused 512bit RSA moduli are vulnerable to any organiation prepared to spend a few million dollars and wait a few months.
78 Factoring in practice 1999 te Riele, Cavallar, Dodson, Lenstra, Lioen, Montgomery, Murphy factor (512bit) RSA155 challenge in 4 months. Spent 35.7 CPU years Benjamin Moody factors 512bit RSA signing key for TI83+ calculator in 73 days on a 1.9 GHz dualcore processor Zachary Harris factors Google s 512bit domain authentication key in 72 hours for $75 using Amazon ec2.
79 An amateur can use off the shelf software to factor a 512bit RSA modulus in about a day for a few hundred dollars.
80 Factoring in the cloud Amazon Elastic Compute Cloud + Cluster computing toolkit for ec2 + Number field sieve implementation
81 My first attempt: Running time details 30 hours to factor a 512bit modulus, $234 in computation time. Polynomial selection: 7 minutes (parallel) Sieving: 14 hours (parallel) Generating matrix: 1 hour 30 minutes (single core) Linear algebra: 14 hours (partially parallel) Square root: 23 minutes (single core) 21 8x large compute optimized cluster compute instances = 20 spot instances ($0.27/hour) + 1 on demand instance control node ($2.40/hour)
82 The dirtier details of factoring +14 hours sieving first attempt + 6 hours dealing with running out of disk space and StarCluster crashing when I tried to increase size of volume, gave up and restarted + 30 minutes figuring out why CADONFS crashed parallelizing linear algebra across 21 nodes until I figured out it wouldn t crash if run with 16 nodes $550 total Amazon bill over four days including time to figure out installation, configuration, test smaller experiments and false starts
83 Suggestions for future experiments and optimizations Likely improvements Experiment with using more (cheaper) instances for sieving (used about 75% CPU on each instance) Experiment with effect of oversieving more to make linear algebra easier Optimize parallelization for linear algebra step. Linear algebra is only partially parallelized, and the parts that were parallelized only used 15% of available CPU on each instance.
84 How hard is it to factor longer keys? key size ECU years estimated cost $ $422, $38 million $560 million $ Using the cloud to determine key strengths T. Kleinjung, A.K. Lenstra, D. Page, and N.P. Smart. 2012
85 Summary: It costs $560 million to factor a 1024bit key. Next Lecture: Factoring 60, bit keys for $5.
Factoring and Discrete Log
Factoring and Discrete Log Nadia Heninger University of Pennsylvania June 1, 2015 Textbook RSA [Rivest Shamir Adleman 1977] Public Key N = pq modulus e encryption exponent Private Key p, q primes d decryption
More informationFactHacks: RSA factorization in the real world
FactHacks: RSA factorization in the real world Daniel J. Bernstein University of Illinois at Chicago Technische Universiteit Eindhoven Nadia Heninger Microsoft Research New England Tanja Lange Technische
More informationPrimality Testing and Factorization Methods
Primality Testing and Factorization Methods Eli Howey May 27, 2014 Abstract Since the days of Euclid and Eratosthenes, mathematicians have taken a keen interest in finding the nontrivial factors of integers,
More informationOverview of PublicKey Cryptography
CS 361S Overview of PublicKey Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.16 slide 2 PublicKey Cryptography public key public key? private key Alice Bob Given: Everybody knows
More informationStudy of algorithms for factoring integers and computing discrete logarithms
Study of algorithms for factoring integers and computing discrete logarithms First IndoFrench Workshop on Cryptography and Related Topics (IFW 2007) June 11 13, 2007 Paris, France Dr. Abhijit Das Department
More informationCHAPTER 3 THE NEW MMP CRYPTO SYSTEM. mathematical problems Hidden Root Problem, Discrete Logarithm Problem and
79 CHAPTER 3 THE NEW MMP CRYPTO SYSTEM In this chapter an overview of the new Mixed Mode Paired cipher text Cryptographic System (MMPCS) is given, its three hard mathematical problems are explained, and
More informationArithmetic algorithms for cryptology 5 October 2015, Paris. Sieves. Razvan Barbulescu CNRS and IMJPRG. R. Barbulescu Sieves 0 / 28
Arithmetic algorithms for cryptology 5 October 2015, Paris Sieves Razvan Barbulescu CNRS and IMJPRG R. Barbulescu Sieves 0 / 28 Starting point Notations q prime g a generator of (F q ) X a (secret) integer
More informationMATH 168: FINAL PROJECT Troels Eriksen. 1 Introduction
MATH 168: FINAL PROJECT Troels Eriksen 1 Introduction In the later years cryptosystems using elliptic curves have shown up and are claimed to be just as secure as a system like RSA with much smaller key
More informationFactoring. Factoring 1
Factoring Factoring 1 Factoring Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and RSA is broken o Rabin cipher also based on factoring Factoring like
More informationRSA Question 2. Bob thinks that p and q are primes but p isn t. Then, Bob thinks Φ Bob :=(p1)(q1) = φ(n). Is this true?
RSA Question 2 Bob thinks that p and q are primes but p isn t. Then, Bob thinks Φ Bob :=(p1)(q1) = φ(n). Is this true? Bob chooses a random e (1 < e < Φ Bob ) such that gcd(e,φ Bob )=1. Then, d = e 1
More informationCSCE 465 Computer & Network Security
CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Public Key Cryptogrophy 1 Roadmap Introduction RSA DiffieHellman Key Exchange Public key and
More informationElements of Applied Cryptography Public key encryption
Network Security Elements of Applied Cryptography Public key encryption Public key cryptosystem RSA and the factorization problem RSA in practice Other asymmetric ciphers Asymmetric Encryption Scheme Let
More informationCryptography and Network Security Chapter 9
Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 9 Public Key Cryptography and RSA Every Egyptian received two names,
More informationSECURITY IMPROVMENTS TO THE DIFFIEHELLMAN SCHEMES
www.arpapress.com/volumes/vol8issue1/ijrras_8_1_10.pdf SECURITY IMPROVMENTS TO THE DIFFIEHELLMAN SCHEMES Malek Jakob Kakish Amman Arab University, Department of Computer Information Systems, P.O.Box 2234,
More informationRSA Attacks. By Abdulaziz Alrasheed and Fatima
RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.
More informationThe Quadratic Sieve Factoring Algorithm
The Quadratic Sieve Factoring Algorithm Eric Landquist MATH 488: Cryptographic Algorithms December 14, 2001 1 Introduction Mathematicians have been attempting to find better and faster ways to factor composite
More informationInternational Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013
FACTORING CRYPTOSYSTEM MODULI WHEN THE COFACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II MohammediaCasablanca,
More informationA Factoring and Discrete Logarithm based Cryptosystem
Int. J. Contemp. Math. Sciences, Vol. 8, 2013, no. 11, 511517 HIKARI Ltd, www.mhikari.com A Factoring and Discrete Logarithm based Cryptosystem Abdoul Aziz Ciss and Ahmed Youssef Ecole doctorale de Mathematiques
More informationFinal Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket
IT 4823 Information Security Administration Public Key Encryption Revisited April 5 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles
More informationOutline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures
Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike
More informationNotes on Network Security Prof. Hemant K. Soni
Chapter 9 Public Key Cryptography and RSA PrivateKey Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications
More informationThe Mathematics of the RSA PublicKey Cryptosystem
The Mathematics of the RSA PublicKey Cryptosystem Burt Kaliski RSA Laboratories ABOUT THE AUTHOR: Dr Burt Kaliski is a computer scientist whose involvement with the security industry has been through
More informationCryptography and Network Security
Cryptography and Network Security Fifth Edition by William Stallings Chapter 9 Public Key Cryptography and RSA PrivateKey Cryptography traditional private/secret/single key cryptography uses one key shared
More informationQUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University
QUANTUM COMPUTERS AND CRYPTOGRAPHY Mark Zhandry Stanford University Classical Encryption pk m c = E(pk,m) sk m = D(sk,c) m??? Quantum Computing Attack pk m aka Postquantum Crypto c = E(pk,m) sk m = D(sk,c)
More informationCryptography: RSA and the discrete logarithm problem
Cryptography: and the discrete logarithm problem R. Hayden Advanced Maths Lectures Department of Computing Imperial College London February 2010 Public key cryptography Assymmetric cryptography two keys:
More informationInteger Factorization using the Quadratic Sieve
Integer Factorization using the Quadratic Sieve Chad Seibert* Division of Science and Mathematics University of Minnesota, Morris Morris, MN 56567 seib0060@morris.umn.edu March 16, 2011 Abstract We give
More informationEfficient and Robust Secure Aggregation of Encrypted Data in Wireless Sensor Networks
Efficient and Robust Secure Aggregation of Encrypted Data in Wireless Sensor Networks J. M. BAHI, C. GUYEUX, and A. MAKHOUL Computer Science Laboratory LIFC University of FrancheComté Journée thématique
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 20 PublicKey Cryptography and Message Authentication First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown PublicKey Cryptography
More informationPrinciples of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms
Principles of Public Key Cryptography Chapter : Security Techniques Background Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Chapter : Security on Network and Transport
More informationFactorization Methods: Very Quick Overview
Factorization Methods: Very Quick Overview Yuval Filmus October 17, 2012 1 Introduction In this lecture we introduce modern factorization methods. We will assume several facts from analytic number theory.
More informationLibrary (versus Language) Based Parallelism in Factoring: Experiments in MPI. Dr. Michael Alexander Dr. Sonja Sewera.
Library (versus Language) Based Parallelism in Factoring: Experiments in MPI Dr. Michael Alexander Dr. Sonja Sewera Talk 20071019 Slide 1 of 20 Primes Definitions Prime: A whole number n is a prime number
More informationFactoring pq 2 with Quadratic Forms: Nice Cryptanalyses
Factoring pq 2 with Quadratic Forms: Nice Cryptanalyses Phong Nguyễn http://www.di.ens.fr/~pnguyen & ASIACRYPT 2009 Joint work with G. Castagnos, A. Joux and F. Laguillaumie Summary Factoring A New Factoring
More informationSecure Network Communication Part II II Public Key Cryptography. Public Key Cryptography
Kommunikationssysteme (KSy)  Block 8 Secure Network Communication Part II II Public Key Cryptography Dr. Andreas Steffen 20002001 A. Steffen, 28.03.2001, KSy_RSA.ppt 1 Secure Key Distribution Problem
More informationCIS 5371 Cryptography. 8. Encryption 
CIS 5371 Cryptography p y 8. Encryption  Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: Allornothing secrecy.
More informationThe state of factoring algorithms and other cryptanalytic threats to RSA
The state of factoring algorithms and other cryptanalytic threats to RSA Daniel J. Bernstein University of Illinois at Chicago Technische Universiteit Eindhoven Nadia Heninger Microsoft Research New England
More informationAn Overview of Integer Factoring Algorithms. The Problem
An Overview of Integer Factoring Algorithms Manindra Agrawal IITK / NUS The Problem Given an integer n, find all its prime divisors as efficiently as possible. 1 A Difficult Problem No efficient algorithm
More informationLecture Note 5 PUBLICKEY CRYPTOGRAPHY. Sourav Mukhopadhyay
Lecture Note 5 PUBLICKEY CRYPTOGRAPHY Sourav Mukhopadhyay Cryptography and Network Security  MA61027 Modern/Publickey cryptography started in 1976 with the publication of the following paper. W. Diffie
More informationA New Generic Digital Signature Algorithm
Groups Complex. Cryptol.? (????), 1 16 DOI 10.1515/GCC.????.??? de Gruyter???? A New Generic Digital Signature Algorithm Jennifer Seberry, Vinhbuu To and Dongvu Tonien Abstract. In this paper, we study
More informationCIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives
CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; DH key exchange; Hash functions; Application of hash
More informationFactoring integers and Producing primes
Factoring integers,..., RSA Erbil, Kurdistan 0 Lecture in Number Theory College of Sciences Department of Mathematics University of Salahaddin Debember 4, 2014 Factoring integers and Producing primes Francesco
More informationFactoring & Primality
Factoring & Primality Lecturer: Dimitris Papadopoulos In this lecture we will discuss the problem of integer factorization and primality testing, two problems that have been the focus of a great amount
More informationPublicKey Cryptography. Oregon State University
PublicKey Cryptography Çetin Kaya Koç Oregon State University 1 Sender M Receiver Adversary Objective: Secure communication over an insecure channel 2 Solution: Secretkey cryptography Exchange the key
More informationFactoring Algorithms
Factoring Algorithms The p 1 Method and Quadratic Sieve November 17, 2008 () Factoring Algorithms November 17, 2008 1 / 12 Fermat s factoring method Fermat made the observation that if n has two factors
More informationRuntime and Implementation of Factoring Algorithms: A Comparison
Runtime and Implementation of Factoring Algorithms: A Comparison Justin Moore CSC290 Cryptology December 20, 2003 Abstract Factoring composite numbers is not an easy task. It is classified as a hard algorithm,
More information1720  Forward Secrecy: How to Secure SSL from Attacks by Government Agencies
1720  Forward Secrecy: How to Secure SSL from Attacks by Government Agencies Dave Corbett Technical Product Manager Implementing Forward Secrecy 1 Agenda Part 1: Introduction Why is Forward Secrecy important?
More informationA Study on Asymmetric Key Cryptography Algorithms
A Study on Asymmetric Key Cryptography Algorithms ASAITHAMBI.N School of Computer Science and Engineering, Bharathidasan University, Trichy, asaicarrier@gmail.com Abstract Asymmetric key algorithms use
More informationThe RSA Algorithm: A Mathematical History of the Ubiquitous Cryptological Algorithm
The RSA Algorithm: A Mathematical History of the Ubiquitous Cryptological Algorithm Maria D. Kelly December 7, 2009 Abstract The RSA algorithm, developed in 1977 by Rivest, Shamir, and Adlemen, is an algorithm
More informationBreaking Generalized DiffieHellman Modulo a Composite is no Easier than Factoring
Breaking Generalized DiffieHellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The DiffieHellman keyexchange protocol may naturally be extended to k > 2
More informationFactoring a semiprime n by estimating φ(n)
Factoring a semiprime n by estimating φ(n) Kyle Kloster May 7, 2010 Abstract A factoring algorithm, called the PhiFinder algorithm, is presented that factors a product of two primes, n = pq, by determining
More informationChapter 9 Public Key Cryptography and RSA
Chapter 9 Public Key Cryptography and RSA Cryptography and Network Security: Principles and Practices (3rd Ed.) 2004/1/15 1 9.1 Principles of Public Key PrivateKey Cryptography traditional private/secret/single
More informationGeneric attacks and index calculus. D. J. Bernstein University of Illinois at Chicago
Generic attacks and index calculus D. J. Bernstein University of Illinois at Chicago The discretelogarithm problem Define Ô = 1000003. Easy to prove: Ô is prime. Can we find an integer Ò ¾ 1 2 3 Ô 1 such
More information3. Applications of Number Theory
3. APPLICATIONS OF NUMBER THEORY 163 3. Applications of Number Theory 3.1. Representation of Integers. Theorem 3.1.1. Given an integer b > 1, every positive integer n can be expresses uniquely as n = a
More informationBreaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and
Breaking The Code Ryan Lowe Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and a minor in Applied Physics. As a sophomore, he took an independent study
More informationLecture 6  Cryptography
Lecture 6  Cryptography CSE497b  Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497bs07 Question 2 Setup: Assume you and I don t know anything about
More informationIntroduction to Security Proof of Cryptosystems
Introduction to Security Proof of Cryptosystems D. J. Guan November 16, 2007 Abstract Provide proof of security is the most important work in the design of cryptosystems. Problem reduction is a tool to
More informationTable of Contents. Bibliografische Informationen http://dnb.info/996514864. digitalisiert durch
1 Introduction to Cryptography and Data Security 1 1.1 Overview of Cryptology (and This Book) 2 1.2 Symmetric Cryptography 4 1.2.1 Basics 4 1.2.2 Simple Symmetric Encryption: The Substitution Cipher...
More informationAsymmetric Cryptography. Mahalingam Ramkumar Department of CSE Mississippi State University
Asymmetric Cryptography Mahalingam Ramkumar Department of CSE Mississippi State University Mathematical Preliminaries CRT Chinese Remainder Theorem Euler Phi Function Fermat's Theorem Euler Fermat's Theorem
More informationIndex Calculation Attacks on RSA Signature and Encryption
Index Calculation Attacks on RSA Signature and Encryption JeanSébastien Coron 1, Yvo Desmedt 2, David Naccache 1, Andrew Odlyzko 3, and Julien P. Stern 4 1 Gemplus Card International {jeansebastien.coron,david.naccache}@gemplus.com
More informationCryptography and Network Security Chapter 8
Cryptography and Network Security Chapter 8 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 8 Introduction to Number Theory The Devil said to Daniel Webster:
More informationApplied Cryptography Public Key Algorithms
Applied Cryptography Public Key Algorithms Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1 Public Key Cryptography Independently invented by Whitfield Diffie & Martin
More informationFACTORING LARGE NUMBERS, A GREAT WAY TO SPEND A BIRTHDAY
FACTORING LARGE NUMBERS, A GREAT WAY TO SPEND A BIRTHDAY LINDSEY R. BOSKO I would like to acknowledge the assistance of Dr. Michael Singer. His guidance and feedback were instrumental in completing this
More informationEvaluation Report on the Factoring Problem
Evaluation Report on the Factoring Problem Jacques Stern 1 Introduction This document is an evaluation of the factoring problem, as a basis for designing cryptographic schemes. It relies on the analysis
More informationEXAM questions for the course TTM4135  Information Security June 2010. Part 1
EXAM questions for the course TTM4135  Information Security June 2010 Part 1 This part consists of 6 questions all from one common topic. The number of maximal points for every correctly answered question
More informationFACTORING. n = 2 25 + 1. fall in the arithmetic sequence
FACTORING The claim that factorization is harder than primality testing (or primality certification) is not currently substantiated rigorously. As some sort of backward evidence that factoring is hard,
More informationFaster deterministic integer factorisation
David Harvey (joint work with Edgar Costa, NYU) University of New South Wales 25th October 2011 The obvious mathematical breakthrough would be the development of an easy way to factor large prime numbers
More informationPublic Key Cryptography: RSA and Lots of Number Theory
Public Key Cryptography: RSA and Lots of Number Theory Public vs. PrivateKey Cryptography We have just discussed traditional symmetric cryptography: Uses a single key shared between sender and receiver
More informationU.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009. Notes on Algebra
U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009 Notes on Algebra These notes contain as little theory as possible, and most results are stated without proof. Any introductory
More informationCryptography and Network Security Chapter 10
Cryptography and Network Security Chapter 10 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 10 Other Public Key Cryptosystems Amongst the tribes of Central
More informationA chosen text attack on the RSA cryptosystem and some discrete logarithm schemes
A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes Y. Desmedt Aangesteld Navorser NFWO Katholieke Universiteit Leuven Laboratorium ESAT B3030 Heverlee, Belgium A. M. Odlyzko
More informationMathematics of Internet Security. Keeping Eve The Eavesdropper Away From Your Credit Card Information
The : Keeping Eve The Eavesdropper Away From Your Credit Card Information Department of Mathematics North Dakota State University 16 September 2010 Science Cafe Introduction Disclaimer: is not an internet
More informationPublicKey Cryptanalysis
To appear in Recent Trends in Cryptography, I. Luengo (Ed.), Contemporary Mathematics series, AMSRSME, 2008. PublicKey Cryptanalysis Phong Q. Nguyen Abstract. In 1976, Diffie and Hellman introduced the
More informationPrimality  Factorization
Primality  Factorization Christophe Ritzenthaler November 9, 2009 1 Prime and factorization Definition 1.1. An integer p > 1 is called a prime number (nombre premier) if it has only 1 and p as divisors.
More informationPublic Key (asymmetric) Cryptography
PublicKey Cryptography UNIVERSITA DEGLI STUDI DI PARMA Dipartimento di Ingegneria dell Informazione Public Key (asymmetric) Cryptography Luca Veltri (mail.to: luca.veltri@unipr.it) Course of Network Security,
More informationFactoring integers, Producing primes and the RSA cryptosystem HarishChandra Research Institute
RSA cryptosystem HRI, Allahabad, February, 2005 0 Factoring integers, Producing primes and the RSA cryptosystem HarishChandra Research Institute Allahabad (UP), INDIA February, 2005 RSA cryptosystem HRI,
More informationUNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering. Introduction to Cryptography ECE 597XX/697XX
UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 6 Introduction to PublicKey Cryptography Israel Koren ECE597/697 Koren Part.6.1
More informationCS Computer and Network Security: Applied Cryptography
CS 5410  Computer and Network Security: Applied Cryptography Professor Patrick Traynor Spring 2016 Reminders Project Ideas are due on Tuesday. Where are we with these? Assignment #2 is posted. Let s get
More informationFactoring integers, Producing primes and the RSA cryptosystem
Factoring integers,..., RSA Erbil, Kurdistan 0 Lecture in Number Theory College of Sciences Department of Mathematics University of Salahaddin Debember 1, 2014 Factoring integers, Producing primes and
More informationEvaluation of Digital Signature Process
Evaluation of Digital Signature Process Emil SIMION, Ph. D. email: esimion@fmi.unibuc.ro Agenda Evaluation of digital signatures schemes: evaluation criteria; security evaluation; security of hash functions;
More informationPrime Numbers The generation of prime numbers is needed for many public key algorithms:
CA547: CRYPTOGRAPHY AND SECURITY PROTOCOLS 1 7 Number Theory 2 7.1 Prime Numbers Prime Numbers The generation of prime numbers is needed for many public key algorithms: RSA: Need to find p and q to compute
More informationOn Factoring Integers and Evaluating Discrete Logarithms
On Factoring Integers and Evaluating Discrete Logarithms A thesis presented by JOHN AARON GREGG to the departments of Mathematics and Computer Science in partial fulfillment of the honors requirements
More information1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.
1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks
More informationComputer and Network Security
MIT 6.857 Computer and Networ Security Class Notes 1 File: http://theory.lcs.mit.edu/ rivest/notes/notes.pdf Revision: December 2, 2002 Computer and Networ Security MIT 6.857 Class Notes by Ronald L. Rivest
More informationShor s algorithm and secret sharing
Shor s algorithm and secret sharing Libor Nentvich: QC 23 April 2007: Shor s algorithm and secret sharing 1/41 Goals: 1 To explain why the factoring is important. 2 To describe the oldest and most successful
More informationDigital Signatures. Prof. Zeph Grunschlag
Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each
More informationIn this paper a new signature scheme and a public key cryptotsystem are proposed. They can be seen as a compromise between the RSA and ElGamaltype sc
Digital Signature and Public Key Cryptosystem in a Prime Order Subgroup of Z n Colin Boyd Information Security Research Centre, School of Data Communications Queensland University of Technology, Brisbane
More informationComparative Analysis for Performance acceleration of Modern Asymmetric Crypto Systems
J. of Comp. and I.T. Vol. 3(1&2), 16 (2012). Comparative Analysis for Performance acceleration of Modern Asymmetric Crypto Systems RAJ KUMAR 1 and V.K. SARASWAT 2 1,2 Department of Computer Science, ICIS
More informationFactorization of a 1061bit number by the Special Number Field Sieve
Factorization of a 1061bit number by the Special Number Field Sieve Greg Childers California State University Fullerton Fullerton, CA 92831 August 4, 2012 Abstract I provide the details of the factorization
More informationDiscrete Mathematics, Chapter 4: Number Theory and Cryptography
Discrete Mathematics, Chapter 4: Number Theory and Cryptography Richard Mayr University of Edinburgh, UK Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 1 / 35 Outline 1 Divisibility
More informationCryptography. Course 2: attacks against RSA. JeanSébastien Coron. September 26, Université du Luxembourg
Course 2: attacks against RSA Université du Luxembourg September 26, 2010 Attacks against RSA Factoring Equivalence between factoring and breaking RSA? Mathematical attacks Attacks against plain RSA encryption
More informationModular arithmetic. x ymodn if x = y +mn for some integer m. p. 1/??
p. 1/?? Modular arithmetic Much of modern number theory, and many practical problems (including problems in cryptography and computer science), are concerned with modular arithmetic. While this is probably
More informationAsymmetric Encryption. With material from Jonathan Katz, David Brumley, and Dave Levin
Asymmetric Encryption With material from Jonathan Katz, David Brumley, and Dave Levin Warmup activity Overview of asymmetrickey crypto Intuition for El Gamal and RSA And intuition for attacks Digital
More informationSmart card implementation of a digital signature scheme for Twisted Edwards curves
May 20, 2011 Smart card implementation of a digital signature scheme for Twisted Edwards curves Author: Niels Duif Supervisors: Prof. Dr. Tanja Lange 1 and Dr. Ir. Cees Jansen 2 Department of Mathematics
More informationPublic Key Cryptography Overview
Ch.20 PublicKey Cryptography and Message Authentication I will talk about it later in this class Final: Wen (5/13) 16301830 HOLM 248» give you a sample exam» Mostly similar to homeworks» no electronic
More informationPublic Key Cryptography and RSA. Review: Number Theory Basics
Public Key Cryptography and RSA Murat Kantarcioglu Based on Prof. Ninghui Li s Slides Review: Number Theory Basics Definition An integer n > 1 is called a prime number if its positive divisors are 1 and
More informationCRYPTOGRAPHY IN NETWORK SECURITY
ELE548 Research Essays CRYPTOGRAPHY IN NETWORK SECURITY AUTHOR: SHENGLI LI INSTRUCTOR: DR. JIENCHUNG LO Date: March 5, 1999 Computer network brings lots of great benefits and convenience to us. We can
More informationAn Introduction to the RSA Encryption Method
April 17, 2012 Outline 1 History 2 3 4 5 History RSA stands for Rivest, Shamir, and Adelman, the last names of the designers It was first published in 1978 as one of the first publickey crytographic systems
More informationModule: Applied Cryptography. Professor Patrick McDaniel Fall 2010. CSE543  Introduction to Computer and Network Security
CSE543  Introduction to Computer and Network Security Module: Applied Cryptography Professor Patrick McDaniel Fall 2010 Page 1 Key Distribution/Agreement Key Distribution is the process where we assign
More informationDigital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document?
Cryptography Digital Signatures Professor: Marius Zimand Digital signatures are meant to realize authentication of the sender nonrepudiation (Note that authentication of sender is also achieved by MACs.)
More informationPUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTION http://www.tutorialspoint.com/cryptography/public_key_encryption.htm Copyright tutorialspoint.com Public Key Cryptography Unlike symmetric key cryptography, we do not find historical
More informationTwo Integer Factorization Methods
Two Integer Factorization Methods Christopher Koch April 22, 2014 Abstract Integer factorization methods are algorithms that find the prime divisors of any positive integer. Besides studying trial division
More information