Public-Key Cryptanalysis

http://www.di.ens.fr/~pnguyen
INRIA and École normale supérieure, Paris, France
MPRI, 2010

Outline
1 Introduction
    Asymmetric Cryptology
    Course Overview
2 Textbook RSA
3 Euclid's Algorithm
    Euclid's Algorithm
    Applications to Cryptanalysis

What is Public-Key Cryptography?
Invented by Diffie and Hellman in 1976.
A user U has a pair of keys (p, s): p is public, while s is secret. p and s are related to each other, but it should be computationally hard to recover s from p.
Historical goals:
    Asymmetric encryption: anyone can encrypt a message to U, using U's public key p. But only U should be able to decrypt.
    Digital signatures: U can sign any message m, using his private key s. Anyone can check whether a given signature corresponds to a message and a public key.

Two Kinds of Hard Problems
Few and rather large unknowns, "slow" operations.
    Factoring and e-th roots (RSA, etc.)
    Discrete Log (Diffie-Hellman, El Gamal, DSA, etc.)
Many small unknowns, "fast" operations. Often related to NP-hard problems.
    Lattices and Knapsacks (NTRU, etc.)
    Coding (McEliece, etc.)
    Multivariate polynomials (HFE, etc.)

What is Public-Key Cryptanalysis?
Trying to "break" public-key cryptographic schemes, either with general techniques (factoring, lattice reduction, Gröbner basis, etc.) or specific ones.
Studying attack environments (chosen-ciphertext attacks, side-channel, etc.) and goals of attacks (key recovery, partial information, distinguishability, etc.). This is very much related to the development of "provable security".
Thirty years after the introduction of public-key cryptography, we have a much better understanding of what security means. But there is no good book on public-key cryptanalysis yet.

In This Series of Lectures
We only have 12 hours.
We will focus on the most famous public-key scheme: RSA, for both asymmetric encryption and digital signatures.
We will present attacks which explain the strengthening of security notions: e.g. a trapdoor one-way function should not be used directly as an asymmetric encryption scheme. Textbook RSA should not be used.
In particular, we will present two popular techniques in public-key cryptanalysis: square root attacks and lattice reduction (a geometric high-dimensional generalization of Euclid's gcd algorithm).
No side-channel attack.

Schedule
1 Basic attacks and basic security notions
2 Square-root attacks
3 Lattice attacks
    1 Lattice reduction in a nutshell
    2 "Linear" attacks
    3 "Polynomial" attacks

Textbook RSA (1978)
Public key: $N = pq$ where $p$ and $q$ are large primes, and an exponent $e$ coprime with $\varphi(N) = (p-1)(q-1)$.
Private key: $d \in \mathbb{Z}$ such that $ed \equiv 1 \pmod{\varphi(N)}$.
RSA gives a trapdoor one-way permutation, which provides both encryption and signature.
Encryption: A "message" $m \in \mathbb{Z}_N$ is encrypted as $c = m^e \bmod N$. The message is recovered as $m = c^d \bmod N$.
Signature: The signature of a "message" $m \in \mathbb{Z}_N$ is $s = m^d \bmod N$. To verify $(s, m) \in \mathbb{Z}_N^2$, check that $m \equiv s^e \pmod{N}$.

Textbook RSA
This is the scheme described in the original article (and in many textbooks) by Rivest, Shamir and Adleman published in 1978.
At that time, there was no preprocessing of messages, no hash functions, and almost no security notions.
And now?
We know that textbook RSA should not be directly used for asymmetric encryption or signature, because it is only a trapdoor one-way permutation.
We need a padding scheme to process the messages, before/after encryption/signature and decryption/verification, using hash functions and/or pseudo-random number generators.
The RSA standards currently advocated by RSA are RSA-OAEP (for encryption) and RSA-PSS (signatures).

Multiplicativity
RSA encryption is multiplicative. The "product" of ciphertexts is a ciphertext of the "product" of plaintexts.
$m_1^e \, m_2^e \equiv (m_1 m_2)^e \pmod{N}$.
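The identity above can be checked directly, together with the reason the slides call for hashing and padding. This is an added example, not code from the lectures: the function names and the toy key built from two Mersenne primes are assumptions, and the hash-then-sign variant is a simplified stand-in for a real padding scheme, not RSA-PSS.

```python
# Added example (not from the slides): multiplicativity of textbook RSA.
# Constructed toy key: two Mersenne primes, far too small for real use.
import hashlib

P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))    # e*d = 1 mod phi(N); needs Python 3.8+

def encrypt(m):                      # c = m^e mod N
    return pow(m, E, N)

def decrypt(c):                      # m = c^d mod N
    return pow(c, D, N)

def sign(m):                         # s = m^d mod N
    return pow(m, D, N)

def verify(m, s):                    # accept iff m = s^e mod N
    return pow(s, E, N) == m % N

def h(msg: bytes) -> int:
    """Hash a byte string into Z_N (toy preprocessing, not RSA-PSS)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign_hashed(msg: bytes) -> int:
    return pow(h(msg), D, N)

def verify_hashed(msg: bytes, s: int) -> bool:
    return pow(s, E, N) == h(msg)

def product_ciphertext_decrypts_to_product(m1, m2):
    # Multiplying two ciphertexts yields a ciphertext of m1*m2 mod N.
    c = encrypt(m1) * encrypt(m2) % N
    return decrypt(c) == m1 * m2 % N

def product_signature_verifies(m1, m2):
    # The same identity holds for the exponent d, so signatures multiply too.
    s = sign(m1) * sign(m2) % N
    return verify(m1 * m2 % N, s)

def product_of_hashed_signatures_verifies(msg1, msg2, combined):
    # With a hash applied first, the product no longer matches any chosen message.
    s = sign_hashed(msg1) * sign_hashed(msg2) % N
    return verify_hashed(combined, s)
```
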

Euclid's Algorithm
Specification
    Input: Integers $a \ge b \in \mathbb{N}$.
    Output: $\gcd(a, b)$.
Description
    While $b \neq 0$
        a := a mod b
        Swap a and b
    Output a.
Toy Example
To compute gcd(21, 15):
    21 = 1 × 15 + 6
    15 = 2 × 6 + 3
    6 = 2 × 3 + 0

    a    b
    21   15
    15   6
    6    3
    3    0

Classical Result on Euclid's Algorithm
The full cost with elementary arithmetic is no more than a multiplication: $O(\log^2 a)$.

Generalizing Euclid's Algorithm
Interpretation
Since $\gcd(a, b)\mathbb{Z} = a\mathbb{Z} + b\mathbb{Z}$, Euclid computes the shortest non-zero linear combination of a and b.
In the Next Lectures
We will discuss a more general problem, lattice reduction, where a and b are replaced by n-dimensional vectors with integer coordinates.
The algorithms will perform similar operations as Euclid: translations and swaps.
They have numerous applications in public-key cryptanalysis. We will present the following ones.

Small Solutions of Linear Equations
Assume that we have a linear congruence $\sum_{i=1}^{n} a_i x_i \equiv b \pmod{M}$.
If n is small, then lattice reduction can find a solution such that $x_i = O(M^{1/n})$. This is trivial if n = 1.
If there is a solution such that $\prod_{i=1}^{n} x_i$ is much smaller than M, then it can "probably" be recovered in practice, and perhaps also in theory.
This problem or its variants arise in many cryptanalytic applications: knapsack cryptosystems, linear congruential generators, DL-based signatures with exposed one-time keys, forgery of RSA signatures, etc.
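To make the link between Euclid's algorithm and small solutions concrete, the added example below (not from the lectures) runs Euclid on the toy input (21, 15) and then goes one step beyond the slides: Lagrange-Gauss reduction, the two-dimensional analogue built from the same translations and swaps, applied to the homogeneous two-variable congruence $y \equiv a x \pmod{M}$. All function names and the sample values in the test are assumptions made for illustration.

```python
# Added example (not from the slides): Euclid's gcd and its 2-D analogue.

def euclid_trace(a, b):
    """Pairs (a, b) visited by Euclid's algorithm; the last a is gcd(a, b)."""
    rows = [(a, b)]
    while b != 0:
        a, b = b, a % b          # a := a mod b, then swap a and b
        rows.append((a, b))
    return rows

def dot(u, v):
    return u[0] * v[0] + u[1] * v[1]

def round_div(n, d):
    """Nearest integer to n/d for d > 0, in exact integer arithmetic."""
    return (2 * n + d) // (2 * d)

def lagrange_gauss(u, v):
    """Reduce a basis (u, v) of a 2-D integer lattice by translations and swaps.
    Returns (a shortest non-zero lattice vector, the second basis vector)."""
    if dot(u, u) > dot(v, v):
        u, v = v, u
    while True:
        q = round_div(dot(u, v), dot(u, u))    # translation: v := v - q*u
        v = (v[0] - q * u[0], v[1] - q * u[1])
        if dot(v, v) >= dot(u, u):
            return u, v
        u, v = v, u                            # swap, as in Euclid

def small_solution(a, M):
    """Small (y, x) != (0, 0) with y = a*x (mod M).
    All such pairs form the lattice spanned by (M, 0) and (a, 1)."""
    (y, x), _ = lagrange_gauss((M, 0), (a % M, 1))
    return y, x
```

The lattice has determinant M, so the returned vector satisfies $x^2 + y^2 \le \frac{2}{\sqrt{3}} M$, which is the $O(M^{1/n})$ bound of the slide for n = 2.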

Small Solutions of Polynomial Equations
Assume that we have a polynomial congruence $x^{\delta} \equiv P(x) \pmod{N}$ where $\deg P < \delta$ and N has unknown factorization.
Coppersmith showed in 1996 using lattice reduction that in time polynomial in $(\delta, \log N)$, one can find all the small roots $x \le N^{1/\delta}$. This is trivial if P() is constant.
This result and its many variants/generalizations have many cryptanalytic applications to RSA.

Appendix: For Further Reading
Many References In The Survey
P. Q. Nguyen. Public-Key Cryptanalysis. In Recent Trends in Cryptography. AMS-RSME, 2009.
P. Q. Nguyen and J. Stern. The two faces of lattices in cryptology. In Proc. Workshop on Cryptography and Lattices (CALC '01), volume 2146 of LNCS, pages 146-180. Springer-Verlag, 2001.