a complete and explicit security reduction algorithm for
play

A Complete and Explicit Security Reduction Algorithm for RSA-based - PowerPoint PPT Presentation

Mar 07, 2023 •18 likes •408 views

A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems Asiacrypt 2003, Taipei Kaoru Kurosawa 1 , Katja Schmidt-Samoa 2 , Tsuyoshi Takagi 2 1 Ibaraki University 2 Technische Universit at Darmstadt A Complete and

  1. A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems Asiacrypt 2003, Taipei Kaoru Kurosawa 1 , Katja Schmidt-Samoa 2 , Tsuyoshi Takagi 2 1 Ibaraki University 2 Technische Universit¨ at Darmstadt A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.1/15

  2. Introduction Problem: Find "small" solutions x, y of ax = y + c mod N Many applications in cryptanalysis and provable security Previous solutions: Brute-force method Continued fraction methods Affine variant of Euclidian algorithm Lattice-based methods A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.2/15

  3. Outline of the talk PD-OW of RSA Features of the lattice-based solution Proposed algorithm Application to PD-OW of RSA Comparison Conclusion A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.3/15

  4. RSA: OW ⇒ PD-OW Target: Compute m from C = m e mod N PD-OW Oracle O : Gets s 1 from ( s 1 · 2 k + s 2 ) e mod N Fujisaki, Okamoto, Pointcheval, Stern 2001: 1. Choose a ∈ Z × N at random 2. Define C ′ = Ca e mod N (encryption of am mod N ) 3. O ( C ) = u and O ( C ′ ) = v 4. m mod N = u · 2 k + r and am mod N = v · 2 k + s ⇒ a · ( u · 2 k + r ) mod N = v · 2 k + s ⇒ ar = s + c mod N, c = ( v − ua ) · 2 k mod N. ⇒ ax = y + c mod N A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.4/15

  5. RSA: OW ⇒ PD-OW, cont’d Problem C = ( u · 2 k + r ) e mod N , find r √ We have ar = s + c mod N, 0 ≤ r, s < B < N General answer to the problem Solve ax = y + c mod N (small solutions) � e mod N For each ( x, y ) : Check C ? u · 2 k + x � = Questions How to solve ax = y + c mod N ? How many small solutions? back A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.5/15

  6. Features of the lattice-based method √ Problem: Find 0 ≤ x, y < B < N s.t. ax = y + c mod N Define lattice L a,N = { ( x, y ) ∈ Z 2 | ax = y mod N } Precondition: L a,N contains no 0 � = v, | v | < 4 B � � 1. unique small solution ( x, y ) of ax = y + c mod N ( ֒ → no checks necessary) 2. ( x, y ) can be found efficiently (lattice reduction) A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.6/15

  7. Critical area for lattice-based solution Critical area of lattice L a,N = { ( x, y ) ∈ Z 2 | ax = y mod N } : No non-zero vector inside critical area ⇒ method works 4 B Target: New algorithm for solving ax = y + c mod N downsizes critical area A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.7/15

  8. Motivation of proposed algorithm √ Problem: Find 0 ≤ x, y < B < N s.t. ax = y + c mod N 1 st step: Specify the problem Find x -minimal solution w. r. t. B : ? → y = − c mod N x = 0 < B no ? → y = − c + a mod N x = 1 < B no . . . . . . . . . . . . . . . . . . ? → y = − c + ˆ x = ˆ x ˆ xa mod N < B yes! A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.8/15

  9. Motivation of proposed algorithm √ Problem: Find 0 ≤ x, y < B < N s.t. ax = y + c mod N � 1 st step: Specify the problem y = ax − c mod N Find x -minimal solution w. r. t. B : ? → y = − c mod N x = 0 < B no ? → y = − c + a mod N x = 1 < B no . . . . . . . . . . . . . . . . . . ? → y = − c + ˆ x = ˆ x ˆ xa mod N < B yes! A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.8/15

  10. Motivation of proposed algorithm √ Problem: Find 0 ≤ x, y < B < N s.t. ax = y + c mod N � 1 st step: Specify the problem y = ax − c mod N Find x -minimal solution w. r. t. B : ? → y = − c mod N x = 0 < B no ? → y = − c + a mod N x = 1 < B no . . . . . . . . . . . . . . . . . . ? → y = − c + ˆ x = ˆ x ˆ xa mod N < B yes! 0 B − c mod N N a A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.8/15

  11. Motivation of proposed algorithm √ Problem: Find 0 ≤ x, y < B < N s.t. ax = y + c mod N � 1 st step: Specify the problem y = ax − c mod N Find x -minimal solution w. r. t. B : ? → y = − c mod N x = 0 < B no ? → y = − c + a mod N x = 1 < B no . . . . . . . . . . . . . . . . . . ? → y = − c + ˆ x = ˆ x ˆ xa mod N < B yes! 0 B − c mod N N A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.8/15

  12. Motivation of proposed algorithm √ Problem: Find 0 ≤ x, y < B < N s.t. ax = y + c mod N � 1 st step: Specify the problem y = ax − c mod N Find x -minimal solution w. r. t. B : ? → y = − c mod N x = 0 < B no ? → y = − c + a mod N x = 1 < B no . . . . . . . . . . . . . . . . . . ? → y = − c + ˆ x = ˆ x ˆ xa mod N < B yes! 0 B − c mod N N A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.8/15

  13. Motivation of proposed algorithm √ Problem: Find 0 ≤ x, y < B < N s.t. ax = y + c mod N � 1 st step: Specify the problem y = ax − c mod N Find x -minimal solution w. r. t. B : ? → y = − c mod N x = 0 < B no ? → y = − c + a mod N x = 1 < B no . . . . . . . . . . . . . . . . . . ? → y = − c + ˆ x = ˆ x ˆ xa mod N < B yes! 0 B − c mod N N A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.8/15

  14. Motivation of proposed algorithm √ Problem: Find 0 ≤ x, y < B < N s.t. ax = y + c mod N � 1 st step: Specify the problem y = ax − c mod N Find x -minimal solution w. r. t. B : ? → y = − c mod N x = 0 < B no ? → y = − c + a mod N x = 1 < B no . . . . . . . . . . . . . . . . . . ? → y = − c + ˆ x = ˆ x ˆ xa mod N < B yes! 0 B − c mod N N A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.8/15

  15. Motivation of proposed algorithm √ Problem: Find 0 ≤ x, y < B < N s.t. ax = y + c mod N � 1 st step: Specify the problem y = ax − c mod N Find x -minimal solution w. r. t. B : ? → y = − c mod N x = 0 < B no ? → y = − c + a mod N x = 1 < B no . . . . . . . . . . . . . . . . . . ? → y = − c + ˆ x = ˆ x ˆ xa mod N < B yes! 0 B − c mod N N A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.8/15

  16. Motivation of proposed algorithm √ Problem: Find 0 ≤ x, y < B < N s.t. ax = y + c mod N � 1 st step: Specify the problem y = ax − c mod N Find x -minimal solution w. r. t. B : ? → y = − c mod N x = 0 < B no ? → y = − c + a mod N x = 1 < B no . . . . . . . . . . . . . . . . . . ? → y = − c + ˆ x = ˆ x ˆ xa mod N < B yes! 0 B − c mod N N A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.8/15

  17. Motivation of proposed algorithm √ Problem: Find 0 ≤ x, y < B < N s.t. ax = y + c mod N � 1 st step: Specify the problem y = ax − c mod N Find x -minimal solution w. r. t. B : ? → y = − c mod N x = 0 < B no ? → y = − c + a mod N x = 1 < B no . . . . . . . . . . . . . . . . . . ? → y = − c + ˆ x = ˆ x ˆ xa mod N < B yes! 0 B − c mod N N A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.8/15

  18. Motivation of proposed algorithm √ Problem: Find 0 ≤ x, y < B < N s.t. ax = y + c mod N � 1 st step: Specify the problem y = ax − c mod N Find x -minimal solution w. r. t. B : ? → y = − c mod N x = 0 < B no ? → y = − c + a mod N x = 1 < B no . . . . . . . . . . . . . . . . . . ? → y = − c + ˆ x = ˆ x ˆ xa mod N < B yes! 0 B − c mod N N A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.8/15

  19. Motivation of proposed algorithm √ Problem: Find 0 ≤ x, y < B < N s.t. ax = y + c mod N � 1 st step: Specify the problem y = ax − c mod N Find x -minimal solution w. r. t. B : ? → y = − c mod N x = 0 < B no ? → y = − c + a mod N x = 1 < B no . . . . . . . . . . . . . . . . . . ? → y = − c + ˆ x = ˆ x ˆ xa mod N < B yes! 0 B − c mod N N A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.8/15

  20. Motivation of proposed algorithm √ Problem: Find 0 ≤ x, y < B < N s.t. ax = y + c mod N � 1 st step: Specify the problem y = ax − c mod N Find x -minimal solution w. r. t. B : ? → y = − c mod N x = 0 < B no ? → y = − c + a mod N x = 1 < B no . . . . . . . . . . . . . . . . . . ? → y = − c + ˆ x = ˆ x ˆ xa mod N < B yes! 0 B − c mod N N A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.8/15

  21. Motivation of proposed algorithm √ Problem: Find 0 ≤ x, y < B < N s.t. ax = y + c mod N � 1 st step: Specify the problem y = ax − c mod N Find x -minimal solution w. r. t. B : ? → y = − c mod N x = 0 < B no ? → y = − c + a mod N x = 1 < B no . . . . . . . . . . . . . . . . . . ? → y = − c + ˆ x = ˆ x ˆ xa mod N < B yes! 0 B − c mod N N a A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.8/15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Line Characterizations Bresenhams Midpoint Algorithm y mx B Explicit:

Line Characterizations Bresenhams Midpoint Algorithm y mx B Explicit:

Spring 2013 Line Characterizations Bresenhams Midpoint Algorithm y mx B Explicit: F x y ax by c Implicit: ( , ) 0 CS5600 Computer Graphics Lecture Set 2 y adapted from k

513 views • 12 slides
NP-Complete Problems Algorithm : Design &amp; Analysis [20] In the last class Simple

NP-Complete Problems Algorithm : Design &amp; Analysis [20] In the last class Simple

NP-Complete Problems Algorithm : Design &amp; Analysis [20] In the last class Simple String Matching KMP Flowchart Construction Jump at Fail KMP Scan NP-Complete Problems Decision Problem The Class P The Class NP

894 views • 35 slides
Lots of NP Complete Problems When confronted with trying to show a problem is NP-Complete

Lots of NP Complete Problems When confronted with trying to show a problem is NP-Complete

Lots of NP Complete Problems When confronted with trying to show a problem is NP-Complete NP-Complete Problems There are lots to chose from which to perform a reduction. Garey and Johnson lists over 300 (and that was printed in

170 views • 6 slides
An explicit algorithm for solving the acoustic tomography problem for a moving fluid Alexey

An explicit algorithm for solving the acoustic tomography problem for a moving fluid Alexey

An explicit algorithm for solving the acoustic tomography problem for a moving fluid Alexey Agaltsov agaltsov @ cmap.polytechnique.fr Moscow September 12, 2016 Alexey Agaltsov Algorithm for acoustic tomography of moving fluid Acoustic

509 views • 24 slides
A Novel Algorithm for the Reduction of Irregular Noise in Corrupted Speech Signals ROSHAHLIZA M

A Novel Algorithm for the Reduction of Irregular Noise in Corrupted Speech Signals ROSHAHLIZA M

A Novel Algorithm for the Reduction of Irregular Noise in Corrupted Speech Signals ROSHAHLIZA M RAMLI, ALI O. ABID NOOR &amp; SALINA ABDUL SAMAD FACULTY OF ENGINEERING &amp; BUILT ENVIRONMENT UNIVERSITI KEBANGSAAN MALAYSIA (NATIONAL UNIVERSITY OF

440 views • 13 slides
A Net-Reduction based Clustering Preprocessing Algorithm Jianhua Li, Laleh Behjat University of

A Net-Reduction based Clustering Preprocessing Algorithm Jianhua Li, Laleh Behjat University of

A Net-Reduction based Clustering Preprocessing Algorithm Jianhua Li, Laleh Behjat University of Calgary, Calgary, Canada ISPD April 12, 2006 A net reduction-based clustering preprocessing algorithm - ISPD 2006 Outline Introduction

771 views • 35 slides
Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher

Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher

Bart Preneel September 2007 Cryptographic Algorithm Engineering and Provable Security Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher Basic concepts Foundations of Security Analysis and

958 views • 31 slides
Modeling Algorithm for Test Cost Reduction of Analog/RF Circuits Hugo Gonalves 1,2 , Xin Li 1 ,

Modeling Algorithm for Test Cost Reduction of Analog/RF Circuits Hugo Gonalves 1,2 , Xin Li 1 ,

A Fast Wafer-Level Spatial Variation Modeling Algorithm for Test Cost Reduction of Analog/RF Circuits Hugo Gonalves 1,2 , Xin Li 1 , Miguel Correia 2 and Vitor Tavares 2 1 ECE Department, Carnegie Mellon University, USA 2 Faculdade de

480 views • 27 slides
An Algorithm for Sample and Data Dimensionality Reduction Using Fast Simulated Annealing Szymon

An Algorithm for Sample and Data Dimensionality Reduction Using Fast Simulated Annealing Szymon

7th International Conference on Advanced Data Mining and Applications An Algorithm for Sample and Data Dimensionality Reduction Using Fast Simulated Annealing Szymon ukasik , Piotr Kulczycki Department of Automatic Control and IT, Cracow

589 views • 16 slides
CS475 / CM375 Lecture 17: Nov 8, 2011 QR Algorithm and Reduction to Hessenberg Reading: [TB] Chapt

CS475 / CM375 Lecture 17: Nov 8, 2011 QR Algorithm and Reduction to Hessenberg Reading: [TB] Chapt

08/11/2011 CS475 / CM375 Lecture 17: Nov 8, 2011 QR Algorithm and Reduction to Hessenberg Reading: [TB] Chapt 28 CS475/CM375 (c) 2011 P. Poupart &amp; J. Wan 1 Simultaneous iteration vs QR algorithm QR algorithm can be viewed as simultaneous

501 views • 8 slides
Noise Reduction in Gridded AIRS Radiance Products using the MODIS Gridding Algorithm. David

Noise Reduction in Gridded AIRS Radiance Products using the MODIS Gridding Algorithm. David

Noise Reduction in Gridded AIRS Radiance Products using the MODIS Gridding Algorithm. David Chapman, Phuong Nguyen, Jeff Avery, Milt Halem University of Maryland Baltimore County (UMBC) Introduction Gridded data is easier to work with

428 views • 17 slides
Dimensionality Reduction Algorithms (and how to interpret their output) Dalya Baron (Tel Aviv

Dimensionality Reduction Algorithms (and how to interpret their output) Dalya Baron (Tel Aviv

Dimensionality Reduction Algorithms (and how to interpret their output) Dalya Baron (Tel Aviv University) XXX Winter School, November 2018 What is Dimensionality Reduction? Dimensionality Reduction algorithm 28 x 28 features per object 2

437 views • 33 slides
Efficient cyclic reduction for QBDs with rank structured blocks: algorithm and analysis

Efficient cyclic reduction for QBDs with rank structured blocks: algorithm and analysis

Dario A. Bini, Stefano Massei, Leonardo Robol Efficient cyclic reduction for QBDs with rank structured blocks: algorithm and analysis University of Pisa Scuola Normale Superiore KU Leuven stefano.massei@sns.it Budapest, 28 June 2016 Speaker:

462 views • 19 slides
A Sound and Complete Algorithm for Simple Conceptual Logic Programs Cristina Feier and Stijn

A Sound and Complete Algorithm for Simple Conceptual Logic Programs Cristina Feier and Stijn

A Sound and Complete Algorithm for Simple Conceptual Logic Programs Cristina Feier and Stijn Heymans Institute of Information Systems, Knowledge-Based Systems Group, Vienna University of Technology 12 December 2008 1 Overview Open Answer Set

1.1k views • 45 slides
A Complete Algorithm for Generating Landmarks Blai Bonet Julio Castillo Universidad Sim on

A Complete Algorithm for Generating Landmarks Blai Bonet Julio Castillo Universidad Sim on

A Complete Algorithm for Generating Landmarks Blai Bonet Julio Castillo Universidad Sim on Bol var, Caracas, Venezuela ICAPS 2011 Freiburg, June 2011 Introduction multiple uses of landmarks in planning most powerful admissible

527 views • 38 slides
Security Cryptography Arise from resources sharing Plaintext; Encryption algorithm;

Security Cryptography Arise from resources sharing Plaintext; Encryption algorithm;

Security Cryptography Arise from resources sharing Plaintext; Encryption algorithm; keys; Ciphertext; Resources are encapsulated by process; Decryption algorithm users access them through processs interface. Three

565 views • 7 slides
New Hampshire Department of Revenue Administration Commission to Study School Funding March 2,

New Hampshire Department of Revenue Administration Commission to Study School Funding March 2,

New Hampshire Department of Revenue Administration Commission to Study School Funding March 2, 2020 Lindsey M. Stepp, Commissioner James P. Gerry, Director 109 Pleasant Street, Concord, NH 03301 603-230-5000 MISSION The mission of the

592 views • 16 slides
DISCLAIMER the forward-looking statements contained herein are based on Managements current

DISCLAIMER the forward-looking statements contained herein are based on Managements current

Corporate Presentation 2Q 2016 1 DISCLAIMER the forward-looking statements contained herein are based on Managements current forecasts and outlook. For better illustration and decision-making, figures for Suramericana, SURA Asset Management

632 views • 39 slides
Pl Planning nning Bo Board rd Ba Basi sics cs Da Danie niel l D. D. Cre Crean an Cr

Pl Planning nning Bo Board rd Ba Basi sics cs Da Danie niel l D. D. Cre Crean an Cr

Pl Planning nning Bo Board rd Ba Basi sics cs Da Danie niel l D. D. Cre Crean an Cr Crean ean Law w Of Offi fice ce Pe Pembroke, broke, Ne New w Hampshire pshire Pr Provid vide e General neral Guida danc nce e in

429 views • 24 slides
[q 31-gargi Q2 FY 2019 Content Highlights Financial Performance Business Performance Treasury

[q 31-gargi Q2 FY 2019 Content Highlights Financial Performance Business Performance Treasury

IDBI Bank Limited srregtestrf UfZiPi2.5 Regd. Office : IDBI Tower, comicie4 : 3iT - it - 4/34 dick, WTC Complex, Cuffe Parade, g ac ` etZTI cad Lc)crei, wicu Qs, CIN: L65190MH2004G01148838, etc Mumbai - 400 005. - 400 005. '.D (+91 22)

863 views • 46 slides
Introduction Samuel Pierre PAIR Program Manager VR Program Specialist State Liaison

Introduction Samuel Pierre PAIR Program Manager VR Program Specialist State Liaison

R EHABILITATION S ERVICES A DMINISTRATION O FFICE OF S PECIAL E DUCATION AND R EHABILITATIVE S ERVICES U.S. D EPARTMENT OF E DUCATION S AMUEL P IERRE VR P ROGRAM S PECIALIST P ROTECTION AND A DVOCACY OF I NDIVIDUAL R IGHTS RSA R EHABILITATION S

233 views • 12 slides
Road Safety Assessment Program: Identification to Solution Bahram Dariush,P.E. SHSP/RSA Program

Road Safety Assessment Program: Identification to Solution Bahram Dariush,P.E. SHSP/RSA Program

Arizona Department of Transportation Road Safety Assessment Program: Identification to Solution Bahram Dariush,P.E. SHSP/RSA Program Manager ADOT Traffic Safety Section San Carlos Apache Tribe/White Mountain Apache Tribe Transportation

782 views • 31 slides
Delaware Bankruptcy Court Confirms the Validity of Plan Support Agreements May/June 2013 George

Delaware Bankruptcy Court Confirms the Validity of Plan Support Agreements May/June 2013 George

Delaware Bankruptcy Court Confirms the Validity of Plan Support Agreements May/June 2013 George R. Howard Mark G. Douglas Chapter 11 debtors and sophisticated creditor and/or shareholder constituencies are increasingly using postpetition plan

407 views • 9 slides
The Reverse Shoulder Replacement: Let Me Show You The Results Lawrence V. Gulotta, MD Director

The Reverse Shoulder Replacement: Let Me Show You The Results Lawrence V. Gulotta, MD Director

The Reverse Shoulder Replacement: Let Me Show You The Results Lawrence V. Gulotta, MD Director of Research, Sports Medicine and Shoulder Service Co-Medical Director, Leon Root Motion Analysis Laboratory Attending Surgeon, Sports Medicine and

482 views • 33 slides

More recommend