compressing rsa rabin keys public keys d j bernstein each
play

Compressing RSA/Rabin keys Public keys D. J. Bernstein Each user - PowerPoint PPT Presentation

Oct 30, 2022 •227 likes •768 views

Compressing RSA/Rabin keys Public keys D. J. Bernstein Each user publishes a key 2 2047 + 1 2 2047 2 2048 1 . Thanks to: University of Illinois at Chicago User knows prime factors of . NSF CCR9983950

  1. � ✂ ✁ ✁ ✁ Compressing RSA/Rabin keys Public keys D. J. Bernstein Each user publishes a key � 2 2047 + 1 2 2047 � 2 2048 1 . Thanks to: University of Illinois at Chicago User knows prime factors of . NSF CCR–9983950 Hopefully attacker doesn’t. Alfred P. Sloan Foundation ✄ ; RSA: also publish big exponent American Institute of Mathematics ✄ th roots. use primes allowing Rabin: always use exponent 2; use primes in 3 + 4 Z . Williams: 3 + 8 Z and 7 + 8 Z . Many subsequent variants; e.g., “RSA” using exponent 3, and “RSA” using exponent 65537.

  2. ✁ ✂ ✁ � � ✁ ✁ ✁ � � ✁ ✁ ✁ � RSA/Rabin keys Public keys The compression question Each user publishes a key Can store in 2048 � 2 2047 + 1 2 2047 � 2 2048 1 . Can store 1 2 randomly accessible, Illinois at Chicago User knows prime factors of . CCR–9983950 Hopefully attacker doesn’t. Can we use fewer bits? Foundation ✄ ; RSA: also publish big exponent Knee-jerk answer: Institute of Mathematics ✄ th roots. use primes allowing If you can’t afford Rabin: always use exponent 2; switch to 256-bit elliptic use primes in 3 + 4 Z . http://cr.yp.to/ecdh.html Williams: 3 + 8 Z and 7 + 8 Z . But elliptic-curve signatures Many subsequent variants; have slow verification. e.g., “RSA” using exponent 3, Want a better answ and “RSA” using exponent 65537.

  3. ✁ ✁ � ✁ ✁ ✁ � ✂ ✁ ✁ ✁ � � Public keys The compression question Each user publishes a key Can store in 2048 bits. � 2 2047 + 1 2 2047 � 2 2048 � , 1 . Can store 1 2 randomly accessible, in 2048 bits. User knows prime factors of . Hopefully attacker doesn’t. Can we use fewer bits? ✄ ; RSA: also publish big exponent Knee-jerk answer: “No! ✄ th roots. use primes allowing If you can’t afford 2048 bits, Rabin: always use exponent 2; switch to 256-bit elliptic curves. use primes in 3 + 4 Z . http://cr.yp.to/ecdh.html ” Williams: 3 + 8 Z and 7 + 8 Z . But elliptic-curve signatures Many subsequent variants; have slow verification. e.g., “RSA” using exponent 3, Want a better answer. and “RSA” using exponent 65537.

  4. ✁ ✁ ✁ ✁ ✁ � � ✁ � � ✁ ✁ ✂ ✂ � ✁ ✁ ✁ � � The compression question Recognizing lower 2 2047 � 2 2048 publishes a key Can store in 2048 bits. � 2 2048 � , 1 . Can store so has top bit 1. 1 2 randomly accessible, in 2048 bits. Don’t store that bit. rime factors of . er doesn’t. Can we use fewer bits? With Rabin-Williams: Don’t store bottom ✄ ; publish big exponent Knee-jerk answer: “No! ✄ th roots. wing If you can’t afford 2048 bits, Better: Users never � 5 � 7 use exponent 2; switch to 256-bit elliptic curves. divisible by 3 4 Z . http://cr.yp.to/ecdh.html ” so only 480 possibilities Z and 7 + 8 Z . for mod 9240. Replace But elliptic-curve signatures subsequent variants; bottom 13 bits with have slow verification. using exponent 3, encoding of mod Want a better answer. using exponent 65537.

  5. ✁ ✂ ✁ ✁ � ✁ � ✁ ✁ ✁ � � ✁ The compression question Recognizing lower entropy 2 2047 � 2 2048 Can store in 2048 bits. 1 � , Can store so has top bit 1. 1 2 randomly accessible, in 2048 bits. Don’t store that bit. Can we use fewer bits? With Rabin-Williams: 5 + 8 Z . Don’t store bottom 3 bits. Knee-jerk answer: “No! If you can’t afford 2048 bits, Better: Users never generate � 5 � 7 � 11, switch to 256-bit elliptic curves. divisible by 3 http://cr.yp.to/ecdh.html ” so only 480 possibilities for mod 9240. Replace But elliptic-curve signatures bottom 13 bits with 9-bit have slow verification. encoding of mod 9240. Want a better answer.

  6. ✁ ✁ ✁ ✁ ✁ � ✁ ✁ ✂ � � ✂ � ✁ � ✂ � ✂ � ✁ � ✁ � ✁ ✁ ✁ � � ✁ question Recognizing lower entropy Have reduced 2048 Can we do much b 2 2047 � 2 2048 2048 bits. 1 � , so has top bit 1. Knee-jerk answer: accessible, in 2048 bits. Don’t store that bit. C’mon, you know y switch to elliptic curves.” er bits? With Rabin-Williams: 5 + 8 Z . Don’t store bottom 3 bits. e.g. User generates er: “No! independent uniform rd 2048 bits, Better: Users never generate 2 1023 � 2 1024 � 5 � 7 � 11, 256-bit elliptic curves. divisible by 3 2 1024 � 2 1025 http://cr.yp.to/ecdh.html ” so only 480 possibilities 1 1025 log 2 chance for mod 9240. Replace elliptic-curve signatures 1 1026 log 2 chance bottom 13 bits with 9-bit verification. 1 8 chance of encoding of mod 9240. answer. 2 log 2 1 chance 2 2023 equally so

  7. ✁ � ✁ ✁ ✂ � � ✁ ✁ ✁ � ✂ ✂ ✁ ✂ � ✁ ✁ Recognizing lower entropy Have reduced 2048 to 2043. Can we do much better? 2 2047 � 2 2048 1 so has top bit 1. Knee-jerk answer: “No! Don’t store that bit. C’mon, you know you want to switch to elliptic curves.” With Rabin-Williams: 5 + 8 Z . Don’t store bottom 3 bits. e.g. User generates = � from independent uniform random Better: Users never generate 2 1023 � 2 1024 1 , � 5 � 7 � 11, divisible by 3 2 1024 � 2 1025 1 : so only 480 possibilities 1 1025 log 2 chance of prime, for mod 9240. Replace 1 1026 log 2 chance of � prime, bottom 13 bits with 9-bit � 7 + 8 Z , 1 8 chance of 3 encoding of mod 9240. 2 2048 , 2 log 2 1 chance of 2 2023 equally likely so ’s.

  8. � ✁ ✁ ✁ ✂ � � � ✁ ✁ � ✂ ✂ ✂ � ✁ ✁ ✁ ✁ er entropy Have reduced 2048 to 2043. Reducing entropy Can we do much better? � 2 2048 1 Define ( ) = 500th 1. Knee-jerk answer: “No! ( ) = with 500th bit. C’mon, you know you want to Change key-generation switch to elliptic curves.” Rabin-Williams: 5 + 8 Z . to produce keys ottom 3 bits. e.g. User generates = � from Then can encode independent uniform random saving one bit; also never generate 2 1023 � 2 1024 1 , top/bottom bits as � 7 � 11, 2 1024 � 2 1025 1 : ossibilities Brute-force key generation: 1 1025 log 2 chance of prime, Replace generate by the 1 1026 log 2 chance of � prime, with 9-bit if ( ) = 1, try again. � 7 + 8 Z , 1 8 chance of 3 mod 9240. Conjecturally this tak 2 2048 , 2 log 2 1 chance of almost exactly 2 tries 2 2023 equally likely so ’s. confirmed by experiment.

  9. ✂ ✁ � ✂ ✁ ✁ ✁ � � ✁ ✂ ✁ � Have reduced 2048 to 2043. Reducing entropy Can we do much better? Define ( ) = 500th bit of , Knee-jerk answer: “No! ( ) = with 500th bit omitted. C’mon, you know you want to Change key-generation procedure switch to elliptic curves.” to produce keys with ( ) = 0. e.g. User generates = � from Then can encode as ( ), independent uniform random saving one bit; also save 2 1023 � 2 1024 1 , top/bottom bits as before. 2 1024 � 2 1025 1 : Brute-force key generation: 1 1025 log 2 chance of prime, generate by the old method; 1 1026 log 2 chance of � prime, if ( ) = 1, try again. � 7 + 8 Z , 1 8 chance of 3 Conjecturally this takes 2 2048 , 2 log 2 1 chance of almost exactly 2 tries on average; 2 2023 equally likely so ’s. confirmed by experiment.

  10. ✂ ✂ � ✁ ✁ ✁ � � ✂ ✁ ✁ ✁ � ✂ � � 2048 to 2043. Reducing entropy More generally, select better? : 2048-bit strings Define ( ) = 500th bit of , -bit strings er: “No! ( ) = with 500th bit omitted. : 2048-bit strings you want to Change key-generation procedure (2048 curves.” to produce keys with ( ) = 0. with invertible. generates = � from Then can encode as ( ), Change key-generation uniform random saving one bit; also save to produce keys � 2 1024 1 , top/bottom bits as before. Then can encode � 2 1025 1 : Brute-force key generation: saving bits. chance of prime, generate by the old method; chance of � prime, Is easy to compute if ( ) = 1, try again. � 7 + 8 Z , 3 and easy to invert? Conjecturally this takes 2 2048 , chance of for the functions w almost exactly 2 tries on average; equally likely ’s. confirmed by experiment.

  11. � � ✂ Reducing entropy More generally, select functions : 2048-bit strings Define ( ) = 500th bit of , -bit strings and ( ) = with 500th bit omitted. : 2048-bit strings Change key-generation procedure (2048 )-bit strings to produce keys with ( ) = 0. with invertible. Then can encode as ( ), Change key-generation procedure saving one bit; also save to produce keys with ( ) = 0. top/bottom bits as before. Then can encode as ( ), Brute-force key generation: saving bits. generate by the old method; Is easy to compute if ( ) = 1, try again. and easy to invert? Yes Conjecturally this takes for the functions we’ll consider. almost exactly 2 tries on average; confirmed by experiment.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

2010 2500 keys > 100 uses 1250 keys > 1000 uses 2018 11000 keys >

2010 2500 keys > 100 uses 1250 keys > 1000 uses 2018 11000 keys >

2010 2500 keys > 100 uses 1250 keys > 1000 uses 2018 11000 keys > 100 uses 4450 keys > 1000 uses An excursion in to the world of OSM tagging presets Simon Poole, SOtM 2018 In the beginning Bus

686 views • 50 slides
Compressing Intermediate Keys between Mappers and Reducers in SciHadoop Adam Crume, Joe Buck,

Compressing Intermediate Keys between Mappers and Reducers in SciHadoop Adam Crume, Joe Buck,

Background Semantically-informed byte-level compression User-level semantic compression Compressing Intermediate Keys between Mappers and Reducers in SciHadoop Adam Crume, Joe Buck, Carlos Maltzahn, Scott Brandt { adamcrume,buck,carlosm,scott }

739 views • 22 slides
Factoring RSA keys from certified smart cards: Coppersmith in the wild Daniel J. Bernstein,

Factoring RSA keys from certified smart cards: Coppersmith in the wild Daniel J. Bernstein,

Factoring RSA keys from certified smart cards: Coppersmith in the wild Daniel J. Bernstein, Yun-An Chang, Chen-Mou Cheng, Li-Ping Chou, Nadia Heninger, Tanja Lange, Nicko van Someren September 16, 2013 Problems with non-randomness 2012

810 views • 32 slides
Factoring RSA keys from certified smart cards: Coppersmith in the wild Daniel J. Bernstein,

Factoring RSA keys from certified smart cards: Coppersmith in the wild Daniel J. Bernstein,

Factoring RSA keys from certified smart cards: Coppersmith in the wild Daniel J. Bernstein, Yun-An Chang, Chen-Mou Cheng, Li-Ping Chou, Nadia Heninger, Tanja Lange, Nicko van Someren 5 December 2013 Problems with non-randomness 2012

545 views • 50 slides
Password Human beings : Short keys; possibly used to generate longer keys Dictionary

Password Human beings : Short keys; possibly used to generate longer keys Dictionary

Password Human beings : Short keys; possibly used to generate longer keys Dictionary attack: adversary tries more common keys (easy with a large set of users) Trojan horse Countermeasures: slow login, close after several

563 views • 14 slides
Everglades excerpts of a talk by Fritz Davis 2004 John Kunkel Small The Keys Lower

Everglades excerpts of a talk by Fritz Davis 2004 John Kunkel Small The Keys Lower

The Keys Everglades excerpts of a talk by Fritz Davis 2004 John Kunkel Small The Keys Lower keys Upper keys Miami Rocklands (Everglades Keys) Sea of saw grass. Sea of pine trees sea of tropical

201 views • 9 slides
Driving the 5 Keys Smiths 5 Keys 1- Aim High in Steering 2- Get the Big Picture 3-

Driving the 5 Keys Smiths 5 Keys 1- Aim High in Steering 2- Get the Big Picture 3-

Smith System Driving the 5 Keys Smiths 5 Keys 1- Aim High in Steering 2- Get the Big Picture 3- Keep Your Eyes Moving 4- Leave Yourself an Out 5- Make Sure They See You Aim im Hig igh The first rule for this method is

682 views • 10 slides
Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976

Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976

Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976 Diffie Hellman: Public-key signatures would allow verification by anyone, not just signer. Cool! Can we build a signature system? 1977 Rivest

743 views • 33 slides
Reaping and breaking keys at scale: when crypto meets big data Nils Amiet Yolan Romailler

Reaping and breaking keys at scale: when crypto meets big data Nils Amiet Yolan Romailler

Reaping and breaking keys at scale: when crypto meets big data Nils Amiet Yolan Romailler August 2018 DEF CON 26 Public keys what for? Break them! Retrieve the private keys Show how easy it is If we can do it

684 views • 31 slides
(CAN,Tapestry, Pastry) Freenet: search towards keys, but no guarantees Chord: Map keys

(CAN,Tapestry, Pastry) Freenet: search towards keys, but no guarantees Chord: Map keys

Napster: central search engine (CAN,Tapestry, Pastry) Freenet: search towards keys, but no guarantees Chord: Map keys to linear search space Stoica, R. Morris, D. Karger, F. Kaashoek, and Keep pointers (fingers) into

281 views • 12 slides
1 Key Exchange Diffie-Hellman Key Exchange Parties may have initial information Assume

1 Key Exchange Diffie-Hellman Key Exchange Parties may have initial information Assume

TECS Week 2005 Key Management Options Key Management Protocols Out of band and Compositionality Can set up some keys this way (Kerberos) Public-key infrastructure (PKI) Leverage small # of public signing keys Protocols for

282 views • 5 slides
Public Key Encryption Systems The encrypter and decrypter have different keys C = E(K E ,P) P

Public Key Encryption Systems The encrypter and decrypter have different keys C = E(K E ,P) P

Public Key Encryption Systems The encrypter and decrypter have different keys C = E(K E ,P) P = D(K D ,C) Often, works the other way, too Lecture 4 Page 1 CS 236 Online History of Public Key Cryptography Invented by Diffie and

618 views • 24 slides
AVL Trees All keys in left subtree smaller than nodes key 2 6 10 12 All keys in

AVL Trees All keys in left subtree smaller than nodes key 2 6 10 12 All keys in

1/21/2016 Review: Binary Search Tree (BST) Structure property (binary tree) Each node has 2 children 8 Result: keeps operations simple CSE373: Data Structures and Algorithms Order property 5 11 AVL Trees All keys in

414 views • 5 slides
Ordered Dictionaries Ordered Dictionaries Keys are ordered Perform usual dictionary

Ordered Dictionaries Ordered Dictionaries Keys are ordered Perform usual dictionary

Ordered Dictionaries Ordered Dictionaries Keys are ordered Perform usual dictionary operations (insertItem, removeItem, findElement) and maintain an order relation for the keys we use an external comparator for keys New

452 views • 31 slides
Recap: Part 6 Public key cryptosystem: a pair of keys Public-key: meant for public, should

Recap: Part 6 Public key cryptosystem: a pair of keys Public-key: meant for public, should

Recap: Part 6 Public key cryptosystem: a pair of keys Public-key: meant for public, should be given out Private-key: remains always secret An operation performed by one key in the pair can be inversed only by the other key

267 views • 13 slides
Signatures with Flexible Public Key: Introducing Equivalence Classes for Public Keys Michael

Signatures with Flexible Public Key: Introducing Equivalence Classes for Public Keys Michael

Signatures with Flexible Public Key: Introducing Equivalence Classes for Public Keys Michael Backes, Lucjan Hanzlik, Kamil Kluzcniak, Jonas Schneider This Talk New primitive! Signatures with Flexible Public Key Applications to

1.11k views • 56 slides
Compression Overview Multimedia Encoding and Compression Huffman codes Lossless

Compression Overview Multimedia Encoding and Compression Huffman codes Lossless

Compression Overview Multimedia Encoding and Compression Huffman codes Lossless Outline data received = data sent Compression used for executables, text files, numeric data RTP Lossy Scheduling data received

83 views • 4 slides
Aligning DNA sequences on compressed collections of genomes Part 2. Compressed indexing The

Aligning DNA sequences on compressed collections of genomes Part 2. Compressed indexing The

Aligning DNA sequences on compressed collections of genomes Part 2. Compressed indexing The CODATA-RDA Research Data Science Applied workshop on Bioinformatics ICTP, Trieste - Italy July 24-28, 2017 Nicola Prezza Technical University of

788 views • 45 slides
Mesh Compression Mesh Compression Connectivity: Often, triangulated graph CS101 - Meshing

Mesh Compression Mesh Compression Connectivity: Often, triangulated graph CS101 - Meshing

Triangle Meshes Two main parts: Mesh Compression Mesh Compression Connectivity: Often, triangulated graph CS101 - Meshing Sometimes, polygons 3-connected graphs Geometry: Positions in space CS101b - Meshing 2 Basic

781 views • 20 slides
High-Dimensional Signature Compression for Large-Scale Image Classification Jorge S anchez and

High-Dimensional Signature Compression for Large-Scale Image Classification Jorge S anchez and

High-Dimensional Signature Compression for Large-Scale Image Classification Jorge S anchez and Florent Perronnin Textual and Visual Pattern Analysis (TVPA) group Xerox Research Centre Europe (XRCE) Abstract winners of the PASCAL VOC 2007 [8]

566 views • 8 slides
Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr,

Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr,

Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr, Geovandro C. C. F. Pereira , Javad Doliskani, and Paulo S. L. M. Barreto. 1 REVI EW : SI DH AND COMPRESSED KEYS 2 Isogeny-based Crypto n SIDH:

856 views • 81 slides
in RIOT? R I O T S U M M I T 2 0 2 0 - B A R T M O O N S MAIN GOAL Integrate libSCHC for

in RIOT? R I O T S U M M I T 2 0 2 0 - B A R T M O O N S MAIN GOAL Integrate libSCHC for

Static Context Header Compression [sjiek] Where do we want to go in RIOT? R I O T S U M M I T 2 0 2 0 - B A R T M O O N S MAIN GOAL Integrate libSCHC for standard, IPv6-based connectivity to the smallest devices reliable

471 views • 20 slides
Models for Sentence Compression A Comparison across Domains, Training Requirements and Evaluation

Models for Sentence Compression A Comparison across Domains, Training Requirements and Evaluation

Models for Sentence Compression A Comparison across Domains, Training Requirements and Evaluation Measures James Clarke and Mirella Lapata School of Informatics University of Edinburgh July 2006 ACL 2006 James Clarke and Mirella Lapata 1

1.07k views • 62 slides
Benchmarking HDF5 Compression Filters in R Mike L. Smith @grimbough HDF5 is a file format for

Benchmarking HDF5 Compression Filters in R Mike L. Smith @grimbough HDF5 is a file format for

Benchmarking HDF5 Compression Filters in R Mike L. Smith @grimbough HDF5 is a file format for storing large, heterogenous, data Used in a variety of software, e.g: DelayedArray Kallisto ONT sequencing mz5 mass spec

414 views • 12 slides

More recommend