cryptanalysis of nistpqc submissions
play

Cryptanalysis of NISTPQC submissions Daniel J. Bernstein, Tanja - PowerPoint PPT Presentation

Aug 01, 2023 •423 likes •1.92k views

Cryptanalysis of NISTPQC submissions Daniel J. Bernstein, Tanja Lange, Lorenz Panny University of Illinois at Chicago, Technische Universiteit Eindhoven 18 August 2018 Workshops on Attacks in Cryptography NSA announcements August 11, 2015 IAD

  1. Attack timeline: month 1 2018.01.01 Bernstein, building on Bernstein–Lange, Wang–Malluhi, Li–Liu–Pan–Xie: faster attack script breaking HK17; HK17 withdrawn 2018.01.02 Steinfeld, independently Albrecht–Postlethwaite–Virdia: attack script breaking CFPKM 2018.01.02 Alperin-Sheriff–Perlner: attack breaking pqsigRM 2018.01.04 Yang–Bernstein–Lange: attack script breaking SRTPI; SRTPI withdrawn Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 7

  2. Attack timeline: month 1 2018.01.01 Bernstein, building on Bernstein–Lange, Wang–Malluhi, Li–Liu–Pan–Xie: faster attack script breaking HK17; HK17 withdrawn 2018.01.02 Steinfeld, independently Albrecht–Postlethwaite–Virdia: attack script breaking CFPKM 2018.01.02 Alperin-Sheriff–Perlner: attack breaking pqsigRM 2018.01.04 Yang–Bernstein–Lange: attack script breaking SRTPI; SRTPI withdrawn 2018.01.05 Lequesne–Sendrier–Tillich: attack breaking Edon-K; script posted 2018.02.20; Edon-K withdrawn Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 7

  3. Attack timeline: month 1 2018.01.01 Bernstein, building on Bernstein–Lange, Wang–Malluhi, Li–Liu–Pan–Xie: faster attack script breaking HK17; HK17 withdrawn 2018.01.02 Steinfeld, independently Albrecht–Postlethwaite–Virdia: attack script breaking CFPKM 2018.01.02 Alperin-Sheriff–Perlner: attack breaking pqsigRM 2018.01.04 Yang–Bernstein–Lange: attack script breaking SRTPI; SRTPI withdrawn 2018.01.05 Lequesne–Sendrier–Tillich: attack breaking Edon-K; script posted 2018.02.20; Edon-K withdrawn 2018.01.05 Beullens: attack script breaking DME � Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 7

  4. Attack timeline: month 1 2018.01.01 Bernstein, building on Bernstein–Lange, Wang–Malluhi, Li–Liu–Pan–Xie: faster attack script breaking HK17; HK17 withdrawn 2018.01.02 Steinfeld, independently Albrecht–Postlethwaite–Virdia: attack script breaking CFPKM 2018.01.02 Alperin-Sheriff–Perlner: attack breaking pqsigRM 2018.01.04 Yang–Bernstein–Lange: attack script breaking SRTPI; SRTPI withdrawn 2018.01.05 Lequesne–Sendrier–Tillich: attack breaking Edon-K; script posted 2018.02.20; Edon-K withdrawn 2018.01.05 Beullens: attack script breaking DME � 2018.01.05 Li–Liu–Pan–Xie, independently Bootle–Tibouchi–Xagawa: attack breaking Compact LWE � ; script from 2nd team Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 7

  5. Attack timeline: month 1 2018.01.01 Bernstein, building on Bernstein–Lange, Wang–Malluhi, Li–Liu–Pan–Xie: faster attack script breaking HK17; HK17 withdrawn 2018.01.02 Steinfeld, independently Albrecht–Postlethwaite–Virdia: attack script breaking CFPKM 2018.01.02 Alperin-Sheriff–Perlner: attack breaking pqsigRM 2018.01.04 Yang–Bernstein–Lange: attack script breaking SRTPI; SRTPI withdrawn 2018.01.05 Lequesne–Sendrier–Tillich: attack breaking Edon-K; script posted 2018.02.20; Edon-K withdrawn 2018.01.05 Beullens: attack script breaking DME � 2018.01.05 Li–Liu–Pan–Xie, independently Bootle–Tibouchi–Xagawa: attack breaking Compact LWE � ; script from 2nd team 2018.01.11 Castryck–Vercauteren: attack breaking Giophantus Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 7

  6. Attack timeline: month 1 2018.01.01 Bernstein, building on Bernstein–Lange, Wang–Malluhi, Li–Liu–Pan–Xie: faster attack script breaking HK17; HK17 withdrawn 2018.01.02 Steinfeld, independently Albrecht–Postlethwaite–Virdia: attack script breaking CFPKM 2018.01.02 Alperin-Sheriff–Perlner: attack breaking pqsigRM 2018.01.04 Yang–Bernstein–Lange: attack script breaking SRTPI; SRTPI withdrawn 2018.01.05 Lequesne–Sendrier–Tillich: attack breaking Edon-K; script posted 2018.02.20; Edon-K withdrawn 2018.01.05 Beullens: attack script breaking DME � 2018.01.05 Li–Liu–Pan–Xie, independently Bootle–Tibouchi–Xagawa: attack breaking Compact LWE � ; script from 2nd team 2018.01.11 Castryck–Vercauteren: attack breaking Giophantus 2018.01.22 Blackburn: attack reducing WalnutDSA � security level Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 7

  7. Attack timeline: month 1 2018.01.01 Bernstein, building on Bernstein–Lange, Wang–Malluhi, Li–Liu–Pan–Xie: faster attack script breaking HK17; HK17 withdrawn 2018.01.02 Steinfeld, independently Albrecht–Postlethwaite–Virdia: attack script breaking CFPKM 2018.01.02 Alperin-Sheriff–Perlner: attack breaking pqsigRM 2018.01.04 Yang–Bernstein–Lange: attack script breaking SRTPI; SRTPI withdrawn 2018.01.05 Lequesne–Sendrier–Tillich: attack breaking Edon-K; script posted 2018.02.20; Edon-K withdrawn 2018.01.05 Beullens: attack script breaking DME � 2018.01.05 Li–Liu–Pan–Xie, independently Bootle–Tibouchi–Xagawa: attack breaking Compact LWE � ; script from 2nd team 2018.01.11 Castryck–Vercauteren: attack breaking Giophantus 2018.01.22 Blackburn: attack reducing WalnutDSA � security level 2018.01.23 Beullens: another attack reducing WalnutDSA � security level Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 7

  8. Attack timeline: subsequent events 2018.02.01 Beullens: attack breaking WalnutDSA � Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 8

  9. Attack timeline: subsequent events 2018.02.01 Beullens: attack breaking WalnutDSA � 2018.02.07 Fabsic–Hromada–Zajac: attack breaking CCA for LEDA Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 8

  10. Attack timeline: subsequent events 2018.02.01 Beullens: attack breaking WalnutDSA � 2018.02.07 Fabsic–Hromada–Zajac: attack breaking CCA for LEDA 2018.03.27 Yu–Ducas: attack reducing DRS security level Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 8

  11. Attack timeline: subsequent events 2018.02.01 Beullens: attack breaking WalnutDSA � 2018.02.07 Fabsic–Hromada–Zajac: attack breaking CCA for LEDA 2018.03.27 Yu–Ducas: attack reducing DRS security level 2018.04.03 Debris-Alazard–Tillich: attack breaking RankSign; RankSign withdrawn Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 8

  12. Attack timeline: subsequent events 2018.02.01 Beullens: attack breaking WalnutDSA � 2018.02.07 Fabsic–Hromada–Zajac: attack breaking CCA for LEDA 2018.03.27 Yu–Ducas: attack reducing DRS security level 2018.04.03 Debris-Alazard–Tillich: attack breaking RankSign; RankSign withdrawn 2018.04.04 Beullens–Blackburn: attack script breaking WalnutDSA � Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 8

  13. Attack timeline: subsequent events 2018.02.01 Beullens: attack breaking WalnutDSA � 2018.02.07 Fabsic–Hromada–Zajac: attack breaking CCA for LEDA 2018.03.27 Yu–Ducas: attack reducing DRS security level 2018.04.03 Debris-Alazard–Tillich: attack breaking RankSign; RankSign withdrawn 2018.04.04 Beullens–Blackburn: attack script breaking WalnutDSA � 2018.05.09 Kotov–Menshov–Ushakov: another attack breaking WalnutDSA � Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 8

  14. Attack timeline: subsequent events 2018.02.01 Beullens: attack breaking WalnutDSA � 2018.02.07 Fabsic–Hromada–Zajac: attack breaking CCA for LEDA 2018.03.27 Yu–Ducas: attack reducing DRS security level 2018.04.03 Debris-Alazard–Tillich: attack breaking RankSign; RankSign withdrawn 2018.04.04 Beullens–Blackburn: attack script breaking WalnutDSA � 2018.05.09 Kotov–Menshov–Ushakov: another attack breaking WalnutDSA � 2018.05.16 Barelli–Couvreur: attack reducing DAGS security level Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 8

  15. Attack timeline: subsequent events 2018.02.01 Beullens: attack breaking WalnutDSA � 2018.02.07 Fabsic–Hromada–Zajac: attack breaking CCA for LEDA 2018.03.27 Yu–Ducas: attack reducing DRS security level 2018.04.03 Debris-Alazard–Tillich: attack breaking RankSign; RankSign withdrawn 2018.04.04 Beullens–Blackburn: attack script breaking WalnutDSA � 2018.05.09 Kotov–Menshov–Ushakov: another attack breaking WalnutDSA � 2018.05.16 Barelli–Couvreur: attack reducing DAGS security level 2018.05.30 Couvreur–Lequesne–Tillich: attack breaking “short” parameters for RLCE � Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 8

  16. Attack timeline: subsequent events 2018.02.01 Beullens: attack breaking WalnutDSA � 2018.02.07 Fabsic–Hromada–Zajac: attack breaking CCA for LEDA 2018.03.27 Yu–Ducas: attack reducing DRS security level 2018.04.03 Debris-Alazard–Tillich: attack breaking RankSign; RankSign withdrawn 2018.04.04 Beullens–Blackburn: attack script breaking WalnutDSA � 2018.05.09 Kotov–Menshov–Ushakov: another attack breaking WalnutDSA � 2018.05.16 Barelli–Couvreur: attack reducing DAGS security level 2018.05.30 Couvreur–Lequesne–Tillich: attack breaking “short” parameters for RLCE � 2018.06.11 Beullens–Castryck–Vercauteren: attack script breaking Giophantus Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 8

  17. “Complete and proper” submissions 21 December 2017: NIST posts 69 submissions from 260 people. BIG QUAKE . BIKE . CFPKM . Classic McEliece . Compact LWE . CRYSTALS-DILITHIUM . CRYSTALS-KYBER . DAGS . Ding Key Exchange . DME . DRS . DualModeMS . Edon-K . EMBLEM and R.EMBLEM . FALCON . FrodoKEM . GeMSS . Giophantus . Gravity-SPHINCS . Guess Again . Gui . HILA5 . HiMQ-3 . HK17 . HQC . KINDI . LAC . LAKE . LEDAkem . LEDApkc . Lepton . LIMA . Lizard . LOCKER . LOTUS . LUOV . McNie . Mersenne-756839 . MQDSS . NewHope . NTRUEncrypt . NTRU-HRSS-KEM . NTRU Prime . NTS-KEM . Odd Manhattan . OKCN/AKCN/CNKE . Ouroboros-R . Picnic . pqNTRUSign . pqRSA encryption . pqRSA signature . pqsigRM . QC-MDPC KEM . qTESLA . RaCoSS . Rainbow . Ramstake . RankSign . RLCE-KEM . Round2 . RQC . RVB . SABER . SIKE . SPHINCS+ . SRTPI . Three Bears . Titanium . WalnutDSA . Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 9

  18. “Complete and proper” submissions 21 December 2017: NIST posts 69 submissions from 260 people. BIG QUAKE . BIKE . CFPKM . Classic McEliece . Compact LWE . CRYSTALS-DILITHIUM . CRYSTALS-KYBER . DAGS . Ding Key Exchange . DME . DRS . DualModeMS . Edon-K . EMBLEM and R.EMBLEM . FALCON . FrodoKEM . GeMSS . Giophantus . Gravity-SPHINCS . Guess Again . Gui . HILA5 . HiMQ-3 . HK17 . HQC . KINDI . LAC . LAKE . LEDAkem . LEDApkc . Lepton . LIMA . Lizard . LOCKER . LOTUS . LUOV . McNie . Mersenne-756839 . MQDSS . NewHope . NTRUEncrypt . NTRU-HRSS-KEM . NTRU Prime . NTS-KEM . Odd Manhattan . OKCN/AKCN/CNKE . Ouroboros-R . Picnic . pqNTRUSign . pqRSA encryption . pqRSA signature . pqsigRM . QC-MDPC KEM . qTESLA . RaCoSS . Rainbow . Ramstake . RankSign . RLCE-KEM . Round2 . RQC . RVB . SABER . SIKE . SPHINCS+ . SRTPI . Three Bears . Titanium . WalnutDSA . Color coding: total break ; partial break Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 9

  19. HILA5 ◮ HILA5 is a RLWE-based KEM submitted to NISTPQC. This design also provides IND-CCA secure KEM-DEM public key encryption if used in conjunction with an appropriate AEAD such as NIST approved AES256-GCM. — HILA5 NIST submission document (v1.0) ◮ Decapsulation much faster than encapsulation (and faster than any other scheme). ◮ No mention of a CCA transform (e.g. Fujisaki–Okamoto). Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 10

  20. Noisy Diffie–Hellman degree n ◮ Have a ring R = Z [ x ] / ( q , ϕ ) where q ∈ Z and ϕ ∈ Z [ x ]. ◮ Let χ be a narrow distribution around 0 ∈ R . ◮ Fix some “random” element g ∈ R . b , e ′ ← χ n a , e ← χ n B = gb + e ′ A = ga + e S ′ = Ab = gab + eb S = Ba = gab + e ′ a ⇒ S − S ′ = e ′ a − eb ≈ = 0 ↑ χ small Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 11

  21. Reconciliation Alice and Bob obtain close secret vectors S , S ′ ∈ ( Z / q ) n . How to map coefficients to bits? 0 ≡ q 3 q / 4 q / 4 q / 2 Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 12

  22. Reconciliation Alice and Bob obtain close secret vectors S , S ′ ∈ ( Z / q ) n . How to map coefficients to bits? 0 ≡ q “edge” 1 3 q / 4 q / 4 0 q / 2 Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 12

  23. Reconciliation Alice and Bob obtain close secret vectors S , S ′ ∈ ( Z / q ) n . How to map coefficients to bits? 0 ≡ q “edge” 1 Alice: 1 3 q / 4 q / 4 Bob: 1 0 q / 2 Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 12

  24. Reconciliation Alice and Bob obtain close secret vectors S , S ′ ∈ ( Z / q ) n . How to map coefficients to bits? 0 ≡ q “edge” 1 Alice: 0 3 q / 4 q / 4 Bob: 0 0 q / 2 Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 12

  25. Reconciliation Alice and Bob obtain close secret vectors S , S ′ ∈ ( Z / q ) n . How to map coefficients to bits? 0 ≡ q “edge” 1 Alice: 1 3 q / 4 q / 4 Bob: 0 0 q / 2 Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 12

  26. Reconciliation Alice and Bob obtain close secret vectors S , S ′ ∈ ( Z / q ) n . How to map coefficients to bits? 0 ≡ q “edge” 1 Alice: 1 3 q / 4 q / 4 Bob: 0 oops! 0 q / 2 Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 12

  27. Reconciliation Mapping coefficients to bits using fixed intervals is bad. Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 13

  28. Reconciliation Mapping coefficients to bits using fixed intervals is bad. Better: Bob chooses a mapping based on his coefficient and tells Alice which mapping he used. Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 13

  29. Reconciliation Mapping coefficients to bits using fixed intervals is bad. Better: Bob chooses a mapping based on his coefficient and tells Alice which mapping he used. Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 13

  30. Reconciliation Mapping coefficients to bits using fixed intervals is bad. Better: Bob chooses a mapping based on his coefficient and tells Alice which mapping he used. 1 0 Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 13

  31. Reconciliation Mapping coefficients to bits using fixed intervals is bad. Better: Bob chooses a mapping based on his coefficient and tells Alice which mapping he used. 1 0 1 0 Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 13

  32. Reconciliation Mapping coefficients to bits using fixed intervals is bad. Better: Bob chooses a mapping based on his coefficient and tells Alice which mapping he used. 1 0 1 0 Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 13

  33. Fluhrer’s attack https://ia.cr/2016/085 Problem: Evil Bob can trick Alice into leaking information by deliberately using the wrong mapping for one coefficient. Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 14

  34. Fluhrer’s attack https://ia.cr/2016/085 Problem: Evil Bob can trick Alice into leaking information by deliberately using the wrong mapping for one coefficient. Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 14

  35. Fluhrer’s attack https://ia.cr/2016/085 Problem: Evil Bob can trick Alice into leaking information by deliberately using the wrong mapping for one coefficient. 1 1 0 0 Alice: 0 Alice: 1 Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 14

  36. Fluhrer’s attack https://ia.cr/2016/085 Problem: Evil Bob can trick Alice into leaking information by deliberately using the wrong mapping for one coefficient. 1 1 0 0 Alice: 0 Alice: 1 Evil Bob can distinguish these cases! (He knows all the other key bits.) Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 14

  37. Chosen-ciphertext information leaks Evil Bob has two guesses k 0 , k 1 for what Alice’s key k will be given his manipulated public key B . Alice Evil Bob Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 15

  38. Chosen-ciphertext information leaks Evil Bob has two guesses k 0 , k 1 for what Alice’s key k will be given his manipulated public key B . B � Enc( k 0 , "GET / HTTP/1.1" ) Alice Evil Bob Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 15

  39. Chosen-ciphertext information leaks Evil Bob has two guesses k 0 , k 1 for what Alice’s key k will be given his manipulated public key B . B � Enc( k 0 , "GET / HTTP/1.1" ) I don’t understand! Aborting. Alice Evil Bob Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 15

  40. Chosen-ciphertext information leaks Evil Bob has two guesses k 0 , k 1 for what Alice’s key k will be given his manipulated public key B . B � Enc( k 1 , "GET / HTTP/1.1" ) Alice Evil Bob Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 15

  41. Chosen-ciphertext information leaks Evil Bob has two guesses k 0 , k 1 for what Alice’s key k will be given his manipulated public key B . B � Enc( k 1 , "GET / HTTP/1.1" ) Here’s your webpage! Alice Evil Bob Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 15

  42. Chosen-ciphertext information leaks Evil Bob has two guesses k 0 , k 1 for what Alice’s key k will be given his manipulated public key B . B � Enc( k 1 , "GET / HTTP/1.1" ) Here’s your webpage! Alice Evil Bob = ⇒ Bob learns that k = k 1 . Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 15

  43. Chosen-ciphertext information leaks Evil Bob has two guesses k 0 , k 1 for what Alice’s key k will be given his manipulated public key B . B � Enc( k 0 , "GET / HTTP/1.1" ) Decryption failure! Aborting. Alice Evil Bob = ⇒ Bob learns that k = k 1 . This still works if Enc is an authenticated symmetric cipher! Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 15

  44. Chosen-ciphertext information leaks Evil Bob has two guesses k 0 , k 1 for what Alice’s key k will be given his manipulated public key B . B � Enc( k 1 , "GET / HTTP/1.1" ) Here’s your webpage! Alice Evil Bob = ⇒ Bob learns that k = k 1 . This still works if Enc is an authenticated symmetric cipher! Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 15

  45. Fluhrer’s attack https://ia.cr/2016/085 Adaptive chosen-ciphertext attack against static keys. Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 16

  46. Fluhrer’s attack https://ia.cr/2016/085 Adaptive chosen-ciphertext attack against static keys. Recall that Alice’s “shared” secret is gab + e ′ a . Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 16

  47. Fluhrer’s attack https://ia.cr/2016/085 Adaptive chosen-ciphertext attack against static keys. Recall that Alice’s “shared” secret is gab + e ′ a . edge Suppose Evil Bob knows b δ such that gab δ [0] = M + δ . ⇒ Querying Alice with b = b δ leaks whether − e ′ a [0] > δ . = Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 16

  48. Fluhrer’s attack https://ia.cr/2016/085 Adaptive chosen-ciphertext attack against static keys. Recall that Alice’s “shared” secret is gab + e ′ a . edge Suppose Evil Bob knows b δ such that gab δ [0] = M + δ . ⇒ Querying Alice with b = b δ leaks whether − e ′ a [0] > δ . = Structure of R � Can choose e ′ such that e ′ a [0] = a [ i ] to recover all of a . Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 16

  49. Fluhrer’s attack https://ia.cr/2016/085 Querying Alice with b = b δ and e ′ = 1 leaks whether − a [0] > δ . 1 M 0 Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 17

  50. Fluhrer’s attack https://ia.cr/2016/085 Querying Alice with b = b δ and e ′ = 1 leaks whether − a [0] > δ . 1 Evil Bob’s δ : 0 M Alice: 1 0 Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 17

  51. Fluhrer’s attack https://ia.cr/2016/085 Querying Alice with b = b δ and e ′ = 1 leaks whether − a [0] > δ . 1 Evil Bob’s δ : -8 M Alice: 0 0 Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 17

  52. Fluhrer’s attack https://ia.cr/2016/085 Querying Alice with b = b δ and e ′ = 1 leaks whether − a [0] > δ . 1 Evil Bob’s δ : -4 M Alice: 1 0 Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 17

  53. Fluhrer’s attack https://ia.cr/2016/085 Querying Alice with b = b δ and e ′ = 1 leaks whether − a [0] > δ . 1 Evil Bob’s δ : -6 M Alice: 0 0 Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 17

  54. Fluhrer’s attack https://ia.cr/2016/085 Querying Alice with b = b δ and e ′ = 1 leaks whether − a [0] > δ . 1 Evil Bob’s δ : -5 M Alice: 1 0 Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 17

  55. Fluhrer’s attack https://ia.cr/2016/085 Querying Alice with b = b δ and e ′ = 1 leaks whether − a [0] > δ . 1 Evil Bob’s δ : -5 M Alice: 1 0 = ⇒ Evil Bob learns that a [0] = 5. Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 17

  56. Our work Adaption of Fluhrer’s attack to HILA5 and analysis Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 18

  57. HILA5 https://ia.cr/2017/424 https://github.com/mjosaarinen/hila5 ◮ Standard noisy Diffie–Hellman with new reconciliation. Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 19

  58. HILA5 https://ia.cr/2017/424 https://github.com/mjosaarinen/hila5 ◮ Standard noisy Diffie–Hellman with new reconciliation. ◮ Ring: Z [ x ] / ( q , x 1024 + 1) where q = 12289. 1 ◮ Noise distribution χ : Ψ 16 . 1 on {− 16, ..., 16 } 1 same as New Hope. Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 19

  59. HILA5 https://ia.cr/2017/424 https://github.com/mjosaarinen/hila5 ◮ Standard noisy Diffie–Hellman with new reconciliation. ◮ Ring: Z [ x ] / ( q , x 1024 + 1) where q = 12289. 1 ◮ Noise distribution χ : Ψ 16 . 1 on {− 16, ..., 16 } ◮ New reconciliation mechanism: ◮ Only use “safe bits” that are far from an edge. ◮ Additionally apply an error-correcting code. 1 same as New Hope. Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 19

  60. HILA5’s reconciliation For each coefficient: d = 0: Discard coefficient. d = 1: Send reconciliation information c ; use for key bit k . Edges: c = 0: ⌈ 3 q / 8 ⌋ ... ⌈ 7 q / 8 ⌋ � k = 0. ⌈ 7 q / 8 ⌋ ... ⌈ 3 q / 8 ⌋ � k = 1. c = 1: ⌈ q / 8 ⌋ ... ⌈ 5 q / 8 ⌋ � k = 0. ⌈ 5 q / 8 ⌋ ... ⌈ q / 8 ⌋ � k = 1. (picture: HILA5 documentation) Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 20

  61. HILA5’s packet format bits d 0 ... d 1023 select 496 coefficients bits r 0 ... r 239 correct errors Bob’s public key safe bits reconciliation error correction gb + e ′ bits c 0 ... c 495 select an edge Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 21

  62. HILA5’s packet format bits d 0 ... d 1023 select 496 coefficients bits r 0 ... r 239 correct errors Bob’s public key safe bits reconciliation error correction gb + e ′ bits c 0 ... c 495 select an edge We’re going to manipulate each of these parts. Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 21

  63. Unsafe bits gb + e ′ safe bits reconciliation error correction We want to attack the first coefficient. Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 22

  64. Unsafe bits gb + e ′ safe bits reconciliation error correction We want to attack the first coefficient. = ⇒ Force d 0 = 1 to make Alice use it. Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 22

  65. Living on the edge gb + e ′ safe bits reconciliation error correction We want to attack the edge at M = ⌈ q / 8 ⌋ . Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 23

  66. Living on the edge gb + e ′ safe bits reconciliation error correction We want to attack the edge at M = ⌈ q / 8 ⌋ . = ⇒ Force c 0 = 1. Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 23

  67. Making errors gb + e ′ safe bits reconciliation error correction ◮ HILA5 uses a custom linear error-correcting code XE5. ◮ Encrypted (XOR) using part of Bob’s shared secret S ′ . ◮ Ten variable-length codewords R 0 ... R 9 . ◮ Alice corrects S [0] using the first bit of each R i . ◮ Capable of correcting (at least) 5-bit errors. We want to keep errors in S [0]. Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 24

  68. Making errors gb + e ′ safe bits reconciliation error correction ◮ HILA5 uses a custom linear error-correcting code XE5. ◮ Encrypted (XOR) using part of Bob’s shared secret S ′ . ◮ Ten variable-length codewords R 0 ... R 9 . ◮ Alice corrects S [0] using the first bit of each R i . ◮ Capable of correcting (at least) 5-bit errors. We want to keep errors in S [0]. = ⇒ Flip the first bit of R 0 ... R 4 ! Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 24

  69. All coefficients for the price of one gb + e ′ safe bits reconciliation error correction Our binary search recovers e ′ a [0] from gab δ + e ′ a by varying δ . How to get a [1], a [2], ..? Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 25

  70. All coefficients for the price of one gb + e ′ safe bits reconciliation error correction Our binary search recovers e ′ a [0] from gab δ + e ′ a by varying δ . How to get a [1], a [2], ..? By construction of R = Z [ x ] / ( q , x 1024 + 1), Evil Bob can rotate a [ i ] into e ′ a [0] by setting e ′ = − x 1024 − i . Running the search for all i yields all coefficients of a . Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 25

  71. Evil Bob needs evil b δ gb + e ′ safe bits reconciliation error correction Recall that Evil Bob needs b δ such that gab δ [0] = M + δ . How to obtain b δ without knowing a ? Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 26

  72. Evil Bob needs evil b δ gb + e ′ safe bits reconciliation error correction Recall that Evil Bob needs b δ such that gab δ [0] = M + δ . How to obtain b δ without knowing a ? = ⇒ Guess b 0 based on Alice’s public key A = ga + e : Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 26

  73. Evil Bob needs evil b δ g b + e ′ safe bits reconciliation error correction Recall that Evil Bob needs b δ such that gab δ [0] = M + δ . How to obtain b δ without knowing a ? = ⇒ Guess b 0 based on Alice’s public key A = ga + e : If b 0 has two entries ± 1 and ( Ab 0 )[0] = M , then e ← χ n [ gab 0 [0] = M ] = Pr Pr x , y ← Ψ 16 [ x + y = 0] ≈ 9.9%. Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 26

  74. Evil Bob needs evil b δ gb + e ′ safe bits reconciliation error correction Recall that Evil Bob needs b δ such that gab δ [0] = M + δ . How to obtain b δ without knowing a ? = ⇒ Guess b 0 based on Alice’s public key A = ga + e : If b 0 has two entries ± 1 and ( Ab 0 )[0] = M , then e ← χ n [ gab 0 [0] = M ] = Pr Pr x , y ← Ψ 16 [ x + y = 0] ≈ 9.9%. For all other δ , set b δ := (1 + δ M − 1 mod q ) · b 0 . This works because M − 1 mod q = − 8 is small here. Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 26

  75. Evil Bob needs evil b δ gb + e ′ safe bits reconciliation error correction Recall that Evil Bob needs b δ such that gab δ [0] = M + δ . How to obtain b δ without knowing a ? = ⇒ Guess b 0 based on Alice’s public key A = ga + e : If b 0 has two entries ± 1 and ( Ab 0 )[0] = M , then e ← χ n [ gab 0 [0] = M ] = Pr Pr x , y ← Ψ 16 [ x + y = 0] ≈ 9.9%. For all other δ , set b δ := (1 + δ M − 1 mod q ) · b 0 . This works because M − 1 mod q = − 8 is small here. If b 0 was wrong, the recovered coefficients are all 0 or − 1. = ⇒ easily detectable. Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 26

  76. Implementation ◮ Our code 1 attacks the HILA5 reference implementation. ◮ 100% success rate in our experiments. ◮ Less than 6000 queries (virtually always). (Note: Evil Bob could recover fewer coefficients and compute the rest by solving a lattice problem of reduced dimension.) 1 https://helaas.org/hila5-20171218.tar.gz Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 27

  78. HK17 “HK17 consists broadly in a Key Exchange Protocol (KEP) based on non-commutative algebra of hypercomplex numbers limited to quaternions and octonions. In particular, this proposal is based on non-commutative and non-associative algebra using octonions.” Security analysis: “. . . In our protocol, we could not find any ways to proceed with any abelianization of our octonions non-associative Moufang loop [29] or reducing of the GSDP problem of polynomial powers of octonions to a finitely generated nilpotent image of the given free group in the cryptosystem and a further nonlinear decomposition attack. We simply conclude that Roman’kov attacks do not affect our proposal.” Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 28

  79. What are octonions? R : set of real numbers. C : set of complex numbers; dim-2 R -vector space. H : set of quaternions; dim-4 R -vector space; 1843 Hamilton. O : set of octonions; dim-8 R -vector space; 1845 Cayley, 1845 Graves. Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 29

  80. What are octonions? R : set of real numbers. C : set of complex numbers; dim-2 R -vector space. H : set of quaternions; dim-4 R -vector space; 1843 Hamilton. O : set of octonions; dim-8 R -vector space; 1845 Cayley, 1845 Graves. Each of these sets has a three-part definition: ◮ Elements. Daniel J. Bernstein, Tanja Lange, Lorenz Panny https://pqcrypto.eu.org Cryptanalysis of NISTPQC submissions 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
Eurocrypt 2016 Report Marc Fischlin TU Darmstadt, Germany Submissions, submissions, submissions

Eurocrypt 2016 Report Marc Fischlin TU Darmstadt, Germany Submissions, submissions, submissions

Rump Session 2016 Eurocrypt 2016 Report Marc Fischlin TU Darmstadt, Germany Submissions, submissions, submissions parallel-track no. Eurocrypt system goes public submissions 274 202 197 195 194 2012 2013 2014 2015 2016 Marc

253 views • 12 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Final Submissions & Writing Emmanuel Agu Computer Science Dept Final Submissions Due

Final Submissions & Writing Emmanuel Agu Computer Science Dept Final Submissions Due

Final Submissions & Writing Emmanuel Agu Computer Science Dept Final Submissions Due April 26, class time. Each group 15-minute talk Paper formatted like ones we read. 10-page limit, two column All source code and

402 views • 15 slides
Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May, 2017 0/35 Cryptanalysis of Affine Cipher Outline Cryptanalysis of Affine Cipher 1 Hypothesis Testing 2 Linear Cryptanalysis 3 0/35

1.52k views • 110 slides
and Presentation submissions 1.0 Sign up / Register 2.0 Sign in 3.0 Manage submissions 3.1 New

and Presentation submissions 1.0 Sign up / Register 2.0 Sign in 3.0 Manage submissions 3.1 New

GCSI Project Information Form and Presentation submissions 1.0 Sign up / Register 2.0 Sign in 3.0 Manage submissions 3.1 New Submission 1.0 Sign up / Register Create a new account at first time, please press the Sign up /Register

200 views • 5 slides
Appendix 01 Presentation of Budget Submissions 2018-19 BUDGET SUBMISSIONS RECEIVED DURING

Appendix 01 Presentation of Budget Submissions 2018-19 BUDGET SUBMISSIONS RECEIVED DURING

12 June 201 8 Hobsons Bay City Council Ordinary Council Meeting Agenda Appendix 01 Presentation of Budget Submissions 2018-19 BUDGET SUBMISSIONS RECEIVED DURING STATUTORY PERIOD (BUDGET 2018/2019) Amount Presenting to Submission Received by

826 views • 56 slides
Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential cryptanalysis Linear cryptanalysis Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and Linear Cryptanalysis Differential cryptanalysis Linear cryptanalysis Iterated block ciphers (DES,

910 views • 53 slides
The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas Peyrin Orange Labs and Ingenico FSE 2010 - Seoul - Korea

1.38k views • 19 slides
Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference of the corresponding two outputs. - the difference M Z of two strings of bits Z and Z

556 views • 10 slides
Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU Leuven, and imec, Belgium FSE, March 2017 1 Table of Contents ARX & Rotational Cryptanalysis Rotational cryptanalysis with constants Experiment

1.12k views • 72 slides
Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below (half of) exhaustive search. Differential Cryptanalysis Note : In all the following discussion we ignore the existence of the initial and the final

330 views • 8 slides
Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . .

Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . .

Description of LAC Differentials and Characteristics Forgery attack Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . . Gatan Leurent Inria, France DIAC 2014 2 / 9 Description of LAC DIAC

1.04k views • 36 slides
Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential

Automatic Cryptanalysis of Block Ciphers with CP A case study: related key differential cryptanalysis David Gerault LIMOS, University Clermont Auvergne This presentation is inspired by 4 papers written with Pascal Lafourcade, Marine Minier,

455 views • 26 slides
Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro Hadi Soleimany

Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro Hadi Soleimany

Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro Hadi Soleimany Department of Information and Computer Science, Aalto University School of Science, Finland FSE 2014 1 / 21 Outline Introduction Slide Cryptanalysis

712 views • 49 slides
Cryptanalysis of RadioGatn Thomas Fuhr 1 Thomas Peyrin 2 1 Direction Centrale de la Scurit

Cryptanalysis of RadioGatn Thomas Fuhr 1 Thomas Peyrin 2 1 Direction Centrale de la Scurit

Cryptanalysis of RadioGatn Cryptanalysis of RadioGatn Thomas Fuhr 1 Thomas Peyrin 2 1 Direction Centrale de la Scurit des Systmes dInformation 2 Ingenico FSE 2009 - February 22-25 - Leuven Thomas Fuhr , Thomas Peyrin Cryptanalysis

567 views • 28 slides
Chapter 6 Role of capital Role of population growth Role of other production factors:

Chapter 6 Role of capital Role of population growth Role of other production factors:

Introduction Chapter 6 Role of capital Role of population growth Role of other production factors: Human Capital A third proximate determinant Role of world trade of long-run growth: Human Capital Role of productivity

530 views • 8 slides
Disclosure I have nothing to disclose Trying to Prevent Illness in Kids Who

Disclosure I have nothing to disclose Trying to Prevent Illness in Kids Who

5/16/13 Disclosure I have nothing to disclose Trying to Prevent Illness in Kids Who TravelDiagnosing it when they Return 46 th Advances and Controversies in Clinical Pediatrics Jay Tureen, M.D. International Travel with Kids Health

145 views • 10 slides
L ECTURE 10 Labor Markets April 1, 2015 I. O VERVIEW Issues and Papers Broadlythe

L ECTURE 10 Labor Markets April 1, 2015 I. O VERVIEW Issues and Papers Broadlythe

Economics 210A Christina Romer Spring 2015

727 views • 60 slides
Results for the Third Quarter ended 30 September 2009 22 October 2009 0 0 Disclaimer This

Results for the Third Quarter ended 30 September 2009 22 October 2009 0 0 Disclaimer This

Results for the Third Quarter ended 30 September 2009 22 October 2009 0 0 Disclaimer This Presentation is focused on comparing results for the three months ended 30 September 2009 versus results achieved in the three months ended 30

758 views • 60 slides
Functions Recall A function f is a rule which assigns to each element x of a set D , exactly one

Functions Recall A function f is a rule which assigns to each element x of a set D , exactly one

Functions Recall A function f is a rule which assigns to each element x of a set D , exactly one element, f ( x ), of a set E . A function can be viewed as a machine like object which acts on a variable to transform it. For example, the

295 views • 6 slides
MATH 12002 - CALCULUS I 1.6: Horizontal Asymptotes Professor Donald L. White Department of

MATH 12002 - CALCULUS I 1.6: Horizontal Asymptotes Professor Donald L. White Department of

MATH 12002 - CALCULUS I 1.6: Horizontal Asymptotes Professor Donald L. White Department of Mathematical Sciences Kent State University D.L. White (Kent State University) 1 / 5 Horizontal Asymptotes Horizontal asymptotes are very closely

185 views • 5 slides
Kinetic Energy & The Work-Energy Theorem Kinetic Energy The Work-Energy Theorem

Kinetic Energy & The Work-Energy Theorem Kinetic Energy The Work-Energy Theorem

Kinetic Energy & The Work-Energy Theorem Kinetic Energy The Work-Energy Theorem Situations Involving Friction Power Homework 1 Kinetic Energy Consider a mass m that undergoes a displacement of magnitude x and a

269 views • 10 slides
A Multiphase Adjoint Model for CMAQ Shunliu Zhao, Amir Hakami (Carleton University); Matt D.

A Multiphase Adjoint Model for CMAQ Shunliu Zhao, Amir Hakami (Carleton University); Matt D.

A Multiphase Adjoint Model for CMAQ Shunliu Zhao, Amir Hakami (Carleton University); Matt D. Turner, Shannon L. Capps, and Daven K. Henze (University of Colorado); Peter B. Percell (University of Houston); Jaroslav Resler (ICS Prague); Jesse O.

635 views • 29 slides

More recommend