e th roots and static diffie hellman using index calculus
play

E -th roots and static Diffie-Hellman using index calculus Antoine - PowerPoint PPT Presentation

Aug 31, 2023 •272 likes •538 views

E -th roots and static Diffie-Hellman using index calculus Antoine Joux 1 Joint work with Reynald Lercier 2 , David Naccache 3 , Emmanuel Thom e 4 Elliptic Curve Cryptography 2008 Utrecht 1 DGA and UVSQ 2 DGA and IRMAR 3 ENS 4 INRIA Lorraine 1

  1. E -th roots and static Diffie-Hellman using index calculus Antoine Joux 1 Joint work with Reynald Lercier 2 , David Naccache 3 , Emmanuel Thom´ e 4 Elliptic Curve Cryptography 2008 Utrecht 1 DGA and UVSQ 2 DGA and IRMAR 3 ENS 4 INRIA Lorraine 1 A. Joux, R. Lercier, D. Naccache, E. Thom´ e E -th roots and static Diffie-Hellman using index calculus

  2. Key questions Security of plain RSA Diffie-Hellman ? � � Factoring Discrete Log. 2 A. Joux, R. Lercier, D. Naccache, E. Thom´ e E -th roots and static Diffie-Hellman using index calculus

  3. Quick reminder: RSA ◮ RSA: Rivest, Shamir, Adleman (1977) ◮ Public key: N a large integer, e encryption exponent ◮ Private key: N = pq , p and q prime, d decryption exponent ed = λ ( p − 1 )( q − 1 ) + 1 . → x e ( mod N ) Encryption : x − √ y ( mod N ) Decryption : y − → e → y d ( mod N ) y − 3 A. Joux, R. Lercier, D. Naccache, E. Thom´ e E -th roots and static Diffie-Hellman using index calculus

  4. Quick reminder: Diffie-Hellman ◮ Invented by Diffie and Hellman (1976) ◮ Public parameters: p a large prime, g a generator (subgroup) ◮ Key exchange: Alice Bob g a Choose a − → g b ← − Choose b g ab ◮ When a = s is fixed: Static Diffie-Hellman 4 A. Joux, R. Lercier, D. Naccache, E. Thom´ e E -th roots and static Diffie-Hellman using index calculus

  5. Quick reminder: RSA and factoring ? ◮ Pros: ◮ Finding d is as difficult as factoring N ◮ Probabilistic (already in RSA from Miller 1975) ◮ Deterministic (May 2004) ◮ Breaking RSA may be as difficult as factoring (Brown 2006) ◮ Cons: ◮ Specific weaknesses: ◮ Multiplicative attacks ◮ Blinding ◮ Breaking RSA may be easier than factoring (Boneh, Venkatesan, 1998) 5 A. Joux, R. Lercier, D. Naccache, E. Thom´ e E -th roots and static Diffie-Hellman using index calculus

  6. Specific weaknesses ◮ Multiplicative attacks: √ √ √ a and ◮ From e e e b , deduce ab . ◮ Blinding: √ √ a . ◮ Ask e ar e . Deduce e 6 A. Joux, R. Lercier, D. Naccache, E. Thom´ e E -th roots and static Diffie-Hellman using index calculus

  7. Quick reminder: Diffie-Hellman and DLOG ? ◮ Computational Diffie-Hellman and Discrete Log. (Maurer-Wolf 1996) ◮ Static Diffie-Hellman less clear (Brown-Gallant 2005) 7 A. Joux, R. Lercier, D. Naccache, E. Thom´ e E -th roots and static Diffie-Hellman using index calculus

  8. Reformulating the key question ◮ RSA: ◮ Given access to an e -th root oracle: ◮ Can we learn to compute e -th roots ? ◮ Efficienty (with a cost lower than factoring) ? ◮ Diffie-Hellman ◮ Given access to a static Diffie-Hellman oracle: ◮ Can we learn to raise to the secret power ? ◮ Efficienty (with a cost lower than discrete log.) ? 8 A. Joux, R. Lercier, D. Naccache, E. Thom´ e E -th roots and static Diffie-Hellman using index calculus

  9. Reminder: Number Field Sieve Z [ X ] ւ ց Q ( α 1 ) Q ( α 2 ) ց ւ Z / N Z or Z / p Z ◮ Number fields defined from two polynomials: f 1 and f 2 ◮ Relies on multiplicative relations over smoothness bases ◮ Applicable to factoring and discrete logarithms ◮ Complexity: L N ( 1 / 3 , ( 64 / 9 ) 1 / 3 ) = e (( 64 / 9 ) 1 / 3 + o ( 1 )) log 1 / 3 N log log 2 / 3 N ) 9 A. Joux, R. Lercier, D. Naccache, E. Thom´ e E -th roots and static Diffie-Hellman using index calculus

  10. Reminder: simplified Function Field Sieve Z / p Z [ X , Y ] ւ ց Z / p Z [ X ] Z / p Z [ Y ] ց ւ F p n ◮ Function fields defined from two polynomials: x = f 1 ( y ) and y = f 2 ( x ) ◮ Applicable to discrete logarithms in small characteristic ◮ Complexity: L N ( 1 / 3 , ( 32 / 9 ) 1 / 3 ) = e (( 32 / 9 ) 1 / 3 + o ( 1 )) log 1 / 3 N log log 2 / 3 N ) 10 A. Joux, R. Lercier, D. Naccache, E. Thom´ e E -th roots and static Diffie-Hellman using index calculus

  11. Reminder 1 : NFS and FFS 1. Find smooth objects and write multiplicative relations 2. Do linear algebra 3. Final stage ◮ Finish factorization: Square root of ideal (Montgomery) ◮ Compute individual discrete logarithms: Descent 1 Another reminder: both are heuristic algorithms 11 A. Joux, R. Lercier, D. Naccache, E. Thom´ e E -th roots and static Diffie-Hellman using index calculus

  12. A special case for RSA: Affine modular roots (AMR) √ c + x ( c fixed, x small) ◮ Special oracle e ◮ Multiplicative attack ? ◮ Known attacks when x ≥ N 1 / 3 is allowed ◮ Arbitrary e -th roots ? Z [ X ] ւ ↓ √ Q ( α 1 ) e ց ↓ Z / N Z 12 A. Joux, R. Lercier, D. Naccache, E. Thom´ e E -th roots and static Diffie-Hellman using index calculus

  13. A special case for RSA: Affine modular roots √ 1. One sided smooth objects: multiplicative relations with e √ of basis elements 2. Do linear algebra: e 3. Final stage ◮ Get multiplicative relation ◮ Existential forgery ◮ Compute arbitrary e -th roots (with additional queries) ◮ Universal forgery ◮ One sided descent 13 A. Joux, R. Lercier, D. Naccache, E. Thom´ e E -th roots and static Diffie-Hellman using index calculus

  14. Answering the key question √ x or x s ◮ General oracle e ◮ Collect two sides ◮ Sieving on one side. Twice. ◮ Same complexity ! Z [ X ] Z [ X ] ւ ↓ ↓ ց √ √ Q ( α 1 ) Q ( α 2 ) e e ց ↓ ↓ ւ Z / N Z Z / N Z 14 A. Joux, R. Lercier, D. Naccache, E. Thom´ e E -th roots and static Diffie-Hellman using index calculus

  15. Easy case: FFS in small characteristic ◮ Two linear sides: No sieving and no linear algebra ◮ Descent (compute s -th power for h ( x ) ) ◮ Randomize until: h ( x ) = A ( x ) B ( x ) is smooth enough. ◮ For each factor q ( x ) , choose l ( x , y ) to find: q ( x ) C ( x ) = D ( y ) , with C ( x ) and D ( y ) smooth enough ◮ Finally backtrack from known s -th powers 15 A. Joux, R. Lercier, D. Naccache, E. Thom´ e E -th roots and static Diffie-Hellman using index calculus

  16. Special q : How to ◮ We want q ( x ) to divide l ( x , f 2 ( x )) ◮ That’s deg ( q ) linear conditions ◮ Precompute 1, x , . . . , x d x (modulo q ( x ) ) ◮ Precompute f 2 ( x ) , xf 2 ( x ) , . . . , x d x f 2 ( x ) ◮ . . . ◮ Precompute f 2 ( x ) d y , xf 2 ( x ) d y , . . . , x d x f 2 ( x ) d y ◮ Construct matrix and find kernel 16 A. Joux, R. Lercier, D. Naccache, E. Thom´ e E -th roots and static Diffie-Hellman using index calculus

  17. FFS experiment in F 2 1025 ◮ Two polynomials: x 171 + x 4 + x 3 + x 2 + 1 y = y 6 + y + 1 x = ◮ 77 millions calls to oracle (deg. up to 29) ◮ Total runtime less than a week (single computer 2 ) ◮ For details, see IACR eprint 2008-217 2 Intel Core-2 at 3.6 GHz 17 A. Joux, R. Lercier, D. Naccache, E. Thom´ e E -th roots and static Diffie-Hellman using index calculus

  18. General case 1. Collect relations: ◮ On side 1: sieving ◮ On side 2: directly obtain e -th roots or s -th powers √ or s -th powers of basis elements 2. Do linear algebra: e (side 1) ◮ Possibly delayed 3. Optionally enlarge smoothness bases 4. Final stage ◮ Descent as in discrete logs ◮ Recover e -th root or s power 18 A. Joux, R. Lercier, D. Naccache, E. Thom´ e E -th roots and static Diffie-Hellman using index calculus

  19. General case: linear algebra ◮ Type of linear algebra: ◮ Modulo e (or p − 1) with Schirokauer’s maps ◮ Alternatively: Exact ◮ Before the final stage: “Multiplicative” ◮ Or postponed to backtrack of final phase 19 A. Joux, R. Lercier, D. Naccache, E. Thom´ e E -th roots and static Diffie-Hellman using index calculus

  20. General case: Descent ◮ Descent for H : ◮ Randomize until: H = A B is smooth enough in Z . ◮ For each factor q , choose ax + b to find: q . C = D ( α ) , with C and norm of D ( α ) smooth enough ◮ Backtrack (postponed linear algebra here) ◮ If modulo e , need variant of Montgomery’s square root 20 A. Joux, R. Lercier, D. Naccache, E. Thom´ e E -th roots and static Diffie-Hellman using index calculus

  21. RSA experiment on 512 bits With public exponent e = 65537. ◮ 400 millions calls to oracle ◮ Initial sieving: 2 CPU hours 1 ◮ Bases extension: 44 CPU hours ◮ Descent time: around one hour ◮ Linear algebra 2 : 6 hours on 4 proc. ◮ Montgomery e -th root: five minutes ◮ For details, see IACR eprint 2007-424 Reminder: Factoring this number took 8000 mips.years 1 AMD Opteron 2.4GHz. 2 Intel Core 2 at 2.667GHZ 21 A. Joux, R. Lercier, D. Naccache, E. Thom´ e E -th roots and static Diffie-Hellman using index calculus

  22. Dlog experiment on 516 bits 10 155 π + 88896 ◮ Using p = � � ◮ 140 millions calls to oracle ◮ Initial sieving: 4 minutes on 128 proc. 1 (FB 2 19 ) ◮ Base extension: 24 more minutes (FB 2 32 ) ◮ Linear algebra 2 : 8 hours on 4 proc. ◮ Descent time: around two hours ◮ For details, see IACR eprint 2008-217 1 Intel Core 2 at 1.6 GHz 2 Intel Core 2 at 2.4 GHZ 22 A. Joux, R. Lercier, D. Naccache, E. Thom´ e E -th roots and static Diffie-Hellman using index calculus

  23. Asymptotic complexity √· ) : All complexities are L ( 1 / 3 , 3 variant calls lin. alg. descent Dlog 4 / 9 - 4 / 9 32 / 9 FFS NFS - HD 48 / 91 384 / 91 384 / 91 128 / 9 NFS 3 4 / 9 32 / 9 3 64 / 9 Reminder, range of algorithms: Algorithm From p To p L p n ( 1 / 3 , · ) 2 FFS L p n ( 1 / 3 , · ) L p n ( 2 / 3 , · ) NFS - HD p = p n L p n ( 2 / 3 , ) NFS 3 Requires Montgomery algorithm for RSA 23 A. Joux, R. Lercier, D. Naccache, E. Thom´ e E -th roots and static Diffie-Hellman using index calculus

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields Robert Granger

On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields Robert Granger

Motivation - Exotic Security Assumptions in Cryptography Main Algorithm and Results Oracle-assisted Static DHP for binary curves On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields Robert Granger

1.32k views • 105 slides
A Static Diffie-Hellman Attack on Several Direct Anonymous Attestation Schemes Ernie Brickell 1

A Static Diffie-Hellman Attack on Several Direct Anonymous Attestation Schemes Ernie Brickell 1

A Static Diffie-Hellman Attack on Several Direct Anonymous Attestation Schemes Ernie Brickell 1 Liqun Chen 2 Jiangtao Li 1 1. Intel Corporation, Hillsboro, Oregon, USA 2. Hewlett-Packard Laboratories, Bristol, UK InTrust 2012 Royal Holloway,

827 views • 17 slides
On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields Robert Granger

On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields Robert Granger

Background and Motivation Main Algorithm and Results On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields Robert Granger rgranger@computing.dcu.ie Claude Shannon Institute, UCD and DCU, Ireland ASIACRYPT, 8th December

655 views • 48 slides
Outline CPSC 418/MATH 318 Introduction to Cryptography More Number Theory 1 Primitive Roots

Outline CPSC 418/MATH 318 Introduction to Cryptography More Number Theory 1 Primitive Roots

Outline CPSC 418/MATH 318 Introduction to Cryptography More Number Theory 1 Primitive Roots (Recall) Number Theory, Security and Efficiency of Diffie-Hellman, Hash Eulers Function Functions Security of Diffie-Hellman 2 Discrete Log

671 views • 7 slides
Lecture Outline Review of Diffie-Hellman key exchange Looking at Authentication from a

Lecture Outline Review of Diffie-Hellman key exchange Looking at Authentication from a

Lecture Outline Review of Diffie-Hellman key exchange Looking at Authentication from a number of perspectives Today: authenticating users, services Agreeing on Secret Keys Without Prior Arrangement Diffie-Hellman Key Exchange

1.07k views • 73 slides
Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir- Adleman) Two keys: private (SK), public (PK) Encryption: with

445 views • 17 slides
Lecture 7 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 7 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 7 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir- Adleman) Two keys: private (SK), public (PK) Encryption:

810 views • 42 slides
Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir- Adleman) Two keys: private (SK), public (PK) Encryption:

256 views • 22 slides
Diffie-Hellman, discrete logs, the NSA, and you J. Alex Halderman University of Michigan Based

Diffie-Hellman, discrete logs, the NSA, and you J. Alex Halderman University of Michigan Based

Diffie-Hellman, discrete logs, the NSA, and you J. Alex Halderman University of Michigan Based on joint work: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry,

879 views • 63 slides
High-speed Diffie-Hellman, part 2 D. J. Bernstein University of Illinois at Chicago Classic

High-speed Diffie-Hellman, part 2 D. J. Bernstein University of Illinois at Chicago Classic

High-speed Diffie-Hellman, part 2 D. J. Bernstein University of Illinois at Chicago Classic question about the Diffie-Hellman system: How quickly can we compute n th powers mod p ? Modular exponentiation. p ; Assume standard prime p =

684 views • 45 slides
1 Diffie-Hellman exponential key exchange Diffie-Hellman exponential key exchange Alice has

1 Diffie-Hellman exponential key exchange Diffie-Hellman exponential key exchange Alice has

Symmetric cryptography Both parties must agree on a secret key, K message is encrypted, sent, decrypted at other side E K (P) D K (C) Secure Communication Bob Alice Key distribution must be secret otherwise messages can be

553 views • 10 slides
RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions

RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions

RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions in Cryptography Split the Bobs secret key K to two parts: K E , to be used for encrypting messages to Bob. K D , to be used for

482 views • 32 slides
C.c) DSA and Diffie-Hellman W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 C.73 DSA

C.c) DSA and Diffie-Hellman W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 C.73 DSA

1 C.c) DSA and Diffie-Hellman W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 C.73 DSA (Digital Signature Algorithm) standardized by NIST A) Generation of a key pair Select a prime q with 2 159 < q < 2 160 Select a

348 views • 11 slides
Diffie-Hellman not secure against Man-in-the-Middle-attack: Want to guarantee authenticity. Alice

Diffie-Hellman not secure against Man-in-the-Middle-attack: Want to guarantee authenticity. Alice

Diffie-Hellman not secure against Man-in-the-Middle-attack: Want to guarantee authenticity. Alice Mallory Bob Can achieve this with publc-key cryptography as well. g a a First example: Schnorr Signature g m m a 1024 bit

283 views • 3 slides
Diffie-Hellman not secure against Man-in-the-Middle-attack: Alice Mallory Bob g a a g

Diffie-Hellman not secure against Man-in-the-Middle-attack: Alice Mallory Bob g a a g

Diffie-Hellman not secure against Man-in-the-Middle-attack: Alice Mallory Bob g a a g m m g ma g ma g n n g b b g nb g nb g ma g ma , g nb g nb Eike Ritter Cryptography 2014/15 106

417 views • 9 slides
Public Key Cryptography Diffie-Hellman Others CSS441: Security and Cryptography Sirindhorn

Public Key Cryptography Diffie-Hellman Others CSS441: Security and Cryptography Sirindhorn

CSS441 Public Key Crypto Principles RSA Public Key Cryptography Diffie-Hellman Others CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20 December 2015

461 views • 29 slides
Web Technologies in Java EE JAX-RS 2.0, JSON-P, WebSocket, JSF 2.2 $ whoami Luk Fry

Web Technologies in Java EE JAX-RS 2.0, JSON-P, WebSocket, JSF 2.2 $ whoami Luk Fry

Web Technologies in Java EE JAX-RS 2.0, JSON-P, WebSocket, JSF 2.2 $ whoami Luk Fry Software Engineer, JBoss, Red Hat AeroGear, (Arquillian, RichFaces) Interests HTML5, Web Components, AngularJS Living and

1.17k views • 83 slides
The Frontiers of Continuous Delivery Eberhard Wolff @ewolff http://ewolff.com Fellow

The Frontiers of Continuous Delivery Eberhard Wolff @ewolff http://ewolff.com Fellow

The Frontiers of Continuous Delivery Eberhard Wolff @ewolff http://ewolff.com Fellow http://continuous-delivery-buch.de/ http://continuous-delivery-book.com/ http://microservices-buch.de/ http://microservices-book.com/ FREE!!!!

1k views • 83 slides
Media Analysis of Social Network and Media Content 1 Three examples of data analysis 1. Tweets

Media Analysis of Social Network and Media Content 1 Three examples of data analysis 1. Tweets

Online Social Networks and Media Analysis of Social Network and Media Content 1 Three examples of data analysis 1. Tweets and stock prices/volume 2. Tweets and event (earthquake) detection 3. Tracking memes in news media and blogs 2

1.03k views • 89 slides
Craig Knoblock University of Southern California These slides are based in part on slides from

Craig Knoblock University of Southern California These slides are based in part on slides from

Craig Knoblock University of Southern California These slides are based in part on slides from Matt Michelson, Sheila Tejada, Misha Bilenko, Jose Luis Ambite, Claude Nanjo, and Steve Minton Craig Knoblock University of Southern California 1

919 views • 81 slides
17-654: Analysis of Software Systems Spring 2005 4/21/2005 Topics Timing attack

17-654: Analysis of Software Systems Spring 2005 4/21/2005 Topics Timing attack

17-654: Analysis of Software Systems Spring 2005 4/21/2005 Topics Timing attack Algorithms leak information Nice example of practice trumping theoretical security Hardening algorithms: randomization Privilege separation

1.11k views • 69 slides
A brief overwiev of pairings Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Overview

A brief overwiev of pairings Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Overview

Bordeaux November 22, 2016 A brief overwiev of pairings Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Overview pairings 0 / 37 Plan of the lecture Pairings Pairing-friendly curves Progress of NFS attacks

744 views • 72 slides
Byzantine Techniques Michael George November 29, 2005 Michael George Byzantine Techniques

Byzantine Techniques Michael George November 29, 2005 Michael George Byzantine Techniques

Overview The Byzantine Generals Problem Practical Byzantine Fault Tolerance Conclusion Byzantine Techniques Michael George November 29, 2005 Michael George Byzantine Techniques Overview The Byzantine Generals Problem Practical

940 views • 64 slides
The Byzantine Generals Problem - Kushal Babel Authors Leslie Lamport Turing Award

The Byzantine Generals Problem - Kushal Babel Authors Leslie Lamport Turing Award

The Byzantine Generals Problem - Kushal Babel Authors Leslie Lamport Turing Award Paxos, Lamport Clocks, LaTex... Robert Shostak PhD at Harvard Entrepreneur Marshall Pease Reinvented & Re-branded

822 views • 56 slides

More recommend