generic attacks the discrete logarithm problem and index
play

Generic attacks The discrete-logarithm problem and index calculus - PowerPoint PPT Presentation

May 27, 2023 •264 likes •1.24k views

Generic attacks The discrete-logarithm problem and index calculus Define = 1000003. D. J. Bernstein Easy to prove: is prime. University of Illinois at Chicago Can we find an integer 1 2 3

  1. Generic attacks The discrete-logarithm problem and index calculus Define ♣ = 1000003. D. J. Bernstein Easy to prove: ♣ is prime. University of Illinois at Chicago Can we find an integer ♥ ✷ ❢ 1 ❀ 2 ❀ 3 ❀ ✿ ✿ ✿ ❀ ♣ � 1 ❣ such that 5 ♥ mod ♣ = 262682? Easy to prove: ♥ ✼✦ 5 ♥ mod ♣ permutes ❢ 1 ❀ 2 ❀ 3 ❀ ✿ ✿ ✿ ❀ ♣ � 1 ❣ . So there exists an ♥ such that 5 ♥ mod ♣ = 262682. Could find ♥ by brute force. Is there a faster way?

  2. Generic attacks The discrete-logarithm problem Typical cryptanalytic index calculus Define ♣ = 1000003. Imagine ♣ Bernstein Easy to prove: ♣ is prime. in the Diffie-Hellman University of Illinois at Chicago Can we find an integer User cho ♥ ♥ ♥ ✷ ❢ 1 ❀ 2 ❀ 3 ❀ ✿ ✿ ✿ ❀ ♣ � 1 ❣ publishes ♣ such that 5 ♥ mod ♣ = 262682? Can attack Easy to prove: ♥ ✼✦ 5 ♥ mod ♣ the discrete- ♥ permutes ❢ 1 ❀ 2 ❀ 3 ❀ ✿ ✿ ✿ ❀ ♣ � 1 ❣ . Given public ♣ So there exists an ♥ quickly find ♥ such that 5 ♥ mod ♣ = 262682. (Warning: Could find ♥ by brute force. to attack Is there a faster way? Maybe there

  3. The discrete-logarithm problem Typical cryptanalytic calculus Define ♣ = 1000003. Imagine standard ♣ Easy to prove: ♣ is prime. in the Diffie-Hellman Illinois at Chicago Can we find an integer User chooses secret ♥ publishes 5 ♥ mod ♣ ♥ ✷ ❢ 1 ❀ 2 ❀ 3 ❀ ✿ ✿ ✿ ❀ ♣ � 1 ❣ such that 5 ♥ mod ♣ = 262682? Can attacker quickly Easy to prove: ♥ ✼✦ 5 ♥ mod ♣ the discrete-logarithm Given public key 5 ♥ permutes ❢ 1 ❀ 2 ❀ 3 ❀ ✿ ✿ ✿ ❀ ♣ � 1 ❣ . ♣ So there exists an ♥ quickly find secret ♥ such that 5 ♥ mod ♣ = 262682. (Warning: This is Could find ♥ by brute force. to attack the proto Is there a faster way? Maybe there are b

  4. The discrete-logarithm problem Typical cryptanalytic application: Define ♣ = 1000003. Imagine standard ♣ = 1000003 Easy to prove: ♣ is prime. in the Diffie-Hellman protocol. Chicago Can we find an integer User chooses secret key ♥ , publishes 5 ♥ mod ♣ = 262682. ♥ ✷ ❢ 1 ❀ 2 ❀ 3 ❀ ✿ ✿ ✿ ❀ ♣ � 1 ❣ such that 5 ♥ mod ♣ = 262682? Can attacker quickly solve Easy to prove: ♥ ✼✦ 5 ♥ mod ♣ the discrete-logarithm problem? Given public key 5 ♥ mod ♣ , permutes ❢ 1 ❀ 2 ❀ 3 ❀ ✿ ✿ ✿ ❀ ♣ � 1 ❣ . So there exists an ♥ quickly find secret key ♥ ? such that 5 ♥ mod ♣ = 262682. (Warning: This is one way Could find ♥ by brute force. to attack the protocol. Is there a faster way? Maybe there are better ways.)

  5. The discrete-logarithm problem Typical cryptanalytic application: Define ♣ = 1000003. Imagine standard ♣ = 1000003 Easy to prove: ♣ is prime. in the Diffie-Hellman protocol. Can we find an integer User chooses secret key ♥ , publishes 5 ♥ mod ♣ = 262682. ♥ ✷ ❢ 1 ❀ 2 ❀ 3 ❀ ✿ ✿ ✿ ❀ ♣ � 1 ❣ such that 5 ♥ mod ♣ = 262682? Can attacker quickly solve Easy to prove: ♥ ✼✦ 5 ♥ mod ♣ the discrete-logarithm problem? Given public key 5 ♥ mod ♣ , permutes ❢ 1 ❀ 2 ❀ 3 ❀ ✿ ✿ ✿ ❀ ♣ � 1 ❣ . So there exists an ♥ quickly find secret key ♥ ? such that 5 ♥ mod ♣ = 262682. (Warning: This is one way Could find ♥ by brute force. to attack the protocol. Is there a faster way? Maybe there are better ways.)

  6. discrete-logarithm problem Typical cryptanalytic application: Relations ♣ = 1000003. Imagine standard ♣ = 1000003 1. Some to prove: ♣ is prime. in the Diffie-Hellman protocol. to elliptic-curve Use in evaluating e find an integer User chooses secret key ♥ , security publishes 5 ♥ mod ♣ = 262682. ♥ ✷ ❢ ❀ 2 ❀ 3 ❀ ✿ ✿ ✿ ❀ ♣ � 1 ❣ that 5 ♥ mod ♣ = 262682? 2. Some Can attacker quickly solve Use in evaluating to prove: ♥ ✼✦ 5 ♥ mod ♣ the discrete-logarithm problem? advantages Given public key 5 ♥ mod ♣ , ermutes ❢ 1 ❀ 2 ❀ 3 ❀ ✿ ✿ ✿ ❀ ♣ � 1 ❣ . compared there exists an ♥ quickly find secret key ♥ ? that 5 ♥ mod ♣ = 262682. 3. Tricky: (Warning: This is one way extra applications find ♥ by brute force. to attack the protocol. See Tanja there a faster way? Maybe there are better ways.) on Weil

  7. discrete-logarithm problem Typical cryptanalytic application: Relations to ECC: ♣ 1000003. Imagine standard ♣ = 1000003 1. Some DL techniques ♣ is prime. in the Diffie-Hellman protocol. to elliptic-curve DL Use in evaluating integer User chooses secret key ♥ , security of an elliptic publishes 5 ♥ mod ♣ = 262682. ♥ ✷ ❢ ❀ ❀ ❀ ✿ ✿ ✿ ❀ ♣ � 1 ❣ ♥ d ♣ = 262682? 2. Some techniques Can attacker quickly solve Use in evaluating ♥ ✼✦ 5 ♥ mod ♣ the discrete-logarithm problem? advantages of elliptic Given public key 5 ♥ mod ♣ , ❢ ❀ ❀ ❀ ✿ ✿ ✿ ❀ ♣ � 1 ❣ . compared to multiplication. an ♥ quickly find secret key ♥ ? ♥ d ♣ = 262682. 3. Tricky: Some techniques (Warning: This is one way extra applications ♥ brute force. to attack the protocol. See Tanja Lange’s way? Maybe there are better ways.) on Weil descent etc.

  8. roblem Typical cryptanalytic application: Relations to ECC: ♣ Imagine standard ♣ = 1000003 1. Some DL techniques also ♣ in the Diffie-Hellman protocol. to elliptic-curve DL problems. Use in evaluating User chooses secret key ♥ , security of an elliptic curve. publishes 5 ♥ mod ♣ = 262682. ♥ ✷ ❢ ❀ ❀ ❀ ✿ ✿ ✿ ❀ ♣ � ❣ ♥ ♣ 262682? 2. Some techniques don’t apply Can attacker quickly solve Use in evaluating ♥ mod ♣ the discrete-logarithm problem? ♥ ✼✦ advantages of elliptic curves Given public key 5 ♥ mod ♣ , ❢ ❀ ❀ ❀ ✿ ✿ ✿ ❀ ♣ � 1 ❣ . compared to multiplication. ♥ quickly find secret key ♥ ? ♥ ♣ 262682. 3. Tricky: Some techniques (Warning: This is one way extra applications to some curves. ♥ rce. to attack the protocol. See Tanja Lange’s talk Maybe there are better ways.) on Weil descent etc.

  9. Typical cryptanalytic application: Relations to ECC: Imagine standard ♣ = 1000003 1. Some DL techniques also apply in the Diffie-Hellman protocol. to elliptic-curve DL problems. Use in evaluating User chooses secret key ♥ , security of an elliptic curve. publishes 5 ♥ mod ♣ = 262682. 2. Some techniques don’t apply. Can attacker quickly solve Use in evaluating the discrete-logarithm problem? advantages of elliptic curves Given public key 5 ♥ mod ♣ , compared to multiplication. quickly find secret key ♥ ? 3. Tricky: Some techniques have (Warning: This is one way extra applications to some curves. to attack the protocol. See Tanja Lange’s talk Maybe there are better ways.) on Weil descent etc.

  10. ypical cryptanalytic application: Relations to ECC: Understanding Imagine standard ♣ = 1000003 1. Some DL techniques also apply Can compute 5 1 mod ♣ Diffie-Hellman protocol. to elliptic-curve DL problems. 5 2 mod ♣ Use in evaluating chooses secret key ♥ , 5 3 mod ♣ security of an elliptic curve. ✿ ✿ ✿ publishes 5 ♥ mod ♣ = 262682. 5 8 mod ♣ 2. Some techniques don’t apply. 5 9 mod ♣ attacker quickly solve ✿ ✿ ✿ Use in evaluating discrete-logarithm problem? 5 1000002 ♣ advantages of elliptic curves public key 5 ♥ mod ♣ , compared to multiplication. At some ♥ quickly find secret key ♥ ? with 5 ♥ mo ♣ 3. Tricky: Some techniques have rning: This is one way extra applications to some curves. Maximum attack the protocol. See Tanja Lange’s talk ✔ ♣ � 1 ♣ there are better ways.) on Weil descent etc. ✔ ♣ � 1 that does

  11. cryptanalytic application: Relations to ECC: Understanding brute rd ♣ = 1000003 1. Some DL techniques also apply Can compute successively 5 1 mod ♣ = 5, Diffie-Hellman protocol. to elliptic-curve DL problems. 5 2 mod ♣ = 25, Use in evaluating secret key ♥ , 5 3 mod ♣ = 125, ✿ ✿ ✿ security of an elliptic curve. ♥ d ♣ = 262682. 5 8 mod ♣ = 390625, 2. Some techniques don’t apply. 5 9 mod ♣ = 953122, ✿ ✿ ✿ quickly solve Use in evaluating 5 1000002 mod ♣ = 1. rithm problem? advantages of elliptic curves 5 ♥ mod ♣ , compared to multiplication. At some point we’ll ♥ secret key ♥ ? with 5 ♥ mod ♣ = 262682. 3. Tricky: Some techniques have is one way extra applications to some curves. Maximum cost of rotocol. See Tanja Lange’s talk ✔ ♣ � 1 mults by 5 ♣ better ways.) on Weil descent etc. ✔ ♣ � 1 nanoseconds that does 1 mult/nanosecond.

  12. application: Relations to ECC: Understanding brute force ♣ 1000003 1. Some DL techniques also apply Can compute successively 5 1 mod ♣ = 5, rotocol. to elliptic-curve DL problems. 5 2 mod ♣ = 25, Use in evaluating ♥ , 5 3 mod ♣ = 125, ✿ ✿ ✿ , security of an elliptic curve. ♥ ♣ 262682. 5 8 mod ♣ = 390625, 2. Some techniques don’t apply. 5 9 mod ♣ = 953122, ✿ ✿ ✿ , Use in evaluating 5 1000002 mod ♣ = 1. roblem? advantages of elliptic curves ♥ ♣ , compared to multiplication. At some point we’ll find ♥ ♥ with 5 ♥ mod ♣ = 262682. 3. Tricky: Some techniques have y extra applications to some curves. Maximum cost of computation: See Tanja Lange’s talk ✔ ♣ � 1 mults by 5 mod ♣ ; ys.) on Weil descent etc. ✔ ♣ � 1 nanoseconds on a CPU that does 1 mult/nanosecond.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Generic attacks and index calculus D. J. Bernstein University of Illinois at Chicago The

Generic attacks and index calculus D. J. Bernstein University of Illinois at Chicago The

Generic attacks and index calculus D. J. Bernstein University of Illinois at Chicago The discrete-logarithm problem p = 1000003. Define p is prime. Easy to prove: Can we find an integer n 2 f 1 ; 2 ; 3 ; : : : ; p 1 g n mod p =

279 views • 26 slides
On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the

On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the

On the discrete logarithm problem in elliptic curves Claus Diem University of Leipzig On the discrete logarithm problem in elliptic curves p.1/37 Some history At ECC 2004 in Bochum, Pierrick Gaudry presented an index calculus algorithm

897 views • 67 slides
Discrete logarithm problem for matrices over finite group rings Alex Myasnikov Stevens Institute

Discrete logarithm problem for matrices over finite group rings Alex Myasnikov Stevens Institute

Discrete logarithm problem for matrices over finite group rings Alex Myasnikov Stevens Institute of Technology Discrete logarithm problem. The discrete logarithm problem (DLP) in a finite cyclic group G : for any pair g , h G find a

673 views • 18 slides
On the discrete logarithm problem in finite fields Pierrick Gaudry CNRS, Universit de

On the discrete logarithm problem in finite fields Pierrick Gaudry CNRS, Universit de

On the discrete logarithm problem in finite fields Pierrick Gaudry CNRS, Universit de Lorraine, Inria Nancy, France joint work with Razvan Barbulescu, Antoine Joux, Emmanuel Thom RICAM Linz, Austria 1/42 Plan Background Recent

598 views • 49 slides
Index Calculus Applied to Elliptic Curves Whats the Problem? Elliptic Curve Discrete

Index Calculus Applied to Elliptic Curves Whats the Problem? Elliptic Curve Discrete

Index Calculus Applied to Elliptic Curves Whats the Problem? Elliptic Curve Discrete Logarithm Problem (ECDLP) Typical DLP: Find a such that a = , given and ECDLP: Find k such that P=kQ, given P and Q How do

1.58k views • 16 slides
The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. -Pollard and CUDA. Conclusions The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards algorithm for ECDLP Alberto

1.52k views • 103 slides
Discrete Log Problem Discrete Log Problem Given a prime number p Z * x

Discrete Log Problem Discrete Log Problem Given a prime number p Z * x

Discrete Log Problem Discrete Log Problem Given a prime number p Z * x (mod p ) Given a prime number p , Z p , (mod p ) finding x is called the discrete logarithm problem Not every discrete

640 views • 11 slides
Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Counting points on elliptic curves over F q Christiane Peters DIAMANT-Summer School on Elliptic and Hyperelliptic Curve Cryptography September 17, 2008 Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm

587 views • 30 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Algebraic approaches for the Elliptic Curve Discrete Logarithm Problem over Prime Fields

Algebraic approaches for the Elliptic Curve Discrete Logarithm Problem over Prime Fields

Algebraic approaches for the Elliptic Curve Discrete Logarithm Problem over Prime Fields Christophe Petit, Michiel Kosters, Ange Messeng University of Oxford, University of California Irvine, University of Passau Christophe Petit - PKC2016 -

562 views • 41 slides
Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster Erich Wenger and

Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster Erich Wenger and

Solving the Discrete Logarithm of a 113-bit Koblitz Curve with an FPGA Cluster Erich Wenger and Paul Wolfger Graz University of Technology WECC 2014, Chennai, India We solved the discrete logarithm of a 113-bit Koblitz Curve.

572 views • 34 slides
The Discrete Logarithm Problem with Preprocessing Henry Corrigan-Gibbs and Dmitry Kogan Stanford

The Discrete Logarithm Problem with Preprocessing Henry Corrigan-Gibbs and Dmitry Kogan Stanford

The Discrete Logarithm Problem with Preprocessing Henry Corrigan-Gibbs and Dmitry Kogan Stanford University Eurocrypt 1 May 2018 Tel Aviv, Israel 38 Signatures (DSA and Schnorr) 39 DH key Signatures exchange (DSA and Schnorr) 40

1.63k views • 134 slides
On Using Torsion Points in the Elliptic Curve Index Calculus Gu ena el Renault Sorbonne

On Using Torsion Points in the Elliptic Curve Index Calculus Gu ena el Renault Sorbonne

On Using Torsion Points in the Elliptic Curve Index Calculus Gu ena el Renault Sorbonne Universit es UPMC, INRIA, CNRS LIP6 1/43 General Context Discrete Logarithm Problem (DLP) Given a finite cyclic group ( G = g , +) and h

595 views • 56 slides
Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms

Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms

Introduction Hash-based MACs State recovery Universal forgery Key-recovery Conclusion Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 1 / 59 Gatan Leurent Inria Rocquencourt,

1.71k views • 102 slides
New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

Introduction New generic attacks HMAC-GOST key-recovery Conclusion New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs Asiacrypt 2013 1 / 22 . . . . . . . . . . . . . . . . . Gatan Leurent,

759 views • 52 slides
The DLP Problem Consider G, having order n. < >={ i :0 i n-1} is a

The DLP Problem Consider G, having order n. < >={ i :0 i n-1} is a

The Discrete Logarithm Problem Debdeep Mukhopadhyay IIT Kharagpur The DLP Problem Consider G, having order n. < >={ i :0 i n-1} is a cyclic sub-group of G having order n. 1 Cryptographic Utility of DLP For

334 views • 9 slides
Extending Code Genera/on to Support Pla6orm-Independent Event-B Models Asieh Salehi, Michael

Extending Code Genera/on to Support Pla6orm-Independent Event-B Models Asieh Salehi, Michael

Extending Code Genera/on to Support Pla6orm-Independent Event-B Models Asieh Salehi, Michael Butler, Colin Snook University of Southampton, Southampton, United Kingdom 6th Rodin User and Developer Workshop, 23 May, 2016, Linz, Austria

452 views • 17 slides
GENERAL OVERVIEW OF THE BABEL DEMONSTRATOR SYSTEM RESPITE PROJECT www.babeltech.com

GENERAL OVERVIEW OF THE BABEL DEMONSTRATOR SYSTEM RESPITE PROJECT www.babeltech.com

The Speech Solution GENERAL OVERVIEW OF THE BABEL DEMONSTRATOR SYSTEM RESPITE PROJECT www.babeltech.com www.infovox.se The Speech Solution Some General features Based on the wavesurfer program developped by KTH. Why ? Platform

488 views • 14 slides
Our Re-Opening and Our Housing June 23, 2020 All participants are in listen-only mode

Our Re-Opening and Our Housing June 23, 2020 All participants are in listen-only mode

The country is re-opening and so is Nevada. As we move through this stage of the pandemic, what are some of our most immediate housing needs ? What are others around the country observing with their COVID-19 housing assistance programs? How are some

1.02k views • 44 slides
Acknowledgments S.Sudarshan ArvindHulgeri B.Aditya Parag Two extreme search paradigms

Acknowledgments S.Sudarshan ArvindHulgeri B.Aditya Parag Two extreme search paradigms

Text Search for Fine-grained Semi-structured Data Soumen Chakrabarti Indian Institute of Technology, Bombay www.cse.iitb.ac.in/~soumen/ Acknowledgments S.Sudarshan ArvindHulgeri B.Aditya Parag Two extreme search

594 views • 24 slides
Israels Chronology Egypt Ex 1-11 Egypt Sinai

Israels Chronology Egypt Ex 1-11 Egypt Sinai

Israels Chronology Egypt Ex 1-11 Egypt Sinai Ex 12-18 Sinai Ex 19-Num 10 Sinai Kadesh Num 10-12 Kadesh Num 13-20 Kadesh Moab Num 20-21

698 views • 20 slides
? 10 3 . 85 6 K K pH [ H ] w w [ OH ] K C

? 10 3 . 85 6 K K pH [ H ] w w [ OH ] K C

CEE 680 Lecture #16 2/21/2020 Print version Updated: 21 February 2020 Lecture #16 Buffers & Titrations (Benjamin, Chapter 5) (Stumm & Morgan, Chapt.1 3 ) David Reckhow CEE 680 #16 1 Titrations of Acids and Bases Weak acid

679 views • 10 slides
Thinking Like a Chemist About Acids and Bases Part III UNIT 6 DAY 5 Work on Activity, Part I

Thinking Like a Chemist About Acids and Bases Part III UNIT 6 DAY 5 Work on Activity, Part I

Thinking Like a Chemist About Acids and Bases Part III UNIT 6 DAY 5 Work on Activity, Part I Poll: Clicker Question Calculate the K a of a weak acid. The pH of a 0.2 M aqueous solution of crotonic acid is 2.69. What is the percent ionization

394 views • 11 slides
Slide 1 / 48 1 According to the Arrhenius concept, an acid is a substance that __________. A

Slide 1 / 48 1 According to the Arrhenius concept, an acid is a substance that __________. A

Slide 1 / 48 1 According to the Arrhenius concept, an acid is a substance that __________. A is capable of donating one or more H+ causes an increase in the concentration of H+ in B aqueous solutions can accept a pair of electrons to form a

553 views • 16 slides

More recommend