hashing to elliptic curves and cryptanalysis of rsa based
play

Hashing to Elliptic Curves and Cryptanalysis of RSA-Based Schemes - PowerPoint PPT Presentation

Jan 11, 2024 •466 likes •2.09k views

Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Hashing to Elliptic Curves and Cryptanalysis of RSA-Based Schemes Mehdi Tibouchi Ecole normale sup erieure Ph.D. Defense 20110923 Introduction RSA

  1. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion RSA signatures (textbook ver.) • “Public key”: to authenticate herself to Bob, Alice doesn’t need to share a secret with him. She can sign messages and those signatures can be checked by anyone. • The scheme is as follows: • Key generation: Alice picks random large primes p , q and computes N = pq . She chooses e coprime to ϕ ( N ) = ( p − 1 )( q − 1 ) , and computes d the inverse of e mod ϕ ( N ) . She makes ( N , e ) public and keeps p , q , d secret. • Signature: the signature on a message m is σ = m d mod N . • Verification: to check that the signature σ on m is valid, Bob verifies that σ e ≡ m ( mod N ) . • The scheme is correct, because by Euler’s theorem σ e ≡ m ed ≡ m ( mod N ) . • Recovering the secret key d from the public key ( N , e ) is as hard as factoring the RSA modulus N .

  2. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion RSA signatures (textbook ver.) • “Public key”: to authenticate herself to Bob, Alice doesn’t need to share a secret with him. She can sign messages and those signatures can be checked by anyone. • The scheme is as follows: • Key generation: Alice picks random large primes p , q and computes N = pq . She chooses e coprime to ϕ ( N ) = ( p − 1 )( q − 1 ) , and computes d the inverse of e mod ϕ ( N ) . She makes ( N , e ) public and keeps p , q , d secret. • Signature: the signature on a message m is σ = m d mod N . • Verification: to check that the signature σ on m is valid, Bob verifies that σ e ≡ m ( mod N ) . • The scheme is correct, because by Euler’s theorem σ e ≡ m ed ≡ m ( mod N ) . • Recovering the secret key d from the public key ( N , e ) is as hard as factoring the RSA modulus N .

  3. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion The importance of padding functions • As such, the scheme is not secure. For example, if Alice publishes signatures σ 1 ,σ 2 on messages m 1 , m 2 , then anyone can forge a signature on the product m 1 ⋅ m 2 : simply σ = σ 1 ⋅ σ 2 mod N . • The usual solution is to apply the RSA function not to m itself but to µ ( m ) for some public function µ , called a padding: σ = µ ( m ) d mod N • In applications until the 1990s, µ was constructed to be fast and thwart some known attacks, but with no proof of security: ad-hoc paddings, many of which have been shown to be flawed (example in this thesis). • Recently, provably secure paddings have been constructed, at least in the idealized “random oracle model”. For example, the RSA signature scheme obtained by choosing µ as a full-length random oracle (FDH) is secure.

  4. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion The importance of padding functions • As such, the scheme is not secure. For example, if Alice publishes signatures σ 1 ,σ 2 on messages m 1 , m 2 , then anyone can forge a signature on the product m 1 ⋅ m 2 : simply σ = σ 1 ⋅ σ 2 mod N . • The usual solution is to apply the RSA function not to m itself but to µ ( m ) for some public function µ , called a padding: σ = µ ( m ) d mod N • In applications until the 1990s, µ was constructed to be fast and thwart some known attacks, but with no proof of security: ad-hoc paddings, many of which have been shown to be flawed (example in this thesis). • Recently, provably secure paddings have been constructed, at least in the idealized “random oracle model”. For example, the RSA signature scheme obtained by choosing µ as a full-length random oracle (FDH) is secure.

  5. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion The importance of padding functions • As such, the scheme is not secure. For example, if Alice publishes signatures σ 1 ,σ 2 on messages m 1 , m 2 , then anyone can forge a signature on the product m 1 ⋅ m 2 : simply σ = σ 1 ⋅ σ 2 mod N . • The usual solution is to apply the RSA function not to m itself but to µ ( m ) for some public function µ , called a padding: σ = µ ( m ) d mod N • In applications until the 1990s, µ was constructed to be fast and thwart some known attacks, but with no proof of security: ad-hoc paddings, many of which have been shown to be flawed (example in this thesis). • Recently, provably secure paddings have been constructed, at least in the idealized “random oracle model”. For example, the RSA signature scheme obtained by choosing µ as a full-length random oracle (FDH) is secure.

  6. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion The importance of padding functions • As such, the scheme is not secure. For example, if Alice publishes signatures σ 1 ,σ 2 on messages m 1 , m 2 , then anyone can forge a signature on the product m 1 ⋅ m 2 : simply σ = σ 1 ⋅ σ 2 mod N . • The usual solution is to apply the RSA function not to m itself but to µ ( m ) for some public function µ , called a padding: σ = µ ( m ) d mod N • In applications until the 1990s, µ was constructed to be fast and thwart some known attacks, but with no proof of security: ad-hoc paddings, many of which have been shown to be flawed (example in this thesis). • Recently, provably secure paddings have been constructed, at least in the idealized “random oracle model”. For example, the RSA signature scheme obtained by choosing µ as a full-length random oracle (FDH) is secure.

  7. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Fault attacks • Security in traditional cryptography: against adversaries that “follow the rules” and try to break a mathematical problem. • Real-world adversaries want to break a physical cryptographic device. • Thus, they have more powerful attacks at their disposal. Side channels: passively exploit the physical leakage (time, heat, power consumption, etc.) of the device to gain additional information; Faults: actively induce device malfunction (power spikes, overheating, laser beams, etc.) to cause exploitable errors in computations. • Even provably secure schemes like FDH do not necessarily remain secure against such attacks!

  8. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Fault attacks • Security in traditional cryptography: against adversaries that “follow the rules” and try to break a mathematical problem. • Real-world adversaries want to break a physical cryptographic device. • Thus, they have more powerful attacks at their disposal. Side channels: passively exploit the physical leakage (time, heat, power consumption, etc.) of the device to gain additional information; Faults: actively induce device malfunction (power spikes, overheating, laser beams, etc.) to cause exploitable errors in computations. • Even provably secure schemes like FDH do not necessarily remain secure against such attacks!

  9. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Fault attacks • Security in traditional cryptography: against adversaries that “follow the rules” and try to break a mathematical problem. • Real-world adversaries want to break a physical cryptographic device. • Thus, they have more powerful attacks at their disposal. Side channels: passively exploit the physical leakage (time, heat, power consumption, etc.) of the device to gain additional information; Faults: actively induce device malfunction (power spikes, overheating, laser beams, etc.) to cause exploitable errors in computations. • Even provably secure schemes like FDH do not necessarily remain secure against such attacks!

  10. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Fault attacks • Security in traditional cryptography: against adversaries that “follow the rules” and try to break a mathematical problem. • Real-world adversaries want to break a physical cryptographic device. • Thus, they have more powerful attacks at their disposal. Side channels: passively exploit the physical leakage (time, heat, power consumption, etc.) of the device to gain additional information; Faults: actively induce device malfunction (power spikes, overheating, laser beams, etc.) to cause exploitable errors in computations. • Even provably secure schemes like FDH do not necessarily remain secure against such attacks!

  11. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Fault attacks • Security in traditional cryptography: against adversaries that “follow the rules” and try to break a mathematical problem. • Real-world adversaries want to break a physical cryptographic device. • Thus, they have more powerful attacks at their disposal. Side channels: passively exploit the physical leakage (time, heat, power consumption, etc.) of the device to gain additional information; Faults: actively induce device malfunction (power spikes, overheating, laser beams, etc.) to cause exploitable errors in computations. • Even provably secure schemes like FDH do not necessarily remain secure against such attacks!

  12. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Fault attacks • Security in traditional cryptography: against adversaries that “follow the rules” and try to break a mathematical problem. • Real-world adversaries want to break a physical cryptographic device. • Thus, they have more powerful attacks at their disposal. Side channels: passively exploit the physical leakage (time, heat, power consumption, etc.) of the device to gain additional information; Faults: actively induce device malfunction (power spikes, overheating, laser beams, etc.) to cause exploitable errors in computations. • Even provably secure schemes like FDH do not necessarily remain secure against such attacks!

  13. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Signing with RSA-CRT • RSA remains the most widely used signature scheme today. It is implemented in many embedded applications (esp. smart cards). • However, modular exponentiation is rather slow. • Very commonly used improvement: using the Chinese Remainder Theorem. 1. σ p = µ ( m ) d mod p 2. σ q = µ ( m ) d mod q 3. σ = CRT ( σ p ,σ q ) mod N • Roughly 4-fold speed-up.

  14. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Signing with RSA-CRT • RSA remains the most widely used signature scheme today. It is implemented in many embedded applications (esp. smart cards). • However, modular exponentiation is rather slow. • Very commonly used improvement: using the Chinese Remainder Theorem. 1. σ p = µ ( m ) d mod p 2. σ q = µ ( m ) d mod q 3. σ = CRT ( σ p ,σ q ) mod N • Roughly 4-fold speed-up.

  15. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Signing with RSA-CRT • RSA remains the most widely used signature scheme today. It is implemented in many embedded applications (esp. smart cards). • However, modular exponentiation is rather slow. • Very commonly used improvement: using the Chinese Remainder Theorem. 1. σ p = µ ( m ) d mod p 2. σ q = µ ( m ) d mod q 3. σ = CRT ( σ p ,σ q ) mod N • Roughly 4-fold speed-up.

  16. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Signing with RSA-CRT • RSA remains the most widely used signature scheme today. It is implemented in many embedded applications (esp. smart cards). • However, modular exponentiation is rather slow. • Very commonly used improvement: using the Chinese Remainder Theorem. 1. σ p = µ ( m ) d mod p 2. σ q = µ ( m ) d mod q 3. σ = CRT ( σ p ,σ q ) mod N • Roughly 4-fold speed-up.

  17. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion The Boneh-DeMillo-Lipton fault attack (1997) • The problem with CRT: fault attacks. • A fault in signature generation makes it possible to recover the secret key! 1. σ p = µ ( m ) d mod p q ≠ µ ( m ) d mod q 2. σ ′ ← fault 3. σ ′ = CRT ( σ p ,σ ′ q ) mod N ← faulty signature • Then σ ′ e is µ ( m ) mod p but not mod q , so the attacker can then factor N : p = gcd ( σ ′ e − µ ( m ) , N ) • This attack applies to any deterministic padding, including provably secure ones like FDH.

  18. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion The Boneh-DeMillo-Lipton fault attack (1997) • The problem with CRT: fault attacks. • A fault in signature generation makes it possible to recover the secret key! 1. σ p = µ ( m ) d mod p q ≠ µ ( m ) d mod q 2. σ ′ ← fault 3. σ ′ = CRT ( σ p ,σ ′ q ) mod N ← faulty signature • Then σ ′ e is µ ( m ) mod p but not mod q , so the attacker can then factor N : p = gcd ( σ ′ e − µ ( m ) , N ) • This attack applies to any deterministic padding, including provably secure ones like FDH.

  19. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion The Boneh-DeMillo-Lipton fault attack (1997) • The problem with CRT: fault attacks. • A fault in signature generation makes it possible to recover the secret key! 1. σ p = µ ( m ) d mod p q ≠ µ ( m ) d mod q 2. σ ′ ← fault 3. σ ′ = CRT ( σ p ,σ ′ q ) mod N ← faulty signature • Then σ ′ e is µ ( m ) mod p but not mod q , so the attacker can then factor N : p = gcd ( σ ′ e − µ ( m ) , N ) • This attack applies to any deterministic padding, including provably secure ones like FDH.

  20. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion The Boneh-DeMillo-Lipton fault attack (1997) • The problem with CRT: fault attacks. • A fault in signature generation makes it possible to recover the secret key! 1. σ p = µ ( m ) d mod p q ≠ µ ( m ) d mod q 2. σ ′ ← fault 3. σ ′ = CRT ( σ p ,σ ′ q ) mod N ← faulty signature • Then σ ′ e is µ ( m ) mod p but not mod q , so the attacker can then factor N : p = gcd ( σ ′ e − µ ( m ) , N ) • This attack applies to any deterministic padding, including provably secure ones like FDH.

  21. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion The Boneh-DeMillo-Lipton fault attack (1997) • The problem with CRT: fault attacks. • A fault in signature generation makes it possible to recover the secret key! 1. σ p = µ ( m ) d mod p q ≠ µ ( m ) d mod q 2. σ ′ ← fault 3. σ ′ = CRT ( σ p ,σ ′ q ) mod N ← faulty signature • Then σ ′ e is µ ( m ) mod p but not mod q , so the attacker can then factor N : p = gcd ( σ ′ e − µ ( m ) , N ) • This attack applies to any deterministic padding, including provably secure ones like FDH.

  22. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion The Boneh-DeMillo-Lipton fault attack (1997) • The problem with CRT: fault attacks. • A fault in signature generation makes it possible to recover the secret key! 1. σ p = µ ( m ) d mod p q ≠ µ ( m ) d mod q 2. σ ′ ← fault 3. σ ′ = CRT ( σ p ,σ ′ q ) mod N ← faulty signature • Then σ ′ e is µ ( m ) mod p but not mod q , so the attacker can then factor N : p = gcd ( σ ′ e − µ ( m ) , N ) • This attack applies to any deterministic padding, including provably secure ones like FDH.

  23. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion The Boneh-DeMillo-Lipton fault attack (1997) • The problem with CRT: fault attacks. • A fault in signature generation makes it possible to recover the secret key! 1. σ p = µ ( m ) d mod p q ≠ µ ( m ) d mod q 2. σ ′ ← fault 3. σ ′ = CRT ( σ p ,σ ′ q ) mod N ← faulty signature • Then σ ′ e is µ ( m ) mod p but not mod q , so the attacker can then factor N : p = gcd ( σ ′ e − µ ( m ) , N ) • This attack applies to any deterministic padding, including provably secure ones like FDH.

  24. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Shamir’s trick • Faults against RSA-CRT signatures have been an active research subject since then. Many variants and countermeasures have been proposed. • One simple countermeasure due to Shamir is to compute the signature as follows ( r is a small fixed integer like 2 31 − 1): p = µ ( m ) d mod r ⋅ p 1. σ + q = µ ( m ) d mod r ⋅ q 2. σ + 3. if σ + p / ≡ σ + q ( mod r ) , abort 4. σ = CRT ( σ + p ,σ + q ) mod N • If one of the half-exponentiations is perturbed, signature generation is very likely to abort, and hence the fault attacker cannot factor anymore!

  25. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Shamir’s trick • Faults against RSA-CRT signatures have been an active research subject since then. Many variants and countermeasures have been proposed. • One simple countermeasure due to Shamir is to compute the signature as follows ( r is a small fixed integer like 2 31 − 1): p = µ ( m ) d mod r ⋅ p 1. σ + q = µ ( m ) d mod r ⋅ q 2. σ + 3. if σ + p / ≡ σ + q ( mod r ) , abort 4. σ = CRT ( σ + p ,σ + q ) mod N • If one of the half-exponentiations is perturbed, signature generation is very likely to abort, and hence the fault attacker cannot factor anymore!

  26. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Shamir’s trick • Faults against RSA-CRT signatures have been an active research subject since then. Many variants and countermeasures have been proposed. • One simple countermeasure due to Shamir is to compute the signature as follows ( r is a small fixed integer like 2 31 − 1): p = µ ( m ) d mod r ⋅ p 1. σ + q = µ ( m ) d mod r ⋅ q 2. σ + 3. if σ + p / ≡ σ + q ( mod r ) , abort 4. σ = CRT ( σ + p ,σ + q ) mod N • If one of the half-exponentiations is perturbed, signature generation is very likely to abort, and hence the fault attacker cannot factor anymore!

  27. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Outline Introduction RSA Cryptanalysis RSA-CRT signatures Modulus fault attacks Hashing to Elliptic Curves Elliptic curve cryptography Hashing to elliptic curves Constructing good hash functions

  28. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Attacking the modulus • A lot of work has been invested into protecting the exponentiations in RSA-CRT signature generation. • So what about attacking another part of the algorithm? • Idea: attack the modular reduction instead! 1. σ p = µ ( m ) d mod p ← correct 2. σ q = µ ( m ) d mod q ← correct 3. σ ′ = CRT ( σ p ,σ q ) mod N ′ ← faulty signature: wrong modular reduction! • This new, strange type of faults can also be used to factor N .

  29. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Attacking the modulus • A lot of work has been invested into protecting the exponentiations in RSA-CRT signature generation. • So what about attacking another part of the algorithm? • Idea: attack the modular reduction instead! 1. σ p = µ ( m ) d mod p ← correct 2. σ q = µ ( m ) d mod q ← correct 3. σ ′ = CRT ( σ p ,σ q ) mod N ′ ← faulty signature: wrong modular reduction! • This new, strange type of faults can also be used to factor N .

  30. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Attacking the modulus • A lot of work has been invested into protecting the exponentiations in RSA-CRT signature generation. • So what about attacking another part of the algorithm? • Idea: attack the modular reduction instead! 1. σ p = µ ( m ) d mod p ← correct 2. σ q = µ ( m ) d mod q ← correct 3. σ ′ = CRT ( σ p ,σ q ) mod N ′ ← faulty signature: wrong modular reduction! • This new, strange type of faults can also be used to factor N .

  31. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Attacking the modulus • A lot of work has been invested into protecting the exponentiations in RSA-CRT signature generation. • So what about attacking another part of the algorithm? • Idea: attack the modular reduction instead! 1. σ p = µ ( m ) d mod p ← correct 2. σ q = µ ( m ) d mod q ← correct 3. σ ′ = CRT ( σ p ,σ q ) mod N ′ ← faulty signature: wrong modular reduction! • This new, strange type of faults can also be used to factor N .

  32. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Attacking the modulus • A lot of work has been invested into protecting the exponentiations in RSA-CRT signature generation. • So what about attacking another part of the algorithm? • Idea: attack the modular reduction instead! 1. σ p = µ ( m ) d mod p ← correct 2. σ q = µ ( m ) d mod q ← correct 3. σ ′ = CRT ( σ p ,σ q ) mod N ′ ← faulty signature: wrong modular reduction! • This new, strange type of faults can also be used to factor N .

  33. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Attacking the modulus • A lot of work has been invested into protecting the exponentiations in RSA-CRT signature generation. • So what about attacking another part of the algorithm? • Idea: attack the modular reduction instead! 1. σ p = µ ( m ) d mod p ← correct 2. σ q = µ ( m ) d mod q ← correct 3. σ ′ = CRT ( σ p ,σ q ) mod N ′ ← faulty signature: wrong modular reduction! • This new, strange type of faults can also be used to factor N .

  34. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Attacking the modulus • A lot of work has been invested into protecting the exponentiations in RSA-CRT signature generation. • So what about attacking another part of the algorithm? • Idea: attack the modular reduction instead! 1. σ p = µ ( m ) d mod p ← correct 2. σ q = µ ( m ) d mod q ← correct 3. σ ′ = CRT ( σ p ,σ q ) mod N ′ ← faulty signature: wrong modular reduction! • This new, strange type of faults can also be used to factor N .

  35. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Using the fault (I) • More precisely, suppose we can obtain the same signature on a certain message twice, once correctly and once with a fault. Then we get: ⎧ ⎪ σ = CRT ( σ p ,σ q ) mod N ← correct ⎪ ⎨ σ ′ = CRT ( σ p ,σ q ) mod N ′ ⎪ ← faulty ⎪ ⎩ • Applying the CRT to these two relations, we obtain the value CRT ( σ p ,σ q ) mod NN ′ . • Now recall that: CRT ( σ p ,σ q ) = α ⋅ σ p + β ⋅ σ q where α = q ⋅ ( q − 1 mod p ) β = p ⋅ ( p − 1 mod q ) • In particular, CRT ( σ p ,σ q ) is an integer of size ≈ N 3 / 2 , so if we know it modulo NN ′ ≈ N 2 , we actually know its value in Z .

  36. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Using the fault (I) • More precisely, suppose we can obtain the same signature on a certain message twice, once correctly and once with a fault. Then we get: ⎧ ⎪ σ = CRT ( σ p ,σ q ) mod N ← correct ⎪ ⎨ σ ′ = CRT ( σ p ,σ q ) mod N ′ ⎪ ← faulty ⎪ ⎩ • Applying the CRT to these two relations, we obtain the value CRT ( σ p ,σ q ) mod NN ′ . • Now recall that: CRT ( σ p ,σ q ) = α ⋅ σ p + β ⋅ σ q where α = q ⋅ ( q − 1 mod p ) β = p ⋅ ( p − 1 mod q ) • In particular, CRT ( σ p ,σ q ) is an integer of size ≈ N 3 / 2 , so if we know it modulo NN ′ ≈ N 2 , we actually know its value in Z .

  37. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Using the fault (I) • More precisely, suppose we can obtain the same signature on a certain message twice, once correctly and once with a fault. Then we get: ⎧ ⎪ σ = CRT ( σ p ,σ q ) mod N ← correct ⎪ ⎨ σ ′ = CRT ( σ p ,σ q ) mod N ′ ⎪ ← faulty ⎪ ⎩ • Applying the CRT to these two relations, we obtain the value CRT ( σ p ,σ q ) mod NN ′ . • Now recall that: CRT ( σ p ,σ q ) = α ⋅ σ p + β ⋅ σ q where α = q ⋅ ( q − 1 mod p ) β = p ⋅ ( p − 1 mod q ) • In particular, CRT ( σ p ,σ q ) is an integer of size ≈ N 3 / 2 , so if we know it modulo NN ′ ≈ N 2 , we actually know its value in Z .

  38. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Using the fault (I) • More precisely, suppose we can obtain the same signature on a certain message twice, once correctly and once with a fault. Then we get: ⎧ ⎪ σ = CRT ( σ p ,σ q ) mod N ← correct ⎪ ⎨ σ ′ = CRT ( σ p ,σ q ) mod N ′ ⎪ ← faulty ⎪ ⎩ • Applying the CRT to these two relations, we obtain the value CRT ( σ p ,σ q ) mod NN ′ . • Now recall that: CRT ( σ p ,σ q ) = α ⋅ σ p + β ⋅ σ q where α = q ⋅ ( q − 1 mod p ) β = p ⋅ ( p − 1 mod q ) • In particular, CRT ( σ p ,σ q ) is an integer of size ≈ N 3 / 2 , so if we know it modulo NN ′ ≈ N 2 , we actually know its value in Z .

  39. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Using the fault (II) Each pair formed of a correct and of a faulty signature gives us an equation of the form: v = α ⋅ x + β ⋅ y where v is known, α,β are unknown, fixed and of size N , and x , y are unknown, of size N 1 / 2 , and depend on the signature. One such relation doesn’t get us far, but since ( x , y ) is small compared to ( α,β ) , we expect multiple relations of this form to allow us to recover the x ’s and y ’s, and hence factor N . So suppose we can obtain a vector v of ℓ CRT values, so that we have an equation: v = α x + β y The goal is to recover x and y from v . To do so, we can used a cryptanlytic technique introduced by Nguyen and Stern in the 1990s: orthogonal lattices.

  40. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Using the fault (II) Each pair formed of a correct and of a faulty signature gives us an equation of the form: v = α ⋅ x + β ⋅ y where v is known, α,β are unknown, fixed and of size N , and x , y are unknown, of size N 1 / 2 , and depend on the signature. One such relation doesn’t get us far, but since ( x , y ) is small compared to ( α,β ) , we expect multiple relations of this form to allow us to recover the x ’s and y ’s, and hence factor N . So suppose we can obtain a vector v of ℓ CRT values, so that we have an equation: v = α x + β y The goal is to recover x and y from v . To do so, we can used a cryptanlytic technique introduced by Nguyen and Stern in the 1990s: orthogonal lattices.

  41. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Using the fault (II) Each pair formed of a correct and of a faulty signature gives us an equation of the form: v = α ⋅ x + β ⋅ y where v is known, α,β are unknown, fixed and of size N , and x , y are unknown, of size N 1 / 2 , and depend on the signature. One such relation doesn’t get us far, but since ( x , y ) is small compared to ( α,β ) , we expect multiple relations of this form to allow us to recover the x ’s and y ’s, and hence factor N . So suppose we can obtain a vector v of ℓ CRT values, so that we have an equation: v = α x + β y The goal is to recover x and y from v . To do so, we can used a cryptanlytic technique introduced by Nguyen and Stern in the 1990s: orthogonal lattices.

  42. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Lattice attack overview • Compute a reduced basis ( b 1 ,..., b ℓ − 1 ) of the lattice of vectors in Z ℓ orthogonal to v . • Since v = α x + β y , the b i ’s satisfy: α ⟨ b i , x ⟩ + β ⟨ b i , y ⟩ = 0 • But the smallest nonzero solution ( s , t ) to α s + β t = 0 is of size ≈ N , so a given b i is either orthogonal to both x and y , or it is of norm > N 1 / 2 . • Only ℓ − 2 independent vectors orthogonal to both x and y , so b ℓ − 1 must be of length N . Thus the remaining vectors ( b 1 ,..., b ℓ − 2 ) form a lattice of volume ≈ N 3 / 2 / N 1 / 2 = N . Each of them is heuristically of length ≈ N 1 /( ℓ − 2 ) . As soon as ℓ ≥ 5, they are of length ≪ N 1 / 2 and thus orthogonal to x , y . • Compute a reduced basis ( x ′ , y ′ ) of the lattice of vectors orthogonal to ( b 1 ,..., b ℓ − 2 ) . The vectors x , y are in this lattice, and can be recovered by a quick exhaustive search!

  43. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Lattice attack overview • Compute a reduced basis ( b 1 ,..., b ℓ − 1 ) of the lattice of vectors in Z ℓ orthogonal to v . • Since v = α x + β y , the b i ’s satisfy: α ⟨ b i , x ⟩ + β ⟨ b i , y ⟩ = 0 • But the smallest nonzero solution ( s , t ) to α s + β t = 0 is of size ≈ N , so a given b i is either orthogonal to both x and y , or it is of norm > N 1 / 2 . • Only ℓ − 2 independent vectors orthogonal to both x and y , so b ℓ − 1 must be of length N . Thus the remaining vectors ( b 1 ,..., b ℓ − 2 ) form a lattice of volume ≈ N 3 / 2 / N 1 / 2 = N . Each of them is heuristically of length ≈ N 1 /( ℓ − 2 ) . As soon as ℓ ≥ 5, they are of length ≪ N 1 / 2 and thus orthogonal to x , y . • Compute a reduced basis ( x ′ , y ′ ) of the lattice of vectors orthogonal to ( b 1 ,..., b ℓ − 2 ) . The vectors x , y are in this lattice, and can be recovered by a quick exhaustive search!

  44. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Lattice attack overview • Compute a reduced basis ( b 1 ,..., b ℓ − 1 ) of the lattice of vectors in Z ℓ orthogonal to v . • Since v = α x + β y , the b i ’s satisfy: α ⟨ b i , x ⟩ + β ⟨ b i , y ⟩ = 0 • But the smallest nonzero solution ( s , t ) to α s + β t = 0 is of size ≈ N , so a given b i is either orthogonal to both x and y , or it is of norm > N 1 / 2 . • Only ℓ − 2 independent vectors orthogonal to both x and y , so b ℓ − 1 must be of length N . Thus the remaining vectors ( b 1 ,..., b ℓ − 2 ) form a lattice of volume ≈ N 3 / 2 / N 1 / 2 = N . Each of them is heuristically of length ≈ N 1 /( ℓ − 2 ) . As soon as ℓ ≥ 5, they are of length ≪ N 1 / 2 and thus orthogonal to x , y . • Compute a reduced basis ( x ′ , y ′ ) of the lattice of vectors orthogonal to ( b 1 ,..., b ℓ − 2 ) . The vectors x , y are in this lattice, and can be recovered by a quick exhaustive search!

  45. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Lattice attack overview • Compute a reduced basis ( b 1 ,..., b ℓ − 1 ) of the lattice of vectors in Z ℓ orthogonal to v . • Since v = α x + β y , the b i ’s satisfy: α ⟨ b i , x ⟩ + β ⟨ b i , y ⟩ = 0 • But the smallest nonzero solution ( s , t ) to α s + β t = 0 is of size ≈ N , so a given b i is either orthogonal to both x and y , or it is of norm > N 1 / 2 . • Only ℓ − 2 independent vectors orthogonal to both x and y , so b ℓ − 1 must be of length N . Thus the remaining vectors ( b 1 ,..., b ℓ − 2 ) form a lattice of volume ≈ N 3 / 2 / N 1 / 2 = N . Each of them is heuristically of length ≈ N 1 /( ℓ − 2 ) . As soon as ℓ ≥ 5, they are of length ≪ N 1 / 2 and thus orthogonal to x , y . • Compute a reduced basis ( x ′ , y ′ ) of the lattice of vectors orthogonal to ( b 1 ,..., b ℓ − 2 ) . The vectors x , y are in this lattice, and can be recovered by a quick exhaustive search!

  46. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Lattice attack overview • Compute a reduced basis ( b 1 ,..., b ℓ − 1 ) of the lattice of vectors in Z ℓ orthogonal to v . • Since v = α x + β y , the b i ’s satisfy: α ⟨ b i , x ⟩ + β ⟨ b i , y ⟩ = 0 • But the smallest nonzero solution ( s , t ) to α s + β t = 0 is of size ≈ N , so a given b i is either orthogonal to both x and y , or it is of norm > N 1 / 2 . • Only ℓ − 2 independent vectors orthogonal to both x and y , so b ℓ − 1 must be of length N . Thus the remaining vectors ( b 1 ,..., b ℓ − 2 ) form a lattice of volume ≈ N 3 / 2 / N 1 / 2 = N . Each of them is heuristically of length ≈ N 1 /( ℓ − 2 ) . As soon as ℓ ≥ 5, they are of length ≪ N 1 / 2 and thus orthogonal to x , y . • Compute a reduced basis ( x ′ , y ′ ) of the lattice of vectors orthogonal to ( b 1 ,..., b ℓ − 2 ) . The vectors x , y are in this lattice, and can be recovered by a quick exhaustive search!

  47. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Simulation results • We can simulate this attack by picking random p , q -parts ( x i , y i ) , computing the corresponding CRT values v i in Z and trying to factor the modulus using just the v i ’s. • For the exhaustive search, we look for all linear combinations s x ′ + t y ′ of x ′ , y ′ of length < N 1 / 2 and for each such combination, we try to factor by computing the GCD: gcd ( v − s x ′ − t y ′ , N ) If the linear combination is either x or y , we’re succesful, since v is congruent to x mod p but not mod q . • Since x ′ , y ′ are of size ≈ N 1 / 2 , the exhaustive search has a few dozen steps at most. The full attack runs in total time < 0 . 01 second on a standard PC for a 1024-bit modulus. • As predicted by the theoretical analysis, success rate is 100% for ℓ ≥ 5, regardless of modulus size. Even for ℓ = 4 we get success rates of ≈ 40%.

  48. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Simulation results • We can simulate this attack by picking random p , q -parts ( x i , y i ) , computing the corresponding CRT values v i in Z and trying to factor the modulus using just the v i ’s. • For the exhaustive search, we look for all linear combinations s x ′ + t y ′ of x ′ , y ′ of length < N 1 / 2 and for each such combination, we try to factor by computing the GCD: gcd ( v − s x ′ − t y ′ , N ) If the linear combination is either x or y , we’re succesful, since v is congruent to x mod p but not mod q . • Since x ′ , y ′ are of size ≈ N 1 / 2 , the exhaustive search has a few dozen steps at most. The full attack runs in total time < 0 . 01 second on a standard PC for a 1024-bit modulus. • As predicted by the theoretical analysis, success rate is 100% for ℓ ≥ 5, regardless of modulus size. Even for ℓ = 4 we get success rates of ≈ 40%.

  49. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Simulation results • We can simulate this attack by picking random p , q -parts ( x i , y i ) , computing the corresponding CRT values v i in Z and trying to factor the modulus using just the v i ’s. • For the exhaustive search, we look for all linear combinations s x ′ + t y ′ of x ′ , y ′ of length < N 1 / 2 and for each such combination, we try to factor by computing the GCD: gcd ( v − s x ′ − t y ′ , N ) If the linear combination is either x or y , we’re succesful, since v is congruent to x mod p but not mod q . • Since x ′ , y ′ are of size ≈ N 1 / 2 , the exhaustive search has a few dozen steps at most. The full attack runs in total time < 0 . 01 second on a standard PC for a 1024-bit modulus. • As predicted by the theoretical analysis, success rate is 100% for ℓ ≥ 5, regardless of modulus size. Even for ℓ = 4 we get success rates of ≈ 40%.

  50. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Simulation results • We can simulate this attack by picking random p , q -parts ( x i , y i ) , computing the corresponding CRT values v i in Z and trying to factor the modulus using just the v i ’s. • For the exhaustive search, we look for all linear combinations s x ′ + t y ′ of x ′ , y ′ of length < N 1 / 2 and for each such combination, we try to factor by computing the GCD: gcd ( v − s x ′ − t y ′ , N ) If the linear combination is either x or y , we’re succesful, since v is congruent to x mod p but not mod q . • Since x ′ , y ′ are of size ≈ N 1 / 2 , the exhaustive search has a few dozen steps at most. The full attack runs in total time < 0 . 01 second on a standard PC for a 1024-bit modulus. • As predicted by the theoretical analysis, success rate is 100% for ℓ ≥ 5, regardless of modulus size. Even for ℓ = 4 we get success rates of ≈ 40%.

  51. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion The attack in practice We implemented the attack against an implementation of RSA-CRT signatures on an 8-bit microcontroller. 1. Decapsulate the chip. 2. Target the SRAM and find the location of the modulus N . 3. Strike with 4. After obtaining 5 pairs of correct and faulty signatures, factor N in a fraction of a second as expected.

  52. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion The attack in practice We implemented the attack against an implementation of RSA-CRT signatures on an 8-bit microcontroller. 1. Decapsulate the chip. 2. Target the SRAM and find the location of the modulus N . 3. Strike with 4. After obtaining 5 pairs of correct and faulty signatures, factor N in a fraction of a second as expected.

  53. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion The attack in practice We implemented the attack against an implementation of RSA-CRT signatures on an 8-bit microcontroller. 1. Decapsulate the chip. 2. Target the SRAM and find the location of the modulus N . 3. Strike with 4. After obtaining 5 pairs of correct and faulty signatures, factor N in a fraction of a second as expected.

  54. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion The attack in practice We implemented the attack against an implementation of RSA-CRT signatures on an 8-bit microcontroller. 1. Decapsulate the chip. 2. Target the SRAM and find the location of the modulus N . 3. Strike with lasers! 4. After obtaining 5 pairs of correct and faulty signatures, factor N in a fraction of a second as expected.

  55. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion The attack in practice We implemented the attack against an implementation of RSA-CRT signatures on an 8-bit microcontroller. 1. Decapsulate the chip. 2. Target the SRAM and find the location of the modulus N . 3. Strike with a focused laser beam. 4. After obtaining 5 pairs of correct and faulty signatures, factor N in a fraction of a second as expected.

  56. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion The attack in practice We implemented the attack against an implementation of RSA-CRT signatures on an 8-bit microcontroller. 1. Decapsulate the chip. 2. Target the SRAM and find the location of the modulus N . 3. Strike with 4. After obtaining 5 pairs of correct and faulty signatures, factor N in a fraction of a second as expected.

  57. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Advantages and limitations This new attack presents a number of nice features: • Very fast. • Only requires 5 correct/fauly signature pairs, regardless of modulus size. • Not thwarted by standard RSA-CRT fault countermeasures such as Shamir’s. It does have some limitations: • Needs to recover the faulty modulus N ′ : this is a bit unrealistic in practice. However, with a few more faults of a reasonable shape, it is easy to overcome this limitation. • Must be able to obtain a correct and a faulty signature with the same CRT value: not possible with randomized encodings. • Most seriously: a faster, frequently used technique for CRT interpolation (Garner’s formula) avoids reducing mod N altogether, and hence defeats this attack.

  58. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Advantages and limitations This new attack presents a number of nice features: • Very fast. • Only requires 5 correct/fauly signature pairs, regardless of modulus size. • Not thwarted by standard RSA-CRT fault countermeasures such as Shamir’s. It does have some limitations: • Needs to recover the faulty modulus N ′ : this is a bit unrealistic in practice. However, with a few more faults of a reasonable shape, it is easy to overcome this limitation. • Must be able to obtain a correct and a faulty signature with the same CRT value: not possible with randomized encodings. • Most seriously: a faster, frequently used technique for CRT interpolation (Garner’s formula) avoids reducing mod N altogether, and hence defeats this attack.

  59. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Advantages and limitations This new attack presents a number of nice features: • Very fast. • Only requires 5 correct/fauly signature pairs, regardless of modulus size. • Not thwarted by standard RSA-CRT fault countermeasures such as Shamir’s. It does have some limitations: • Needs to recover the faulty modulus N ′ : this is a bit unrealistic in practice. However, with a few more faults of a reasonable shape, it is easy to overcome this limitation. • Must be able to obtain a correct and a faulty signature with the same CRT value: not possible with randomized encodings. • Most seriously: a faster, frequently used technique for CRT interpolation (Garner’s formula) avoids reducing mod N altogether, and hence defeats this attack.

  60. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Advantages and limitations This new attack presents a number of nice features: • Very fast. • Only requires 5 correct/fauly signature pairs, regardless of modulus size. • Not thwarted by standard RSA-CRT fault countermeasures such as Shamir’s. It does have some limitations: • Needs to recover the faulty modulus N ′ : this is a bit unrealistic in practice. However, with a few more faults of a reasonable shape, it is easy to overcome this limitation. • Must be able to obtain a correct and a faulty signature with the same CRT value: not possible with randomized encodings. • Most seriously: a faster, frequently used technique for CRT interpolation (Garner’s formula) avoids reducing mod N altogether, and hence defeats this attack.

  61. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Advantages and limitations This new attack presents a number of nice features: • Very fast. • Only requires 5 correct/fauly signature pairs, regardless of modulus size. • Not thwarted by standard RSA-CRT fault countermeasures such as Shamir’s. It does have some limitations: • Needs to recover the faulty modulus N ′ : this is a bit unrealistic in practice. However, with a few more faults of a reasonable shape, it is easy to overcome this limitation. • Must be able to obtain a correct and a faulty signature with the same CRT value: not possible with randomized encodings. • Most seriously: a faster, frequently used technique for CRT interpolation (Garner’s formula) avoids reducing mod N altogether, and hence defeats this attack.

  62. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Advantages and limitations This new attack presents a number of nice features: • Very fast. • Only requires 5 correct/fauly signature pairs, regardless of modulus size. • Not thwarted by standard RSA-CRT fault countermeasures such as Shamir’s. It does have some limitations: • Needs to recover the faulty modulus N ′ : this is a bit unrealistic in practice. However, with a few more faults of a reasonable shape, it is easy to overcome this limitation. • Must be able to obtain a correct and a faulty signature with the same CRT value: not possible with randomized encodings. • Most seriously: a faster, frequently used technique for CRT interpolation (Garner’s formula) avoids reducing mod N altogether, and hence defeats this attack.

  63. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Outline Introduction RSA Cryptanalysis RSA-CRT signatures Modulus fault attacks Hashing to Elliptic Curves Elliptic curve cryptography Hashing to elliptic curves Constructing good hash functions

  64. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Elliptic curves A smooth curve in the plane defined by an equation of degree 3.

  65. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Elliptic curves Can be put in Weierstrass form: y 2 = x 3 + ax + b

  66. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Elliptic curves Observation dating back at least to Newton: the line through two points cuts the curve at a third; if a , b are rational, the third point obtained from two rational points is also rational. Makes it possible to define an addition law on rational points!

  67. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Elliptic curves A central object in number theory (many important arithmetic problems from Diophantus to Wiles are about elliptic curves).

  68. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Elliptic curve cryptography • Elliptic curves can be defined over any field, including finite fields F q (we restrict attention to characteristic > 3). • The set of F q -points of an elliptic curve E over F q is again an abelian group G = E ( F q ) where the Discrete Logarithm Problem and Diffie-Hellman-type problems are believed to be hard ▶ suitable for cryptography! Idea due to Miller and Koblitz in the 1980s. • In fact, the best known attack in most cases is the generic one: this means short keys and efficient protocols. • Also come with rich structures such as pairings that don’t exist in groups like Z ∗ p .

  69. Introduction RSA Cryptanalysis Hashing to Elliptic Curves Conclusion Elliptic curve cryptography • Elliptic curves can be defined over any field, including finite fields F q (we restrict attention to characteristic > 3). • The set of F q -points of an elliptic curve E over F q is again an abelian group G = E ( F q ) where the Discrete Logarithm Problem and Diffie-Hellman-type problems are believed to be hard ▶ suitable for cryptography! Idea due to Miller and Koblitz in the 1980s. • In fact, the best known attack in most cases is the generic one: this means short keys and efficient protocols. • Also come with rich structures such as pairings that don’t exist in groups like Z ∗ p .

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Verified Indifferentiable Hashing into Elliptic Curves eguelin 1 Santiago Zanella B Gilles

Verified Indifferentiable Hashing into Elliptic Curves eguelin 1 Santiago Zanella B Gilles

Verified Indifferentiable Hashing into Elliptic Curves eguelin 1 Santiago Zanella B Gilles Barthe 2 , Benjamin Gr egoire 3 , Sylvain Heraud 3 and Federico Olmedo 2 Microsoft Research Cambridge 1 IMDEA Software Institute 2 ee 3 INRIA Sophia

1.02k views • 36 slides
Deterministic Hashing to Elliptic and Hyperelliptic Curves Mehdi Tibouchi LORIA, 2010-11-08

Deterministic Hashing to Elliptic and Hyperelliptic Curves Mehdi Tibouchi LORIA, 2010-11-08

Introduction Problems Outlook and Conclusion Deterministic Hashing to Elliptic and Hyperelliptic Curves Mehdi Tibouchi LORIA, 2010-11-08 Introduction Problems Outlook and Conclusion Outline Introduction Elliptic curves Hashing to

337 views • 30 slides
Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA MathFest Boulder, Colorado August 2003 http://www.math.mcgill.ca/darmon /slides/slides.html Elliptic Curves Definition : An elliptic curve over the

494 views • 26 slides
Fast and simple constant-time hashing to the BLS12-381 elliptic curve (and other curves, too!)

Fast and simple constant-time hashing to the BLS12-381 elliptic curve (and other curves, too!)

Fast and simple constant-time hashing to the BLS12-381 elliptic curve (and other curves, too!) Riad S. Wahby, Dan Boneh Stanford December 3 rd , 2019 Motivation Our initial motivation: BLS signatures [BLS01] Motivation Our initial

1.38k views • 126 slides
Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Elliptic curves over F q Introduction History length of ellipses why Elliptic curves? Fields Weierstra Equations Singular points The Discriminant E LLIPTIC CURVES OVER FINITE FIELDS Elliptic curves / F 2 Elliptic curves / F 3 The sum of

660 views • 32 slides
Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known

Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known

Well-known forms of elliptic curves Toric forms of elliptic curves Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known forms of elliptic curves Projective coordinates Toric forms of elliptic curves

478 views • 46 slides
Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo

Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo

Elliptic Curves in Sage Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo Questions? October 19 at ECC 2010 Lowest (known) conductor elliptic curves of ranks 0,1,2,3,4 Abstract Elliptic Curves in Sage

628 views • 14 slides
Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex

Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex

Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex tori E a , b : y 2 x 3 ` ax ` b , 4 a 3 ` 27 b 2 0 4 a 3 j p E a , b q 1728 4 a 3 ` 27 b 2 Theorem. The map z r p z q : 1 2 1 p

646 views • 9 slides
Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft Research 15 / 09 / 2011 (Nancy) 2 / 66 Outline 1 Isogenies on elliptic curves 2 Endomorphisms 3 Supersingular elliptic curves 4 Abelian varieties

1.84k views • 79 slides
Quantum-resistant Cryptography based on Isogenies between Elliptic Curves A Brief Survey Jo ao

Quantum-resistant Cryptography based on Isogenies between Elliptic Curves A Brief Survey Jo ao

Quantum-resistant Cryptography based on Isogenies between Elliptic Curves A Brief Survey Jo ao Paulo da Silva , Ricardo Dahab, Julio L opez Institute of Computing University of Campinas Latin American Week on Coding and Information

558 views • 32 slides
The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. -Pollard and CUDA. Conclusions The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards algorithm for ECDLP Alberto

1.52k views • 103 slides
Deterministic Generation of Elliptic Curves (a.k.a. &quot;NUMS&quot; Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. &quot;NUMS&quot; Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. &quot;NUMS&quot; Curves) Motivation Reduced customer confidence in NIST-standardized curves (FIPS 186-3) Industry moving to Perfect Forward Secrecy (PFS) ciphersuites (e.g. ECDHE)

306 views • 11 slides
Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration

Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration

Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration with Adrian Barquero-Sanchez, Lindsay Cadwallader, Olivia Cannon, Riad Masri Tyler Genao Faltings Heights of CM Elliptic Curves Elliptic Curves

571 views • 41 slides
Elliptic Curves II Reinier Br oker Fields Institute &amp; University of Calgary Summer School

Elliptic Curves II Reinier Br oker Fields Institute &amp; University of Calgary Summer School

Elliptic Curves II Reinier Br oker Fields Institute &amp; University of Calgary Summer School before ECC September 2006 Elliptic curves An elliptic curve E over a field K is given by a Weierstra equation Y 2 + h ( X ) Y = f ( X ) with h, f

416 views • 13 slides
Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law

Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law hlaw@iml.univ-mrs.fr Institute de Math ematiques de

662 views • 41 slides
The symplectic type of congruences between elliptic curves John Cremona University of Warwick

The symplectic type of congruences between elliptic curves John Cremona University of Warwick

The symplectic type of congruences between elliptic curves John Cremona University of Warwick joint work with Nuno Freitas (Warwick) AGC 2 T Luminy, 10 June 2019 Overview 1. Elliptic curves, mod p Galois representations, Weil pairing. 2.

954 views • 70 slides
EA EARL RLY Y LUN UNG G CANC ANCER ER Pang Yong Kek Lecture Outline Why performing

EA EARL RLY Y LUN UNG G CANC ANCER ER Pang Yong Kek Lecture Outline Why performing

SCREENING FOR EA EARL RLY Y LUN UNG G CANC ANCER ER Pang Yong Kek Lecture Outline Why performing screening? How to improve early detection? Benefits and Risks of screening Challenges in screening Conclusion Why

696 views • 37 slides
Common Rheumatology Issues in Hospital Medicine Lianne Gensler, MD Associate Professor of

Common Rheumatology Issues in Hospital Medicine Lianne Gensler, MD Associate Professor of

Common Rheumatology Issues in Hospital Medicine Lianne Gensler, MD Associate Professor of Clinical Medicine UCSF Division of Rheumatology Disclosure UCB Board Member/Advisory Panels 2 1 | [footer text here] Outline 71 year old with

171 views • 15 slides
Linear Discrimination Steven J Zeil Old Dominion Univ. Fall 2010 1 Discriminant-Based

Linear Discrimination Steven J Zeil Old Dominion Univ. Fall 2010 1 Discriminant-Based

Discriminant-Based Classification Posteriors Logistic Discrimination Linear Discrimination Steven J Zeil Old Dominion Univ. Fall 2010 1 Discriminant-Based Classification Posteriors Logistic Discrimination Linear Discrimination

389 views • 21 slides
Economic &amp; Market Implications of COVID-19 Coronavirus/COVID-19: 2,518,275 Cases; &gt; 200

Economic &amp; Market Implications of COVID-19 Coronavirus/COVID-19: 2,518,275 Cases; &gt; 200

April 2020 Economic &amp; Market Implications of COVID-19 Coronavirus/COVID-19: 2,518,275 Cases; &gt; 200 Countries Source: John Hopkins; New York Times Data through 4/20 Past performance is not an indication of future results. Please

579 views • 25 slides
Charged Lepton Flavor Violation in Muon 3 Major Processes + e + + e + e +

Charged Lepton Flavor Violation in Muon 3 Major Processes + e + + e + e +

The COMET experiment: Search for muon-to-electron conversion Manabu MORITSU (KEK) On behalf of the COMET Collaboration The 3rd J-PARC Symposium (J-PARC2019) 26th Sep., 2019, Tsukuba, Japan M. Moritsu (KEK) 26/09/2019, J-PARC2019 ! 2

446 views • 40 slides
Accurate Prediction of Soft Error Vulnerability of Scientific Applications Greg Bronevetsky

Accurate Prediction of Soft Error Vulnerability of Scientific Applications Greg Bronevetsky

Accurate Prediction of Soft Error Vulnerability of Scientific Applications Greg Bronevetsky Post-doctoral Fellow Lawrence Livermore National Lab Soft error: one-time corruption of system state Examples: Memory bit-flips, erroneous

829 views • 46 slides
Lecture 9: Threads ... Lisa (Ling) Liu Overview Thread state WaitHandle Synchronization

Lecture 9: Threads ... Lisa (Ling) Liu Overview Thread state WaitHandle Synchronization

Chair of Softw are Engineering C# Programming in Depth Prof. Dr. Bertrand Meyer March 2007 May 2007 Lecture 9: Threads ... Lisa (Ling) Liu Overview Thread state WaitHandle Synchronization mechanism Synchronize access to collections

414 views • 28 slides
Logs in Incident Response Mitigating Risk. Automating Compliance. 1 LogLogic Confidential

Logs in Incident Response Mitigating Risk. Automating Compliance. 1 LogLogic Confidential

Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA Director of Security Research LogLogic anton@loglogic.com Logs in Incident Response Mitigating Risk. Automating Compliance. 1 LogLogic Confidential Tuesday, June 27, 2006 Outline - I Incident

939 views • 78 slides

More recommend