a complete and explicit security reduction algorithm for
play

A Complete and Explicit Security Reduction Algorithm for RSA-based - PowerPoint PPT Presentation

Mar 07, 2023 •18 likes •408 views

A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems Asiacrypt 2003, Taipei Kaoru Kurosawa 1 , Katja Schmidt-Samoa 2 , Tsuyoshi Takagi 2 1 Ibaraki University 2 Technische Universit at Darmstadt A Complete and

  1. A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems Asiacrypt 2003, Taipei Kaoru Kurosawa 1 , Katja Schmidt-Samoa 2 , Tsuyoshi Takagi 2 1 Ibaraki University 2 Technische Universit¨ at Darmstadt A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.1/15

  2. Introduction Problem: Find "small" solutions x, y of ax = y + c mod N Many applications in cryptanalysis and provable security Previous solutions: Brute-force method Continued fraction methods Affine variant of Euclidian algorithm Lattice-based methods A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.2/15

  3. Outline of the talk PD-OW of RSA Features of the lattice-based solution Proposed algorithm Application to PD-OW of RSA Comparison Conclusion A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.3/15

  4. RSA: OW ⇒ PD-OW Target: Compute m from C = m e mod N PD-OW Oracle O : Gets s 1 from ( s 1 · 2 k + s 2 ) e mod N Fujisaki, Okamoto, Pointcheval, Stern 2001: 1. Choose a ∈ Z × N at random 2. Define C ′ = Ca e mod N (encryption of am mod N ) 3. O ( C ) = u and O ( C ′ ) = v 4. m mod N = u · 2 k + r and am mod N = v · 2 k + s ⇒ a · ( u · 2 k + r ) mod N = v · 2 k + s ⇒ ar = s + c mod N, c = ( v − ua ) · 2 k mod N. ⇒ ax = y + c mod N A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.4/15

  5. RSA: OW ⇒ PD-OW, cont’d Problem C = ( u · 2 k + r ) e mod N , find r √ We have ar = s + c mod N, 0 ≤ r, s < B < N General answer to the problem Solve ax = y + c mod N (small solutions) � e mod N For each ( x, y ) : Check C ? u · 2 k + x � = Questions How to solve ax = y + c mod N ? How many small solutions? back A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.5/15

  6. Features of the lattice-based method √ Problem: Find 0 ≤ x, y < B < N s.t. ax = y + c mod N Define lattice L a,N = { ( x, y ) ∈ Z 2 | ax = y mod N } Precondition: L a,N contains no 0 � = v, | v | < 4 B � � 1. unique small solution ( x, y ) of ax = y + c mod N ( ֒ → no checks necessary) 2. ( x, y ) can be found efficiently (lattice reduction) A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.6/15

  7. Critical area for lattice-based solution Critical area of lattice L a,N = { ( x, y ) ∈ Z 2 | ax = y mod N } : No non-zero vector inside critical area ⇒ method works 4 B Target: New algorithm for solving ax = y + c mod N downsizes critical area A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.7/15

  8. Motivation of proposed algorithm √ Problem: Find 0 ≤ x, y < B < N s.t. ax = y + c mod N 1 st step: Specify the problem Find x -minimal solution w. r. t. B : ? → y = − c mod N x = 0 < B no ? → y = − c + a mod N x = 1 < B no . . . . . . . . . . . . . . . . . . ? → y = − c + ˆ x = ˆ x ˆ xa mod N < B yes! A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.8/15

  9. Motivation of proposed algorithm √ Problem: Find 0 ≤ x, y < B < N s.t. ax = y + c mod N � 1 st step: Specify the problem y = ax − c mod N Find x -minimal solution w. r. t. B : ? → y = − c mod N x = 0 < B no ? → y = − c + a mod N x = 1 < B no . . . . . . . . . . . . . . . . . . ? → y = − c + ˆ x = ˆ x ˆ xa mod N < B yes! A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.8/15

  10. Motivation of proposed algorithm √ Problem: Find 0 ≤ x, y < B < N s.t. ax = y + c mod N � 1 st step: Specify the problem y = ax − c mod N Find x -minimal solution w. r. t. B : ? → y = − c mod N x = 0 < B no ? → y = − c + a mod N x = 1 < B no . . . . . . . . . . . . . . . . . . ? → y = − c + ˆ x = ˆ x ˆ xa mod N < B yes! 0 B − c mod N N a A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.8/15

  11. Motivation of proposed algorithm √ Problem: Find 0 ≤ x, y < B < N s.t. ax = y + c mod N � 1 st step: Specify the problem y = ax − c mod N Find x -minimal solution w. r. t. B : ? → y = − c mod N x = 0 < B no ? → y = − c + a mod N x = 1 < B no . . . . . . . . . . . . . . . . . . ? → y = − c + ˆ x = ˆ x ˆ xa mod N < B yes! 0 B − c mod N N A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.8/15

  12. Motivation of proposed algorithm √ Problem: Find 0 ≤ x, y < B < N s.t. ax = y + c mod N � 1 st step: Specify the problem y = ax − c mod N Find x -minimal solution w. r. t. B : ? → y = − c mod N x = 0 < B no ? → y = − c + a mod N x = 1 < B no . . . . . . . . . . . . . . . . . . ? → y = − c + ˆ x = ˆ x ˆ xa mod N < B yes! 0 B − c mod N N A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.8/15

  13. Motivation of proposed algorithm √ Problem: Find 0 ≤ x, y < B < N s.t. ax = y + c mod N � 1 st step: Specify the problem y = ax − c mod N Find x -minimal solution w. r. t. B : ? → y = − c mod N x = 0 < B no ? → y = − c + a mod N x = 1 < B no . . . . . . . . . . . . . . . . . . ? → y = − c + ˆ x = ˆ x ˆ xa mod N < B yes! 0 B − c mod N N A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.8/15

  14. Motivation of proposed algorithm √ Problem: Find 0 ≤ x, y < B < N s.t. ax = y + c mod N � 1 st step: Specify the problem y = ax − c mod N Find x -minimal solution w. r. t. B : ? → y = − c mod N x = 0 < B no ? → y = − c + a mod N x = 1 < B no . . . . . . . . . . . . . . . . . . ? → y = − c + ˆ x = ˆ x ˆ xa mod N < B yes! 0 B − c mod N N A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.8/15

  15. Motivation of proposed algorithm √ Problem: Find 0 ≤ x, y < B < N s.t. ax = y + c mod N � 1 st step: Specify the problem y = ax − c mod N Find x -minimal solution w. r. t. B : ? → y = − c mod N x = 0 < B no ? → y = − c + a mod N x = 1 < B no . . . . . . . . . . . . . . . . . . ? → y = − c + ˆ x = ˆ x ˆ xa mod N < B yes! 0 B − c mod N N A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.8/15

  16. Motivation of proposed algorithm √ Problem: Find 0 ≤ x, y < B < N s.t. ax = y + c mod N � 1 st step: Specify the problem y = ax − c mod N Find x -minimal solution w. r. t. B : ? → y = − c mod N x = 0 < B no ? → y = − c + a mod N x = 1 < B no . . . . . . . . . . . . . . . . . . ? → y = − c + ˆ x = ˆ x ˆ xa mod N < B yes! 0 B − c mod N N A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.8/15

  17. Motivation of proposed algorithm √ Problem: Find 0 ≤ x, y < B < N s.t. ax = y + c mod N � 1 st step: Specify the problem y = ax − c mod N Find x -minimal solution w. r. t. B : ? → y = − c mod N x = 0 < B no ? → y = − c + a mod N x = 1 < B no . . . . . . . . . . . . . . . . . . ? → y = − c + ˆ x = ˆ x ˆ xa mod N < B yes! 0 B − c mod N N A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.8/15

  18. Motivation of proposed algorithm √ Problem: Find 0 ≤ x, y < B < N s.t. ax = y + c mod N � 1 st step: Specify the problem y = ax − c mod N Find x -minimal solution w. r. t. B : ? → y = − c mod N x = 0 < B no ? → y = − c + a mod N x = 1 < B no . . . . . . . . . . . . . . . . . . ? → y = − c + ˆ x = ˆ x ˆ xa mod N < B yes! 0 B − c mod N N A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.8/15

  19. Motivation of proposed algorithm √ Problem: Find 0 ≤ x, y < B < N s.t. ax = y + c mod N � 1 st step: Specify the problem y = ax − c mod N Find x -minimal solution w. r. t. B : ? → y = − c mod N x = 0 < B no ? → y = − c + a mod N x = 1 < B no . . . . . . . . . . . . . . . . . . ? → y = − c + ˆ x = ˆ x ˆ xa mod N < B yes! 0 B − c mod N N A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.8/15

  20. Motivation of proposed algorithm √ Problem: Find 0 ≤ x, y < B < N s.t. ax = y + c mod N � 1 st step: Specify the problem y = ax − c mod N Find x -minimal solution w. r. t. B : ? → y = − c mod N x = 0 < B no ? → y = − c + a mod N x = 1 < B no . . . . . . . . . . . . . . . . . . ? → y = − c + ˆ x = ˆ x ˆ xa mod N < B yes! 0 B − c mod N N A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.8/15

  21. Motivation of proposed algorithm √ Problem: Find 0 ≤ x, y < B < N s.t. ax = y + c mod N � 1 st step: Specify the problem y = ax − c mod N Find x -minimal solution w. r. t. B : ? → y = − c mod N x = 0 < B no ? → y = − c + a mod N x = 1 < B no . . . . . . . . . . . . . . . . . . ? → y = − c + ˆ x = ˆ x ˆ xa mod N < B yes! 0 B − c mod N N a A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems – p.8/15

Recommend

Line Characterizations Bresenhams Midpoint Algorithm y mx B Explicit:

Line Characterizations Bresenhams Midpoint Algorithm y mx B Explicit:

Spring 2013 Line Characterizations Bresenhams Midpoint Algorithm y mx B Explicit: F x y ax by c Implicit: ( , ) 0 CS5600 Computer Graphics Lecture Set 2 y adapted from k

513 views • 12 slides
NP-Complete Problems Algorithm : Design &amp; Analysis [20] In the last class Simple

NP-Complete Problems Algorithm : Design &amp; Analysis [20] In the last class Simple

NP-Complete Problems Algorithm : Design &amp; Analysis [20] In the last class Simple String Matching KMP Flowchart Construction Jump at Fail KMP Scan NP-Complete Problems Decision Problem The Class P The Class NP

894 views • 35 slides
Lots of NP Complete Problems When confronted with trying to show a problem is NP-Complete

Lots of NP Complete Problems When confronted with trying to show a problem is NP-Complete

Lots of NP Complete Problems When confronted with trying to show a problem is NP-Complete NP-Complete Problems There are lots to chose from which to perform a reduction. Garey and Johnson lists over 300 (and that was printed in

170 views • 6 slides
An explicit algorithm for solving the acoustic tomography problem for a moving fluid Alexey

An explicit algorithm for solving the acoustic tomography problem for a moving fluid Alexey

An explicit algorithm for solving the acoustic tomography problem for a moving fluid Alexey Agaltsov agaltsov @ cmap.polytechnique.fr Moscow September 12, 2016 Alexey Agaltsov Algorithm for acoustic tomography of moving fluid Acoustic

509 views • 24 slides
A Novel Algorithm for the Reduction of Irregular Noise in Corrupted Speech Signals ROSHAHLIZA M

A Novel Algorithm for the Reduction of Irregular Noise in Corrupted Speech Signals ROSHAHLIZA M

A Novel Algorithm for the Reduction of Irregular Noise in Corrupted Speech Signals ROSHAHLIZA M RAMLI, ALI O. ABID NOOR &amp; SALINA ABDUL SAMAD FACULTY OF ENGINEERING &amp; BUILT ENVIRONMENT UNIVERSITI KEBANGSAAN MALAYSIA (NATIONAL UNIVERSITY OF

440 views • 13 slides
A Net-Reduction based Clustering Preprocessing Algorithm Jianhua Li, Laleh Behjat University of

A Net-Reduction based Clustering Preprocessing Algorithm Jianhua Li, Laleh Behjat University of

A Net-Reduction based Clustering Preprocessing Algorithm Jianhua Li, Laleh Behjat University of Calgary, Calgary, Canada ISPD April 12, 2006 A net reduction-based clustering preprocessing algorithm - ISPD 2006 Outline Introduction

771 views • 35 slides
Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher

Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher

Bart Preneel September 2007 Cryptographic Algorithm Engineering and Provable Security Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher Basic concepts Foundations of Security Analysis and

958 views • 31 slides
Modeling Algorithm for Test Cost Reduction of Analog/RF Circuits Hugo Gonalves 1,2 , Xin Li 1 ,

Modeling Algorithm for Test Cost Reduction of Analog/RF Circuits Hugo Gonalves 1,2 , Xin Li 1 ,

A Fast Wafer-Level Spatial Variation Modeling Algorithm for Test Cost Reduction of Analog/RF Circuits Hugo Gonalves 1,2 , Xin Li 1 , Miguel Correia 2 and Vitor Tavares 2 1 ECE Department, Carnegie Mellon University, USA 2 Faculdade de

480 views • 27 slides
An Algorithm for Sample and Data Dimensionality Reduction Using Fast Simulated Annealing Szymon

An Algorithm for Sample and Data Dimensionality Reduction Using Fast Simulated Annealing Szymon

7th International Conference on Advanced Data Mining and Applications An Algorithm for Sample and Data Dimensionality Reduction Using Fast Simulated Annealing Szymon ukasik , Piotr Kulczycki Department of Automatic Control and IT, Cracow

589 views • 16 slides
CS475 / CM375 Lecture 17: Nov 8, 2011 QR Algorithm and Reduction to Hessenberg Reading: [TB] Chapt

CS475 / CM375 Lecture 17: Nov 8, 2011 QR Algorithm and Reduction to Hessenberg Reading: [TB] Chapt

08/11/2011 CS475 / CM375 Lecture 17: Nov 8, 2011 QR Algorithm and Reduction to Hessenberg Reading: [TB] Chapt 28 CS475/CM375 (c) 2011 P. Poupart &amp; J. Wan 1 Simultaneous iteration vs QR algorithm QR algorithm can be viewed as simultaneous

501 views • 8 slides
Noise Reduction in Gridded AIRS Radiance Products using the MODIS Gridding Algorithm. David

Noise Reduction in Gridded AIRS Radiance Products using the MODIS Gridding Algorithm. David

Noise Reduction in Gridded AIRS Radiance Products using the MODIS Gridding Algorithm. David Chapman, Phuong Nguyen, Jeff Avery, Milt Halem University of Maryland Baltimore County (UMBC) Introduction Gridded data is easier to work with

428 views • 17 slides
Dimensionality Reduction Algorithms (and how to interpret their output) Dalya Baron (Tel Aviv

Dimensionality Reduction Algorithms (and how to interpret their output) Dalya Baron (Tel Aviv

Dimensionality Reduction Algorithms (and how to interpret their output) Dalya Baron (Tel Aviv University) XXX Winter School, November 2018 What is Dimensionality Reduction? Dimensionality Reduction algorithm 28 x 28 features per object 2

437 views • 33 slides
Efficient cyclic reduction for QBDs with rank structured blocks: algorithm and analysis

Efficient cyclic reduction for QBDs with rank structured blocks: algorithm and analysis

Dario A. Bini, Stefano Massei, Leonardo Robol Efficient cyclic reduction for QBDs with rank structured blocks: algorithm and analysis University of Pisa Scuola Normale Superiore KU Leuven stefano.massei@sns.it Budapest, 28 June 2016 Speaker:

462 views • 19 slides
A Sound and Complete Algorithm for Simple Conceptual Logic Programs Cristina Feier and Stijn

A Sound and Complete Algorithm for Simple Conceptual Logic Programs Cristina Feier and Stijn

A Sound and Complete Algorithm for Simple Conceptual Logic Programs Cristina Feier and Stijn Heymans Institute of Information Systems, Knowledge-Based Systems Group, Vienna University of Technology 12 December 2008 1 Overview Open Answer Set

1.1k views • 45 slides
A Complete Algorithm for Generating Landmarks Blai Bonet Julio Castillo Universidad Sim on

A Complete Algorithm for Generating Landmarks Blai Bonet Julio Castillo Universidad Sim on

A Complete Algorithm for Generating Landmarks Blai Bonet Julio Castillo Universidad Sim on Bol var, Caracas, Venezuela ICAPS 2011 Freiburg, June 2011 Introduction multiple uses of landmarks in planning most powerful admissible

527 views • 38 slides
Security Cryptography Arise from resources sharing Plaintext; Encryption algorithm;

Security Cryptography Arise from resources sharing Plaintext; Encryption algorithm;

Security Cryptography Arise from resources sharing Plaintext; Encryption algorithm; keys; Ciphertext; Resources are encapsulated by process; Decryption algorithm users access them through processs interface. Three

565 views • 7 slides
NP-complete problems Informally, these are the hardest problems in the class NP CS 3813:

NP-complete problems Informally, these are the hardest problems in the class NP CS 3813:

NP-complete problems Informally, these are the hardest problems in the class NP CS 3813: Introduction to Formal If any NP-complete problem can be solved by a Languages and Automata polynomial time deterministic algorithm, then every

179 views • 3 slides
A Fast Spatial Patch Blending Algorithm for Artefact Reduction in Pattern-based Image Inpainting

A Fast Spatial Patch Blending Algorithm for Artefact Reduction in Pattern-based Image Inpainting

A Fast Spatial Patch Blending Algorithm for Artefact Reduction in Pattern-based Image Inpainting Maxime Daisy, David Tschumperl e, Olivier L ezoray GREYC - UMR 6072 CNRS, ENSICAEN, University of Caen Image team SIGGRAPH Asia 21

542 views • 42 slides
Seminar of Lattice Analysis 01 Slide Reduction Revisited Wenling Liu, Shanghai Jiao Tong

Seminar of Lattice Analysis 01 Slide Reduction Revisited Wenling Liu, Shanghai Jiao Tong

Seminar of Lattice Analysis 01 Slide Reduction Revisited Wenling Liu, Shanghai Jiao Tong University. Wenling Liu @ SJTU Table of Contents Lattice Backgrounds LenstraLenstraLov asz Reduction Hemite SVP reduction and DBKZ Algorithm

930 views • 49 slides
Resolution 1 Resolution for predicate logic Gilmores algorithm is correct and complete, but

Resolution 1 Resolution for predicate logic Gilmores algorithm is correct and complete, but

First-order Predicate Logic Resolution 1 Resolution for predicate logic Gilmores algorithm is correct and complete, but useless in practice. We upgrade resolution to make it work for predicate logic. 2 Recall: resolution in propositional

790 views • 32 slides
=: C T , 1 i n ( C i D i ) TU Dresden 2 Germany A tableau algorithm for ALC

=: C T , 1 i n ( C i D i ) TU Dresden 2 Germany A tableau algorithm for ALC

2. A tableau algorithm for ALC with TBoxes, number restrictions, and inverse roles Extend ALC -tableau algorithm from first session with general TBoxes inverse roles number restrictions Goal: Design sound and complete desicion procedures

636 views • 24 slides
More about NPC Problems Algorithm : Design &amp; Analysis [21] In the Last Class Decision

More about NPC Problems Algorithm : Design &amp; Analysis [21] In the Last Class Decision

More about NPC Problems Algorithm : Design &amp; Analysis [21] In the Last Class Decision Problem The Class P The Class NP NP -Complete Problems Polynomial Reductions NP -hard and NP -complete More about NPC Problems

475 views • 33 slides
Dimensionality Reduction Techniques for Proximity Problems Piotr Indyk, SODA 2000 CS 468 |

Dimensionality Reduction Techniques for Proximity Problems Piotr Indyk, SODA 2000 CS 468 |

Dimensionality Reduction Techniques for Proximity Problems Piotr Indyk, SODA 2000 CS 468 | Geometric Algorithms Bart Adams Talk Summary Core algorithm: dimensionality reduction using hashing Applied to: c-nearest neighbor search

629 views • 35 slides
words? Now complete activity 1 Use this to help complete activity 2 Now complete activity 2 To

words? Now complete activity 1 Use this to help complete activity 2 Now complete activity 2 To

What is meant by word class? Here are some examples: Noun adjective verb Can you think of any more types of words? Now complete activity 1 Use this to help complete activity 2 Now complete activity 2 To uplevel a sentence is to

1.41k views • 120 slides

More recommend