lattice based public key cryptosystems d j bernstein nist
play

Lattice-based public-key cryptosystems D. J. Bernstein NIST - PDF document

Dec 23, 2022 •11 likes •1.97k views

1 Lattice-based public-key cryptosystems D. J. Bernstein NIST post-quantum competition: 69 submissions in first round, from hundreds of people. (+13 submissions that NIST declared incomplete or improper.) 22 signature-system submissions. 5

  1. 13 sage: def invertmodprime(f,p): ....: Fp = Integers(p) ....: Fpx = Zx.change_ring(Fp) ....: T = Fpx.quotient(x^n-1) ....: return Zx(lift(1/T(f))) ....: sage:

  2. 13 sage: def invertmodprime(f,p): ....: Fp = Integers(p) ....: Fpx = Zx.change_ring(Fp) ....: T = Fpx.quotient(x^n-1) ....: return Zx(lift(1/T(f))) ....: sage: n = 7 sage:

  3. 13 sage: def invertmodprime(f,p): ....: Fp = Integers(p) ....: Fpx = Zx.change_ring(Fp) ....: T = Fpx.quotient(x^n-1) ....: return Zx(lift(1/T(f))) ....: sage: n = 7 sage: f = randompoly() sage:

  4. 13 sage: def invertmodprime(f,p): ....: Fp = Integers(p) ....: Fpx = Zx.change_ring(Fp) ....: T = Fpx.quotient(x^n-1) ....: return Zx(lift(1/T(f))) ....: sage: n = 7 sage: f = randompoly() sage: f3 = invertmodprime(f,3) sage:

  5. 13 sage: def invertmodprime(f,p): ....: Fp = Integers(p) ....: Fpx = Zx.change_ring(Fp) ....: T = Fpx.quotient(x^n-1) ....: return Zx(lift(1/T(f))) ....: sage: n = 7 sage: f = randompoly() sage: f3 = invertmodprime(f,3) sage: convolution(f,f3) 6*x^6 + 6*x^5 + 3*x^4 + 3*x^3 + 3*x^2 + 3*x + 4 sage:

  6. 14 def invertmodpowerof2(f,q): assert q.is_power_of(2) g = invertmodprime(f,2) M = balancedmod C = convolution while True: r = M(C(g,f),q) if r == 1: return g g = M(C(g,2-r),q) Exercise: Figure out how invertmodpowerof2 works. Hint: Compare r to previous r .

  7. 15 sage: n = 7 sage: q = 256 sage:

  8. 15 sage: n = 7 sage: q = 256 sage: f = randompoly() sage:

  9. 15 sage: n = 7 sage: q = 256 sage: f = randompoly() sage: f -x^6 - x^4 + x^2 + x - 1 sage:

  10. 15 sage: n = 7 sage: q = 256 sage: f = randompoly() sage: f -x^6 - x^4 + x^2 + x - 1 sage: g = invertmodpowerof2(f,q) sage:

  11. 15 sage: n = 7 sage: q = 256 sage: f = randompoly() sage: f -x^6 - x^4 + x^2 + x - 1 sage: g = invertmodpowerof2(f,q) sage: g 47*x^6 + 126*x^5 - 54*x^4 - 87*x^3 - 36*x^2 - 58*x + 61 sage:

  12. 15 sage: n = 7 sage: q = 256 sage: f = randompoly() sage: f -x^6 - x^4 + x^2 + x - 1 sage: g = invertmodpowerof2(f,q) sage: g 47*x^6 + 126*x^5 - 54*x^4 - 87*x^3 - 36*x^2 - 58*x + 61 sage: convolution(f,g) -256*x^5 - 256*x^4 + 256*x + 257 sage:

  13. 15 sage: n = 7 sage: q = 256 sage: f = randompoly() sage: f -x^6 - x^4 + x^2 + x - 1 sage: g = invertmodpowerof2(f,q) sage: g 47*x^6 + 126*x^5 - 54*x^4 - 87*x^3 - 36*x^2 - 58*x + 61 sage: convolution(f,g) -256*x^5 - 256*x^4 + 256*x + 257 sage: balancedmod(_,q) 1 sage:

  14. 16 NTRU key generation Parameters: n , positive integer (e.g., 701); q , power of 2 (e.g., 4096).

  15. 16 NTRU key generation Parameters: n , positive integer (e.g., 701); q , power of 2 (e.g., 4096). Secret key: random n -coeff polynomial a ; random n -coeff polynomial d ; all coefficients in {− 1 ; 0 ; 1 } .

  16. 16 NTRU key generation Parameters: n , positive integer (e.g., 701); q , power of 2 (e.g., 4096). Secret key: random n -coeff polynomial a ; random n -coeff polynomial d ; all coefficients in {− 1 ; 0 ; 1 } . Require d invertible mod q . Require d invertible mod 3.

  17. 16 NTRU key generation Parameters: n , positive integer (e.g., 701); q , power of 2 (e.g., 4096). Secret key: random n -coeff polynomial a ; random n -coeff polynomial d ; all coefficients in {− 1 ; 0 ; 1 } . Require d invertible mod q . Require d invertible mod 3. Public key: A = 3 a=d in the ring R q = ( Z =q )[ x ] = ( x n − 1).

  18. 17 def keypair(): while True: try: d = randompoly() d3 = invertmodprime(d,3) dq = invertmodpowerof2(d,q) break except: pass a = randompoly() publickey = balancedmod(3 * convolution(a,dq),q) secretkey = d,d3 return publickey,secretkey

  19. 18 sage: A,secretkey = keypair() sage:

  20. 18 sage: A,secretkey = keypair() sage: A -126*x^6 - 31*x^5 - 118*x^4 - 33*x^3 + 73*x^2 - 16*x + 7 sage:

  21. 18 sage: A,secretkey = keypair() sage: A -126*x^6 - 31*x^5 - 118*x^4 - 33*x^3 + 73*x^2 - 16*x + 7 sage: d,d3 = secretkey sage:

  22. 18 sage: A,secretkey = keypair() sage: A -126*x^6 - 31*x^5 - 118*x^4 - 33*x^3 + 73*x^2 - 16*x + 7 sage: d,d3 = secretkey sage: d -x^6 + x^5 - x^4 + x^3 - 1 sage:

  23. 18 sage: A,secretkey = keypair() sage: A -126*x^6 - 31*x^5 - 118*x^4 - 33*x^3 + 73*x^2 - 16*x + 7 sage: d,d3 = secretkey sage: d -x^6 + x^5 - x^4 + x^3 - 1 sage: convolution(d,A) -3*x^6 + 253*x^5 + 253*x^3 - 253*x^2 - 3*x - 3 sage:

  24. 18 sage: A,secretkey = keypair() sage: A -126*x^6 - 31*x^5 - 118*x^4 - 33*x^3 + 73*x^2 - 16*x + 7 sage: d,d3 = secretkey sage: d -x^6 + x^5 - x^4 + x^3 - 1 sage: convolution(d,A) -3*x^6 + 253*x^5 + 253*x^3 - 253*x^2 - 3*x - 3 sage: balancedmod(_,q) -3*x^6 - 3*x^5 - 3*x^3 + 3*x^2 - 3*x - 3 sage:

  25. 19 NTRU encryption One more parameter: w , positive integer (e.g., 467).

  26. 19 NTRU encryption One more parameter: w , positive integer (e.g., 467). Message for encryption: n -coeff weight- w polynomial c with all coeffs in {− 1 ; 0 ; 1 } . “Weight w ”: w nonzero coeffs, n − w zero coeffs.

  27. 19 NTRU encryption One more parameter: w , positive integer (e.g., 467). Message for encryption: n -coeff weight- w polynomial c with all coeffs in {− 1 ; 0 ; 1 } . “Weight w ”: w nonzero coeffs, n − w zero coeffs. Ciphertext: C = Ab + c in R q where b is chosen randomly from the set of messages.

  28. 20 sage: def randommessage(): ....: R = randrange ....: assert w <= n ....: c = n*[0] ....: for j in range(w): ....: while True: ....: r = R(n) ....: if not c[r]: break ....: c[r] = 1-2*R(2) ....: return Zx(c) ....: sage: w = 5 sage: randommessage() -x^6 - x^5 + x^4 + x^3 - x^2 sage:

  29. 21 sage: def encrypt(c,A): ....: b = randommessage() ....: Ab = convolution(A,b) ....: C = balancedmod(Ab + c,q) ....: return C ....: sage:

  30. 21 sage: def encrypt(c,A): ....: b = randommessage() ....: Ab = convolution(A,b) ....: C = balancedmod(Ab + c,q) ....: return C ....: sage: A,secretkey = keypair() sage:

  31. 21 sage: def encrypt(c,A): ....: b = randommessage() ....: Ab = convolution(A,b) ....: C = balancedmod(Ab + c,q) ....: return C ....: sage: A,secretkey = keypair() sage: c = randommessage() sage:

  32. 21 sage: def encrypt(c,A): ....: b = randommessage() ....: Ab = convolution(A,b) ....: C = balancedmod(Ab + c,q) ....: return C ....: sage: A,secretkey = keypair() sage: c = randommessage() sage: C = encrypt(c,A) sage:

  33. 21 sage: def encrypt(c,A): ....: b = randommessage() ....: Ab = convolution(A,b) ....: C = balancedmod(Ab + c,q) ....: return C ....: sage: A,secretkey = keypair() sage: c = randommessage() sage: C = encrypt(c,A) sage: C 21*x^6 - 48*x^5 + 31*x^4 - 76*x^3 - 77*x^2 + 15*x - 113 sage:

  34. 22 NTRU decryption Compute dC = 3 ab + dc in R q .

  35. 22 NTRU decryption Compute dC = 3 ab + dc in R q . a; b; c; d have small coeffs, so 3 ab + dc is not very big.

  36. 22 NTRU decryption Compute dC = 3 ab + dc in R q . a; b; c; d have small coeffs, so 3 ab + dc is not very big. Assume that coeffs of 3 ab + dc are between − q= 2 and q= 2 − 1.

  37. 22 NTRU decryption Compute dC = 3 ab + dc in R q . a; b; c; d have small coeffs, so 3 ab + dc is not very big. Assume that coeffs of 3 ab + dc are between − q= 2 and q= 2 − 1. Then 3 ab + dc in R q reveals 3 ab + dc in R = Z [ x ] = ( x n − 1).

  38. 22 NTRU decryption Compute dC = 3 ab + dc in R q . a; b; c; d have small coeffs, so 3 ab + dc is not very big. Assume that coeffs of 3 ab + dc are between − q= 2 and q= 2 − 1. Then 3 ab + dc in R q reveals 3 ab + dc in R = Z [ x ] = ( x n − 1). Reduce modulo 3: dc in R 3 .

  39. 22 NTRU decryption Compute dC = 3 ab + dc in R q . a; b; c; d have small coeffs, so 3 ab + dc is not very big. Assume that coeffs of 3 ab + dc are between − q= 2 and q= 2 − 1. Then 3 ab + dc in R q reveals 3 ab + dc in R = Z [ x ] = ( x n − 1). Reduce modulo 3: dc in R 3 . Multiply by 1 =d in R 3 to recover message c in R 3 .

  40. 22 NTRU decryption Compute dC = 3 ab + dc in R q . a; b; c; d have small coeffs, so 3 ab + dc is not very big. Assume that coeffs of 3 ab + dc are between − q= 2 and q= 2 − 1. Then 3 ab + dc in R q reveals 3 ab + dc in R = Z [ x ] = ( x n − 1). Reduce modulo 3: dc in R 3 . Multiply by 1 =d in R 3 to recover message c in R 3 . Coeffs are between − 1 and 1, so recover c in R .

  41. 23 sage: def decrypt(C,secretkey): ....: M = balancedmod ....: f,r = secretkey ....: u=M(convolution(C,f),q) ....: c=M(convolution(u,r),3) ....: return c ....: sage:

  42. 23 sage: def decrypt(C,secretkey): ....: M = balancedmod ....: f,r = secretkey ....: u=M(convolution(C,f),q) ....: c=M(convolution(u,r),3) ....: return c ....: sage: c x^5 + x^4 - x^3 + x + 1 sage:

  43. 23 sage: def decrypt(C,secretkey): ....: M = balancedmod ....: f,r = secretkey ....: u=M(convolution(C,f),q) ....: c=M(convolution(u,r),3) ....: return c ....: sage: c x^5 + x^4 - x^3 + x + 1 sage: decrypt(C,secretkey) x^5 + x^4 - x^3 + x + 1 sage:

  44. 24 sage: n = 7 sage: w = 5 sage: q = 256 sage:

  45. 24 sage: n = 7 sage: w = 5 sage: q = 256 sage: A,secretkey = keypair() sage:

  46. 24 sage: n = 7 sage: w = 5 sage: q = 256 sage: A,secretkey = keypair() sage: A -101*x^6 - 76*x^5 - 90*x^4 - 83*x^3 + 40*x^2 + 108*x - 54 sage:

  47. 24 sage: n = 7 sage: w = 5 sage: q = 256 sage: A,secretkey = keypair() sage: A -101*x^6 - 76*x^5 - 90*x^4 - 83*x^3 + 40*x^2 + 108*x - 54 sage: d,d3 = secretkey sage:

  48. 24 sage: n = 7 sage: w = 5 sage: q = 256 sage: A,secretkey = keypair() sage: A -101*x^6 - 76*x^5 - 90*x^4 - 83*x^3 + 40*x^2 + 108*x - 54 sage: d,d3 = secretkey sage: d x^5 + x^4 - x^3 + x - 1 sage:

  49. 24 sage: n = 7 sage: w = 5 sage: q = 256 sage: A,secretkey = keypair() sage: A -101*x^6 - 76*x^5 - 90*x^4 - 83*x^3 + 40*x^2 + 108*x - 54 sage: d,d3 = secretkey sage: d x^5 + x^4 - x^3 + x - 1 sage: conv = convolution sage:

  50. 24 sage: n = 7 sage: w = 5 sage: q = 256 sage: A,secretkey = keypair() sage: A -101*x^6 - 76*x^5 - 90*x^4 - 83*x^3 + 40*x^2 + 108*x - 54 sage: d,d3 = secretkey sage: d x^5 + x^4 - x^3 + x - 1 sage: conv = convolution sage: M = balancedmod sage:

  51. 24 sage: n = 7 sage: w = 5 sage: q = 256 sage: A,secretkey = keypair() sage: A -101*x^6 - 76*x^5 - 90*x^4 - 83*x^3 + 40*x^2 + 108*x - 54 sage: d,d3 = secretkey sage: d x^5 + x^4 - x^3 + x - 1 sage: conv = convolution sage: M = balancedmod sage: a3 = M(conv(d,A),q) sage:

  52. 24 sage: n = 7 sage: w = 5 sage: q = 256 sage: A,secretkey = keypair() sage: A -101*x^6 - 76*x^5 - 90*x^4 - 83*x^3 + 40*x^2 + 108*x - 54 sage: d,d3 = secretkey sage: d x^5 + x^4 - x^3 + x - 1 sage: conv = convolution sage: M = balancedmod sage: a3 = M(conv(d,A),q) sage: a3 3*x^2 - 3*x

  53. 25 sage: c = randommessage() sage:

  54. 25 sage: c = randommessage() sage: b = randommessage() sage:

  55. 25 sage: c = randommessage() sage: b = randommessage() sage: C = M(conv(A,b)+c,q) sage:

  56. 25 sage: c = randommessage() sage: b = randommessage() sage: C = M(conv(A,b)+c,q) sage: C -57*x^6 + 28*x^5 + 114*x^4 + 72*x^3 - 37*x^2 + 16*x + 119 sage:

  57. 25 sage: c = randommessage() sage: b = randommessage() sage: C = M(conv(A,b)+c,q) sage: C -57*x^6 + 28*x^5 + 114*x^4 + 72*x^3 - 37*x^2 + 16*x + 119 sage: u = M(conv(C,d),q) sage:

Recommend

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert SRI Georgia Tech Impagliazzos World Workshop 1 / 16 This Talk 1 State of Lattice-Based Cryptography 2 Main Result: Public-Key Encryption based on GapSVP

908 views • 73 slides
Discrete-Log Based Public Key Cryptosystems Jim Royer September 25, 2018 Introduction to

Discrete-Log Based Public Key Cryptosystems Jim Royer September 25, 2018 Introduction to

Note: Log = logarithm, not Discrete-Log Based Public Key Cryptosystems Jim Royer September 25, 2018 Introduction to Cryptography 1 References Symmetric and Asymmetric Cryptosystems Public-Key Cryptosystems Based on the Discrete

436 views • 9 slides
Lattice-based cryptography, day 1: simplicity D. J. Bernstein University of Illinois at Chicago;

Lattice-based cryptography, day 1: simplicity D. J. Bernstein University of Illinois at Chicago;

1 Lattice-based cryptography, day 1: simplicity D. J. Bernstein University of Illinois at Chicago; Ruhr University Bochum 2 2000 Cohen cryptosystem Public key: vector of integers K = ( K 1 ; : : : ; K N ) { X; : : : ; X } N .

1.84k views • 164 slides
Lattice-based cryptography: Episode V: the ring strikes back Daniel J. Bernstein University of

Lattice-based cryptography: Episode V: the ring strikes back Daniel J. Bernstein University of

1 Lattice-based cryptography: Episode V: the ring strikes back Daniel J. Bernstein University of Illinois at Chicago Crypto 1999 Nguyen: At Crypto 97, Goldreich, Goldwasser and Halevi proposed a public-key cryptosystem based on the

683 views • 32 slides
Exploring the parameter space in lattice attacks Daniel J. Bernstein Tanja Lange Based on

Exploring the parameter space in lattice attacks Daniel J. Bernstein Tanja Lange Based on

1 Exploring the parameter space in lattice attacks Daniel J. Bernstein Tanja Lange Based on attack survey from 2019 BernsteinChuengsatiansup Langevan Vredendaal. Some hard lattice meta-problems: Analyze cost of known attacks.

489 views • 36 slides
High-speed Instruction-set Coprocessor for Lattice-based Key Encapsulation Mechanisms: Saber in

High-speed Instruction-set Coprocessor for Lattice-based Key Encapsulation Mechanisms: Saber in

High-speed Instruction-set Coprocessor for Lattice-based Key Encapsulation Mechanisms: Saber in Hardware Sujoy Sinha Roy and Andrea Basso CHES 2020 Motivation Saber is (now) a round 3 finalist for the NIST PQC standardization process. NIST [MAA

482 views • 37 slides
The RSA Algorithm Private-key cryptosystems: - Alice and Bob agree on the key before the

The RSA Algorithm Private-key cryptosystems: - Alice and Bob agree on the key before the

The RSA Algorithm Private-key cryptosystems: - Alice and Bob agree on the key before the communication - all cryptosystems we discussed so far - also called: symmetric-key cryptosystems Public-key cryptosystems (Chapter 6) : - what to do if

281 views • 4 slides
The impact of side-channel attacks on the design of cryptosystems D. J. Bernstein University of

The impact of side-channel attacks on the design of cryptosystems D. J. Bernstein University of

The impact of side-channel attacks on the design of cryptosystems D. J. Bernstein University of Illinois at Chicago The standard model of senders, receivers, attackers, etc.: 1. Parties perform computation, send messages to other parties.

550 views • 32 slides
High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois

High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois

High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago &amp; Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers Unbroken

739 views • 44 slides
Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein Horizontal

Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein Horizontal

Visualizing size-security tradeoffs for lattice-based encryption Daniel J. Bernstein Horizontal axis: ciphertext size Why focus on size instead of CPU time? Fitting into existing frameworks and protocols. Data from Google. Long term:

835 views • 23 slides
Challenges in evaluating costs of known lattice attacks Daniel J. Bernstein Tanja Lange Based

Challenges in evaluating costs of known lattice attacks Daniel J. Bernstein Tanja Lange Based

1 Challenges in evaluating costs of known lattice attacks Daniel J. Bernstein Tanja Lange Based on attack survey from 2019 BernsteinChuengsatiansup Langevan Vredendaal. Why analysis is important: Guide attack optimization.

799 views • 69 slides
How cryptographic benchmarking goes wrong Daniel J. Bernstein Thanks to NIST 60NANB12D261 for

How cryptographic benchmarking goes wrong Daniel J. Bernstein Thanks to NIST 60NANB12D261 for

1 How cryptographic benchmarking goes wrong Daniel J. Bernstein Thanks to NIST 60NANB12D261 for funding this work, and for not reviewing these slides in advance. PRESERVE, ending 2015.06.30, was a European project Preparing Secure

491 views • 32 slides
Contents Introduction to data security Public key cryptosystems: Classical

Contents Introduction to data security Public key cryptosystems: Classical

Contents Introduction to data security Public key cryptosystems: Classical cryptosystems RSA Introduction to modern Prime number generation cryptography Polynomial arithmetic T-79.159 Block ciphers: DES, IDEA,

439 views • 15 slides
Security dangers of the NIST curves D. J. Bernstein University of Illinois at Chicago &amp;

Security dangers of the NIST curves D. J. Bernstein University of Illinois at Chicago &amp;

Security dangers of the NIST curves D. J. Bernstein University of Illinois at Chicago &amp; Technische Universiteit Eindhoven Joint work with: Tanja Lange Technische Universiteit Eindhoven The NIST curves were designed to make DLP

241 views • 12 slides
Symmetric Key Cryptosystems Modern Symmetric Key Cryptosystems Public key cryptosystems (PKCs) and

Symmetric Key Cryptosystems Modern Symmetric Key Cryptosystems Public key cryptosystems (PKCs) and

Modern Block Ciphers DES Games with Block Ciphers Modern Block Ciphers DES Games with Block Ciphers Symmetric Key Cryptosystems Modern Symmetric Key Cryptosystems Public key cryptosystems (PKCs) and their applications are the primary focus

521 views • 5 slides
High-speed cryptography, Cryptographers part 3: more cryptosystems Working

High-speed cryptography, Cryptographers part 3: more cryptosystems Working

High-speed cryptography, Cryptographers part 3: more cryptosystems Working systems Daniel J. Bernstein Cryptanalytic University of Illinois at Chicago &amp; algorithm designers Technische Universiteit Eindhoven Unbroken

1.49k views • 145 slides
Lattice-based cryptography: reduced to a special closest vector Episode V: problem which is much

Lattice-based cryptography: reduced to a special closest vector Episode V: problem which is much

1 2 Lattice-based cryptography: reduced to a special closest vector Episode V: problem which is much easier the ring strikes back than the general problem. As an application, we solved four out Daniel J. Bernstein of the five numerical

1.07k views • 70 slides
https://www.microsoft.com/en-us/research/people/plonga/ Quick motivation recap Quantum

https://www.microsoft.com/en-us/research/people/plonga/ Quick motivation recap Quantum

https://www.microsoft.com/en-us/research/people/plonga/ Quick motivation recap Quantum computers break public -key cryptography currently in use: cryptosystems based on factoring and (elliptic curve) discrete logarithms NIST launches

693 views • 40 slides
Verifiably random secure curves Daniel J. Bernstein Tung Chou Chitchanok Chuengsatiansup

Verifiably random secure curves Daniel J. Bernstein Tung Chou Chitchanok Chuengsatiansup

Verifiably random secure curves Daniel J. Bernstein Tung Chou Chitchanok Chuengsatiansup Andreas H ulsing Tanja Lange Ruben Niederhagen Christine van Vredendaal May 13, 2014 NSA/NIST FUD The NIST elliptic curves are behind the state of

433 views • 26 slides
Comparing proofs of security The target KEMs (all proposed for lattice-based encryption for wide

Comparing proofs of security The target KEMs (all proposed for lattice-based encryption for wide

1 2 Comparing proofs of security The target KEMs (all proposed for lattice-based encryption for wide deployment, IND-CCA2): 640 , 976 , 1344 . frodo Daniel J. Bernstein 512 , 768 , 1024 . kyber 128 , 192 , 256 . lac Primary objective of

1.2k views • 104 slides
Failures in NISTs ECC standards Daniel J. Bernstein, Tanja Lange 2015.12.15 Review of the

Failures in NISTs ECC standards Daniel J. Bernstein, Tanja Lange 2015.12.15 Review of the

Failures in NISTs ECC standards Daniel J. Bernstein, Tanja Lange 2015.12.15 Review of the (prime-field) NIST curves I Presented by NIST in 1999 Curve names: P-192, P-224, P-256, P-384, P-521 Curve is defined over F p where p has

250 views • 22 slides
A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas joint work with

A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas joint work with

A Reaction Attack against Cryptosystems based on LRPC Codes Gustavo Banegas joint work with Simona Samardjiska, Paolo Santini and Edoardo Persichetti Latincrypt 2019 October 3rd, 2019 A Reaction Attack against Cryptosystems based on LRPC

590 views • 33 slides
Security dangers of the NIST curves Daniel J. Bernstein, Tanja Lange http://xkcd.com/927

Security dangers of the NIST curves Daniel J. Bernstein, Tanja Lange http://xkcd.com/927

Security dangers of the NIST curves Daniel J. Bernstein, Tanja Lange http://xkcd.com/927 http://xkcd.com/927 But our goal today isnt unification; its security. We come to bury the standard, not to praise it. Why do people choose

572 views • 31 slides
Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia

Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia

Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 18 Lattice-Based One-Way Functions Public key Z n m A for q =

871 views • 84 slides

More recommend