DOCSLIB.ORG

Comparison of the Paillier and Elgamal Cryptosystems for Smart Grid Aggregation Protocols

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Comparison of the Paillier and Elgamal Cryptosystems for Smart Grid Aggregation Protocols Comparison of the Paillier and ElGamal Cryptosystems for Smart Grid Aggregation Protocols Fabian Knirsch1 a, Andreas Unterweger1, Maximilian Unterrainer1 and Dominik Engel1 1Center for Secure Energy Informatics, Salzburg University of Applied Sciences, Urstein Sud¨ 1, 5412 Puch/Hallein, Austria fi[email protected] Keywords: Secure aggregation, Paillier cryptosystem, ElGamal cryptosystem, Privacy Abstract: Many smart grid applications require the collection of fine-grained load data from customers. In order to pro- tect customer privacy, secure aggregation protocols have been proposed that aggregate data spatially without allowing the aggregator to learn individual load data. Many of these protocols build on the Paillier cryptosys- tem and its additively homomorphic property. Existing works provide little or no justification for the choice of this cryptosystem and there is no direct performance comparison to other schemes that allow for an additively homomorphic property. In this paper, we compare the ElGamal cryptosystem with the established Paillier cryptosystem, both, conceptually and in terms of runtime, specifically for the use in privacy-preserving aggre- gation protocols. We find that, in the ElGamal cryptosystem, when made additively homomorphic, the runtime for encryption and decryption is distributed more asymmetrically between the smart meter and the aggregator than it is in the Paillier cryptosystem. This better reflects the setup typically found in smart grid environments, where encryption is performed on low-powered smart meters and decryption is usually performed on power- ful machines. Thus, the ElGamal cryptosystem is a better, albeit overlooked, choice for secure aggregation protocols. 1 INTRODUCTION to be trusted for performing the correct aggregation (Unterweger et al., 2019). Figure 1 shows the princi- Collecting fine-grained load data from smart me- pal setup and actors of such a smart grid aggregation ters installed in the customer premises has shown to protocol. pose severe privacy risks (Wicker and Thomas, 2011; Existing works, e.g., (Li et al., 2010; Erkin and McKenna et al., 2012; Burkhart et al., 2018). To mit- Tsudik, 2012; Erkin, 2015; Rane et al., 2015) provide igate them, secure aggregation protocols have been little or no justification for the choice of the cryptosys- proposed by many authors for privacy-preserving data tem and most commonly employ the Paillier scheme aggregation in the smart gird, e.g., (Li et al., 2010; (Paillier, 1999). Only very few publications make Erkin and Tsudik, 2012; Knirsch et al., 2017). These use of the ElGamal cryptosystem in the context of protocols protect customer privacy by only providing smart grids, e.g., (Busom et al., 2016). To the best the sum of load data from a number of households at of our knowledge, there exists no performance com- one point in time (Buescher et al., 2017). parison between the Paillier cryptosystem and the El- One approach for secure aggregation protocols is to Gamal cryptosystem (ElGamal, 1985), which are the employ an additively homomorphic cryptosystem and two most commonly used homomorphic cryptosys- an entity that acts as a (semi-trusted) aggregator. Each tems (Armknecht et al., 2013) and also those with smart meter encrypts its individual measurement and the highest security guarantees (Fontaine and Galand, sends the encrypted value to the aggregator. The ag- 2007). gregator uses the additively homomorphic property While ElGamal is more lightweight in terms of of the underlying cryptosystem to calculate the en- encryption complexity, it is multiplicative homo- crypted sum and forwards this sum to the energy morphic, but can be made additively homomorphic provider, who decrypts it. This way, the aggregator (Cramer et al., 1997). This can be advantageous for does not learn individual meter readings, but needs low-powered devices such as smart meters. For this reason, the ElGamal cryptosystem is already widely a https://orcid.org/0000-0002-6346-5759 employed in e-voting applications, as presented in 1.2 CONTRIBUTION EP ! This paper briefly presents both, the Paillier and the E (∑ mi) = ∏ E(mi) i i ElGamal cryptosystems with extensions from the lit- A erature to make them comparable for additive homo- morphic operations. The main contribution of this pa- E(m1) E(mN) E(m2) per is the runtime analysis and comparison of the two cryptosystems for aggregated smart meter data. The SM1 SM2 ::: SMN detailed analysis of encryption and decryption times as well as of each relevant algorithmic step allows Figure 1: Aggregation protocol with homomorphic encryp- for conclusions on the suitability and practicability of tion: Each smart meter (SMi) sends its encrypted value both cryptosystems for secure aggregation. It also al- E(mi) to the aggregator (A). The aggregator calculates the sum of the values in the ciphertext domain using the addi- lows for recommendations on which system to prefer tive homomorphic property of the cryptosystem. The result for this smart grid aggregation use case. In this paper, is sent to the energy provider (EP) which decrypts it to ob- we find that the ElGamal cryptosystem is overlooked tain the plaintext sum ∑i mi of the readings. for many proposed protocols. The encryption is more lightweight compared to Paillier cryptosystem and the additional overhead at decryption can be mitigated by (Adida, 2008; Chaum et al., 2008; Culnane et al., powerful devices in the EP’s premises or is negligible 2015). for practical applications. 1.3 STRUCTURE 1.1 RELATED WORK The paper is structured as follows: Section 2 de- scribes the Paillier and ElGamal cryptosystems, as well as additional algorithms to make them compara- The properties of the Paillier cryptosystem have been ble. Section 3 compares both cryptosystems and their investigated in detail by, e.g., (Catalano et al., 2001; application for privacy-preserving aggregation. Sec- Damgard˚ and Jurik, 2001; Damgard˚ et al., 2010). tion 4 summarizes the findings and gives an outlook The same is true for a number of variations of the to future work. system, e.g., (Fouque et al., 2001; Galbraith, 2002; Hazay et al., 2012). Similarly, investigations for the ElGamal cryptosystem and its variations exist, e.g., (Cramer and Shoup, 2003; Kumar and Madrai, 2012; 2 BACKGROUND Armknecht et al., 2013). In this section, the Paillier and ElGamal cryptosys- A general runtime comparison between the ElGamal tems, which are compared in this paper, are explained and the multiplicative homomorphic RSA cryptosys- briefly, together with their relevant properties. In ad- tem has been conducted by (Maqsood et al., 2017). dition, the Cramer transformation is described which However, the Paillier cryptosystem has not been con- allows using the ElGamal cryptosystem in such a way sidered in their analysis, as opposed to our work. that it becomes comparable to the Paillier cryptosys- A non-peer-reviewed publication titled “An experi- tem. Furthermore, multiple algorithms for calculating mental study on Performance Evaluation of Asym- the aggregate after ElGamal decryption are described. metric Encryption Algorithms” by Farah et al. exists which describes runtime results for both, the Paillier 2.1 PAILLIER CRYPTOSYSTEM and ElGamal cryptosystems. However, their reported results do not increase with increasing plaintext size The Paillier cryptosystem is an additively homomor- and even drop to zero for some plaintexts, casting phic, semantically secure public-private key cryp- doubts on their numbers and thus their conclusions. tosystem (Paillier, 1999; Catalano et al., 2001). To the best of our knowledge there is currently no An additively homomorphic cryptosystem fulfills the comparison of the Paillier and ElGamal cryptosystem equation in the context of smart grid aggregation protocols and D(E(m ) · E(m )) = m + m no analysis of the suitability of the latter in practical 1 2 1 2 setups exists. Thus, this aspect is investigated in this for two plaintexts m1 and m2, where E and D denote paper. the encryption and decryption functions, respectively. Given two large prime number p and q of the same 2.4 BRUTE FORCE ALGORITHM length, the public key (n;g) is calculated by n = pq; g = n + 1 To recover m from m0 = gm (mod q) with known g 0 and the private key l is calculated by and q, the discrete logarithm logg(m ) = m (mod q) can be solved by brute forcing all possible values of l = j(n); µ = j(n)−1 mod n; m, until a solution is found. The complexity of this al- where j(n) = (p − 1)(q − 1). gorithm is O(q). If it is known that m is within a given Encryption of a plaintext m 2 f0;1;:::;n−1g to a interval [0;b], the complexity is reduced to O(b). ciphertext c is performed by Linear speedup can be achieved by parallelizing the c = gmrn mod n2; brute-force search. While not reducing the complex- with a random number r 2 f1;2;:::;n − 1g. ity itself, the constant factor of the runtime is reduced Given two ciphertexts c1 and c2, the additive ho- proportional to the number of parallel searches. momorphic property can be shown by m1+m2 n 2 c1 · c2 = g (r1 · r2) mod n : 2.5 POLLARD’S LAMBDA Decryption of the above expression will result in the ALGORITHM sum of m1 and m2. Pollard’s Lambda algorithm is designed to solve the 2.2 ELGAMAL CRYPTOSYSTEM discretep logarithm and achieves a runtime complexity of O b − a for a plaintext in the interval m 2 [a;b] The ElGamal cryptosystem is a public-private key (Pollard, 1978). This assumes that m is with certainty cryptosystem with a multiplicatively homomorphic within the defined interval. property (ElGamal, 1985). A multiplicatively homo- Pollard’s Lambda algorithm rewrites m = b + d − dk morphic cryptosystem fulfills the equation (mod q) for a k 2 [0;I −1]. I can be chosen according to (Pollard, 1978). First, a sequence x is computed D(E(m1) · E(m2)) = m1 · m2: 0:::I where x = gb and Given a publicly known cyclic group G of order q 0 g f (xi) with a publicly known generator , the public key is xi+1 = xig ; h = gr; with f being a parameterizable pseudorandom func- r 2 f ; ;:::;q − g r with 1 2 1 being randomly chosen.
Load more

Recommended publications
  • Authenticating Computation on Groups: New Homomorphic Primitives and Applications
    Universita` degli Studi di Catania Dipartimento di Matematica ed Informatica Dottorato di Ricerca in Matematica Pura ed Applicata XXVI ciclo Orazio Puglisi Authenticating Computation on Groups: New Homomorphic Primitives and Applications Advisor: Ch.mo Prof. Dario Catalano ANNO ACCADEMICO 2013-2014 Contents Contents i Acknowledgments iv 1 Introduction 1 1.1 Afewwordsaboutcryptographyhistory . 1 1.2 From Encryption to Homomorphic Encryption . 3 1.3 Whatabouthomomorphicsignatures? . 4 1.4 Fromaconcreteproblemtoanewprimitive . 6 1.5 Organizationofthisthesis . 8 2 Preliminaries and notations 10 2.1 BasicNotations .......................... 10 2.1.1 Probabilisticnotation. 10 2.1.2 NumberTheory...................... 11 2.1.3 Pairings .......................... 11 2.1.4 Computationalassumptions . 12 2.2 PrimitivesandSecurity. 13 2.2.1 Usersandprimitives . 13 2.2.2 Indistinguishability under CPA and CCA . 15 2.2.3 Theasymptoticapproach . 16 2.2.4 Primitives ......................... 17 2.2.4.1 HashFunction . 17 2.2.4.2 ChameleonHashFunction . 18 2.2.4.3 PublicKeyEncryption. 19 i CONTENTS ii 2.2.4.3.1 Security for Public Key Encryption Schemes. ............... 20 2.2.4.3.2 Paillier Encryption Scheme . 22 2.2.4.4 Signatures. 23 2.2.4.4.1 Security for Digital Signatures Schemes 24 2.2.4.4.2 WatersSignature . 26 2.2.4.5 AuthenticatedEncryption . 27 2.2.4.6 SigmaProtocol . 28 2.2.4.6.1 SchnorrSigmaProtocol . 30 2.2.5 Homomorphicprimitives . 30 3 A linearly homomorphic signature scheme to sign elements in bilinear groups 32 3.1 Linear Network Coding and Linearly Homomorphic Signatures 33 3.2 HomomorphicSignaturesscheme . 34 3.2.1 Correctness and Security for Homomorphic Signatures 35 3.3 LHSG:Definition ........................
    [Show full text]
  • The Twin Diffie-Hellman Problem and Applications
    The Twin Diffie-Hellman Problem and Applications David Cash1 Eike Kiltz2 Victor Shoup3 February 10, 2009 Abstract We propose a new computational problem called the twin Diffie-Hellman problem. This problem is closely related to the usual (computational) Diffie-Hellman problem and can be used in many of the same cryptographic constructions that are based on the Diffie-Hellman problem. Moreover, the twin Diffie-Hellman problem is at least as hard as the ordinary Diffie-Hellman problem. However, we are able to show that the twin Diffie-Hellman problem remains hard, even in the presence of a decision oracle that recognizes solutions to the problem — this is a feature not enjoyed by the Diffie-Hellman problem in general. Specifically, we show how to build a certain “trapdoor test” that allows us to effectively answer decision oracle queries for the twin Diffie-Hellman problem without knowing any of the corresponding discrete logarithms. Our new techniques have many applications. As one such application, we present a new variant of ElGamal encryption with very short ciphertexts, and with a very simple and tight security proof, in the random oracle model, under the assumption that the ordinary Diffie-Hellman problem is hard. We present several other applications as well, including: a new variant of Diffie and Hellman’s non-interactive key exchange protocol; a new variant of Cramer-Shoup encryption, with a very simple proof in the standard model; a new variant of Boneh-Franklin identity-based encryption, with very short ciphertexts; a more robust version of a password-authenticated key exchange protocol of Abdalla and Pointcheval.
    [Show full text]
  • Blind Schnorr Signatures in the Algebraic Group Model
    An extended abstract of this work appears in EUROCRYPT’20. This is the full version. Blind Schnorr Signatures and Signed ElGamal Encryption in the Algebraic Group Model Georg Fuchsbauer1, Antoine Plouviez2, and Yannick Seurin3 1 TU Wien, Austria 2 Inria, ENS, CNRS, PSL, Paris, France 3 ANSSI, Paris, France first.last@{tuwien.ac.at,ens.fr,m4x.org} January 16, 2021 Abstract. The Schnorr blind signing protocol allows blind issuing of Schnorr signatures, one of the most widely used signatures. Despite its practical relevance, its security analysis is unsatisfactory. The only known security proof is rather informal and in the combination of the generic group model (GGM) and the random oracle model (ROM) assuming that the “ROS problem” is hard. The situation is similar for (Schnorr-)signed ElGamal encryption, a simple CCA2-secure variant of ElGamal. We analyze the security of these schemes in the algebraic group model (AGM), an idealized model closer to the standard model than the GGM. We first prove tight security of Schnorr signatures from the discrete logarithm assumption (DL) in the AGM+ROM. We then give a rigorous proof for blind Schnorr signatures in the AGM+ROM assuming hardness of the one-more discrete logarithm problem and ROS. As ROS can be solved in sub-exponential time using Wagner’s algorithm, we propose a simple modification of the signing protocol, which leaves the signatures unchanged. It is therefore compatible with systems that already use Schnorr signatures, such as blockchain protocols. We show that the security of our modified scheme relies on the hardness of a problem related to ROS that appears much harder.
    [Show full text]
  • Implementation and Performance Evaluation of XTR Over Wireless Network
    Implementation and Performance Evaluation of XTR over Wireless Network By Basem Shihada [email protected] Dept. of Computer Science 200 University Avenue West Waterloo, Ontario, Canada (519) 888-4567 ext. 6238 CS 887 Final Project 19th of April 2002 Implementation and Performance Evaluation of XTR over Wireless Network 1. Abstract Wireless systems require reliable data transmission, large bandwidth and maximum data security. Most current implementations of wireless security algorithms perform lots of operations on the wireless device. This result in a large number of computation overhead, thus reducing the device performance. Furthermore, many current implementations do not provide a fast level of security measures such as client authentication, authorization, data validation and data encryption. XTR is an abbreviation of Efficient and Compact Subgroup Trace Representation (ECSTR). Developed by Arjen Lenstra & Eric Verheul and considered a new public key cryptographic security system that merges high level of security GF(p6) with less number of computation GF(p2). The claim here is that XTR has less communication requirements, and significant computation advantages, which indicate that XTR is suitable for the small computing devices such as, wireless devices, wireless internet, and general wireless applications. The hoping result is a more flexible and powerful secure wireless network that can be easily used for application deployment. This project presents an implementation and performance evaluation to XTR public key cryptographic system over wireless network. The goal of this project is to develop an efficient and portable secure wireless network, which perform a variety of wireless applications in a secure manner. The project literately surveys XTR mathematical and theoretical background as well as system implementation and deployment over wireless network.
    [Show full text]
  • Secure E-Voting System by Utilizing Homomorphic Properties of the Encryption Algorithm
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by TELKOMNIKA (Telecommunication Computing Electronics and Control) TELKOMNIKA, Vol.16, No.2, April 2018, pp. 862~867 ISSN: 1693-6930, accredited A by DIKTI, Decree No: 58/DIKTI/Kep/2013 DOI: 10.12928/TELKOMNIKA.v16i2.8420 862 Secure E-voting System by Utilizing Homomorphic Properties of the Encryption Algorithm Rifki Suwandi*, Surya Michrandi Nasution, Fairuz Azmi Electrical Engineering Faculty, Telkom University, Bandung, Indonesia *Corresponding author, e-mail: [email protected], [email protected], [email protected] Abstract The use of cryptography in the e-voting system to secure data is a must to ensure the authenticity of the data. In contrast to common encryption algorithms, homomorphic encryption algorithms had unique properties that can perform mathematical operations against ciphertext. This paper proposed the use of the Paillier and Okamoto-Uchiyama algorithms as two homomorphic encryption algorithms that have the additional properties so that it can calculate the results of voting data that has been encrypted without having to be decrypted first. The main purpose is to avoid manipulation and data falsification during vote tallying process by comparing the advantages and disadvantages of each algorithm. Keywords: cryptography, encryption, homomorphic, Paillier, Okamoto-Uchiyama Copyright © 2018 Universitas Ahmad Dahlan. All rights reserved. 1. Introduction There are numerous issues with the electronic vote casting system, together with system errors, network safety, information security, and so on. One of the primary issues is cheating committed by either insider or outsider, especially for some important role holders with authority that can access the system itself.
    [Show full text]
  • Lecture 14: Elgamal Encryption, Hash Functions from DL, Prgs from DDH 1 Topics Covered 2 Recall 3 Key Agreement from the Diffie
    CS 7880 Graduate Cryptography October 29, 2015 Lecture 14: ElGamal Encryption, Hash Functions from DL, PRGs from DDH Lecturer: Daniel Wichs Scribe: Biswaroop Maiti 1 Topics Covered • Public Key Encryption • A Public Key Encryption from the DDH Assumption • El Gamal Encryption • CRHF from Discrete Log • PRG from DDH 2 Recall Recall the three number theoretic assumptions we saw last time. We will build Crypto- graphic schemes or protocols based on the hardness of these problems. Definition 1 (G; g; q) Groupgen(1n) } Assumption 1 DL Given g; gX , it is hard to find X. Assumption 2 Computational Diffie Hellman Given g; gX ; gY , it is hard to find gXY . Assumption 3 Decisional Diffie Hellman Given g; gX ; gY , it is hard to distinguish between gXY and gZ , where Z is chosen at random. (g; gX ; gY ; gXY ) ≈ (g; gX ; gY ; gZ ) 3 Key Agreement from the Diffie Helman scheme AB x Zq X hA = g −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−£ Y hB = g ¡−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− Y Zq X XY Y XY hB = g hA = g The keys agreed upon by A and B is gXY . Lecture 14, Page 1 It is interesting to note that in this scheme, A and B were able to agree upon a key without communicating about it. Each party generates a puzzle uniformly at random: A X Y generates hA = g , and B generates hB = g . Then, they send their puzzles to each other, and establish the key to be gXY . Proving this scheme is secure is equivalent to showing that the DDH assumption holds. 4 Public Key Encryption The general syntax of Public Key Encryption is the following.
    [Show full text]
  • Two-Party ECDSA from Hash Proof Systems and Efficient Instantiations
    Two-Party ECDSA from Hash Proof Systems and Efficient Instantiations Guilhem Castagnos, Dario Catalano, Fabien Laguillaumie, Federico Savasta, Ida Tucker To cite this version: Guilhem Castagnos, Dario Catalano, Fabien Laguillaumie, Federico Savasta, Ida Tucker. Two-Party ECDSA from Hash Proof Systems and Efficient Instantiations. CRYPTO 2019 - 39th Annual Inter- national Cryptology Conference, Aug 2019, Santa Barbara, United States. pp.191-221, 10.1007/978- 3-030-26954-8_7. hal-02281931 HAL Id: hal-02281931 https://hal.archives-ouvertes.fr/hal-02281931 Submitted on 9 Sep 2019 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Two-Party ECDSA from Hash Proof Systems and Efficient Instantiations Guilhem Castagnos1, Dario Catalano2, Fabien Laguillaumie3, Federico Savasta2;4, and Ida Tucker3 1 Université de Bordeaux, INRIA, CNRS, IMB UMR 5251, F-33405 Talence, France. 2 Università di Catania, Italy. 3 Univ Lyon, EnsL, UCBL, CNRS, Inria, LIP, F-69342, LYON Cedex 07, France. 4 Scuola Superiore di Catania, Italy Abstract. ECDSA is a widely adopted digital signature standard. Unfortunately, efficient distributed variants of this primitive are notoriously hard to achieveand known solutions often require expensive zero knowledge proofs to deal with malicious adversaries.
    [Show full text]
  • Implementing Several Attacks on Plain Elgamal Encryption Bryce D
    Iowa State University Capstones, Theses and Graduate Theses and Dissertations Dissertations 2008 Implementing several attacks on plain ElGamal encryption Bryce D. Allen Iowa State University Follow this and additional works at: https://lib.dr.iastate.edu/etd Part of the Mathematics Commons Recommended Citation Allen, Bryce D., "Implementing several attacks on plain ElGamal encryption" (2008). Graduate Theses and Dissertations. 11535. https://lib.dr.iastate.edu/etd/11535 This Thesis is brought to you for free and open access by the Iowa State University Capstones, Theses and Dissertations at Iowa State University Digital Repository. It has been accepted for inclusion in Graduate Theses and Dissertations by an authorized administrator of Iowa State University Digital Repository. For more information, please contact [email protected]. Implementing several attacks on plain ElGamal encryption by Bryce Allen A thesis submitted to the graduate faculty in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE Major: Mathematics Program of Study Committee: Clifford Bergman, Major Professor Paul Sacks Sung-Yell Song Iowa State University Ames, Iowa 2008 Copyright c Bryce Allen, 2008. All rights reserved. ii Contents CHAPTER 1. OVERVIEW . 1 1.1 Introduction . .1 1.2 Hybrid Cryptosystems . .2 1.2.1 Symmetric key cryptosystems . .2 1.2.2 Public key cryptosystems . .3 1.2.3 Combining the two systems . .3 1.2.4 Short messages and public key systems . .4 1.3 Implementation . .4 1.4 Splitting Probabilities . .5 CHAPTER 2. THE ELGAMAL CRYPTOSYSTEM . 7 2.1 The Discrete Log Problem . .7 2.2 Encryption and Decryption . .8 2.3 Security . .9 2.4 Efficiency .
    [Show full text]
  • Power Analysis on NTRU Prime
    Power Analysis on NTRU Prime Wei-Lun Huang, Jiun-Peng Chen and Bo-Yin Yang Academia Sinica, Taiwan, [email protected], [email protected], [email protected] Abstract. This paper applies a variety of power analysis techniques to several imple- mentations of NTRU Prime, a Round 2 submission to the NIST PQC Standardization Project. The techniques include vertical correlation power analysis, horizontal in- depth correlation power analysis, online template attacks, and chosen-input simple power analysis. The implementations include the reference one, the one optimized using smladx, and three protected ones. Adversaries in this study can fully recover private keys with one single trace of short observation span, with few template traces from a fully controlled device similar to the target and no a priori power model, or sometimes even with the naked eye. The techniques target the constant-time generic polynomial multiplications in the product scanning method. Though in this work they focus on the decapsulation, they also work on the key generation and encapsulation of NTRU Prime. Moreover, they apply to the ideal-lattice-based cryptosystems where each private-key coefficient comes from a small set of possibilities. Keywords: Ideal Lattice Cryptography · Single-Trace Attack · Correlation Power Analysis · Template Attack · Simple Power Analysis · NTRU Prime 1 Introduction Due to Shor’s algorithm [Sho97], quantum computing is a potential threat to all public-key cryptosystems based on the hardness of integer factorization and discrete logarithms, in- cluding RSA [RSA78], Diffie-Hellman key agreement [DH76], ElGamal encryption [Gam85], and ECDSA [JMV01]. Recently, quantum computers have been estimated as arriving in 10 to 15 years [Sni16, WLYZ18], which identifies an urgent need for the examination and standardization of post-quantum cryptosystems.
    [Show full text]
  • Comparison of Two Public Key Cryptosystems
    Journal of Optoelectronical Nanostructures Summer 2018 / Vol. 3, No. 3 Islamic Azad University Comparison of two Public Key Cryptosystems 1 *,2 1 Mahnaz Mohammadi , Alireza Zolghadr , Mohammad Ali Purmina 1 Department of Electrical and Electronic Eng., Science and Research Branch, Islamic Azad University, Tehran, Iran 2 Faculty of Computer and Electrical Eng., Department of Communication and Electronics, Shiraz University, Shiraz, Iran (Received 10 Jun. 2018; Revised 11 Jul. 2018; Accepted 26 Aug. 2018; Published 15 Sep. 2018) Abstract: Since the time public-key cryptography was introduced by Diffie and Hellman in 1976, numerous public-key algorithms have been proposed. Some of these algorithms are insecure and the others that seem secure, many are impractical, either they have too large keys or the cipher text they produce is much longer than the plaintext. This paper focuses on efficient implementation and analysis of two most popular of these algorithms, RSA and ElGamal for key generation and the encryption scheme (encryption/decryption operation). RSA relies on the difficulty of prime factorization of a very large number, and the hardness of ElGamal algorithm is essentially equivalent to the hardness of finding discrete logarithm modulo a large prime. These two systems are compared to each other from different parameters points of view such as performance, security, speed and applications. To have a good comparison and also to have a good level of security correspond to users need the systems implemented are designed flexibly in terms of the key size. Keywords: Cryptography, Public Key Cryptosystems, RSA, ElGamal. 1. INTRODUCTION The security is a necessary for the network to do all the works related to ATM cards, computer passwords and electronic commerce.
    [Show full text]
  • Timing Attacks and the NTRU Public-Key Cryptosystem
    Eindhoven University of Technology BACHELOR Timing attacks and the NTRU public-key cryptosystem Gunter, S.P. Award date: 2019 Link to publication Disclaimer This document contains a student thesis (bachelor's or master's), as authored by a student at Eindhoven University of Technology. Student theses are made available in the TU/e repository upon obtaining the required degree. The grade received is not published on the document as presented in the repository. The required complexity or quality of research of student theses may vary by program, and the required minimum study period may vary in duration. General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. • Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain Timing Attacks and the NTRU Public-Key Cryptosystem by Stijn Gunter supervised by prof.dr. Tanja Lange ir. Leon Groot Bruinderink A thesis submitted in partial fulfilment of the requirements for the degree of Bachelor of Science July 2019 Abstract As we inch ever closer to a future in which quantum computers exist and are capable of break- ing many of the cryptographic algorithms that are in use today, more and more research is being done in the field of post-quantum cryptography.
    [Show full text]
  • Lecture 19: Public-Key Cryptography (Diffie-Hellman Key Exchange & Elgamal Encryption)
    Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access to the secret key sk For example, consider a private-key encryption scheme $ 1 The Alice and Bob generate sk Gen() ahead of time 2 Later, when Alice wants to encrypt and send a message to Bob, she computes the cipher-text c = Encsk(m) 3 The eavesdropping adversary see c but gains no additional information about the message m 4 Bob can decrypt the message me = Decsk(c) 5 Note that the knowledge of sk distinguishes Bob from the eavesdropping adversary Public-key Cryptography Perspective If jskj >jmj, then we can construct private-key encryption schemes (like, one-time pad) that is secure even against adversaries with unbounded computational power If jskj = O(jmj"), where " 2 (0; 1) is a constant, then we can construction private-key encryption schemes using pseudorandom generators (PRGs) What if, jskj = 0? That is, what if Alice and Bob never met? How is “Bob” any different from an “adversary”? Public-key Cryptography In this Lecture We shall introduce the Decisional Diffie-Hellmann (DDH) Assumption and the Diffie-Hellman key-exchange protocol, We shall introduce the El Gamal (public-key) Encryption Scheme, and Finally, abstract out the principal design principles learned. Public-key Cryptography Decisional Diffie-Hellman (DDH) Computational Hardness AssumptionI Let (G; ◦) be a group of size N that is generated by g.
    [Show full text]