DOCSLIB.ORG

Birthday Attack to Discrete Logarithm

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Birthday Attack to Discrete Logarithm Birthday attack to discrete logarithm Li An-Ping Beijing 100080, P.R. China [email protected] Abstract: The discrete logarithm in a finite group of large order has been widely applied in public key cryptosystem. In this paper, we will present a probabilistic algorithm for discrete logarithm. Keywords: discrete logarithm, collisions, probability, birthday paradox, linear system. 1. Introduction The generalized Discrete Logarithm problem (GDLP) has been taken as an intractable problem widely applied in public key cryptosystems since it firstly was proposed by W. Diffie and M.E. Hellman in their key exchange system [1]. The problem is the one to find the solution for the exponential equation abx = in a group G . Since then, there have been several algorithms for GDLP presented, in which main three ones are that, the baby-step giant-step algorithm, Silver- Pohlig- Hellman’s algorithm and the index calculus algorithm. Suppose that the order ofG ||GN= , then the required operations of the first algorithm will take about ON()group multiplications and ON(log)⋅ Ncomparisons. The second one is similar to the method of solving the congruence in number theory by resolve the equation into the subgroups of groupG with the order of prime powers, so it is more efficient if the prime factors of group G all are smaller. In the case the base groups G are from the multiplication groups of finite fields, the index calculus is the most powerful one. For the detail about GDLP, refer to see [2] and A.M. Odlyzko’s survey papers [3], [4]. In this paper, we will present a probabilistic algorithm for discrete logarithm, which is a development of the birthday attack. As usual, for two integers x and r , we will represent []xxxr = ⋅−⋅⋅−+ ( 1) ( xr 1), and []xxxr =⋅ ( +⋅ 1) ⋅ ( xr +− 1). Let A be a set of t elements, in which elements repetitions are allowed, suppose that there are just td− different elements in A , then we call A has d collisions. 2. The description and analysis Suppose that G is the base group of discrete logarithm, the order ofG , ||GN= , and gG∈ xi is a generator of G . Let Syg=={|1}i ≤≤ imbe a set of m public keys. Denoted by ⎡⎤1/2 , for each arbitrary takes distinct integers ()i , nN=+⎢⎥1 yi ∈≤≤Sim,1 , n rjnj ,1≤≤ and makes a set ()i rj Syii=≤≤≤≤{|1},1. jnim (0) Moreover, arbitrary takes n distinct integers rjnj ,1≤ ≤ , and makes a set ()i rj Sg0 =≤≤{|1}. jn Proposition 1 Let Ω= ∪ Si , suppose that k is a non-negative integer, km≤ , denoted by 0≤≤im pk ()Ω (or simply, pk ) the probability that there are at least k collisions in the set Ω , it has −++(1)mk2 ε 2 pk ≥−1(1)/!.emk ⋅ + (2.1) where ε ≺ 2(Tk− )32 / 3 N . Proof. Let Tmn=Ω=||(1) + , for each integer iim,0≤ < ,denoted by λi the number of all possible T -subsets of N distinct elements with i collisions, then it is easy to know that Ti−− i Ti i λiN=⋅−=⋅CTiiCC[]/! NT−1 , Hence, TiT pki≥−1/([]/!)1[][]/[]∑∑λ NT ≥− N TiiT−− ⋅ TC ⋅ 1 N 00≤<ik ≤< ik 2i ≥−1(1)(1)/!∏ − ⋅∑ mi + 2i 1≤<iT − k Ni+ ) 0≤<ik −2i ≥−1 exp(∑ )(mk + 1)2k / ! 1≤<iT − kNi+ −22ii2 ≥−1 exp( + )(mk + 1)2k / ! ∑ 2 1≤<iT − k NN 232 ≥−1(1)/!.emk−++(1)2()/3mTkN − ⋅ + 2 k From the proposition above, we know that the probability pm ()Ω will be greater than 0.99 as m ≥ 2 . m Clearly, a collision in the set Ω is just a linear equation of the privacy keys{}xi 1 , say in detail, if ij,0≠ ()ij ( ) rrst ()ij ( ) yyij=⇔⋅=⋅ rxrx sitjmod N , and ()i (0) rrst ()i (0) yyij=⇔⋅= rxr sit mod N . So, in the case that these m linear equations are linear independent, then all the privacy m keys{}xi 1 will be discovered by solving the obtained linear system. On the other hand, we know the probability that randomly take m m -vectors which are linear independent is very great, which is about 1(1/)− N . It is clear that the main computations required in this new analysis are the comparisons to find m collisions in the set Ω and the group multiplications in making the sets Si . By the simple way that classifying the elements of Ω in bits one by one, the required comparisons to order the elements in Ω are about OT(log) T , which is about equal to the required comparisons in the ()i baby-step giant-step algorithm. If properly selecting the constants rj , the amount of group multiplications required in the new algorithm also will be about equal to the one of the baby-step giant-step algorithm. However, in the case that m is greater, we can reduce the size n of the sets 1/2 ⎡⎤⎛⎞2N Si into n =+⎢⎥⎜⎟1, then we have the following estimation ⎢⎥⎝⎠m +1 −++2(mm 1) ε pemmm ()1Ω≥ − ⋅ (2 + 2)/ ! m e−+1 ε ⎛⎞2 (2.2) ≥−1.⎜⎟ 2π m ⎝⎠e So, in this way, the required group multiplications in the presented algorithm will be less than the ones in the baby-step giant-step algorithm. Finally, similar to Silver- Pohlig- Hellman’s algorithm, we can resolve the original GDLP into the subgroups of the cyclic group generated by element g , and then apply this analysis above to the subgroups. References [1] W. Diffie, M.E. Hellman, “New directions in cryptography”, IEEE Transactions on Information Theory, 22(1976), 644–654. [2] A. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptograpgy, CRC Press, 1997. [3] A.M. Odlyzko, “Discrete logarithms in finite fields and their cryptographic significance”, Advances in Cryptology –Proceedings of EUROCRYPT 84 (LNCS 209), 224–314, 1985. [4] ------------, Discrete logarithms: The past and the future, Designs, Codes, and cryptography 19 (2000), pp. 129-145. .
Load more

Recommended publications
  • Improvements in Computing Discrete Logarithms in Finite Fields
    ISSN (Print): 2476-8316 ISSN (Online): 2635-3490 Dutse Journal of Pure and Applied Sciences (DUJOPAS), Vol. 5 No. 1a June 2019 Improvements in Computing Discrete Logarithms in Finite Fields 1*Ali Maianguwa Shuaibu, 2Sunday Babuba & 3James Andrawus 1, 2,3 Department of Mathematics, Federal University Dutse, Jigawa State Email: [email protected] Abstract The discrete logarithm problem forms the basis of numerous cryptographic systems. The most efficient attack on the discrete logarithm problem in the multiplicative group of a finite field is via the index calculus. In this paper, we examined a non-generic algorithm that uses index calculus. If α is a generator × × for 퐹푝 then the discrete logarithm of 훽 ∈ 퐹푝 with respect to 훼 is also called the index of 훽 (with respect to 훼), whence the term index calculus. This algorithm depends critically on the distribution of smooth numbers (integers with small prime factors), which naturally leads to a discussion of two algorithms for factoring integers that also depend on smooth numbers: the Pollard 푝 − 1method and the elliptic curve method. In conclusion, we suggest improved elliptic curve as well as hyperelliptic curve cryptography methods as fertile ground for further research. Keywords: Elliptic curve, Index calculus, Multiplicative group, Smooth numbers Introduction 푥 It is known that the logarithm 푙표푔푏 푎 is a number x such that 푏 = 푎, for given numbers a and b. Similarly, in any group G, powers 푏푘 can be defined for all integers 푘, and 푘 the discrete logarithm푙표푔푏 푎 is an integer k such that 푏 = 푎. In number theory,푥 = 푥 푖푛푑푟푎(푚표푑 푚) is read as the index of 푎 to the base r modulo m which is equivalent to 푟 = 푎(푚표푑 푚) if r is the primitive root of m and greatest common divisor, 푔푐푑( 푎, 푚) = 1.
    [Show full text]
  • MD5 Collisions the Effect on Computer Forensics April 2006
    Paper MD5 Collisions The Effect on Computer Forensics April 2006 ACCESS DATA , ON YOUR RADAR MD5 Collisions: The Impact on Computer Forensics Hash functions are one of the basic building blocks of modern cryptography. They are used for everything from password verification to digital signatures. A hash function has three fundamental properties: • It must be able to easily convert digital information (i.e. a message) into a fixed length hash value. • It must be computationally impossible to derive any information about the input message from just the hash. • It must be computationally impossible to find two files to have the same hash. A collision is when you find two files to have the same hash. The research published by Wang, Feng, Lai and Yu demonstrated that MD5 fails this third requirement since they were able to generate two different messages that have the same hash. In computer forensics hash functions are important because they provide a means of identifying and classifying electronic evidence. Because hash functions play a critical role in evidence authentication, a judge and jury must be able trust the hash values to uniquely identify electronic evidence. A hash function is unreliable when you can find any two messages that have the same hash. Birthday Paradox The easiest method explaining a hash collision is through what is frequently referred to as the Birthday Paradox. How many people one the street would you have to ask before there is greater than 50% probability that one of those people will share your birthday (same day not the same year)? The answer is 183 (i.e.
    [Show full text]
  • The Index Calculus Method Using Non-Smooth Polynomials
    MATHEMATICS OF COMPUTATION Volume 70, Number 235, Pages 1253{1264 S 0025-5718(01)01298-4 Article electronically published on March 7, 2001 THE INDEX CALCULUS METHOD USING NON-SMOOTH POLYNOMIALS THEODOULOS GAREFALAKIS AND DANIEL PANARIO Abstract. We study a generalized version of the index calculus method for n the discrete logarithm problem in Fq ,whenq = p , p is a small prime and n !1. The database consists of the logarithms of all irreducible polynomials of degree between given bounds; the original version of the algorithm uses lower bound equal to one. We show theoretically that the algorithm has the same asymptotic running time as the original version. The analysis shows that the best upper limit for the interval coincides with the one for the original version. The lower limit for the interval remains a free variable of the process. We provide experimental results that indicate practical values for that bound. We also give heuristic arguments for the running time of the Waterloo variant and of the Coppersmith method with our generalized database. 1. Introduction Let G denote a group written multiplicatively and hgi the cyclic subgroup gen- erated by g 2 G.Giveng and y 2hgi,thediscrete logarithm problem for G is to find the smallest integer x such that y = gx.Theintegerx is called the discrete logarithm of y in the base g, and is written x =logg y. The main reason for the intense current interest on the discrete logarithm prob- lem (apart from being interesting on a purely mathematical level) is that the se- curity of many public-key cryptosystems depends on the assumption that finding discrete logarithms is hard, at least for certain groups.
    [Show full text]
  • Index Calculus in the Trace Zero Variety 3
    INDEX CALCULUS IN THE TRACE ZERO VARIETY ELISA GORLA AND MAIKE MASSIERER Abstract. We discuss how to apply Gaudry’s index calculus algorithm for abelian varieties to solve the discrete logarithm problem in the trace zero variety of an elliptic curve. We treat in particular the practically relevant cases of field extensions of degree 3 or 5. Our theoretical analysis is compared to other algorithms present in the literature, and is complemented by results from a prototype implementation. 1. Introduction Given an elliptic curve E defined over a finite field Fq, consider the group E(Fqn ) of rational points over a field extension of prime degree n. Since E is defined over Fq, the group E(Fqn ) contains the subgroup E(Fq) of Fq-rational points of E. Moreover, it contains the subgroup Tn of − points P E(F n ) whose trace P + ϕ(P )+ ... + ϕn 1(P ) is zero, where ϕ denotes the Frobenius ∈ q homomorphism on E. The group Tn is called the trace zero subgroup of E(Fqn ), and it is the group of Fq-rational points of the trace zero variety relative to the field extension Fqn Fq. In this paper, we study the hardness of the DLP in the trace zero variety. Our| interest in this question has several motivations. First of all, supersingular trace zero varieties can achieve higher security per bit than supersingular elliptic curves, as shown by Rubin and Silverberg in [RS02, RS09] and by Avanzi and Cesena in [AC07, Ces10]. Ideally, in pairing-based proto- F∗ cols the embedding degree k is such that the DLP in Tn and in qkn have the same complexity.
    [Show full text]
  • Network Security Chapter 8
    Network Security Chapter 8 Network security problems can be divided roughly into 4 closely intertwined areas: secrecy (confidentiality), authentication, nonrepudiation, and integrity control. Question: what does non-repudiation mean? What does “integrity” mean? • Cryptography • Symmetric-Key Algorithms • Public-Key Algorithms • Digital Signatures • Management of Public Keys • Communication Security • Authentication Protocols • Email Security -- skip • Web Security • Social Issues -- skip Revised: August 2011 CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 Network Security Security concerns a variety of threats and defenses across all layers Application Authentication, Authorization, and non-repudiation Transport End-to-end encryption Network Firewalls, IP Security Link Packets can be encrypted on data link layer basis Physical Wireless transmissions can be encrypted CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 Network Security (1) Some different adversaries and security threats • Different threats require different defenses CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 Cryptography Cryptography – 2 Greek words meaning “Secret Writing” Vocabulary: • Cipher – character-for-character or bit-by-bit transformation • Code – replaces one word with another word or symbol Cryptography is a fundamental building block for security mechanisms. • Introduction » • Substitution ciphers » • Transposition ciphers » • One-time pads
    [Show full text]
  • Modes of Operation for Compressed Sensing Based Encryption
    Modes of Operation for Compressed Sensing based Encryption DISSERTATION zur Erlangung des Grades eines Doktors der Naturwissenschaften Dr. rer. nat. vorgelegt von Robin Fay, M. Sc. eingereicht bei der Naturwissenschaftlich-Technischen Fakultät der Universität Siegen Siegen 2017 1. Gutachter: Prof. Dr. rer. nat. Christoph Ruland 2. Gutachter: Prof. Dr.-Ing. Robert Fischer Tag der mündlichen Prüfung: 14.06.2017 To Verena ... s7+OZThMeDz6/wjq29ACJxERLMATbFdP2jZ7I6tpyLJDYa/yjCz6OYmBOK548fer 76 zoelzF8dNf /0k8H1KgTuMdPQg4ukQNmadG8vSnHGOVpXNEPWX7sBOTpn3CJzei d3hbFD/cOgYP4N5wFs8auDaUaycgRicPAWGowa18aYbTkbjNfswk4zPvRIF++EGH UbdBMdOWWQp4Gf44ZbMiMTlzzm6xLa5gRQ65eSUgnOoZLyt3qEY+DIZW5+N s B C A j GBttjsJtaS6XheB7mIOphMZUTj5lJM0CDMNVJiL39bq/TQLocvV/4inFUNhfa8ZM 7kazoz5tqjxCZocBi153PSsFae0BksynaA9ZIvPZM9N4++oAkBiFeZxRRdGLUQ6H e5A6HFyxsMELs8WN65SCDpQNd2FwdkzuiTZ4RkDCiJ1Dl9vXICuZVx05StDmYrgx S6mWzcg1aAsEm2k+Skhayux4a+qtl9sDJ5JcDLECo8acz+RL7/ ovnzuExZ3trm+O 6GN9c7mJBgCfEDkeror5Af4VHUtZbD4vALyqWCr42u4yxVjSj5fWIC9k4aJy6XzQ cRKGnsNrV0ZcGokFRO+IAcuWBIp4o3m3Amst8MyayKU+b94VgnrJAo02Fp0873wa hyJlqVF9fYyRX+couaIvi5dW/e15YX/xPd9hdTYd7S5mCmpoLo7cqYHCVuKWyOGw ZLu1ziPXKIYNEegeAP8iyeaJLnPInI1+z4447IsovnbgZxM3ktWO6k07IOH7zTy9 w+0UzbXdD/qdJI1rENyriAO986J4bUib+9sY/2/kLlL7nPy5Kxg3 Et0Fi3I9/+c/ IYOwNYaCotW+hPtHlw46dcDO1Jz0rMQMf1XCdn0kDQ61nHe5MGTz2uNtR3bty+7U CLgNPkv17hFPu/lX3YtlKvw04p6AZJTyktsSPjubqrE9PG00L5np1V3B/x+CCe2p niojR2m01TK17/oT1p0enFvDV8C351BRnjC86Z2OlbadnB9DnQSP3XH4JdQfbtN8 BXhOglfobjt5T9SHVZpBbzhDzeXAF1dmoZQ8JhdZ03EEDHjzYsXD1KUA6Xey03wU uwnrpTPzD99cdQM7vwCBdJnIPYaD2fT9NwAHICXdlp0pVy5NH20biAADH6GQr4Vc
    [Show full text]
  • Integer Factorization and Computing Discrete Logarithms in Maple
    Integer Factorization and Computing Discrete Logarithms in Maple Aaron Bradford∗, Michael Monagan∗, Colin Percival∗ [email protected], [email protected], [email protected] Department of Mathematics, Simon Fraser University, Burnaby, B.C., V5A 1S6, Canada. 1 Introduction As part of our MITACS research project at Simon Fraser University, we have investigated algorithms for integer factorization and computing discrete logarithms. We have implemented a quadratic sieve algorithm for integer factorization in Maple to replace Maple's implementation of the Morrison- Brillhart continued fraction algorithm which was done by Gaston Gonnet in the early 1980's. We have also implemented an indexed calculus algorithm for discrete logarithms in GF(q) to replace Maple's implementation of Shanks' baby-step giant-step algorithm, also done by Gaston Gonnet in the early 1980's. In this paper we describe the algorithms and our optimizations made to them. We give some details of our Maple implementations and present some initial timings. Since Maple is an interpreted language, see [7], there is room for improvement of both implementations by coding critical parts of the algorithms in C. For example, one of the bottle-necks of the indexed calculus algorithm is finding and integers which are B-smooth. Let B be a set of primes. A positive integer y is said to be B-smooth if its prime divisors are all in B. Typically B might be the first 200 primes and y might be a 50 bit integer. ∗This work was supported by the MITACS NCE of Canada. 1 2 Integer Factorization Starting from some very simple instructions | \make integer factorization faster in Maple" | we have implemented the Quadratic Sieve factoring al- gorithm in a combination of Maple and C (which is accessed via Maple's capabilities for external linking).
    [Show full text]
  • Generic Attacks Against Beyond-Birthday-Bound Macs
    Generic Attacks against Beyond-Birthday-Bound MACs Gaëtan Leurent1, Mridul Nandi2, and Ferdinand Sibleyras1 1 Inria, France {gaetan.leurent,ferdinand.sibleyras}@inria.fr 2 Indian Statistical Institute, Kolkata [email protected] Abstract. In this work, we study the security of several recent MAC constructions with provable security beyond the birthday bound. We con- sider block-cipher based constructions with a double-block internal state, such as SUM-ECBC, PMAC+, 3kf9, GCM-SIV2, and some variants (LightMAC+, 1kPMAC+). All these MACs have a security proof up to 22n/3 queries, but there are no known attacks with less than 2n queries. We describe a new cryptanalysis technique for double-block MACs based on finding quadruples of messages with four pairwise collisions in halves of the state. We show how to detect such quadruples in SUM-ECBC, PMAC+, 3kf9, GCM-SIV2 and their variants with O(23n/4) queries, and how to build a forgery attack with the same query complexity. The time com- plexity of these attacks is above 2n, but it shows that the schemes do not reach full security in the information theoretic model. Surprisingly, our attack on LightMAC+ also invalidates a recent security proof by Naito. Moreover, we give a variant of the attack against SUM-ECBC and GCM-SIV2 with time and data complexity O˜(26n/7). As far as we know, this is the first attack with complexity below 2n against a deterministic beyond- birthday-bound secure MAC. As a side result, we also give a birthday attack against 1kf9, a single-key variant of 3kf9 that was withdrawn due to issues with the proof.
    [Show full text]
  • Hash Functions & Macs ECE 646 Lecture 9
    ECE 646 Lecture 9 Required Reading W. Stallings, "Cryptography and Network-Security,” Chapter 11 Cryptographic Hash Functions Appendix 11A Mathematical Basis of Birthday Attack Hash functions & MACs Chapter 12 Message Authentication Codes Recommended Reading SHA-3 Project https://csrc.nist.gov/projects/hash-functions/sha-3-project 1 2 Digital Signature Hash function Alice Bob arbitrary length Message Signature Message Signature m message Hash Hash function function hash h Hash value 1 function Hash value yes no Hash value 2 Public key Public key h(m) hash value algorithm algorithm fixed length Alice’s private key Alice’s public key 3 4 1 Vocabulary Hash functions Basic requirements hash function hash value 1. Public description, NO key message digest message digest hash total 2. Compression fingerprint arbitrary length input ® fixed length output imprint 3. Ease of computation cryptographic checksum compressed encoding MDC, Message Digest Code 5 6 Hash functions Hash functions Security requirements Dependence between requirements It is computationally infeasible Given To Find 1. Preimage resistance 2nd preimage resistant y x, such that h(x) = y collision resistant 2. 2nd preimage resistance x’ ¹ x, such that x and y=h(x) h(x’) = h(x) = y 3. Collision resistance x’ ¹ x, such that h(x’) = h(x) 7 8 2 Hash functions Brute force attack against (unkeyed) One-Way Hash Function Given y mi’ One-Way Collision-Resistant i=1..2n Hash Functions Hash Functions 2n messages with the contents required by the forger OWHF CRHF h preimage resistance ? 2nd preimage resistance h(mi’) = y collision resistance n - bits 9 10 Creating multiple versions of Brute force attack against Yuval the required message Collision Resistant Hash Function state thereby borrowed I confirm - that I received r messages r messages acceptable for the signer required by the forger $10,000 Mr.
    [Show full text]
  • Hash Function Luffa Supporting Document
    Hash Function Luffa Supporting Document Christophe De Canni`ere ESAT-COSIC, Katholieke Universiteit Leuven Hisayoshi Sato, Dai Watanabe Systems Development Laboratory, Hitachi, Ltd. 15 September 2009 Copyright °c 2008-2009 Hitachi, Ltd. All rights reserved. 1 Luffa Supporting Document NIST SHA3 Proposal (Round 2) Contents 1 Introduction 4 1.1 Updates of This Document .................... 4 1.2 Organization of This Document ................. 4 2 Design Rationale 5 2.1 Chaining .............................. 5 2.2 Non-Linear Permutation ..................... 6 2.2.1 Sbox in SubCrumb ..................... 6 2.2.2 MixWord .......................... 7 2.2.3 Constants ......................... 9 2.2.4 Number of Steps ..................... 9 2.2.5 Tweaks .......................... 9 3 Security Analysis of Permutation 10 3.1 Basic Properties .......................... 10 3.1.1 Sbox S (Luffav2) ..................... 10 3.1.2 Differential Propagation . 11 3.2 Collision Attack Based on A Differential Path . 13 3.2.1 General Discussion .................... 13 3.2.2 How to Find A Collision for 5 Steps without Tweaks . 14 3.3 Birthday Problem on The Unbalanced Function . 15 3.4 Higher Order Differential Distinguisher . 15 3.4.1 Higher Order Difference . 16 3.4.2 Higher Order Differential Attack on Luffav1 . 16 3.4.3 Higher Order Differential Property of Qj of Luffav2 . 17 3.4.4 Higher Order Differential Attack on Luffav2 . 18 4 Security Analysis of Chaining 18 4.1 Basic Properties of The Message Injection Functions . 20 4.2 First Naive Attack ........................ 21 4.2.1 Long Message Attack to Find An Inner Collision . 21 4.2.2 How to Reduce The Message Length . 21 4.2.3 Complexity of The Naive Attack .
    [Show full text]
  • INDEX CALCULUS in the TRACE ZERO VARIETY 1. Introduction
    INDEX CALCULUS IN THE TRACE ZERO VARIETY ELISA GORLA AND MAIKE MASSIERER Abstract. We discuss how to apply Gaudry's index calculus algorithm for abelian varieties to solve the discrete logarithm problem in the trace zero variety of an elliptic curve. We treat in particular the practically relevant cases of field extensions of degree 3 or 5. Our theoretical analysis is compared to other algorithms present in the literature, and is complemented by results from a prototype implementation. 1. Introduction Given an elliptic curve E defined over a finite field Fq, consider the group E(Fqn ) of rational points over a field extension of prime degree n. Since E is defined over Fq, the group E(Fqn ) contains the subgroup E(Fq) of Fq-rational points of E. Moreover, it contains the subgroup Tn of n−1 points P 2 E(Fqn ) whose trace P + '(P ) + ::: + ' (P ) is zero, where ' denotes the Frobenius homomorphism on E. The group Tn is called the trace zero subgroup of E(Fqn ), and it is the group of Fq-rational points of the trace zero variety relative to the field extension Fqn jFq. In this paper, we study the hardness of the DLP in the trace zero variety. Our interest in this question has several motivations. First of all, supersingular trace zero varieties can achieve higher security per bit than supersingular elliptic curves, as shown by Rubin and Silverberg in [RS02, RS09] and by Avanzi and Cesena in [AC07, Ces10]. Ideally, in pairing-based proto- ∗ cols the embedding degree k is such that the DLP in Tn and in Fqkn have the same complexity.
    [Show full text]
  • International Journal of Advance Engineering and Research Development Birthday Attack on Cryptography Applications
    International Journal of Advance Engineering and Research Development Scientific Journal of Impact Factor (SJIF): 4.72 Special Issue SIEICON-2017,April -2017 e-ISSN : 2348-4470 p-ISSN : 2348-6406 Birthday Attack on Cryptography Applications Concept and Real Time Uses Keyur Patel1, Digvijaysinh Mahida2 1Asst. Prof. Department of Information Technology, Sigma Institute of Engineering 2 Asst. Prof. Department of Information Technology, Sigma Institute of Engineering Abstract — In many network communications it is crucial to be able to authenticate both the contents and the origin of a message. This paper will study in detail the problem known in probability theory as the Birthday Paradox (or the Birthday problem), as well as its implications and different related aspects we consider relevant. The Birthday attack makes use of what’s known as the Birthday paradox to try to attack cryptographic hash functions. Among other desirable properties of hash functions, an interesting one is that it should be collision-resistant, that is it should be difficult to find two messages with the same hash value. To find a collision the birthday attack is used, which shows that attacker may not need to examine too many messages before he finds a collision. The purpose of this paper is thus to give the reader a general overview of the general aspects and applications of the Birthday Paradox. Keywords-Birthday Paradox, Hash Function, Cryptography Algorithm, Application. I. INTRODUCTION Computer networks are used today for many applications (like banking, e-government etc.) where security is an absolute necessary. Changing or stealing data stored in electronic form is so widely spread that not having cryptographic tools to preserve the safety of information would make pointless any serious communication or data exchange.
    [Show full text]