DOCSLIB.ORG

On the Security of Mix-Nets and Hierarchical Group Signatures

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
On the Security of Mix-Nets and Hierarchical Group Signatures On the Security of Mix-Nets and Hierarchical Group Signatures DOUGLAS WIKSTRÖM Doctoral Thesis Stockholm, Sweden 2005 Skolan för datavetenskap och kommunikation Kungliga Tekniska högskolan SE-100 44 Stockholm SWEDEN TRITA NA 05-38 ISSN 0348-2952 ISRN KTH/NA/R--05/38--SE ISBN 91-7178-200-1 c Douglas Wikström, december 2005 Tryck: Universitetsservice US AB iii Abstract In this thesis we investigate two separate cryptographic notions: mix-nets and hier- archical group signatures. The former notion was introduced by Chaum (1981). The latter notion is introduced in this thesis, but it generalizes the notion of group signatures which was introduced by Chaum and Heyst (1991). Numerous proposals for mix-nets are given in the literature, but these are presented with informal security arguments or at best partial proofs. We illustrate the need for a rigorous treatment of the security mix-nets by giving several practical attacks against a construction of Golle et al. (2002). Then we provide the first definition of security of a mix-net in the universally composable security framework (UC-framework) introduced by Canetti (2001). We construct two distinct efficient mix-nets that are provably secure under standard assumptions in the UC-framework against an adversary that corrupts any minority of the mix-servers and any set of senders. The first construction is based on the El Gamal cryptosystem (1985) and is secure against a static adversary, i.e., an adversary that decides which parties to corrupt before the execution of the protocol. This is the first efficient UC-secure mix-net in the literature and the first sender verifiable mix-net that is robust. The second construction is based on the Paillier cryptosystem (1999) and secure against an adaptive adversary, i.e., an adversary that decides which parties to corrupt during the execution of the protocol. This is the first efficient adaptively secure mix-net in any model. An important subprotocol in the above constructions is a zero-knowledge proof of knowledge of a witness that a party behaves as expected. There are two known approaches for constructing such a protocol given by Neff (2002) and Furukawa and Sako (2002) respectively. We present a third independent approach. We introduce the notion of hierarchical group signatures. This is a generalization of group signatures. There are several group managers, and the signers and group managers are organized in a tree in which the signers are the leaves and the group managers are internal nodes. Given a signature, a group manager learns if it is an ancestor of the signer, and if so to which of its immediate subtrees the signer belongs, but it learns nothing else. Thus, the identity of the signer is revealed in a hierarchical way. We provide a definition of security of hierarchical group signatures and give two provably secure constructions. The first construction is secure under general assumptions. It is impractical and of purely theoretical interest. The second construction is provably secure under standard complexity assumptions and almost practical. v Sammanfattning Vi undersöker två olika kryptografiska begrepp: mixnät och hierarkiska gruppsigna- turer. Det första begreppet introducerades av Chaum (1981). Det senare introduceras i denna avhandling, men det är en generalisering Chaums och Heysts gruppsignaturer (1991). Det finns många förslag på hur man konstruerar mixnät i literaturen, men de ges endast med informella säkerhetsresonemang eller i bästa fall ofullständiga bevis. Vi illustrerar hur viktigt det är med en rigorös behandling av säkerhet för mixnät genom att presentera flera olika praktiska attacker mot en konstruktion av Golle et al. (2002). Sedan presenterar vi den första definitionen av ett mixnät i Canettis (2001) “universally composable security”- ramverk (UC-ramverket). We konstruerar två effektiva mixnät som är bevisbart säkra i UC-ramverket. Den första konstruktionen är baserad på El Gamals kryptosystem (1985) och är säker mot en statisk angripare, dvs en angripare som bestämmer sig för vilka parter den skall korrumpera innan protokollet börjar köras. Detta är det första kända effektiva och UC-säkra mixnätet. Det är också det första robusta mixnätet som även är avsändar- verifierbart. Den andra konstruktionen är baserad på Pailliers kryptosystem (1999) och är säker mot en adaptiv angripare, dvs en angripare som bestämmer sig för vilka parter den skall korrumpera under körningen av protokollet. Det är det första effektiva adaptivt säkra mixnätet i någon modell över huvud taget. Ett viktigt delprotokoll i konstruktionerna är ett nollkunskapsbevis av kunskap att varje deltagare följer protokollbeskrivningen. Det finns två kända metoder för att konstruera ett sådant protokoll beskrivna av Neff (2002) respektive Furukawa och Sako (2002). Vi beskriver ett tredje oberoende alternativ. Vi inför begreppet hierarkiska gruppsignaturer som är en generalisering av gruppsig- naturer. Det finns flera gruppchefer, och signatörerna och gruppcheferna är ordnade i ett träd där signatörerna är löv och gruppcheferna är inre noder. En gruppchef kan given en signatur avgöra till vilket av dess direkta delträd signatören tillhör, men erhåller ingen an- nan kunskap om vem signatören är. Alltså avslöjas signatörens identitet på ett hierarkiskt vis. Vi ger en formell definition av säkerheten hos hierarkiska gruppsignatursystem och beskriver två bevisbart säkra konstruktioner. Den första konstruktionen är bevisbart säker under allmänna antaganden, men inte praktisk användbar. Den andra konstruktionen är säker under standardantaganden och nästan praktisk användbar. Acknowledgments First of all I would like to thank my advisor Johan Håstad. It is hard to imagine a better teacher and guide to the world of science. He has an amazing ability to quickly understand new ideas and suggest improvements, and I can not recall him ever saying that he has not the time to discuss an idea. I would also like to express my deepest gratitude to Nada and Johan for giving me the opportunity to complete my studies at Nada. I thank Mikael Goldmann for his advise during Johan’s stay at Princeton. I am grateful to my co-authors Mårten Trolin and Jens Groth. The work on hierarchical group signatures is joint work with Mårten, and the construction of the adaptively secure mix-net is joint work with Jens. During my first years of study I worked at the Swedish Institute of Computer Science (SICS). I thank Torsten Ekedahl, Björn Grönvall and Gunnar Sjödin for many discussions on mix-nets. A special thanks also goes to Torsten for his advise on computing greatest common divisors and residue symbols in rings of integers. My work on this topic did not fit in this thesis. My fellow students Gustaf Hast, Rafael Pass, and Mårten Trolin deserve my gratitude for listening to my unfinished ideas and sharing their own. Mårten and Jakob Nordström also deserves my gratitude for proof reading parts of the thesis. It was a pleasure to share my office with Jesper Fredriksson and Klas Wallenius. Klas also kindly answered many of my questions about writing in English. I thank Ran Canetti for explaining the universally composable framework to me at an early stage and Ronald Cramer for giving me the chance to present my work at the ECRYPT provable security workshop 2004. I also thank Jun Furukawa, Markus Jakobsson, and Andrew Neff for answering my questions about their respective constructions and for interesting discussions on mix-nets in general. I gratefully acknowledge that my research was funded by the Swedish Research Institute for Information Technology (SITI), Verket för innovationssystem (VIN- NOVA), and Vetenskapsrådet (VR). During my studies I enjoyed the company of numerous other colleagues, both at SICS and at Nada. I thank all of you for making my everyday life interesting! Finally, I thank Sofie for her unending support and for believing in me those days when I did not. vii Contents Contents ix List of Figures 1 I Background 1 1 Introduction 3 1.1 CryptographicProtocols.......................... 3 1.2 ProvableSecurity.............................. 5 1.3 Mix-Nets.................................. 7 1.4 HierarchicalGroupSignatures....................... 13 1.5 OrganizationoftheThesis......................... 18 1.6 OurPublications.............................. 19 2 Notation and Basic Definitions 21 2.1 NotationandConventions......................... 21 2.2 One-Way and Collision-Free Hash Functions . 22 2.3 Trapdoor Permutation Families and Hard-Core Bits . 23 2.4 Pseudo-RandomGenerators........................ 24 2.5 PublicKeyCryptosystems......................... 25 2.6 SignatureSchemes............................. 28 2.7 StatisticalCloseness............................ 29 2.8 Proofs of Knowledge, Proofs, and Zero-Knowledge . 29 2.9 Non-InteractiveZero-KnowledgeProofs................. 36 2.10 TheRandomOracleModel........................ 38 3 Cryptographic Assumptions and Concrete Primitives 41 3.1 TheGoldwasser-MicaliCryptosystem................... 41 3.2 AssumptionsOntheDistributionofthePrimes............. 42 3.3 The Discrete Logarithm Assumption . 43 3.4 The Chaum-van Heijst-Pfitzmann Hash Function . 44 3.5 TheDecisionDiffie-HellmanAssumption................. 44 ix xContents 3.6 TheElGamalCryptosystem....................... 46 3.7 TheCramer-ShoupCryptosystem..................... 47 3.8 TheStrongRSA-Assumption....................... 47 3.9 TheShamirHashFunction........................ 50 3.10 TheCramer-ShoupSignatureScheme.................. 51 3.11 The Composite Residuosity Class Assumptions . 52 3.12 The Paillier
Load more

Recommended publications
  • Abstract in This Paper, D-Strong and Almost D-Strong Near-Rings Ha
    Periodica Mathematica Hungarlca Vol. 17 (1), (1986), pp. 13--20 D-STRONG AND ALMOST D-STRONG NEAR-RINGS A. K. GOYAL (Udaipur) Abstract In this paper, D-strong and almost D-strong near-rings have been defined. It has been proved that if R is a D-strong S-near ring, then prime ideals, strictly prime ideals and completely prime ideals coincide. Also if R is a D-strong near-ring with iden- tity, then every maximal right ideal becomes a maximal ideal and moreover every 2- primitive near-ring becomes a near-field. Several properties, chain conditions and structure theorems have also been discussed. Introduction In this paper, we have generalized some of the results obtained for rings by Wong [12]. Corresponding to the prime and strictly prime ideals in near-rings, we have defined D-strong and almost D-strong near-rings. It has been shown that a regular near-ring having all idempotents central in R is a D-strong and hence almost D-strong near-ring. If R is a D-strong S-near ring, then it has been shown that prime ideals, strictly prime ideals and com- pletely prime ideals coincide and g(R) = H(R) ~ ~(R), where H(R) is the intersection of all strictly prime ideals of R. Also if R is a D-strong near-ring with identity, then every maximal right ideal becomes a maximal ideal and moreover every 2-primitive near-ring becomes a near-field. Some structure theorems have also been discussed. Preliminaries Throughout R will denote a zero-symmetric left near-ring, i.e., R -- Ro in the sense of Pilz [10].
    [Show full text]
  • Neural Networks and the Search for a Quadratic Residue Detector
    Neural Networks and the Search for a Quadratic Residue Detector Michael Potter∗ Leon Reznik∗ Stanisław Radziszowski∗ [email protected] [email protected] [email protected] ∗ Department of Computer Science Rochester Institute of Technology Rochester, NY 14623 Abstract—This paper investigates the feasibility of employing This paper investigates the possibility of employing ANNs artificial neural network techniques for solving fundamental in the search for a solution to the quadratic residues (QR) cryptography problems, taking quadratic residue detection problem, which is defined as follows: as an example. The problem of quadratic residue detection Suppose that you have two integers a and b. Then a is is one which is well known in both number theory and a quadratic residue of b if and only if the following two cryptography. While it garners less attention than problems conditions hold: [1] such as factoring or discrete logarithms, it is similar in both 1) The greatest common divisor of a and b is 1, and difficulty and importance. No polynomial–time algorithm is 2) There exists an integer c such that c2 ≡ a (mod b). currently known to the public by which the quadratic residue status of one number modulo another may be determined. This The first condition is satisfied automatically so long as ∗ work leverages machine learning algorithms in an attempt to a 2 Zb . There is, however, no known polynomial–time (in create a detector capable of solving instances of the problem the number of bits of a and b) algorithm for determining more efficiently. A variety of neural networks, currently at the whether the second condition is satisfied.
    [Show full text]
  • A Scalable System-On-A-Chip Architecture for Prime Number Validation
    A SCALABLE SYSTEM-ON-A-CHIP ARCHITECTURE FOR PRIME NUMBER VALIDATION Ray C.C. Cheung and Ashley Brown Department of Computing, Imperial College London, United Kingdom Abstract This paper presents a scalable SoC architecture for prime number validation which targets reconfigurable hardware This paper presents a scalable SoC architecture for prime such as FPGAs. In particular, users are allowed to se- number validation which targets reconfigurable hardware. lect predefined scalable or non-scalable modular opera- The primality test is crucial for security systems, especially tors for their designs [4]. Our main contributions in- for most public-key schemes. The Rabin-Miller Strong clude: (1) Parallel designs for Montgomery modular arith- Pseudoprime Test has been mapped into hardware, which metic operations (Section 3). (2) A scalable design method makes use of a circuit for computing Montgomery modu- for mapping the Rabin-Miller Strong Pseudoprime Test lar exponentiation to further speed up the validation and to into hardware (Section 4). (3) An architecture of RAM- reduce the hardware cost. A design generator has been de- based Radix-2 Scalable Montgomery multiplier (Section veloped to generate a variety of scalable and non-scalable 4). (4) A design generator for producing hardware prime Montgomery multipliers based on user-defined parameters. number validators based on user-specified parameters (Sec- The performance and resource usage of our designs, im- tion 5). (5) Implementation of the proposed hardware ar- plemented in Xilinx reconfigurable devices, have been ex- chitectures in FPGAs, with an evaluation of its effective- plored using the embedded PowerPC processor and the soft ness compared with different size and speed tradeoffs (Sec- MicroBlaze processor.
    [Show full text]
  • Diffie-Hellman Key Exchange
    Public Key Cryptosystems - Diffie Hellman Public Key Cryptosystems - Diffie Hellman Get two parties to share a secret number that no one else knows Public Key Cryptosystems - Diffie Hellman Get two parties to share a secret number that no one else knows Receiver Sender Public Key Cryptosystems - Diffie Hellman Get two parties to share a secret number that no one else knows Can only use an insecure communications channel for exchange Receiver Sender Attacker Public Key Cryptosystems - Diffie Hellman Get two parties to share a secret number that no one else knows Can only use an insecure communications channel for exchange p,g Receiver Sender p: prime & (p-1)/2 prime g: less than p n = gk mod p Attacker for all 0<n<p and some k (see http://gauss.ececs.uc.edu/Courses/c6053/lectures/Math/Group/group.html) Public Key Cryptosystems - Diffie Hellman A safe prime p: p = 2q + 1 where q is also prime Example: 479 = 2*239 + 1 If p is a safe prime, then p-1 has large prime factor, namely q. If all the factors of p-1 are less than logcp, then the problem of solving the discrete logarithm modulo p is in P (it©s easy). Therefore, for cryptosystems based on discrete logarithm (such as Diffie-Hellman) it is required that p-1 has at least one large prime factor. Public Key Cryptosystems - Diffie Hellman A strong prime p: p is large p-1 has large prime factors (p = aq+1 for integer a and prime q) q-1 has large prime factors (q = br+1 for integer b, prime r) p+1 has large prime factors.
    [Show full text]
  • WHAT IS the BEST APPROACH to COUNTING PRIMES? Andrew Granville 1. How Many Primes Are There? Predictions You Have Probably Seen
    WHAT IS THE BEST APPROACH TO COUNTING PRIMES? Andrew Granville As long as people have studied mathematics, they have wanted to know how many primes there are. Getting precise answers is a notoriously difficult problem, and the first suitable technique, due to Riemann, inspired an enormous amount of great mathematics, the techniques and insights penetrating many different fields. In this article we will review some of the best techniques for counting primes, centering our discussion around Riemann's seminal paper. We will go on to discuss its limitations, and then recent efforts to replace Riemann's theory with one that is significantly simpler. 1. How many primes are there? Predictions You have probably seen a proof that there are infinitely many prime numbers. This was known to the ancient Greeks, and today there are many different proofs, using tools from all sorts of fields. Once one knows that there are infinitely many prime numbers then it is natural to ask whether we can give an exact formula, or at least a good approximation, for the number of primes up to a given point. Such questions were no doubt asked, since antiquity, by those people who thought about prime numbers. With the advent of tables of factorizations, it was possible to make predictions supported by lots of data. Figure 1 is a photograph of Chernac's Table of Factorizations of all integers up to one million, published in 1811.1 There are exactly one thousand pages of factorization tables in the book, each giving the factorizations of one thousand numbers. For example, Page 677, seen here, enables us to factor all numbers between 676000 and 676999.
    [Show full text]
  • Local Prime Factor Decomposition of Approximate Strong Product Graphs
    Local Prime Factor Decomposition of Approximate Strong Product Graphs Von der Fakultät für Mathematik und Informatik der Universität Leipzig angenommene DISSERTATION zur Erlangung des akademischen Grades DOCTOR RERUM NATURALIUM (Dr. rer. nat.) im Fachgebiet Informatik vorgelegt von Diplom Wirtschaftsmathematiker Marc Hellmuth geboren am 25. Juni 1980 in Nordhausen Die Annahme der Dissertation wurde empfohlen von: 1. Professor Dr. Peter F. Stadler (Leipzig, Deutschland) 2. Professor Dr. Sandi Klavžar (Ljubljana, Slowenien) Die Verleihung des akademischen Grades erfolgt mit Bestehen der Vertei- digung am 22.04.2010 mit dem Gesamtprädikat summa cum laude. Acknowledgements Let me thank you very much !! peter F. stadler and wilfried imrich paula werner kloeckl, daniel merkle, lydia gringmann, maribel hernandez-rosales, steve hoffmann, phil ostermeier, kon- stantin klemm, sven findeisz, and the entire beerinformatics community my family christine rahn, marlen pelny, dietrich becker, gilbert spiegel, min choe, and my old friends in nordhausen jens steuck and petra pregel josef leydold, manja marz, sonja prohaska, and martin middendorf ... and all other persons that are in the closed neighborhood of mine !! Abstract In practice, graphs often occur as perturbed product structures, so-called approximate graph products. The practical application of the well-known prime factorization algorithms is therefore limited, since most graphs are prime, although they can have a product-like structure. This work is concerned with the strong graph product. Since strong product graphs G contain subgraphs that are itself products of subgraphs of the underlying factors of G, we follow the idea to develop local approaches that cover a graph by factorizable patches and then use this information to derive the global factors.
    [Show full text]
  • UK Aerospace Supply Chain Study
    BIS RESEARCH PAPER NUMBER 294 UK Aerospace Supply Chain Study JULY 2016 Contents Contents ........................................................................................................................................ 2 Executive Summary ...................................................................................................................... 4 Introduction ................................................................................................................................. 12 Context ..................................................................................................................................... 12 Scope of the Study .................................................................................................................... 14 Methodology overview ............................................................................................................... 14 Structure and Value of the Supply Chain .................................................................................. 16 Primes views ............................................................................................................................. 16 Supply chain view ..................................................................................................................... 18 Participant company overview ............................................................................................... 18 Employment .........................................................................................................................
    [Show full text]
  • An Introduction to Cryptography, Second Edition Richard A
    DISCRETE MATHEMATICS AND ITS APPLICATIONS Series Editor KENNETH H. ROSEN An INTRODUCTION to CRYPTOGRAPHY Second Edition © 2007 by Taylor & Francis Group, LLC DISCRETE MATHEMATICS and ITS APPLICATIONS Series Editor Kenneth H. Rosen, Ph.D. Juergen Bierbrauer, Introduction to Coding Theory Kun-Mao Chao and Bang Ye Wu, Spanning Trees and Optimization Problems Charalambos A. Charalambides, Enumerative Combinatorics Henri Cohen, Gerhard Frey, et al., Handbook of Elliptic and Hyperelliptic Curve Cryptography Charles J. Colbourn and Jeffrey H. Dinitz, The CRC Handbook of Combinatorial Designs Steven Furino, Ying Miao, and Jianxing Yin, Frames and Resolvable Designs: Uses, Constructions, and Existence Randy Goldberg and Lance Riek, A Practical Handbook of Speech Coders Jacob E. Goodman and Joseph O’Rourke, Handbook of Discrete and Computational Geometry, Second Edition Jonathan L. Gross and Jay Yellen, Graph Theory and Its Applications, Second Edition Jonathan L. Gross and Jay Yellen, Handbook of Graph Theory Darrel R. Hankerson, Greg A. Harris, and Peter D. Johnson, Introduction to Information Theory and Data Compression, Second Edition Daryl D. Harms, Miroslav Kraetzl, Charles J. Colbourn, and John S. Devitt, Network Reliability: Experiments with a Symbolic Algebra Environment Leslie Hogben, Handbook of Linear Algebra Derek F. Holt with Bettina Eick and Eamonn A. O’Brien, Handbook of Computational Group Theory David M. Jackson and Terry I. Visentin, An Atlas of Smaller Maps in Orientable and Nonorientable Surfaces Richard E. Klima, Neil P. Sigmon, and Ernest L. Stitzinger, Applications of Abstract Algebra with Maple™ and MATLAB®, Second Edition Patrick Knupp and Kambiz Salari, Verification of Computer Codes in Computational Science and Engineering William Kocay and Donald L.
    [Show full text]
  • Deconfounding Hypothesis Generation and Evaluation In
    Deconfounding Hypothesis Generation and Evaluation in Bayesian Models Elizabeth Baraff Bonawitz (liz [email protected]) Department of Psychology, 5427 Tolman Hall Berkeley, CA 94720 USA Thomas L. Griffiths (tom griffi[email protected]) Department of Psychology, 3210 Tolman Hall Berkeley, CA 94720 USA Abstract as data are observed. However, the assumption that learners possess all relevant hypotheses before seeing data is at odds Bayesian models of cognition are typically used to describe human learning and inference at the computational level, iden- with numerous findings suggesting that generating appropri- tifying which hypotheses people should select to explain ob- ate hypotheses can be one of the hardest parts of inductive in- served data given a particular set of inductive biases. However, ference (e.g., Kuhn, 1989; Klahr, Fay, & Dunbar, 1993). We such an analysis can be consistent with human behavior even if people are not actually carrying out exact Bayesian infer- thus consider the consequences of separating the processes of ence. We analyze a simple algorithm by which people might generating hypotheses and evaluating those hypotheses, as- be approximating Bayesian inference, in which a limited set of suming that learners perform Bayesian inference with only hypotheses are generated and then evaluated using Bayes’ rule. Our mathematical results indicate that a purely computational- the set of hypotheses they generate. level analysis of learners using this algorithm would confound To investigate this, we present a mathematical analysis of the distinct processes of hypothesis generation and hypothe- sis evaluation. We use a causal learning experiment to estab- a simple algorithm in which hypothesis generation and evalu- lish empirically that the processes of generation and evalua- ation are separated.
    [Show full text]
  • Plasmodium Subtilisin-Like Protease 1 (SUB1): Insights Into the Active-Site Structure, Specificity and Function of a Pan-Malaria Drug Target
    International Journal for Parasitology 42 (2012) 597–612 Contents lists available at SciVerse ScienceDirect International Journal for Parasitology journal homepage: www.elsevier.com/locate/ijpara Plasmodium subtilisin-like protease 1 (SUB1): Insights into the active-site structure, specificity and function of a pan-malaria drug target Chrislaine Withers-Martinez a, Catherine Suarez a, Simone Fulle b, Samir Kher c, Maria Penzo a, ⇑ Jean-Paul Ebejer b, Kostas Koussis a, Fiona Hackett a, Aigars Jirgensons c, Paul Finn b, Michael J. Blackman a, a Division of Parasitology, MRC National Institute for Medical Research (NIMR), Mill Hill, London NW7 1AA, UK b InhibOx Ltd., New Road, Oxford OX1 1BY, UK c Latvian Institute of Organic Synthesis, Aizkraukles 21, LV-1006 Riga, Latvia article info abstract Article history: Release of the malaria merozoite from its host erythrocyte (egress) and invasion of a fresh cell are crucial Received 2 January 2012 steps in the life cycle of the malaria pathogen. Subtilisin-like protease 1 (SUB1) is a parasite serine pro- Received in revised form 29 March 2012 tease implicated in both processes. In the most dangerous human malarial species, Plasmodium falcipa- Accepted 12 April 2012 rum, SUB1 has previously been shown to have several parasite-derived substrates, proteolytic cleavage Available online 27 April 2012 of which is important both for egress and maturation of the merozoite surface to enable invasion. Here we have used molecular modelling, existing knowledge of SUB1 substrates, and recombinant expression Keywords: and characterisation of additional Plasmodium SUB1 orthologues, to examine the active site architecture Plasmodium and substrate specificity of P.
    [Show full text]
  • Recent Advances in Information Technology
    RECENT ADVANCES IN INFORMATION TECHNOLOGY EDITED BY WALDEMAR WÓJCIK AND JAN SIKORA Faculty of Electrical Engineering and Computer Science, Lublin University of Technology, Lublin, Poland LUBLIN 2017 CONTENS 1. CHAPTER 1: SECURITY ESTIMATES UPDATING OF ASYMMETRIC CRYPTOSYSTEMS FOR MODERN COMPUTING 1.1. The effectiveness of different computational models for numbers factorization 1.2. Rho-pollard algorithm 1.3. Selecting crypto parameters 1.4. Distribution and amount of strong primes 1.5. Features of factorization algorithm elaboration for cloud computing 1.6. Conclusions 2. CHAPTER 2: GAME PROBLEMS OF CONTROL FOR FUNCTIONAL- DIFFERENTIAL SYSTEMS 2.1. Problem statement, time of the “first absorption” 2.2. Sufficient conditions for the game termination 2.3. Integro-differential approach 2.4. Example of the integro-differential game approach 2.5. Quasilinear positional integral games approach 2.6. Case of the pursuit problem 2.7. Connection of integral and differential games of approach 2.8. Positional control in differential- difference games 2.9. Time of the ”first absorption” in the linear nonstationary differential game 2.10. Conflict-controlled impulse systems 2.11. Game problems for processes with fractional derivatives 3. CHAPTER 3: INFORMATION TECHNOLOGY FOR AUTOMATED TRANSLATION FROM INFLECTED LANGUAGES TO SIGN LANGUAGE 3.1. Theoretical principles of automated translation system design 3.2. Algorithmic models of automated information technology of translation from inflectional language to sign language 3.3. Experimental testing of informational technology of translation from ukrainian to sign language 3.4. Conclusion 4. CHAPTER 4: INTEROPERABILITY OF THE HEALTH CARE INFORMATION RESOURCES 4.1. Strategy for his development 4.2. The fhir specification concept 4.3.
    [Show full text]
  • On Improving Integer Factorization and Discrete Logarithm Computation Using Partial Triangulation
    On Improving Integer Factorization and Discrete Logarithm Computation using Partial Triangulation Fabrice Boudot [email protected] Abstract. The number field sieve is the best-known algorithm for fac- toring integers and solving the discrete logarithm problem in prime fields. In this paper, we present some new improvements to various steps of the number field sieve. We apply these improvements on the current 768- bit discrete logarithm record and show that we are able to perform the overall computing time in about 1260 core·years using these improve- ments instead of 2350 core·years using the best known parameters for this problem. Moreover, we show that the pre-computation phase for a 768-bit discrete logarithm problem, that allows for example to build a massive decryption tool of IPsec traffic protected by the Oakley group 1, was feasible in reasonable time using technologies available before the year 2000. Keywords: discrete logarithm, integer factorization, number field sieve, sparse linear algebra 1 Introduction 1.1 The discrete logarithm problem The hardness of the discrete logarithm problem in prime fields is one of the most used assumptions in asymmetric cryptography, alongside with the hardness of integer factorization and discrete logarithm computations on elliptic curves. The security of well-known cryptographic primitives, such as the Diffie-Hellman key exchange protocol [12], the El-Gamal encryption [13], and the Digital Signature Algorithm [14], are based on the discrete logarithm problem, and these primitives are used in the most used security protocols such as TLS, IPsec or SSH. The discrete logarithm problem over prime fields can be defined as follows.
    [Show full text]