DOCSLIB.ORG

A Low Data Complexity Attack on the GMR-2 Cipher Used in the Satellite Phones

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

A Low Data Complexity Attack on the GMR-2 Cipher Used in the Satellite Phones Ruilin Li, Heng Li, Chao Li, Bing Sun National University of Defense Technology, Changsha, China FSE 2013, Singapore 11th ~13th March, 2013 Outline • Backgrounds and the GMR-2 Cipher • Revisit the Component of the GMR-2 Cipher • The Low Data Complexity Attack • Experimental Result • Conclusion 2 Outline • Backgrounds and the GMR-2 Cipher • Revisit each Component of the GMR-2 Cipher • The Low Data Complexity Attack • Experimental Result • Conclusion 3 Backgrounds and the GMR-2 Cipher • Mobile communication systems have revolutionized the way we interact with each other – GSM, UMTS, CDMA2000, 3GPP LTE • When do we need satellite based mobile system? – In some special cases • researchers on a field trip in a desert • crew on ships on open sea • people living in remote areas or areas that are affected by a natural disaster 4 Backgrounds and the GMR-2 Cipher • What is GMR? – GMR stands for GEO-Mobile Radio – GEO stands for Geostationary Earth Orbit – Design heavily inspired from GSM 5 Backgrounds and the GMR-2 Cipher • Two major GMR Standards – GMR-1 (de-facto standard, Thuraya etc) – GMR-2 (Inmarsat and AcES) • How to protect the security of the communication in GMR system? – Using symmetric cryptography – Both the authentication and encryption are similar as that of GSM A3/A5 algorithms. 6 Backgrounds and the GMR-2 Cipher • Encryption Algorithms in GMR – Stream ciphers – Reconstructed by Driessen et al. • GMR-1 Cipher – Based on A5/2 of GSM – Totally broken by ciphertext-only attack • GMR-2 Cipher – New design strategy – Can be broken by known-plaintext attack – Read-collision based technique 7 Backgrounds and the GMR-2 Cipher • In this talk, we focus on GMR-2 stream cipher – Revisit components of the GMR-2 cipher – Propose dynamic guess and determine strategy – Present a low data complexity attack 8 Outline • Backgrounds and the GMR-2 Cipher • Revisit each Component of the GMR-2 Cipher • The Low Data Complexity Attack • Experimental Result • Conclusion 9 Revisit each Component of the GMR-2 Cipher • Encryption mechanism of the GMR-2 cipher – Data are divided into frames identified by the frame number with 22-bits – New frame is re-initialized – Each frame contains 120-bit (15-byte) • Parameters of the GMR-2 cipher – Key length: 64-bit (Session key) – IV length: 22-bit (Frame number) – Key stream bits length within a frame: 120-bit 10 Revisit each Component of the GMR-2 Cipher K t 1 8 6 Z c F G H 8 l 3 4 6 s7 s6 …… s1 s0 8 p • An overview on the GMR-2 cipher – 8-byte shift register S, a 3-bit counter c, and a toggle bit t – byte-oriented, three major components – F combines two bytes of session key with previous output – G is a linear function for mixing purpose – H consists two DES Sboxes as a nonlinear filter 11 Revisit each Component of the GMR-2 Cipher K t O0 t 2 >>> 8 a K0 K1 K2 K3 K4 K5 K6 K7 t O1 1 Å 4 c 4 4 Å 8 p • The F component – At the l-th clock, the input • 8-byte array holding the session key K, read from two sides. • a counter c ranging from 0 to 7 sequentially and repeatedly. • a toggle bit t=c mod 2. • the previous key stream byte p=Zl-1 12 Revisit each Component of the GMR-2 Cipher K t O0 t 2 >>> 8 a K0 K1 K2 K3 K4 K5 K6 K7 t O1 1 Å 4 c 4 4 Å 8 p • The F component – The lower side outputs Kc with the help of the counter c. – The upper output depends on the lower output Kc , the previous key stream byte p and the toggle bit t. – t1 maps 4-bit to 3-bit which select the upper output. – t 2 maps 3-bit to 3-bit which determine the rotation. 13 Revisit each Component of the GMR-2 Cipher K t O0 t 2 >>> 8 a K0 K1 K2 K3 K4 K5 K6 K7 t O1 1 Å 4 c 4 4 Å 8 p • The F component – The output is ìOK= t( t ( a )) ï 0t1 ( a )• 2 1 í îïO1 =((( Kc Å p )? 4) & 0xF) Å (( K c Å p ) & 0xF) ì(KÅ p ) & 0xF, if t = 0 a = c í 14 î((Kc Å p )? 4)&0xF, if t = 1 Revisit each Component of the GMR-2 Cipher B1 O0¢ O0 6 8 B1 O1 B3 Å 4 B2 O¢ 8 1 B2 6 S0 • The G component ìB13210:(,,,)( x x x xa x 3032031ÅÅx , x x Å x ,,); x x ï íB2:(,,,) x 3 x 2 x 1 x 0a (, x1 x 3 , x 0 , x2 ); ï îB3:(,,,)(x 3 x 2 x 1 x 0a x2, x 0, x 3Å x 1 Å x 0 , x 3 Å x 0 ). 15 Revisit each Component of the GMR-2 Cipher t O¢ 2 Z 0 6 S 4 l 8 O¢ 6 1 S 4 6 • The H component ( (O¢ ), ( O ¢ )) if t = 0 ì SS2 1 6 0 8 Zl =í ( (O¢ ), ( O ¢ )) if t = 1 î SS2 0 6 1 8 where and are the two sboxes of DES. Assume the input of SS2 6 is (x , x , x , x , x , x ), then ( x , x ) selects the row index, and S 5 4 3 2 1 0 1 0 16 (x5 , x 4 , x3 , x 2 ) selects the column index. Revisit each Component of the GMR-2 Cipher F G H • Initialization Mode – Set c=0, t=0, and initialize S with frame number N – 8-byte key is written into the resister in F – Clock the cipher 8 times and discard the output Zl 17 Revisit each Component of the GMR-2 Cipher F G H • Generation Mode – For each frame number N, further clock the cipher 15 times, and the output keystream is ¢ (0) (0) (0) (1) (1) (1) (2) ZZZZZZZZ=(,,,;,,;,)0 1LLL 14 0 1 14 0 ()N Zl denotes the l-th byte of keystream generated after initialization with N 18 Revisit each Component of the GMR-2 Cipher • Property of F ì(Kc Å p ) & 0xF, if t = 0 a = í î((Kc Å p )? 4)&0xF, if t = 1 – If p is known, then we can get the value of a only by the most/least significant four bits of Kc K t O0 t 2 >>> 8 a K0 K1 K2 K3 K4 K5 K6 K7 t O1 1 Å 4 c 4 4 Å 8 19 p Revisit each Component of the GMR-2 Cipher • Property of H – We can “invert ” / SS2 6 • Given the row index and the output, the column index can be uniquely obtained. • Given the column index and the output, the row index can be uniquely obtained, except for when the column index is 4 and S 6 the output is 9, the row index can be either 0 or 3. • Given the outputs of both S-boxes, there will be 16 possible inputs. 2 O0¢ S Z l ¢ O1 S6 20 Revisit each Component of the GMR-2 Cipher • Property of G – The key point – The links between the input and output of the G component can be expressed by a well-structured matrix B1 O0¢ O0 6 8 B1 O1 B3 Å 4 B2 O¢ 8 1 B2 6 21 S0 æO ' ö 0 , 5 æO ö ç ÷ 0 , 7 æS 0 , 5 ö çO ' ÷ é100100000000 ù ç ÷ ç ÷ 0 , 4 ê ú O ç ÷ ç0 , 6 ÷ çS 0 , 7 ÷ ' ê1 1 0 1 0 0 0 0 0 0 0 0 ú çO 0 , 3 ÷ ç ÷ ç ÷ O 0 , 5 S ç ÷ ê1 0 0 0 0 0 0 0 0 0 0 0 ú ç ÷ ç0 , 4 ÷ ' ê ú çO 0 , 2 ÷ çO ÷ ç ÷ ê 0 0 1 0 0 0 0 0 0 0 0 0 ú 0 , 4 S 0 , 6 ç' ÷ ç ÷ ç ÷ O 1, 5 ê ú O ç ÷ 0 0 0 0 1 0 0 1 0 0 0 0 ç0 , 3 ÷ çS 0 ,1 ÷ ç' ÷ ê ú ç ÷ ç ÷ O 1, 4 ê 0 0 0 0 1 1 0 1 0 0 0 0 ú O 0 , 2 S ç ÷ = ç ÷ Å ç 0 , 3 ÷ ç' ÷ ê ú gç ÷ O 000010000000 O 0 ,1 ç S ÷ ç1, 3 ÷ ê ú ç ÷ ç 0 , 0 ÷ ' ê 000000100000 ú çO ÷ çO 1, 2 ÷ 0 , 0 ç S 0 , 2 ÷ ç ÷ ê ú ç ÷ ç ÷ ' 0 0 0 0 0 0 0 0 1 0 1 1 ê ú çO 1 , 3 ÷ 0 çO 0 ,1 ÷ ç ÷ ê0 0 0 0 0 0 0 0 1 0 0 1 ú ç ÷ ç' ÷ O ç ÷ O ê ú ç1 , 2 ÷ 0 ç0 , 0 ÷ 0 0 0 0 0 0 0 0 0 1 0 0 ç ÷ ç ÷ ê ú çO ÷ ç 0 ÷ ' ê ú 1 ,1 çO 1,1 ÷ 0 0 0 0 0 0 0 0 0 0 0 1 ç ÷ ç ÷ ë û ç ÷ 0 ç' ÷ èO 1 , 0 ø è ø èO 1, 0 ø 22 æO ' ö 0 , 5 æO ö ç ÷ 0 , 7 æS 0 , 5 ö çO ' ÷ é100100000000 ù ç ÷ ç ÷ 0 , 4 ê ú O ç ÷ ç0 , 6 ÷ çS 0 , 7 ÷ ' ê1 1 0 1 0 0 0 0 0 0 0 0 ú çO 0 , 3 ÷ ç ÷ ç ÷ O 0 , 5 S ç ÷ ê1 0 0 0 0 0 0 0 0 0 0 0 ú ç ÷ ç0 , 4 ÷ ' ê ú çO 0 , 2 ÷ çO ÷ ç ÷ ê 0 0 1 0 0 0 0 0 0 0 0 0 ú 0 , 4 S 0 , 6 ç' ÷ ç ÷ ç ÷ O 1, 5 ê ú O ç ÷ 0 0 0 0 1 0 0 1 0 0 0 0 ç0 , 3 ÷ çS 0 ,1 ÷ ç' ÷ ê ú ç ÷ ç ÷ O 1, 4 ê 0 0 0 0 1 1 0 1 0 0 0 0 ú O 0 , 2 S ç ÷ = ç ÷ Å ç 0 , 3 ÷ ç' ÷ ê ú gç ÷ O 000010000000 O 0 ,1 ç S ÷ ç1, 3 ÷ ê ú ç ÷ ç 0 , 0 ÷ ' ê 000000100000 ú çO ÷ çO 1, 2 ÷ 0 , 0 ç S 0 , 2 ÷ ç ÷ ê ú ç ÷ ç ÷ ' 0 0 0 0 0 0 0 0 1 0 1 1 ê ú çO 1 , 3 ÷ 0 çO 0 ,1 ÷ ç ÷ ê0 0 0 0 0 0 0 0 1 0 0 1 ú ç ÷ ç' ÷ O ç ÷ O ê ú ç1 , 2 ÷ 0 ç0 , 0 ÷ 0 0 0 0 0 0 0 0 0 1 0 0 ç ÷ ç ÷ ê ú çO ÷ ç 0 ÷ ' ê ú 1 ,1 çO 1,1 ÷ 0 0 0 0 0 0 0 0 0 0 0 1 ç ÷ ç ÷ ë û ç ÷ 0 ç' ÷ èO 1 , 0 ø è ø èO 1, 0 ø 23 æO ' ö 0 , 5 æO ö ç ÷ 0 , 7 æS 0 , 5 ö çO ' ÷ é100100000000 ù ç ÷ ç ÷ 0 , 4 ê ú O ç ÷ ç0 , 6 ÷ çS 0 , 7 ÷ ' ê1 1 0 1 0 0 0 0 0 0 0 0 ú çO 0 , 3 ÷ A ç ÷ ç ÷ O 0 , 5 S ç ÷ ê1 0 0 0 0 0 0 0 0 0 0 0 ú ç ÷ ç0 , 4 ÷ y ' ê ú 1 çO 0 , 2 ÷ çO ÷ x ç ÷ ê 0 0 1 0 0 0 0 0 0 0 0 0 ú 0 , 4 1 S 0 , 6 v1 ç' ÷ ç ÷ ç ÷ O 1, 5 ê ú O ç ÷ 0 0 0 0 1 0 0 1 0 0 0 0 ç0 , 3 ÷ çS 0 ,1 ÷ ç' ÷ ê ú ç ÷ ç ÷ O 1, 4 ê 0 0 0 0 1 1 0 1 0 0 0 0 ú O 0 , 2 S ç ÷ = ç ÷ Å ç 0 , 3 ÷ ç' ÷ ê A ú gç ÷ O 000010000000 O 0 ,1 ç S ÷ ç1, 3 ÷ ê ú ç ÷ ç 0 , 0 ÷ ' ê 000000100000 ú çO ÷ çO 1, 2 ÷ 0 , 0 ç S 0 , 2 ÷ ç ÷ ê ú ç ÷ ç ÷ ' 0 0 0 0 0 0 0 0 1 0 1 1 ê ú çO 1 , 3 ÷ 0 çO 0 ,1 ÷ ç ÷ ê0 0 0 0 0 0 0 0 1 0 0 1 ú ç ÷ ç' ÷ O ç ÷ O ê ú ç1 , 2 ÷ 0 y ç0 , 0 ÷ 0 0 0 0 0 0 0 0 0 1B 0 0 ç ÷ 2 ç ÷ ê ú çO ÷ x ç 0 ÷ ' ê ú 1 ,1 2 v2 çO 1,1 ÷ 0 0 0 0 0 0 0 0 0 0 0 1 ç ÷ ç ÷ ë û ç ÷ 0 ç' ÷ èO 1 , 0 ø è ø èO 1, 0 ø 24 Revisit each Component of the GMR-2 Cipher • Three linear systems 25 Revisit each Component of the GMR-2 Cipher • Another linear system – Let then thus from we obtain 26 Revisit each Component of the GMR-2 Cipher ìy =W· x Å v ï ïy1 =W1· x1 Å v 1 ï íy2 =W2· x2 Å v 2 ïy =W· kÅ W· k Å W· uÅ v ï 2 2h 2 l 2 2 ïx = K t(() t a ) î 1 t1 ( a )• 2 1 • W,,, W1 W 2, v v 1, v 2 u are known values.
Recommended publications
  • GMR-1 and GMR-2) and finally a Widely Deployed Digital Locking System

    GMR-1 and GMR-2) and finally a Widely Deployed Digital Locking System

    PRACTICAL CRYPTANALYSIS OF REAL-WORLD SYSTEMS An Engineer’s Approach DISSERTATION zur Erlangung des Grades eines Doktor-Ingenieurs der Fakultät für Elektrotechnik und Informationstechnik an der Ruhr-Universität Bochum Benedikt Driessen Bochum, July 2013 Practical Cryptanalysis of Real-World Systems Thesis Advisor Prof. Christof Paar, Ruhr-Universität Bochum, Germany External Referee Prof. Ross Anderson, University of Cambridge, England Date of submission May 22, 2013 Date of defense July 9, 2013 Date of last revision July 16, 2013 To Ursula and Walter, my parents. iii Abstract This thesis is dedicated to the analysis of symmetric cryptographic algorithms. More specifically, this doc- ument focuses on proprietary constructions found in four globally distributed systems. All of these con- structions were uncovered by means of reverse engineering, three of them while working on this thesis, but only one by the author of this document. The recovered designs were subsequently analyzed and attacked. Targeted systems range from the GSM standard for mobile communication to the two major standards for satellite communication (GMR-1 and GMR-2) and finally a widely deployed digital locking system. Surpris- ingly, although much progress has been made in the area of specialized cryptography, our attacks on the newly reverse engineered systems show that even younger designs still suffer from severe design flaws. The GSM stream ciphers A5/1 and A5/2 were reverse engineered and cryptanalyzed more than a decade ago. While the published attacks can nowadays be implemented and executed in practice, they also inspired our research into alternative, more efficient hardware architectures. In this work, we first propose a design to solve linear equation systems with binary coefficients in an unconventional, but supposedly fast way.
  • TS 101 377-3-10 V1.1.1 (2001-03) Technical Specification

    TS 101 377-3-10 V1.1.1 (2001-03) Technical Specification

    ETSI TS 101 377-3-10 V1.1.1 (2001-03) Technical Specification GEO-Mobile Radio Interface Specifications; Part 3: Network specifications; Sub-part 10: Security Related Network Functions; GMR-2 03.020 GMR-2 03.020 2 ETSI TS 101 377-3-10 V1.1.1 (2001-03) Reference DTS/SES-002-03020 Keywords GMR, GSM, GSO, interface, MES, mobile, MSS, network, radio, satellite, security, S-PCN ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.:+33492944200 Fax:+33493654716 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 Important notice Individual copies of the present document can be downloaded from: http://www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://www.etsi.org/tb/status/ If you find errors in the present document, send your comment to: [email protected] Copyright Notification No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media.
  • NTRU Cryptosystem: Recent Developments and Emerging Mathematical Problems in Finite Polynomial Rings

    NTRU Cryptosystem: Recent Developments and Emerging Mathematical Problems in Finite Polynomial Rings

    XXXX, 1–33 © De Gruyter YYYY NTRU Cryptosystem: Recent Developments and Emerging Mathematical Problems in Finite Polynomial Rings Ron Steinfeld Abstract. The NTRU public-key cryptosystem, proposed in 1996 by Hoffstein, Pipher and Silverman, is a fast and practical alternative to classical schemes based on factorization or discrete logarithms. In contrast to the latter schemes, it offers quasi-optimal asymptotic effi- ciency and conjectured security against quantum computing attacks. The scheme is defined over finite polynomial rings, and its security analysis involves the study of natural statistical and computational problems defined over these rings. We survey several recent developments in both the security analysis and in the applica- tions of NTRU and its variants, within the broader field of lattice-based cryptography. These developments include a provable relation between the security of NTRU and the computa- tional hardness of worst-case instances of certain lattice problems, and the construction of fully homomorphic and multilinear cryptographic algorithms. In the process, we identify the underlying statistical and computational problems in finite rings. Keywords. NTRU Cryptosystem, lattice-based cryptography, fully homomorphic encryption, multilinear maps. AMS classification. 68Q17, 68Q87, 68Q12, 11T55, 11T71, 11T22. 1 Introduction The NTRU public-key cryptosystem has attracted much attention by the cryptographic community since its introduction in 1996 by Hoffstein, Pipher and Silverman [32, 33]. Unlike more classical public-key cryptosystems based on the hardness of integer factorisation or the discrete logarithm over finite fields and elliptic curves, NTRU is based on the hardness of finding ‘small’ solutions to systems of linear equations over polynomial rings, and as a consequence is closely related to geometric problems on certain classes of high-dimensional Euclidean lattices.
  • 11 Digital Signatures

    11 Digital Signatures

    This is a Chapter from the Handbook of Applied Cryptography, by A. Menezes, P. van Oorschot, and S. Vanstone, CRC Press, 1996. For further information, see www.cacr.math.uwaterloo.ca/hac CRC Press has granted the following specific permissions for the electronic version of this book: Permission is granted to retrieve, print and store a single copy of this chapter for personal use. This permission does not extend to binding multiple chapters of the book, photocopying or producing copies for other than personal use of the person creating the copy, or making electronic copies available for retrieval by others without prior permission in writing from CRC Press. Except where over-ridden by the specific permission above, the standard copyright notice from CRC Press applies to this electronic version: Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, microfilming, and recording, or by any information storage or retrieval system, without prior permission in writing from the publisher. The consent of CRC Press does not extend to copying for general distribution, for promotion, for creating new works, or for resale. Specific permission must be obtained in writing from CRC Press for such copying. c 1997 by CRC Press, Inc. Chapter 11 Digital Signatures Contents in Brief 11.1 Introduction :::::::::::::::::::::::::::::425 11.2 A framework for digital signature mechanisms ::::::::::426 11.3 RSA and related signature schemes :::::::::::::::::433 11.4 Fiat-Shamir signature schemes :::::::::::::::::::447 11.5 The DSA and related signature schemes ::::::::::::::451 11.6 One-time digital signatures :::::::::::::::::::::462 11.7 Other signature schemes ::::::::::::::::::::::471 11.8 Signatures with additional functionality ::::::::::::::474 11.9 Notes and further references ::::::::::::::::::::481 11.1 Introduction This chapter considers techniques designed to provide the digital counterpart to a handwrit- ten signature.
  • State of the Art in Lightweight Symmetric Cryptography

    State of the Art in Lightweight Symmetric Cryptography

    State of the Art in Lightweight Symmetric Cryptography Alex Biryukov1 and Léo Perrin2 1 SnT, CSC, University of Luxembourg, [email protected] 2 SnT, University of Luxembourg, [email protected] Abstract. Lightweight cryptography has been one of the “hot topics” in symmetric cryptography in the recent years. A huge number of lightweight algorithms have been published, standardized and/or used in commercial products. In this paper, we discuss the different implementation constraints that a “lightweight” algorithm is usually designed to satisfy. We also present an extensive survey of all lightweight symmetric primitives we are aware of. It covers designs from the academic community, from government agencies and proprietary algorithms which were reverse-engineered or leaked. Relevant national (nist...) and international (iso/iec...) standards are listed. We then discuss some trends we identified in the design of lightweight algorithms, namely the designers’ preference for arx-based and bitsliced-S-Box-based designs and simple key schedules. Finally, we argue that lightweight cryptography is too large a field and that it should be split into two related but distinct areas: ultra-lightweight and IoT cryptography. The former deals only with the smallest of devices for which a lower security level may be justified by the very harsh design constraints. The latter corresponds to low-power embedded processors for which the Aes and modern hash function are costly but which have to provide a high level security due to their greater connectivity. Keywords: Lightweight cryptography · Ultra-Lightweight · IoT · Internet of Things · SoK · Survey · Standards · Industry 1 Introduction The Internet of Things (IoT) is one of the foremost buzzwords in computer science and information technology at the time of writing.
  • DIGITAL SIGNATURES Introduc�On > Whoami WHOAMI

    DIGITAL SIGNATURES IntroducOn > Whoami WHOAMI

    DAVID ACLAND - DIGITAL SIGNATURES Introduc6on > whoami WHOAMI David Acland @davidacland Introduc6on > whoami Introduc6on > About this talk ABOUT THIS TALK Introduc6on > About this talk > Progress Progress Bar Where are we? Introduc6on > About this talk > What WHAT WE’RE TALKING ABOUT Cryptology Cryptography Cryptanalysis Asymmetric Symmetric Encrypon Digital Signatures Introduc6on > About this talk > Why WHY WE’RE TALKING ABOUT IT DNSSEC Signed Packages Gatekeeper TCC Secure boot SSL DKIM AutoPkg SSH Kernel Extensions Introduc6on > About this talk > Why WHY WE’RE TALKING ABOUT IT Introduc6on > About this talk > Why WHY WE’RE TALKING ABOUT IT Trusted signatures are becoming a requirement Introduc6on > About this talk > Contents CONTENTS ▸ Introduc6on to digital signatures ▸ Underlying technologies ▸ Prac6cal usage Introduc6on > About this talk > Warning THERE’S MATHS IN HERE (sorry) Introduc6on > About this talk > Follow along IT’S INTERACTIVE https://bit.ly/2TR6y9a Introduc6on > Introduc6on to digital signatures INTRODUCTION TO DIGITAL SIGNATURES Introduc6on > Introduc6on to digital signatures WHAT IS A SIGNATURE? Introduc6on > Introduc6on to digital signatures > What’s a signature? WHAT’S A SIGNATURE? Introduc6on > Introduc6on to digital signatures > What’s a signature? WHAT DO THEY GIVE YOU? ▸ Authen6ca6on ▸ Integrity Security Services ▸ Non-repudia6on Introduc6on > Introduc6on to digital signatures > Paper Signatures ARE PAPER SIGNATURES EFFECTIVE? Introduc6on > Introduc6on to digital signatures > Paper Signatures ARE PAPER SIGNATURES
  • The Early Days of RSA -- History and Lessons Ronald L. Rivest MIT Lab for Computer Science

    The Early Days of RSA -- History and Lessons Ronald L. Rivest MIT Lab for Computer Science

    The Early Days of RSA -- History and Lessons Ronald L. Rivest MIT Lab for Computer Science ACM Turing Award Lecture Lessons Learned Try to solve “real-world” problems … using computer science theory … and number theory. Be optimistic: do the “impossible”. Invention of RSA. Moore’s Law matters. Do cryptography in public. Crypto theory matters. Organizations matter: ACM, IACR, RSA Try to solve real-world problems Diffie and Hellman published “New Directions in Cryptography” Nov ’76: “We stand today at the brink of a revolution in cryptography.” Proposed “Public-Key Cryptosystem” . (This remarkable idea developed jointly with Merkle.) Introduced even more remarkable notion of digital signatures. Good cryptography is motivated by applications. (e-commerce, mental poker, voting, auctions, …) … using computer science theory In 1976 “complexity theory” and “algorithms” were just beginning… Cryptography is a “theory consumer”: it needs – easy problems (such as multiplication or prime-finding, for the “good guys”) and – hard problems (such as factorization, to defeat an adversary). …and number theory Diffie/Hellman used number theory for “key agreement” (two parties agree on a secret key, using exponentiation modulo a prime number). Some algebraic structure seemed essential for a PKC; we kept returning to number theory and modular arithmetic… Difficulty of factoring not well studied then, but seemed hard… Be optimistic: do the “impossible” Diffie and Hellman left open the problem of realizing a PKC: D(E(M)) = E(D(M)) = M where E is public, D is private. At times, we thought it impossible… Since then, we have learned “Meta-theorem of Cryptography”: Any apparently contradictory set of requirements can be met using right mathematical approach… Invention of RSA Tried and discarded many approaches, including some “knapsack-based” ones.
  • Draft Lecture Notes

    Draft Lecture Notes

    CS-282A / MATH-209A Foundations of Cryptography Draft Lecture Notes Winter 2010 Rafail Ostrovsky UCLA Copyright © Rafail Ostrovsky 2003-2010 Acknowledgements: These lecture notes were produced while I was teaching this graduate course at UCLA. After each lecture, I asked students to read old notes and update them according to the lecture. I am grateful to all of the students who participated in this massive endeavor throughout the years, for asking questions, taking notes and improving these lecture notes each time. Table of contents PART 1: Overview, Complexity classes, Weak and Strong One-way functions, Number Theory Background. PART 2: Hard-Core Bits. PART 3: Private Key Encryption, Perfectly Secure Encryption and its limitations, Semantic Security, Pseudo-Random Generators. PART 4: Implications of Pseudo-Random Generators, Pseudo-random Functions and its applications. PART 5: Digital Signatures. PART 6: Trapdoor Permutations, Public-Key Encryption and its definitions, Goldwasser-Micali, El-Gamal and Cramer-Shoup cryptosystems. PART 7: Interactive Proofs and Zero-Knowledge. PART 8: Bit Commitment Protocols in different settings. PART 9: Non-Interactive Zero Knowledge (NIZK) PART 10: CCA1 and CCA2 Public Key Encryption from general Assumptions: Naor-Yung, DDN. PART 11: Non-Malleable Commitments, Non-Malleable NIZK. PART 12: Multi-Server PIR PART 13: Single-Server PIR, OT, 1-2-OT, MPC, Program Obfuscation. PART 14: More on MPC including GMW and BGW protocols in the honest-but-curious setting. PART 15: Yao’s garbled circuits, Efficient ZK Arguments, Non-Black-Box Zero Knowledge. PART 16: Remote Secure Data Storage (in a Cloud), Oblivious RAMs. CS 282A/MATH 209A: Foundations of Cryptography °c 2006-2010 Prof.
  • Cryptography from Worst-Case Complexity Assumptions

    Cryptography from Worst-Case Complexity Assumptions

    Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25 June 2007 (Caen, France) Outline ● Introduction – Lattices and algorithms – Complexity and Cryptography ● Lattice based cryptography – Lattice based hash functions – Other cryptographic primitives ● Conclusion / Open Problems – Choosing security parameters – Using lattices with special properties Outline ● Introduction – Lattices and algorithms – Complexity and Cryptography ● Lattice based cryptography – Lattice based hash functions – Other cryptographic primitives ● Conclusion / Open Problems – Choosing security parameters – Using lattices with special properties Point Lattices ● Set of all integer linear combinations of n basis vectors B = [b1,...,bn] ⊂ R ● n n L(B)={Bx: x Z } ⊂ span(B)={Bx: x R } b1+3b2 B b1 b2 Successive Minima ● For every n-dimensional lattice L, and i=1,...,n, the ith successive minimum (L) is li the smallest radius r such that Ball(0,r) contains i linearly independent lattice vectors l1 l2 Lattice problems ● Shortest Vector Problems (SVP) – Given a lattice L, find the nonzero lattice vector v closest to the origin (||v||£ g l1(L)) ● Shortest Independent Vect. Prob. (SIVP) – Given a lattice L, find n lin. independent vectors v1,...,vn of length maxi ||vi|| £ g ln(L) ● Approximation factor g(n) usually a function of the lattice dimension n. Lattice Reduction Algorithms O(n) ● [LLL] solves SVP and SIVP for g = 2 g g – Still useful in many algorithmic applications ● [Sch,NS] Improve polynomial running time of LLL ● [Sch,AKS]
  • Time for a Paradigm Shift in Our Disciplinary Culture?

    Time for a Paradigm Shift in Our Disciplinary Culture?

    Time for a Paradigm Shift in Our Disciplinary Culture? Neal Koblitz Department of Mathematics, University of Washington [email protected] 1 Introduction The well-known KISS principle of engineering | Keep It Simple, Stupid! | is also of value in cryptography. In certain subfields, such as lattice-based crypto and indistinguishability obfuscation, the proposed constructions pay little heed to the KISS principle. Even the descriptions of the proper functioning of the protocols are frightfully complicated (by comparison with RSA or ECC, for example), and the security analyses and guidelines for parameter selection are even more problematic. But even something as wonderful as the KISS principle can be taken too far, as I learned to my chagrin during my early years of work in cryptography. In the late 1980s, when I wrote or spoke about ECC, I wanted to use the simplest possible examples, and these were the supersingular curves. For instance, just take the equation y2 = x3 − x over a field of p elements with p ≡ 3 (mod 4) or else y2 = x3 − 1 with p ≡ 2 (mod 3), where p is chosen so that respectively (p + 1)=4 or (p + 1)=6 is prime. As long as log2 p ≥ 163 we would have 80 bits of security, which at the time was enough. A few years later, Menezes{Okamoto{Vanstone [14] showed that the discrete log problem (DLP) on such a curve can be reduced to the DLP in the finite field of p2 elements, and even in the early 1990s this was insecure. A short time later, when I proposed Hyperelliptic Curve Cryptography (HCC), I again made a very erroneous judgment about parameter selection.
  • International Airport Codes

    International Airport Codes

    Airport Code Airport Name City Code City Name Country Code Country Name AAA Anaa AAA Anaa PF French Polynesia AAB Arrabury QL AAB Arrabury QL AU Australia AAC El Arish AAC El Arish EG Egypt AAE Rabah Bitat AAE Annaba DZ Algeria AAG Arapoti PR AAG Arapoti PR BR Brazil AAH Merzbrueck AAH Aachen DE Germany AAI Arraias TO AAI Arraias TO BR Brazil AAJ Cayana Airstrip AAJ Awaradam SR Suriname AAK Aranuka AAK Aranuka KI Kiribati AAL Aalborg AAL Aalborg DK Denmark AAM Mala Mala AAM Mala Mala ZA South Africa AAN Al Ain AAN Al Ain AE United Arab Emirates AAO Anaco AAO Anaco VE Venezuela AAQ Vityazevo AAQ Anapa RU Russia AAR Aarhus AAR Aarhus DK Denmark AAS Apalapsili AAS Apalapsili ID Indonesia AAT Altay AAT Altay CN China AAU Asau AAU Asau WS Samoa AAV Allah Valley AAV Surallah PH Philippines AAX Araxa MG AAX Araxa MG BR Brazil AAY Al Ghaydah AAY Al Ghaydah YE Yemen AAZ Quetzaltenango AAZ Quetzaltenango GT Guatemala ABA Abakan ABA Abakan RU Russia ABB Asaba ABB Asaba NG Nigeria ABC Albacete ABC Albacete ES Spain ABD Abadan ABD Abadan IR Iran ABF Abaiang ABF Abaiang KI Kiribati ABG Abingdon Downs QL ABG Abingdon Downs QL AU Australia ABH Alpha QL ABH Alpha QL AU Australia ABJ Felix Houphouet-Boigny ABJ Abidjan CI Ivory Coast ABK Kebri Dehar ABK Kebri Dehar ET Ethiopia ABM Northern Peninsula ABM Bamaga QL AU Australia ABN Albina ABN Albina SR Suriname ABO Aboisso ABO Aboisso CI Ivory Coast ABP Atkamba ABP Atkamba PG Papua New Guinea ABS Abu Simbel ABS Abu Simbel EG Egypt ABT Al-Aqiq ABT Al Baha SA Saudi Arabia ABU Haliwen ABU Atambua ID Indonesia ABV Nnamdi Azikiwe Intl ABV Abuja NG Nigeria ABW Abau ABW Abau PG Papua New Guinea ABX Albury NS ABX Albury NS AU Australia ABZ Dyce ABZ Aberdeen GB United Kingdom ACA Juan N.
  • Armed SPHINCS Computing a 41 KB Signature in 16 KB of RAM

    Armed SPHINCS Computing a 41 KB Signature in 16 KB of RAM

    ARMed SPHINCS Computing a 41 KB signature in 16 KB of RAM Andreas Hülsing1, Joost Rijneveld2, and Peter Schwabe2 1 Technische Universiteit Eindhoven, Department of Mathematics and Computer Science, P.O. Box 513, 5600 MB Eindhoven, The Netherlands [email protected] 2 Radboud University, Digital Security Group, P.O. Box 9010, 6500 GL Nijmegen, The Netherlands [email protected], [email protected] Abstract. This paper shows that it is feasible to implement the state- less hash-based signature scheme SPHINCS-256 on an embedded mi- croprocessor with memory even smaller than a signature and limited computing power. We demonstrate that it is possible to generate and verify the 41 KB signature on an ARM Cortex M3 that only has 16 KB of memory available. We provide benchmarks for our implementation which show that this can be used in practice. To analyze the costs of using the stateless SPHINCS scheme instead of its stateful alternatives, we also implement XMSSMT on this platform and give a comparison. Keywords: post-quantum cryptography, hash-based signature schemes, microcontroller, resource-constrained devices, ARM Cortex M3, SPHINCS- 256, XMSSMT 1 Introduction It is dicult to precisely predict the future of computing, but once large-scale quantum computers become feasible in practice, all of the asymmetric cryptogra- phy that is widely deployed today will be broken. Over the past few years, several schemes have been proposed that address this issue. One of the most promis- ing classes of schemes that provide post-quantum secure digital signatures are hash-based schemes [21]. Hash-based schemes come with well-understood security guarantees, build- ing only on the assumption of a secure cryptographic hash function.