DOCSLIB.ORG

Twenty Years of Attacks on the RSA Cryptosystem 1 Introduction

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Twenty Years of Attacks on the RSA Cryptosystem Dan Boneh dab [email protected] 1 Intro duction The RSA cryptosystem, invented by Ron Rivest, Adi Shamir, and Len Adleman [21 ], was rst publicized in the August 1977 issue of Scienti c American. The cryptosystem is most commonly used for providing privacy and ensuring authenticity of digital data. These days RSA is deployed in many commercial systems. It is used by web servers and browsers to secure web trac, it is used to ensure privacy and authenticity of Email, it is used to secure remote login sessions, and it is at the heart of electronic credit-card payment systems. In short, RSA is frequently used in applications where security of digital data is a concern. Since its initial publication, the RSA system has b een analyzed for vulnerability by many researchers. Although twentyyears of researchhave led to a numb er of fascinating attacks, none of them is devastating. They mostly illustrate the dangers of improp er use of RSA. Indeed, securely implementing RSA is a nontrivial task. Our goal is to survey some of these attacks and describ e the underlying mathematical to ols they use. Throughout the survey we follow standard naming conventions and use Alice and Bob to denote two generic parties wishing to communicate with each other. We use Marvin to denote a malicious attacker wishing to eavesdrop or tamp er with the communication b etween Alice and Bob. We b egin by describing a simpli ed version of RSA encryption. Let N = pq b e the pro duct of two large primes of the same size n=2 bits each. A typical size for N is n = 1024 bits, i.e. 309 decimal digits. Each of the factors is 512 bits. Let e; d be twointegers satisfying ed =1mod'N where 'N = p 1q 1 is the order of the multiplicative group Z . We call N the RSA N modulus, e the encryption exponent, and d the decryption exponent. The pair hN; ei is the public key. As its name suggests, it is public and is used to encrypt messages. The pair hN; di is called the secret key or private key and is known only to the recipient of encrypted messages. The secret key enables decryption of ciphertexts. e A message is an integer M 2 Z . To encrypt M , one computes C = M mo d N . To decrypt N d the ciphertext, the legitimate receiver computes C mo d N . Indeed, d ed C = M = M mo d N ; 1 where the last equality follows by Euler's theorem . One de nes the RSA function as x 7! e x mo d N . If d is given, the function can b e easily inverted using the ab ove equality. We refer to d as a trapdoor enabling one to invert the function. In this survey we study the dicultyofinverting 1 Our description slightly oversimpli es RSA encryption. In practice, messages are padded prior to encryption using some randomness [1]. For instance, a simple but insucient padding algorithm may pad a plaintext M by app ending a few random bits to one of the ends prior to encryption. Adding randomness to the encryption pro cess is necessary for prop er security. 1 the RSA function without the trap do or. We refer to this as breaking RSA. More precisely, given th the triple hN ; e; C i, we ask how hard is it to compute the e ro ot of C mo dulo N = pq when the factorization of N is unknown. Since Z is a nite set, one mayenumerate all elements of Z until N N the correct M is found. Unfortunately, this results in an algorithm with running time of order N , namely exponential in the size of its input, which is of the order log N . We are interested mostly 2 c in algorithms with a substantially lower running time, namely on the order of n where n = log N 2 and c is some small constant less than 5, say. Such algorithms often p erform well in practice on the inputs in question. Throughout the pap er we refer to such algorithms as ecient. In this survey we mainly study the RSA function as opp osed to the RSA cryptosystem. Lo osely sp eaking, the dicultyofinverting the RSA function on random inputs implies that given hN ; e; C i an attacker cannot recover the plaintext M . However, a cryptosystem must resist more subtle attacks. If hN ; e; C i is given, it should b e intractable to recover any information ab out M . This is 2 known as semantic security . We do not discuss these subtle attacks, but p oint out that RSA as describ ed ab ove is not semantically secure: given hN ; e; C i, one can easily deduce some information ab out the plaintext M for instance, the Jacobi symbol of M over N can b e easily deduced from C . RSA can b e made semantically secure by adding randomness to the encryption pro cess [1]. e The RSA function x 7! x mo d N is an example of a trapdoor one-way function. It can b e easily computed, but as far as we know cannot b e eciently inverted without the trap do or d except in sp ecial circumstances. Trap do or one-way functions can b e used for digital signatures [19 ]. Digital signatures provide authenticity and nonrepudiation of electronic legal do cuments. For instance, they are used for signing digital checks or electronic purchase orders. To sign a message M 2 Z N d using RSA, Alice applies her private key hN; di to M and obtains a signature S = M mo d N . e Given hM; Si, anyone can verify Alice's signature on M by checking that S = M mo d N . Since only Alice can generate S , one may susp ect that an adversary cannot forge Alice's signature. Unfortunately, things are not so simple; extra measures are needed for prop er security. Digital signatures are an imp ortant application of RSA. Some of the attacks we survey sp eci cally target RSA digital signatures. n -bit primes and multiplying them to An RSA key pair is generated by picking two random 2 1 obtain N . Then, for a given encryption exp onent e < 'N , one computes d = e mo d 'N using the extended Euclidean algorithm. Since the set of primes is suciently dense, a random n n -bit prime can b e quickly generated by rep eatedly picking random -bit integers and testing each 2 2 one for primality using a probabilistic primality test [19 ]. 1.1 Factoring Large Integers The rst attack on an RSA public key hN; ei to consider is factoring the mo dulus N . Given the factorization of N , an attacker can easily construct 'N , from which the decryption exp onent 1 d = e mo d 'N can be found. We refer to factoring the mo dulus as a brute-force attack on RSA. Although factoring algorithms have b een steadily improving, the current state of the art is still far from p osing a threat to the security of RSA when RSA is used prop erly. Factoring large integers is one of the most b eautiful problems of computational mathematics [18 , 20 ], but it is not the topic of this article. For completeness we note that the current fastest factoring algorithm is 2=3 1=3 log n the General Numb er Field Sieve. Its running time on n-bit integers is exp c + o1n for some c<2. Attacks on RSA that take longer than this time b ound are not interesting. These 2 A source that explains semantic security and gives examples of semantically secure ciphers is [11 ]. 2 include attacks such as exhaustive search for M and some older attacks published right after the initial publication of RSA. Our ob jective is to survey attacks on RSA that decrypt messages without directly factoring the RSA mo dulus N . Nevertheless, it is worth noting that some sparse sets of RSA mo duli, N = pq , can b e easily factored. For instance, if p 1 is a pro duct of prime factors less than B , then N can 3 b e factored in time less than B . Some implementations explicitly reject primes p for which p 1 is a pro duct of small primes. As noted ab ove, if an ecient factoring algorithm exists, then RSA is insecure. The converse is th a long standing op en problem: must one factor N in order to eciently compute e ro ots mo dulo N ? Is breaking RSA as hard as factoring? We state the concrete op en problem b elow. Op en Problem 1 Given integers N and e satisfying gcde; 'N = 1, de ne the function f : e;N 1=e Z ! Z by f x = x mo d N . Is there a polynomial-time algorithm A that computes the e;N N N factorization of N given N and access to an \oracle" f x for some e? e;N An oracle for f x evaluates the function on any input x in unit time. Recently Boneh and Venkatesan [6] provided evidence that for small e the answer to the ab ove problem may b e \no". In other words, for small e there may not exist a p olynomial-time reduction from factoring to breaking RSA. They do so by showing that in a certain mo del, a p ositive answer to the problem for small e yields an ecient factoring algorithm.
Recommended publications
  • Public Key Cryptography And

    Public Key Cryptography And

    PublicPublic KeyKey CryptographyCryptography andand RSARSA Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 [email protected] Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/ Washington University in St. Louis CSE571S ©2011 Raj Jain 9-1 OverviewOverview 1. Public Key Encryption 2. Symmetric vs. Public-Key 3. RSA Public Key Encryption 4. RSA Key Construction 5. Optimizing Private Key Operations 6. RSA Security These slides are based partly on Lawrie Brown’s slides supplied with William Stallings’s book “Cryptography and Network Security: Principles and Practice,” 5th Ed, 2011. Washington University in St. Louis CSE571S ©2011 Raj Jain 9-2 PublicPublic KeyKey EncryptionEncryption Invented in 1975 by Diffie and Hellman at Stanford Encrypted_Message = Encrypt(Key1, Message) Message = Decrypt(Key2, Encrypted_Message) Key1 Key2 Text Ciphertext Text Keys are interchangeable: Key2 Key1 Text Ciphertext Text One key is made public while the other is kept private Sender knows only public key of the receiver Asymmetric Washington University in St. Louis CSE571S ©2011 Raj Jain 9-3 PublicPublic KeyKey EncryptionEncryption ExampleExample Rivest, Shamir, and Adleman at MIT RSA: Encrypted_Message = m3 mod 187 Message = Encrypted_Message107 mod 187 Key1 = <3,187>, Key2 = <107,187> Message = 5 Encrypted Message = 53 = 125 Message = 125107 mod 187 = 5 = 125(64+32+8+2+1) mod 187 = {(12564 mod 187)(12532 mod 187)... (1252 mod 187)(125 mod 187)} mod 187 Washington University in
  • Practical Homomorphic Encryption and Cryptanalysis

    Practical Homomorphic Encryption and Cryptanalysis

    Practical Homomorphic Encryption and Cryptanalysis Dissertation zur Erlangung des Doktorgrades der Naturwissenschaften (Dr. rer. nat.) an der Fakult¨atf¨urMathematik der Ruhr-Universit¨atBochum vorgelegt von Dipl. Ing. Matthias Minihold unter der Betreuung von Prof. Dr. Alexander May Bochum April 2019 First reviewer: Prof. Dr. Alexander May Second reviewer: Prof. Dr. Gregor Leander Date of oral examination (Defense): 3rd May 2019 Author's declaration The work presented in this thesis is the result of original research carried out by the candidate, partly in collaboration with others, whilst enrolled in and carried out in accordance with the requirements of the Department of Mathematics at Ruhr-University Bochum as a candidate for the degree of doctor rerum naturalium (Dr. rer. nat.). Except where indicated by reference in the text, the work is the candidates own work and has not been submitted for any other degree or award in any other university or educational establishment. Views expressed in this dissertation are those of the author. Place, Date Signature Chapter 1 Abstract My thesis on Practical Homomorphic Encryption and Cryptanalysis, is dedicated to efficient homomor- phic constructions, underlying primitives, and their practical security vetted by cryptanalytic methods. The wide-spread RSA cryptosystem serves as an early (partially) homomorphic example of a public- key encryption scheme, whose security reduction leads to problems believed to be have lower solution- complexity on average than nowadays fully homomorphic encryption schemes are based on. The reader goes on a journey towards designing a practical fully homomorphic encryption scheme, and one exemplary application of growing importance: privacy-preserving use of machine learning.
  • The Twin Diffie-Hellman Problem and Applications

    The Twin Diffie-Hellman Problem and Applications

    The Twin Diffie-Hellman Problem and Applications David Cash1 Eike Kiltz2 Victor Shoup3 February 10, 2009 Abstract We propose a new computational problem called the twin Diffie-Hellman problem. This problem is closely related to the usual (computational) Diffie-Hellman problem and can be used in many of the same cryptographic constructions that are based on the Diffie-Hellman problem. Moreover, the twin Diffie-Hellman problem is at least as hard as the ordinary Diffie-Hellman problem. However, we are able to show that the twin Diffie-Hellman problem remains hard, even in the presence of a decision oracle that recognizes solutions to the problem — this is a feature not enjoyed by the Diffie-Hellman problem in general. Specifically, we show how to build a certain “trapdoor test” that allows us to effectively answer decision oracle queries for the twin Diffie-Hellman problem without knowing any of the corresponding discrete logarithms. Our new techniques have many applications. As one such application, we present a new variant of ElGamal encryption with very short ciphertexts, and with a very simple and tight security proof, in the random oracle model, under the assumption that the ordinary Diffie-Hellman problem is hard. We present several other applications as well, including: a new variant of Diffie and Hellman’s non-interactive key exchange protocol; a new variant of Cramer-Shoup encryption, with a very simple proof in the standard model; a new variant of Boneh-Franklin identity-based encryption, with very short ciphertexts; a more robust version of a password-authenticated key exchange protocol of Abdalla and Pointcheval.
  • Ch 13 Digital Signature

    Ch 13 Digital Signature

    1 CH 13 DIGITAL SIGNATURE Cryptography and Network Security HanJung Mason Yun 2 Index 13.1 Digital Signatures 13.2 Elgamal Digital Signature Scheme 13.3 Schnorr Digital Signature Scheme 13.4 NIST Digital Signature Algorithm 13.6 RSA-PSS Digital Signature Algorithm 3 13.1 Digital Signature - Properties • It must verify the author and the date and time of the signature. • It must authenticate the contents at the time of the signature. • It must be verifiable by third parties, to resolve disputes. • The digital signature function includes authentication. 4 5 6 Attacks and Forgeries • Key-Only attack • Known message attack • Generic chosen message attack • Directed chosen message attack • Adaptive chosen message attack 7 Attacks and Forgeries • Total break • Universal forgery • Selective forgery • Existential forgery 8 Digital Signature Requirements • It must be a bit pattern that depends on the message. • It must use some information unique to the sender to prevent both forgery and denial. • It must be relatively easy to produce the digital signature. • It must be relatively easy to recognize and verify the digital signature. • It must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing digital signature or by constructing a fraudulent digital signature for a given message. • It must be practical to retain a copy of the digital signature in storage. 9 Direct Digital Signature • Digital signature scheme that involves only the communication parties. • It must authenticate the contents at the time of the signature. • It must be verifiable by third parties, to resolve disputes. • Thus, the digital signature function includes the authentication function.
  • Implementation and Performance Evaluation of XTR Over Wireless Network

    Implementation and Performance Evaluation of XTR Over Wireless Network

    Implementation and Performance Evaluation of XTR over Wireless Network By Basem Shihada [email protected] Dept. of Computer Science 200 University Avenue West Waterloo, Ontario, Canada (519) 888-4567 ext. 6238 CS 887 Final Project 19th of April 2002 Implementation and Performance Evaluation of XTR over Wireless Network 1. Abstract Wireless systems require reliable data transmission, large bandwidth and maximum data security. Most current implementations of wireless security algorithms perform lots of operations on the wireless device. This result in a large number of computation overhead, thus reducing the device performance. Furthermore, many current implementations do not provide a fast level of security measures such as client authentication, authorization, data validation and data encryption. XTR is an abbreviation of Efficient and Compact Subgroup Trace Representation (ECSTR). Developed by Arjen Lenstra & Eric Verheul and considered a new public key cryptographic security system that merges high level of security GF(p6) with less number of computation GF(p2). The claim here is that XTR has less communication requirements, and significant computation advantages, which indicate that XTR is suitable for the small computing devices such as, wireless devices, wireless internet, and general wireless applications. The hoping result is a more flexible and powerful secure wireless network that can be easily used for application deployment. This project presents an implementation and performance evaluation to XTR public key cryptographic system over wireless network. The goal of this project is to develop an efficient and portable secure wireless network, which perform a variety of wireless applications in a secure manner. The project literately surveys XTR mathematical and theoretical background as well as system implementation and deployment over wireless network.
  • Key Improvements to XTR

    Key Improvements to XTR

    To appear in Advances in Cryptology|Asiacrypt 2000, Lecture Notes in Computer Science 1976, Springer-Verlag 2000, 220-223. Key improvements to XTR Arjen K. Lenstra1, Eric R. Verheul2 1 Citibank, N.A., Technical University Eindhoven, 1 North Gate Road, Mendham, NJ 07945-3104, U.S.A., [email protected] 2 PricewaterhouseCoopers, GRMS Crypto Group, Goudsbloemstraat 14, 5644 KE Eindhoven, The Netherlands, Eric.Verheul@[nl.pwcglobal.com, pobox.com] Abstract. This paper describes improved methods for XTR key rep- resentation and parameter generation (cf. [4]). If the ¯eld characteristic is properly chosen, the size of the XTR public key for signature appli- cations can be reduced by a factor of three at the cost of a small one time computation for the recipient of the key. Furthermore, the para- meter set-up for an XTR system can be simpli¯ed because the trace of a proper subgroup generator can, with very high probability, be com- puted directly, thus avoiding the probabilistic approach from [4]. These non-trivial extensions further enhance the practical potential of XTR. 1 Introduction In [1] it was shown that conjugates of elements of a subgroup of GF(p6)¤ of order 2 dividing Á6(p) = p ¡ p + 1 can be represented using 2 log2(p) bits, as opposed to the 6 log2(p) bits that would be required for their traditional representation. In [4] an improved version of the method from [1] was introduced that achieves the same communication advantage at a much lower computational cost. The resulting representation method is referred to as XTR, which stands for E±cient and Compact Subgroup Trace Representation.
  • Efficient Encryption on Limited Devices

    Efficient Encryption on Limited Devices

    Rochester Institute of Technology RIT Scholar Works Theses 2006 Efficient encryption on limited devices Roderic Campbell Follow this and additional works at: https://scholarworks.rit.edu/theses Recommended Citation Campbell, Roderic, "Efficient encryption on limited devices" (2006). Thesis. Rochester Institute of Technology. Accessed from This Master's Project is brought to you for free and open access by RIT Scholar Works. It has been accepted for inclusion in Theses by an authorized administrator of RIT Scholar Works. For more information, please contact [email protected]. Masters Project Proposal: Efficient Encryption on Limited Devices Roderic Campbell Department of Computer Science Rochester Institute of Technology Rochester, NY, USA [email protected] June 24, 2004 ________________________________________ Chair: Prof. Alan Kaminsky Date ________________________________________ Reader: Prof. Hans-Peter Bischof Date ________________________________________ Observer: Prof. Leonid Reznik Date 1 1 Summary As the capstone of my Master’s education, I intend to perform a comparison of Elliptic Curve Cryptography(ECC) and The XTR Public Key System to the well known RSA encryption algorithm. The purpose of such a project is to provide a further understanding of such types of encryption, as well as present an analysis and recommendation for the appropriate technique for given circumstances. This comparison will be done by developing a series of tests on which to run identical tasks using each of the previously mentioned algorithms. Metrics such as running time, maximum and average memory usage will be measured as applicable. There are four main goals of Crypto-systems: Confidentiality, Data Integrity, Authentication and Non-repudiation[5]. This implementation deals only with confidentiality of symmetric key exchange.
  • Linear Generalized Elgamal Encryption Scheme Pascal Lafourcade, Léo Robert, Demba Sow

    Linear Generalized Elgamal Encryption Scheme Pascal Lafourcade, Léo Robert, Demba Sow

    Linear Generalized ElGamal Encryption Scheme Pascal Lafourcade, Léo Robert, Demba Sow To cite this version: Pascal Lafourcade, Léo Robert, Demba Sow. Linear Generalized ElGamal Encryption Scheme. In- ternational Conference on Security and Cryptography (SECRYPT), Jul 2020, Paris, France. hal- 02559556 HAL Id: hal-02559556 https://hal.archives-ouvertes.fr/hal-02559556 Submitted on 30 Apr 2020 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Linear Generalized ElGamal Encryption Scheme Pascal Lafourcade1,Leo´ Robert1, and Demba Sow2 1LIMOS, Universite´ Clermont Auvergne, France, [email protected] , [email protected] 2LACGAA, Universite´ Cheikh Anta Diop de Dakar, Sen´ egal´ , [email protected] Keywords: Cryptography, Partial homomorphic encryption, Linear Assumption, ElGamal encryption scheme. Abstract: ElGamal public key encryption scheme has been designed in the 80’s. It is one of the first partial homomorphic encryption and one of the first IND-CPA probabilistic public key encryption scheme. A linear version has been recently proposed by Boneh et al. In this paper, we present a linear encryption based on a generalized version of ElGamal encryption scheme. We prove that our scheme is IND-CPA secure under linear assumption.
  • Semantic Security and Indistinguishability in the Quantum World June 1, 2016?

    Semantic Security and Indistinguishability in the Quantum World June 1, 2016?

    Semantic Security and Indistinguishability in the Quantum World June 1, 2016? Tommaso Gagliardoni1, Andreas H¨ulsing2, and Christian Schaffner3;4;5 1 CASED, Technische Universit¨atDarmstadt, Germany [email protected] 2 TU Eindhoven, The Netherlands [email protected] 3 Institute for Logic, Language and Compuation (ILLC), University of Amsterdam, The Netherlands [email protected] 4 Centrum Wiskunde & Informatica (CWI) Amsterdam, The Netherlands 5 QuSoft, The Netherlands Abstract. At CRYPTO 2013, Boneh and Zhandry initiated the study of quantum-secure encryption. They proposed first indistinguishability def- initions for the quantum world where the actual indistinguishability only holds for classical messages, and they provide arguments why it might be hard to achieve a stronger notion. In this work, we show that stronger notions are achievable, where the indistinguishability holds for quantum superpositions of messages. We investigate exhaustively the possibilities and subtle differences in defining such a quantum indistinguishability notion for symmetric-key encryption schemes. We justify our stronger definition by showing its equivalence to novel quantum semantic-security notions that we introduce. Furthermore, we show that our new security definitions cannot be achieved by a large class of ciphers { those which are quasi-preserving the message length. On the other hand, we pro- vide a secure construction based on quantum-resistant pseudorandom permutations; this construction can be used as a generic transformation for turning a large class of encryption schemes into quantum indistin- guishable and hence quantum semantically secure ones. Moreover, our construction is the first completely classical encryption scheme shown to be secure against an even stronger notion of indistinguishability, which was previously known to be achievable only by using quantum messages and arbitrary quantum encryption circuits.
  • Exploring Naccache-Stern Knapsack Encryption

    Exploring Naccache-Stern Knapsack Encryption

    Exploring Naccache-Stern Knapsack Encryption Éric Brier1, Rémi Géraud2, and David Naccache2 1 Ingenico Terminals Avenue de la Gare f- Alixan, France [email protected] 2 École normale supérieure rue d’Ulm, f- Paris cedex , France {remi.geraud,david.naccache}@ens.fr Abstract. The Naccache–Stern public-key cryptosystem (NS) relies on the conjectured hardness of the modular multiplicative knapsack problem: Q mi Given p, {vi}, vi mod p, find the {mi}. Given this scheme’s algebraic structure it is interesting to systematically explore its variants and generalizations. In particular it might be useful to enhance NS with features such as semantic security, re-randomizability or an extension to higher-residues. This paper addresses these questions and proposes several such variants. Introduction In , Naccache and Stern (NS, []) presented a public-key cryptosystem based on the conjectured hardness of the modular multiplicative knapsack problem. This problem is defined as follows: Let p be a modulus and let v0, . , vn−1 ∈ Zp. n−1 Y mi Given p, v0, . , vn−1, and vi mod p, find the {mi}. i=0 Given this scheme’s algebraic structure it is interesting to determine if vari- ants and generalizations can add to NS features such as semantic security, re-randomizability or extend it to operate on higher-residues. This paper addresses these questions and explores several such variants. The Original Naccache–Stern Cryptosystem The NS cryptosystem uses the following sub-algorithms: p is usually prime but nothing prevents extending the problem to composite RSA moduli. – Setup: Pick a large prime p and a positive integer n.
  • Research Notices

    Research Notices

    AMERICAN MATHEMATICAL SOCIETY Research in Collegiate Mathematics Education. V Annie Selden, Tennessee Technological University, Cookeville, Ed Dubinsky, Kent State University, OH, Guershon Hare I, University of California San Diego, La jolla, and Fernando Hitt, C/NVESTAV, Mexico, Editors This volume presents state-of-the-art research on understanding, teaching, and learning mathematics at the post-secondary level. The articles are peer-reviewed for two major features: (I) advancing our understanding of collegiate mathematics education, and (2) readability by a wide audience of practicing mathematicians interested in issues affecting their students. This is not a collection of scholarly arcana, but a compilation of useful and informative research regarding how students think about and learn mathematics. This series is published in cooperation with the Mathematical Association of America. CBMS Issues in Mathematics Education, Volume 12; 2003; 206 pages; Softcover; ISBN 0-8218-3302-2; List $49;AII individuals $39; Order code CBMATH/12N044 MATHEMATICS EDUCATION Also of interest .. RESEARCH: AGul<lelbrthe Mathematics Education Research: Hothomatldan- A Guide for the Research Mathematician --lllll'tj.M...,.a.,-- Curtis McKnight, Andy Magid, and -- Teri J. Murphy, University of Oklahoma, Norman, and Michelynn McKnight, Norman, OK 2000; I 06 pages; Softcover; ISBN 0-8218-20 16-8; List $20;AII AMS members $16; Order code MERN044 Teaching Mathematics in Colleges and Universities: Case Studies for Today's Classroom Graduate Student Edition Faculty
  • A Decade of Lattice Cryptography

    A Decade of Lattice Cryptography

    Full text available at: http://dx.doi.org/10.1561/0400000074 A Decade of Lattice Cryptography Chris Peikert Computer Science and Engineering University of Michigan, United States Boston — Delft Full text available at: http://dx.doi.org/10.1561/0400000074 Foundations and Trends R in Theoretical Computer Science Published, sold and distributed by: now Publishers Inc. PO Box 1024 Hanover, MA 02339 United States Tel. +1-781-985-4510 www.nowpublishers.com [email protected] Outside North America: now Publishers Inc. PO Box 179 2600 AD Delft The Netherlands Tel. +31-6-51115274 The preferred citation for this publication is C. Peikert. A Decade of Lattice Cryptography. Foundations and Trends R in Theoretical Computer Science, vol. 10, no. 4, pp. 283–424, 2014. R This Foundations and Trends issue was typeset in LATEX using a class file designed by Neal Parikh. Printed on acid-free paper. ISBN: 978-1-68083-113-9 c 2016 C. Peikert All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, mechanical, photocopying, recording or otherwise, without prior written permission of the publishers. Photocopying. In the USA: This journal is registered at the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923. Authorization to photocopy items for in- ternal or personal use, or the internal or personal use of specific clients, is granted by now Publishers Inc for users registered with the Copyright Clearance Center (CCC). The ‘services’ for users can be found on the internet at: www.copyright.com For those organizations that have been granted a photocopy license, a separate system of payment has been arranged.