DOCSLIB.ORG

Securely Instantiating Cryptographic Schemes Based on the Learning with Errors Assumption

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Securely Instantiating Cryptographic Schemes Based on the Learning with Errors Assumption Securely Instantiating Cryptographic Schemes Based on the Learning with Errors Assumption Vom Fachbereich Informatik der Technischen Universit¨atDarmstadt genehmigte Dissertation zur Erlangung des Grades Doktor rerum naturalium (Dr. rer. nat.) von Dipl.-Math. Florian G¨opfert geboren in W¨urzburg. Referenten: Prof. Dr. Johannes Buchmann Prof. Dr. Jintai Ding Tag der Einreichung: 11.08.2016 Tag der m¨undlichen Pr¨ufung: 22.09.2016 Hochschulkennziffer: D 17 Darmstadt 2016 August 11, 2016 Abstract Since its proposal by Regev in 2005 [Reg05], the Learning With Errors (LWE) problem was used as the underlying problem for a great variety of schemes. Its applications are many-fold, reaching from basic and highly practical primitives like key exchange [ADPS16], public-key encryption [LP11, LPR10], and signature schemes [ABBD15, DDLL13] to very advanced solutions like fully homomorphic encryption [BV14, BGV11], group signatures [LLLS13], and identity based encryp- tion [ABV+11]. One of the underlying reasons for this fertility is the flexibility with that LWE can be instantiated. Unfortunately, this comes at a cost: It makes selecting parameters for cryptographic applications complicated. When selecting parameters for a new LWE-based primitive, a researcher has to take the influence of several parameters on the efficiency of the scheme and the runtime of a variety of attacks into consideration. In fact, the missing trust in the concrete hardness of LWE is one of the main problems to overcome to bring LWE-based schemes to practice. This thesis aims at closing the gap between the theoretical knowledge of the hardness of LWE, and the concrete problem of selecting parameters for an LWE- based scheme. To this end, we analyze the existing methods to estimate the hardness of LWE, and introduce new estimation techniques where necessary. Afterwards, we show how to transfer this knowledge into instantiations that are at the same time secure and efficient. We show this process on three examples: • A highly optimized public-key encryption scheme for embedded devices that is based on a variant of Ring-LWE. • A practical signature scheme that served as the foundation of one of the best lattice-based signature schemes based on standard lattices. • An advanced public-key encryption scheme that enjoys the unique property of natural double hardness based on LWE instances similar to those used for fully homomorphic encryption. iii Zusammenfassung Einer der Grundpfeiler unserer modernen digitalen Gesellschaft sind asymmetrische Verschl¨usselungs- und Signaturverfahren. Asymmetrische Verfahren zeichnen sich dadurch aus, dass es nicht einen geheimen Schl¨usselgibt, sondern ein Schl¨usselpaar bestehend aus einem geheimen und einem ¨offentlichen Schl¨ussel. Der ¨offentliche Schl¨usselerlaubt etwa das Verschl¨usselneiner Nachricht oder das verifizieren einer Signatur, zum Entschl¨usselnder Nachricht oder erzeugen der Signatur ist hingegen der geheime Schl¨usselnotwendig. Allen diesen Verfahren gemein ist dass ihre Sicherheit auf einem numerisch schwer zu l¨osendenProblem beruht. In nahezu allen heute in der Praxis benutzen Verfahren ist dieses Problem entweder das Faktorisieren großer Zahlen, oder das diskrete Loga- rithmus Problem in verschiedenen Gruppen. Die auf diesen Problemen beruhenden Verfahren sind effizient und werden f¨ursicher gehalten, haben jedoch ein großes Problem: Wie Peter Shor 1994 zeigte, k¨onnen sie von Quantencomputern in poly- nomieller Zeit gel¨ostwerden. In einer Zukunft, in der Quantencomputer existieren (was zufolge vieler Experten bereits in 20 Jahren der Fall sein k¨onnte), sind auf sie also zum sichern vertraulicher Kommunikation ungeeignet. Diese Arbeit befasst sich mit der Schwere des Learning With Errors (LWE) Prob- lems. Auf LWE basierende Verfahren geh¨orenzu den vielversprechendsten Kandi- daten, um Faktorisierungs- und diskrete Logarithmus basierte Verfahren abzul¨osen. Sie sind sehr effizient und k¨onnennach dem aktuellen Stand der Forschung nicht von Quantencomputern angegriffen werden. Die Verfahren sind ¨ublicherweise mithilfe eines Sicherheitsbeweises an LWE gebunden. Dieser besagt dass man eine bestimmte LWE Instanz l¨osenmuss, um das Verfahren zu brechen. Uber¨ die theoretische Schwere von LWE ist bereits viel bekannt. Wie Regev bereits 2005 zeigte, sind zuf¨alligeInstanzen von LWE (asymptotisch) mindestens so schwer wie die schwersten Instanzen verschiedener, etablierter Gitterprobleme. Leider sagen weder Regev's Resultat ¨uber die asymptotische Schwere von LWE, noch der Sicherheitsbeweis etwas dar¨uber aus, wie schwer diese LWE Instanz ist. Folglich ist es von erheblicher Bedeutung f¨urTheorie und Praxis, die Schwere konkreter LWE Instanzen zu untersuchen, und aus diesen Erkenntnissen korrekte Parameter f¨urdie LWE-basierten Verfahren abzuleiten. Folglich ist diese Arbeit in zwei Abschnitte unterteilt. Der Erste pr¨asentiert neue v Abstract theoretische und experimentelle Ergebnisse ¨uber die Schwere von LWE. Es besteht aus neuen Resultaten ¨uber die Schwere von LWE Instanzen unter Einschr¨ankungen, die in der Praxis auftreten (Kapitel 3), eine experimentelle Untersuchung der Pa- rallelisierbarkeit eines der vielversprechendsten LWE-L¨osers(Kapitel 4), ein neuer Algorithmus zum L¨osenvon LWE (Kapitel 5), und eine neue Methode zum expe- rimentellen Vergleich verschiedener LWE-L¨oser(Kapitel 6). Der zweite Abschnitt zeigt anhand dreier Beispiele, wie sich die Erkenntnisse ¨uber die Schwere von LWE nutzen lassen, um Parameter f¨urkryptographische Verfahren zu w¨ahlen. Die Ver- fahren sind ein Signaturverfahren (Kapitel 7), ein Verschl¨usselungsverfahren (Kapi- tel 8), und ein Verschl¨usselungsverfahren mit erweiterten Sicherheitseigenschaften (Kapitel 9). vi Contents Abstract iii Zusammenfassung v Publications 1 1. Introduction 3 1.1. Organisation . .4 2. Background 7 2.1. Lattices . .7 2.1.1. Lattices and Bases . .7 2.1.2. Basis Quality and Basis Reduction . .8 2.2. Computational Problems . 10 2.2.1. Short Vector Problems (SVP) . 10 2.2.2. Short Integer Solution (SIS) . 11 2.2.3. Learning with Errors (LWE) . 11 2.3. Algorithms for LWE . 12 2.3.1. The Blum Kalai Wasserman Algorithm . 13 2.3.2. The Distinguishing Attack . 14 2.3.3. The Decoding Attack . 15 2.3.4. Kannan's Reduction to unique SVP . 18 2.3.5. Reduction to Inhomogeneous SIS . 18 I. Hardness of LWE 19 3. LWE Instances with Few Samples 21 3.1. Known Solvers . 21 3.1.1. Distinguishing Attack . 21 3.1.2. Decoding Attack . 22 3.1.3. Kannan's Embedding Attack . 23 vii Contents 3.1.4. Reduction to uSVP via ISIS . 25 3.2. Concrete Complexity of LWE with Few Samples . 27 4. Attacking LWE with Parallel Enumeration 29 4.1. Parallel Version of Enumeration . 30 4.1.1. On the Necessity of the Projection . 30 4.1.2. Returning the Error Vector . 31 4.1.3. Parallelization . 32 4.2. Further Possible Improvements . 33 4.3. Bounds on the Speedup . 34 5. LWE with Binary Error 39 5.1. The Hybrid Lattice-Reduction and Meet-in-the-Middle Attack . 40 5.1.1. The Hybrid Attack . 40 5.1.2. Runtime Analysis . 41 5.1.3. Minimizing the Expected Runtime . 51 5.2. Performance of Known Attacks . 51 5.2.1. Number of Samples . 52 5.2.2. Algorithms for solving LWE . 52 5.2.3. Comparison . 56 6. The LWE Challenge 57 6.1. Instances Provided by the LWE Challenge . 58 6.1.1. Choice of Parameters . 58 6.1.2. Uniqueness and Correctness of Solutions . 61 6.2. The Challenge Web Page . 64 6.2.1. How to Download Challenges . 64 6.2.2. How to Submit Solutions . 65 6.3. First Results of the LWE Challenge . 65 II. Selecting Parameters 67 7. Signature Scheme by Bai/Galbraith 69 7.1. The Scheme . 70 7.1.1. Description of the BG Signature Scheme . 70 7.1.2. Optimizing Rejection Sampling . 71 7.2. Revisiting the Old Parameter Sets . 72 7.3. Security Analysis and Parameter Selection . 74 7.3.1. Hardness of LWE . 74 7.3.2. Hardness of SIS . 75 7.3.3. An Instantiation for Software Efficiency . 75 viii Contents 8. A New and Highly Efficient Encryption Scheme 79 8.1. Ring-LWE Based Public Key Encryption Scheme . 80 8.1.1. Preliminaries . 80 8.1.2. The Scheme . 81 8.2. Correctness and Security of R-BinLWEEnc . 82 8.2.1. Parameter Selection . 83 8.2.2. Hardness Assessment of Binary LWE . 83 8.3. Instantiation and Results . 86 9. A Double Secure Encryption Scheme 89 9.1. The Representation Problem . 90 9.1.1. Definition and Properties . 90 9.2. Learning with Errors in the Exponent . 93 9.2.1. Definition . 93 9.2.2. Relations to Group and Lattice Problems . 94 9.2.3. On the Generic Hardness of LWEE . 97 9.3. Public Key Encryption from LWEE . 97 9.3.1. The High-Level Idea . 97 9.3.2. Our Construction . 98 9.3.3. Correctness . 98 9.3.4. Ciphertext Indistinguishability . 99 9.4. Parameter Selection . 101 9.4.1. Hardness of the Decisional Representation Problem . 101 9.4.2. Hardness of the Learning with Errors Problem . 104 9.4.3. Candidate Instantiations of our Encryption Scheme . 106 10.Conclusion 109 Bibliography 111 ix Publications Publication Used in This Thesis 1. Johannes Buchmann, Christian Bischof, Ozg¨urDagdelen,¨ Robert Fitzpatrick, Florian G¨opfertand Artur Mariano: Nearest Planes in Practice. BalkanCrypt- Sec 2014. Chapter 4. [BBD+14] 2. Florian G¨opfert,Rachel Player, Thomas Wunderer: On the Hardness of LWE with Binary Error: Revisiting the Hybrid Lattice-Reduction and Meet-in-the- Middle Attack. Africacrypt 2016. Chapter 5. [BGPW16] 3. Johannes Buchmann, Niklas B¨uscher, Florian G¨opfert,Juliane Kr¨amer,Daniele Micciancio, Christine van Vredendaal, Michael Walter: Creating Cryptographic Challenges Using Multi-Party Computation: The LWE Challenge. PKC@AsiaCCS. Chapter 6. [BBG+16] 4. Ozg¨urDagdelen,¨ Rachid El Bansarkhani, Florian G¨opfert, Tim G¨uneysu, Tobias Oder, Thomas P¨oppelmann, Ana Helena Sanchez, Peter Schwabe: High-speed signatures from standard lattices. Latincrypt 2014. Chapter 7. [DBG+14] 5. Johannes Buchmann, Florian G¨opfert,Tim G¨uneysu,Tobias Oder, Thomas P¨oppelmann: High-Performance and Lightweight Lattice-Based Public-Key Encryption.
Load more

Recommended publications
  • Double-Authentication-Preventing Signatures
    A preliminary version of this paper appears in the proceedings of ESORICS 2014 [PS14]. The full version appears in the International Journal of Information Security [PS15]. This is the author's copy of the full version. The final publication is available at Springer via http://dx.doi.org/10.1007/s10207-015-0307-8. Double-authentication-preventing signatures Bertram Poettering1 and Douglas Stebila2 1 Foundations of Cryptography, Ruhr University Bochum, Germany 2 School of Electrical Engineering and Computer Science and School of Mathematical Sciences, Queensland University of Technology, Brisbane, Australia [email protected] [email protected] January 18, 2016 Abstract Digital signatures are often used by trusted authorities to make unique bindings between a subject and a digital object; for example, certificate authorities certify a public key belongs to a domain name, and time-stamping authorities certify that a certain piece of information existed at a certain time. Traditional digital signature schemes however impose no uniqueness conditions, so a trusted authority could make multiple certifications for the same subject but different objects, be it intentionally, by accident, or following a (legal or illegal) coercion. We propose the notion of a double-authentication-preventing signature, in which a value to be signed is split into two parts: a subject and a message. If a signer ever signs two different messages for the same subject, enough information is revealed to allow anyone to compute valid signatures on behalf of the signer. This double-signature forgeability property discourages signers from misbehaving|a form of self-enforcement|and would give binding authorities like CAs some cryptographic arguments to resist legal coercion.
    [Show full text]
  • Secret Sharing and Perfect Zero Knowledge*
    Secret Sharing and Perfect Zero Knowledge* A. De Santis,l G. Di Crescenzo,l G. Persiano2 Dipartimento di Informatica ed Applicazioni, Universiti di Salerno, 84081 Baronissi (SA), Italy Dipartimento di Matematica, Universitk di Catania, 95125 Catania, Italy Abstract. In this work we study relations between secret sharing and perfect zero knowledge in the non-interactive model. Both secret sharing schemes and non-interactive zero knowledge are important cryptographic primitives with several applications in the management of cryptographic keys, in multi-party secure protocols, and many other areas. Secret shar- ing schemes are very well-studied objects while non-interactive perfect zer-knowledge proofs seem to be very elusive. In fact, since the intro- duction of the non-interactive model for zero knowledge, the only perfect zero-knowledge proof known was for quadratic non residues. In this work, we show that a large class of languages related to quadratic residuosity admits non-interactive perfect zero-knowledge proofs. More precisely, we give a protocol for proving non-interactively and in perfect zero knowledge the veridicity of any “threshold” statement where atoms are statements about the quadratic character of input elements. We show that our technique is very general and extend this result to any secret sharing scheme (of which threshold schemes are just an example). 1 Introduction Secret Sharing. The fascinating concept of Secret Sharing scheme has been first considered in [18] and [3]. A secret sharing scheme is a method of dividing a secret s among a set of participants in such a way that only qualified subsets of participants can reconstruct s but non-qualified subsets have absolutely no information on s.
    [Show full text]
  • Practical Forward Secure Signatures Using Minimal Security Assumptions
    Practical Forward Secure Signatures using Minimal Security Assumptions Vom Fachbereich Informatik der Technischen Universit¨atDarmstadt genehmigte Dissertation zur Erlangung des Grades Doktor rerum naturalium (Dr. rer. nat.) von Dipl.-Inform. Andreas H¨ulsing geboren in Karlsruhe. Referenten: Prof. Dr. Johannes Buchmann Prof. Dr. Tanja Lange Tag der Einreichung: 07. August 2013 Tag der m¨undlichen Pr¨ufung: 23. September 2013 Hochschulkennziffer: D 17 Darmstadt 2013 List of Publications [1] Johannes Buchmann, Erik Dahmen, Sarah Ereth, Andreas H¨ulsing,and Markus R¨uckert. On the security of the Winternitz one-time signature scheme. In A. Ni- taj and D. Pointcheval, editors, Africacrypt 2011, volume 6737 of Lecture Notes in Computer Science, pages 363{378. Springer Berlin / Heidelberg, 2011. Cited on page 17. [2] Johannes Buchmann, Erik Dahmen, and Andreas H¨ulsing.XMSS - a practical forward secure signature scheme based on minimal security assumptions. In Bo- Yin Yang, editor, Post-Quantum Cryptography, volume 7071 of Lecture Notes in Computer Science, pages 117{129. Springer Berlin / Heidelberg, 2011. Cited on pages 41, 73, and 81. [3] Andreas H¨ulsing,Albrecht Petzoldt, Michael Schneider, and Sidi Mohamed El Yousfi Alaoui. Postquantum Signaturverfahren Heute. In Ulrich Waldmann, editor, 22. SIT-Smartcard Workshop 2012, IHK Darmstadt, Feb 2012. Fraun- hofer Verlag Stuttgart. [4] Andreas H¨ulsing,Christoph Busold, and Johannes Buchmann. Forward secure signatures on smart cards. In Lars R. Knudsen and Huapeng Wu, editors, Se- lected Areas in Cryptography, volume 7707 of Lecture Notes in Computer Science, pages 66{80. Springer Berlin Heidelberg, 2013. Cited on pages 63, 73, and 81. [5] Johannes Braun, Andreas H¨ulsing,Alex Wiesmaier, Martin A.G.
    [Show full text]
  • 1 Abelian Group 266 Absolute Value 307 Addition Mod P 427 Additive
    1 abelian group 266 certificate authority 280 absolute value 307 certificate of primality 405 addition mod P 427 characteristic equation 341, 347 additive identity 293, 497 characteristic of field 313 additive inverse 293 cheating xvi, 279, 280 adjoin root 425, 469 Chebycheff’s inequality 93 Advanced Encryption Standard Chebycheff’s theorem 193 (AES) 100, 106, 159 Chinese Remainder Theorem 214 affine cipher 13 chosen-plaintext attack xviii, 4, 14, algorithm xix, 150 141, 178 anagram 43, 98 cipher xvii Arithmetica key exchange 183 ciphertext xvii, 2 Artin group 185 ciphertext-only attack xviii, 4, 14, 142 ASCII xix classic block interleaver 56 asymmetric cipher xviii, 160 classical cipher xviii asynchronous cipher 99 code xvii Atlantic City algorithm 153 code-book attack 105 attack xviii common divisor 110 authentication 189, 288 common modulus attack 169 common multiple 110 baby-step giant-step 432 common words 32 Bell’s theorem 187 complex analysis 452 bijective 14, 486 complexity 149 binary search 489 composite function 487 binomial coefficient 19, 90, 200 compositeness test 264 birthday paradox 28, 389 composition of permutations 48 bit operation 149 compression permutation 102 block chaining 105 conditional probability 27 block cipher 98, 139 confusion 99, 101 block interleaver 56 congruence 130, 216 Blum integer 164 congruence class 130, 424 Blum–Blum–Shub generator 337 congruential generator 333 braid group 184 conjugacy problem 184 broadcast attack 170 contact method 44 brute force attack 3, 14 convolution product 237 bubble sort 490 coprime
    [Show full text]
  • Discrete Square Roots Cryptosystems Rabin Cryptosystem
    CHAPTER 6: OTHER CRYPTOSYSTEMS and BASIC CRYPTOGRAPHY PRIMITIVES A large number of interesting and important cryptosystems have already been designed. In this chapter we present several other of them in order to illustrate other principles and techniques that can be used to design cryptosystems. Part VI At first, we present several cryptosystems security of which is based on the fact that computation of square roots and discrete logarithms is in general infeasible in some Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash groups. functions Secondly, we discuss one of the fundamental questions of modern cryptography: when can a cryptosystem be considered as (computationally) perfectly secure? In order to do that we will: discuss the role randomness play in the cryptography; introduce the very fundamental definitions of perfect security of cryptosystem present some examples of perfectly secure cryptosystems. Finally, we discuss in some details such important cryptography primitives as pseudo-random number generators and hash functions prof. Jozef Gruska IV054 6. Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions 2/66 DISCRETE SQUARE ROOTS CRYPTOSYSTEMS RABIN CRYPTOSYSTEM Let Blum primes p, q are kept secret, and let the Blum integer n = pq be the public key. Encryption: of a plaintext w < n c = w 2 (mod n) Decryption: -briefly It is easy to verify (using Euler’s criterion which says that if c is a quadratic residue (p 1)/2 modulo p, then c − 1 (mod p),) that DISCRETE SQUARE ROOTS CRYPTOSYSTEMS ≡ c(p+1)/4mod p and c(q+1)/4mod q ± ± p+1 p 1 are two square roots of c modulo p and q.
    [Show full text]
  • Lecture 21 April 11, 2019
    Outline QR QR encryption Secure PRSG BBS Finding sqrt Distributions Legendre/Jacobi BBS Security CPSC 367: Cryptography and Security Michael J. Fischer Lecture 21 April 11, 2019 CPSC 367, Lecture 21 1/72 Outline QR QR encryption Secure PRSG BBS Finding sqrt Distributions Legendre/Jacobi BBS Security Quadratic Residues Revisited Euler criterion Distinguishing Residues from Non-Residues Encryption Based on Quadratic Residues Summary Secure Random Sequence Generators Pseudorandom sequence generators Looking random BBS Pseudorandom Sequence Generator Appendix: Finding Square Roots Square roots modulo special primes Square roots modulo general odd primes Appendix: Similarity of Probability Distributions Cryptographically secure PRSG Indistinguishability CPSC 367, Lecture 21 2/72 Outline QR QR encryption Secure PRSG BBS Finding sqrt Distributions Legendre/Jacobi BBS Security Appendix: The Legendre and Jacobi Symbols The Legendre symbol Jacobi symbol Computing the Jacobi symbol Appendix: Security of BBS CPSC 367, Lecture 21 3/72 Outline QR QR encryption Secure PRSG BBS Finding sqrt Distributions Legendre/Jacobi BBS Security Quadratic Residues Revisited CPSC 367, Lecture 21 4/72 Outline QR QR encryption Secure PRSG BBS Finding sqrt Distributions Legendre/Jacobi BBS Security QR reprise Quadratic residues play a key role in the Feige-Fiat-Shamir zero knowledge authentication protocol. They can also be used to produce a secure probabilistic cryptosystem and a cryptographically strong pseudorandom bit generator. Before we can proceed to these protocols, we need some more number-theoretic properties of quadratic residues. CPSC 367, Lecture 21 5/72 Outline QR QR encryption Secure PRSG BBS Finding sqrt Distributions Legendre/Jacobi BBS Security Euler criterion Euler criterion The Euler criterion gives a feasible method for testing membership in QRp when p is an odd prime.
    [Show full text]
  • Integer Sequences
    UHX6PF65ITVK Book > Integer sequences Integer sequences Filesize: 5.04 MB Reviews A very wonderful book with lucid and perfect answers. It is probably the most incredible book i have study. Its been designed in an exceptionally simple way and is particularly just after i finished reading through this publication by which in fact transformed me, alter the way in my opinion. (Macey Schneider) DISCLAIMER | DMCA 4VUBA9SJ1UP6 PDF > Integer sequences INTEGER SEQUENCES Reference Series Books LLC Dez 2011, 2011. Taschenbuch. Book Condition: Neu. 247x192x7 mm. This item is printed on demand - Print on Demand Neuware - Source: Wikipedia. Pages: 141. Chapters: Prime number, Factorial, Binomial coeicient, Perfect number, Carmichael number, Integer sequence, Mersenne prime, Bernoulli number, Euler numbers, Fermat number, Square-free integer, Amicable number, Stirling number, Partition, Lah number, Super-Poulet number, Arithmetic progression, Derangement, Composite number, On-Line Encyclopedia of Integer Sequences, Catalan number, Pell number, Power of two, Sylvester's sequence, Regular number, Polite number, Ménage problem, Greedy algorithm for Egyptian fractions, Practical number, Bell number, Dedekind number, Hofstadter sequence, Beatty sequence, Hyperperfect number, Elliptic divisibility sequence, Powerful number, Znám's problem, Eulerian number, Singly and doubly even, Highly composite number, Strict weak ordering, Calkin Wilf tree, Lucas sequence, Padovan sequence, Triangular number, Squared triangular number, Figurate number, Cube, Square triangular
    [Show full text]
  • In the Last Lecture We Considered Only Symmetric Key Cryptosystems - in Which Both Communicating Party Used the Same (That Is Symmetric) Key
    INGENIOUS IDEA In the last lecture we considered only symmetric key cryptosystems - in which both communicating party used the same (that is symmetric) key. Till 1977 all Part I cryptosystems used were symmetric. The main issue was then absolutely secure distribution of the symmetric key. Public-key cryptosystems basics: I. Key exchange, knapsack, RSA Symmetric key cyptosystms are also called private key cryptosystems because the communicating parties use unique private key - no one else should know that key. The realization that a cryptosystem does not need to be symmetric/private can be seen as the single most important breakthrough in the modern cryptography and as one of the key discoveries leading to the internet and to information society. IV054 1. Public-key cryptosystems basics: I. Key exchange, knapsack, RSA 2/75 MOST POWERFUL SUPERCOMPUTERS - 2018 MOST POWERFUL SUPERCOMPUTERS - 2019 1 Summit, USA, 2018, 122.23 petaflops, 2,282.544 cores, 8,806 kW power 2 Sunway, TaihuLights, China, Wuxi, 93 petaflops, 10,650.000 cores, 15,371 kW 3 Siare, US, 71.6 petaflops, 1,572.400 cores, 4 Tianhe-2, China, Guangzhou, 34.55 petaflops, 4,981.760 cores, 18,482 kW:wq Among first 10 only one new one on the fifth position 5 ABCI, Japan, 19,9 petaflops, 39, 680 cores, 1,649 kW In April 2013 (June 2014) [June 2015] there were 26 (37) [68] computer systems with 1 Summit, USA, increased performance to 200 petaflops more than one teraflop performance. 2 Siare, USA, increased performance to 94.6 , 3 Sunway, TaihuLights, China, Wuxi, 93 petaflops Performance of the 100th computer increased in six months from 172 to 241 Teraflops 4 Tianhe-2, China, Guangzhou, increased performance to 61.4 petaflops, Out of 500 most powerful computer systems in June 2014, 233 was in US, 123 in Asia, 5 Frontera, USA 23.5 petaaflops, Uni.
    [Show full text]
  • Asymmetric Cryptography and Trapdoor One-Way Functions
    AUTOMATYKA/ AUTOMATICS 2016 Vol. 20 No. 2 http://dx.doi.org/10.7494/automat.2016.20.2.39 Natalia Krzyworzeka* Asymmetric cryptography and trapdoor one-way functions 1. Introduction The asymmetric encryption scheme was invented in 1969 by James H. Ellis (a British engineer and mathematician) and is now considered to be the starting point for modern cryptography. The first successful implementation of the public-key algorithm was achieved in 1973 by Clifford C. Cocks (another British mathematician and cryptogra- pher); however, his discovery was not published until 1997 due to its classified nature. Surprisingly, the same encryption mechanism was independently re-discovered by anoth- er group of cryptographers: Ron Rivest, Adi Shamir, and Len Adleman (from whom the RSA algorithm took its name). As opposed to symmetric cryptography, public-key encryption allows us to send and receive messages without the need of exchanging a secret key with the other party. Instead, the encryption algorithm generates a pair of two complementary cryptographic keys: the encryption (public) and decryption (private) keys. Though the private key must be highly protected by the owner, the public key can be widely disseminated to anyone for the purpose of secret data transfer. The asymmetric-key scheme, presented in Figure 1, is based on the assumption that the public key will neither provide any information about the private key nor will it allow others to recreate it and that the message encrypted according to the public key will not be possible to decrypt by any known cryptographic attack method. In reality, the public and private keys are used as a metaphor to describe the operations of a chosen trapdoor one-way function and its inverse.
    [Show full text]
  • Asymmetric Cryptographic Schemes Based on Noncommutative Structures by Shamsa Kanwal a Thesis Submitted in Partial Fulfillment for the Degree of Doctor of Philosophy
    CAPITAL UNIVERSITY OF SCIENCE AND TECHNOLOGY, ISLAMABAD Asymmetric Cryptographic Schemes Based on Noncommutative Structures by Shamsa Kanwal A thesis submitted in partial fulfillment for the degree of Doctor of Philosophy in the Faculty of Computing Department of Mathematics 2019 i Asymmetric Cryptographic Schemes Based on Noncommutative Structures By Shamsa Kanwal (PA-131001) Dr. Ayesha Khalid Queen's University Belfast, UK (Foreign Evaluator 1) Dr. Leo Zhang Deakin University, Australia (Foreign Evaluator 2) Dr. Rashid Ali (Thesis Supervisor) Dr. Muhammad Sagheer (Head, Department of Mathematics) Dr. Muhammad Abdul Qadir (Dean, Faculty of Computing) DEPARTMENT OF MATHEMATICS CAPITAL UNIVERSITY OF SCIENCE AND TECHNOLOGY ISLAMABAD 2019 ii Copyright c 2019 by Shamsa Kanwal All rights reserved. No part of this thesis may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, by any information storage and retrieval system without the prior written permission of the author. iii This dissertation is dedicated to My Father For earning a good and honest living for us and teaching me that so much could be done with little My Mother A strong and gentle soul who taught me to trust in Almighty Allah, believed in hard work and encouraged me to believe in myself vii List of Publications It is certified that following publication has been made out of the research work that has been carried out for this thesis:- 1. S. Kanwal and R. Ali, \A cryptosystem with noncommutative platform groups", Neural Computing and Application, volume 29, issue 11, 1273-1278, June 2018. Shamsa Kanwal (PA-131001) viii Acknowledgements In the name of Allah, the Most Gracious and the Most Merciful.
    [Show full text]
  • Post-Quantum Cryptography Daniel J
    Post-Quantum Cryptography Daniel J. Bernstein · Johannes Buchmann Erik Dahmen Editors Post-Quantum Cryptography ABC Editors Daniel J. Bernstein Johannes Buchmann Department of Computer Science Erik Dahmen University of Illinois, Chicago Technische Universität Darmstadt 851 S. Morgan St. Department of Computer Science Chicago IL 60607-7053 Hochschulstr. 10 USA 64289 Darmstadt [email protected] Germany [email protected] [email protected] ISBN: 978-3-540-88701-0 e-ISBN: 978-3-540-88702-7 Library of Congress Control Number: 2008937466 Mathematics Subject Classification Numbers (2000): 94A60 c 2009 Springer-Verlag Berlin Heidelberg This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilm or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law. The use of general descriptive names, registered names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. Cover design: WMX Design GmbH, Heidelberg Printed on acid-free paper springer.com Preface The first International Workshop on Post-Quantum Cryptography took place at the Katholieke Universiteit Leuven in 2006.
    [Show full text]
  • Numbers 1 to 100
    Numbers 1 to 100 PDF generated using the open source mwlib toolkit. See http://code.pediapress.com/ for more information. PDF generated at: Tue, 30 Nov 2010 02:36:24 UTC Contents Articles −1 (number) 1 0 (number) 3 1 (number) 12 2 (number) 17 3 (number) 23 4 (number) 32 5 (number) 42 6 (number) 50 7 (number) 58 8 (number) 73 9 (number) 77 10 (number) 82 11 (number) 88 12 (number) 94 13 (number) 102 14 (number) 107 15 (number) 111 16 (number) 114 17 (number) 118 18 (number) 124 19 (number) 127 20 (number) 132 21 (number) 136 22 (number) 140 23 (number) 144 24 (number) 148 25 (number) 152 26 (number) 155 27 (number) 158 28 (number) 162 29 (number) 165 30 (number) 168 31 (number) 172 32 (number) 175 33 (number) 179 34 (number) 182 35 (number) 185 36 (number) 188 37 (number) 191 38 (number) 193 39 (number) 196 40 (number) 199 41 (number) 204 42 (number) 207 43 (number) 214 44 (number) 217 45 (number) 220 46 (number) 222 47 (number) 225 48 (number) 229 49 (number) 232 50 (number) 235 51 (number) 238 52 (number) 241 53 (number) 243 54 (number) 246 55 (number) 248 56 (number) 251 57 (number) 255 58 (number) 258 59 (number) 260 60 (number) 263 61 (number) 267 62 (number) 270 63 (number) 272 64 (number) 274 66 (number) 277 67 (number) 280 68 (number) 282 69 (number) 284 70 (number) 286 71 (number) 289 72 (number) 292 73 (number) 296 74 (number) 298 75 (number) 301 77 (number) 302 78 (number) 305 79 (number) 307 80 (number) 309 81 (number) 311 82 (number) 313 83 (number) 315 84 (number) 318 85 (number) 320 86 (number) 323 87 (number) 326 88 (number)
    [Show full text]