UCL Crypto Group, Microelectronics Laboratory. Ch. Petit, ULG, Nov 2012
From Rubik’s to cryptography: a tour of computational challenges in the field
Christophe Petit
Mary Stuart, Queen of Scots
- Born on Dec 8th, 1542
- Queen of Scots on Dec 14th
- 1558: marries François II of France, who dies in 1560
- 1565: marries Lord Darnley, who is murdered in 1567
- 1567: marries James Hepburn
- 1567: forced to abdicate, she flees to England
The Babington Plot
- Mary is held captive by her cousin Queen Elisabeth
- Contacted by Babington to conspire against Queen Elisabeth
- They encipher their correspondence to keep it secret
- Conspiracy suspected, but Queen Elisabeth needs proof
A good cipher or death
- Principal Secretary Walsingham, also chief of the intelligence services, puts Thomas Phelippes on duty to break Mary’s code
- Mary’s life now relies on the strength of her cipher...
Outline
- Elliptic curve cryptography
- Hash functions and the Rubik’s cube
- Side-channel attacks
Cryptography
- Cryptos = secret, hidden; graphein = writing
- Securing communication in the presence of adversaries
  - Confidentiality
  - Data integrity
  - Authentication
  - Non-repudiation
- Building blocks: encryption, MACs, signatures, ...
- Many applications today: ATM cards, computer passwords, electronic commerce, electronic voting, ...
Cryptography Wall of Fame
- Julius Caesar
- Abu al-Kindi
- Blaise de Vigenère
- Charles Babbage
- Auguste Kerckhoffs (ULG!)
- Claude Shannon
- Alan Turing
- Whitfield Diffie and Martin Hellman
- Ronald Rivest, Adi Shamir and Leonard Adleman
- Neal Koblitz and Victor Miller
- ...
How to “prove” security?
- In cryptography, proofs are never absolute
- Typical theorem: if computational problem A is hard, then attack B against protocol C is hard as well
- Pro: one can focus on studying problem A
- Contra: only considers attack B
- Contra: only meaningful if problem A is hard
- Good news: some computational problems seem hard
Popular cryptographic “hard problems”
- Integer factorization (IFP): given n = pq where p and q are two large primes, find p and q
- Discrete logarithm (DLP): given a large prime p and g, h < p, find k such that h = g^k mod p
- Elliptic curve discrete logarithm (ECDLP): the same as DLP, but the multiplicative group of a finite field is replaced by the group of points of an elliptic curve (see below)
Additional cryptographic assumptions
- AES is a “good pseudorandom permutation”
- SHA-2 is a “good hash function” (see below)
- Lattice problems, coding theory problems, solving polynomial systems of equations
- Many variants of the previous problems
- ...
Strength of the assumptions
- Some are stronger than others
- Depends on the size of the parameters
- Evaluated based on
  - Best algorithms
  - Computing power
  - Fame of the problem
- See www.keylength.com
Protocol example: Diffie-Hellman key exchange
- Mary and Babington exchange messages that can be seen by Elisabeth. They want to share a secret key K_MB
- They agree on a prime number p and on g < p
- Mary sends h_m := g^m mod p for random m
- Babington sends h_b := g^b mod p for random b
- Mary computes K_MB := h_b^m mod p
- Babington computes K_BM := h_m^b mod p
- We have K_MB = g^(bm) mod p = g^(mb) mod p = K_BM
- Recovering m from g^m mod p (or b from g^b mod p) is the discrete logarithm problem
Symmetric key vs. public key
- In symmetric key cryptography, a single secret key is shared between sender and receiver
- In public key cryptography, one key is public, but only one person knows the corresponding secret key
  - Everybody can encrypt, only one can decrypt
  - Only one can sign, everybody can check the signature
- Key management is harder for symmetric keys
- Symmetric key algorithms are often more efficient
- Public key algorithms rely on “simpler and nicer” complexity assumptions
General advice to Mary Stuart
- Don’t build your own algorithm!
- AES, SHA-2, RSA, (EC)DSA are well studied
- Combine the power of symmetric and public key crypto
  - Key management is easier with public keys
  - Secret key algorithms are more efficient
  - Use long-term public keys to derive session secret keys
- Beware of authentication issues!
  - Textbook Diffie-Hellman can be broken with a simple man-in-the-middle attack
  - Use certificates to authenticate public keys
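The key exchange from the Diffie-Hellman slide together with the authentication advice just above, as an added example that is not part of the talk: textbook DH in Python over constructed toy parameters (p = 2039, q = 1019, g = 4, far too small to be secure), then the same exchange where each party signs its share with a long-term key using a Schnorr signature, standing in for the certificate the advice calls for. The subgroup check on received values is an added practitioner check, not something the slides mention.

```python
import hashlib
import secrets

# Constructed toy parameters (not secure): p = 2q + 1 with p, q prime and
# g = 4 generating the order-q subgroup of Z_p^*.
# Real deployments use p of at least 2048 bits; see www.keylength.com.
P = 2039
Q = 1019
G = 4


def keygen():
    """Secret exponent x in [1, q-1] and public value g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def dh_shared(own_secret, peer_public):
    """K = peer_public^own_secret mod p; Mary and Babington both reach g^(m*b)."""
    return pow(peer_public, own_secret, P)


def hash_to_zq(*parts):
    """Fiat-Shamir challenge: SHA-256 of the transcript, reduced mod q."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def schnorr_sign(sk, message):
    """Schnorr signature (e, s) in the order-q subgroup: s = r + sk*e mod q."""
    r = secrets.randbelow(Q - 1) + 1
    e = hash_to_zq(pow(G, r, P), message)
    return e, (r + sk * e) % Q


def schnorr_verify(pk, message, sig):
    e, s = sig
    # g^s * pk^(-e) = g^(r + sk*e) * g^(-sk*e) = g^r, so rehashing must give e
    t = (pow(G, s, P) * pow(pk, (Q - e) % Q, P)) % P
    return hash_to_zq(t, message) == e


def make_share(longterm_secret):
    """One party's message: the ephemeral secret is kept, (h, signature on h) is sent."""
    eph_secret, h = keygen()
    return eph_secret, h, schnorr_sign(longterm_secret, h)


def accept_share(trusted_longterm_pk, h, sig):
    """Receiver-side checks before h is used: h lies in the order-q subgroup
    (rejects 1, p-1 and small-subgroup values) and the signature verifies
    under the long-term key the receiver already trusts, which is the role a
    certificate plays in the talk's advice. A substituted h fails the
    signature check except with probability about 1/q."""
    if not 1 < h < P - 1 or pow(h, Q, P) != 1:
        return False
    return schnorr_verify(trusted_longterm_pk, h, sig)


def textbook_exchange():
    """Unauthenticated exchange from the slide: Elisabeth sees h_m and h_b,
    but recovering m or b from them is the discrete logarithm problem."""
    m, h_m = keygen()
    b, h_b = keygen()
    return dh_shared(m, h_b), dh_shared(b, h_m)


def authenticated_exchange(mary_longterm, babington_longterm):
    """Both parties sign their share; each uses the peer's share only after
    accept_share passes. Long-term keys are (secret, public) pairs from keygen().
    Returns (K_MB, K_BM)."""
    m, h_m, sig_m = make_share(mary_longterm[0])
    b, h_b, sig_b = make_share(babington_longterm[0])
    if not accept_share(babington_longterm[1], h_b, sig_b):
        raise ValueError("Babington's share rejected")
    if not accept_share(mary_longterm[1], h_m, sig_m):
        raise ValueError("Mary's share rejected")
    return dh_shared(m, h_b), dh_shared(b, h_m)
```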
Elliptic curve cryptography
- Diffie-Hellman (and many other protocols) was first described for the group F_p^*
- 1985: Koblitz and Miller independently proposed to use the group of points of an elliptic curve instead
Elliptic curves
- Points (x, y) satisfying an equation y^2 = x^3 + Ax + B; can be defined over any field K
- Form an Abelian group
- Elliptic curve discrete logarithm problem: given P and Q = [k]P, find k
ECDLP vs DLP or factoring
- ECDLP is much harder than DLP or factoring
  - We have much better algorithms for DLP and factoring than for ECDLP
  - 1300-bit RSA or DL ≈ 160-bit ECDLP
- Group addition is now rather efficient
- Elliptic curves offer additional features
- 2000: 15 curves recommended by NIST in FIPS 186-2
- 2009: NSA advocates the use of ECC
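The group law and the ECDLP statement from the two elliptic-curve slides above, as an added example that is not part of the talk: chord-and-tangent addition, double-and-add scalar multiplication and the generic "walk through [k]P" solver on a constructed toy curve y^2 = x^3 + 2x + 2 over F_17 (19 points), which makes concrete why the size of the group order sets the security level. The public-point validation and the ECDH helper are added practitioner material, not the slides' own.

```python
# Constructed toy curve y^2 = x^3 + 2x + 2 over F_17: it has 19 points, so the
# group is cyclic of prime order 19 and any point other than INF generates it.
# Real curves (e.g. the NIST curves named in the talk) have about 2^256 points.
P_MOD = 17
A, B = 2, 2
GEN = (5, 1)        # base point P
INF = None          # point at infinity, the group identity
ORDER = 19


def inv(x):
    """Modular inverse via Fermat's little theorem (P_MOD is prime)."""
    return pow(x % P_MOD, P_MOD - 2, P_MOD)


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def add(p1, p2):
    """Chord-and-tangent group law: the Abelian group the slide refers to."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # p2 = -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD   # tangent slope
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD       # chord slope
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k, pt):
    """[k]P by double-and-add: about log2(k) doublings, so cheap even for a
    256-bit k. This is the easy direction of the ECDLP."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def order(pt):
    """Smallest n > 0 with [n]pt = INF."""
    n, cur = 1, pt
    while cur is not INF:
        cur = add(cur, pt)
        n += 1
    return n


def ecdlp_bruteforce(base, target):
    """Generic solver for 'given P and Q = [k]P, find k': walk [1]P, [2]P, ...
    until target is hit. Work grows with the group order (Pollard rho still
    needs about sqrt(|G|) steps), which is why |G| must be astronomically
    large; on this 19-point curve it is instant."""
    cur, k = INF, 0
    while cur != target:
        cur = add(cur, base)
        k += 1
    return k


def validate_public(pt):
    """Practitioner check on a received point (added here, not from the talk):
    on the curve, not the identity, and in the prime-order group, so a peer
    cannot feed in a point from a different, weaker curve."""
    return pt is not INF and on_curve(pt) and scalar_mult(ORDER, pt) is INF


def ecdh_shared(own_secret, peer_public):
    """The talk's Diffie-Hellman with the curve group in place of Z_p^*:
    [m]([b]GEN) = [b]([m]GEN)."""
    return scalar_mult(own_secret, peer_public)
```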
A theoretical breakthrough
- 30-year-old subexponential algorithms for DLP and factoring, now ≈ $\exp\left(c\,(\log|G|)^{1/3}(\log\log|G|)^{2/3}\right)$
- Except for special curves, ECDLP remained exponential
  - Best attacks were generic attacks in ≈ $\exp\left((\log|G|)/2\right)$
- 2012: binary-curve ECDLP subexponential [FPPR12, PQ12]
  - Complexity ≈ $\exp\left(c'\,(\log|G|)^{2/3}\log\log|G|\right)$
  - 10/15 NIST curves are binary curves
  - Beats Pollard rho for "large" parameters
  - Index calculus algorithm
![Page 55: -0.3cm From Rubik's to cryptography A tour of …...Ch.Petit - ULG - Nov 2012 1 From Rubik’s to cryptography A tour of computational challenges in the eld Christophe Petit UCL Crypto](https://reader034.vdocument.in/reader034/viewer/2022050412/5f892423fef0434af6458c08/html5/thumbnails/55.jpg)
UCL Crypto GroupMicroelectronics Laboratory Ch.Petit - ULG - Nov 2012 20
A generic DLP algorithm: Pollard's rho
- Let P and Q = [k]P in a group G. We want to find k
- Define a "pseudorandom" function f such that f(R) is either [2]R, (R + S) or (R + T)
- Start from $P_0 := O$ and iterate f
- Store $P_i = [a_i]P + [b_i]Q$
- When a collision $P_m = P_n$ is found, deduce $Q = \left[\frac{a_m - a_n}{b_n - b_m}\right]P$
- Time complexity ≈ $|G|^{1/2}$ ⇒ today we need $|G| > 2^{160}$
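The walk on the slide, run end to end on a toy elliptic curve. This is an added example written for this page, not code from the talk: the curve $y^2 = x^3 + 2x + 2$ over $\mathbb{F}_{17}$ with $P = (5, 1)$ of prime order 19 is a textbook parameter set chosen here, and the summands S and T are taken as random known combinations $[s_1]P + [s_2]Q$ and $[t_1]P + [t_2]Q$ (an assumption; the slide does not fix them). Every walk point is carried as $[a_i]P + [b_i]Q$, Floyd's tortoise-and-hare detects the collision, and the relation yields $k = (a_m - a_n)/(b_n - b_m) \bmod n$; a degenerate collision with $b_m = b_n$ simply restarts the walk with fresh S and T.

```python
"""Pollard's rho for the ECDLP on a toy curve (added example, not from the talk).

The slide's walk f(R) in {[2]R, R + S, R + T}, with Floyd cycle finding.
"""
import random

# Toy curve y^2 = x^3 + 2x + 2 over F_17. P = (5, 1) generates the whole
# group, which has prime order 19 (textbook parameters chosen by us).
P_MOD, A, B = 17, 2, 2
GEN = (5, 1)


def ec_add(p1, p2, p=P_MOD, a=A):
    """Affine point addition; the point at infinity O is represented as None."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, pt):
    """[k]pt by double-and-add."""
    acc, cur = None, pt
    while k > 0:
        if k & 1:
            acc = ec_add(acc, cur)
        cur = ec_add(cur, cur)
        k >>= 1
    return acc


def point_order(pt):
    """Order of pt by naive repeated addition (fine for a toy group)."""
    n, cur = 1, pt
    while cur is not None:
        cur = ec_add(cur, pt)
        n += 1
    return n


def pollard_rho(P, Q, n, seed=2012):
    """Return k with Q = [k]P, where P has prime order n.

    Every walk point is tracked as [c]P + [d]Q, the slide's P_i = [a_i]P + [b_i]Q.
    A collision gives (c1 - c2) P = (d2 - d1) Q, hence k = (c1 - c2)/(d2 - d1) mod n.
    """
    rng = random.Random(seed)
    while True:
        # S and T are random known combinations of P and Q (our assumption);
        # they are redrawn on each attempt so a useless collision just retries.
        s1, s2, t1, t2 = (rng.randrange(n) for _ in range(4))
        S = ec_add(ec_mul(s1, P), ec_mul(s2, Q))
        T = ec_add(ec_mul(t1, P), ec_mul(t2, Q))

        def step(R, c, d):
            # Partition by x-coordinate mod 3; O (None) is sent to the "+S"
            # class so the walk never gets stuck doubling the identity.
            cls = 0 if R is None else R[0] % 3
            if cls == 0:
                return ec_add(R, S), (c + s1) % n, (d + s2) % n
            if cls == 1:
                return ec_add(R, R), 2 * c % n, 2 * d % n
            return ec_add(R, T), (c + t1) % n, (d + t2) % n

        c0, d0 = rng.randrange(n), rng.randrange(n)
        start = (ec_add(ec_mul(c0, P), ec_mul(d0, Q)), c0, d0)
        slow = fast = start
        # Floyd: the tortoise moves one step, the hare two, until they meet.
        while True:
            slow = step(*slow)
            fast = step(*step(*fast))
            if slow[0] == fast[0]:
                break
        _, am, bm = slow
        _, an, bn = fast
        if (bn - bm) % n == 0:
            continue  # degenerate relation: retry with a fresh walk
        return (am - an) * pow((bn - bm) % n, -1, n) % n


if __name__ == "__main__":
    n = point_order(GEN)
    Q = ec_mul(13, GEN)
    print("order of P:", n, "recovered k:", pollard_rho(GEN, Q, n))
```

The group is tiny, so a run is instant; on a real curve the same loop costs about $\sqrt{|G|}$ group operations, which is exactly why the slide asks for $|G| > 2^{160}$.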
![Page 61: -0.3cm From Rubik's to cryptography A tour of …...Ch.Petit - ULG - Nov 2012 1 From Rubik’s to cryptography A tour of computational challenges in the eld Christophe Petit UCL Crypto](https://reader034.vdocument.in/reader034/viewer/2022050412/5f892423fef0434af6458c08/html5/thumbnails/61.jpg)
UCL Crypto GroupMicroelectronics Laboratory Ch.Petit - ULG - Nov 2012 21
Index calculus
- General method to solve discrete logarithm problems
  1. Define a factor basis $F \subset G$
  2. Relation search: find about $|F|$ relations $a_i P + b_i Q = \sum_{P_j \in F} e_{ij} P_j$
  3. Do linear algebra modulo $|G|$ on the relations to get $aP + bQ = 0$
- Success depends on the group
- Can be adapted for factoring
![Page 67: -0.3cm From Rubik's to cryptography A tour of …...Ch.Petit - ULG - Nov 2012 1 From Rubik’s to cryptography A tour of computational challenges in the eld Christophe Petit UCL Crypto](https://reader034.vdocument.in/reader034/viewer/2022050412/5f892423fef0434af6458c08/html5/thumbnails/67.jpg)
UCL Crypto GroupMicroelectronics Laboratory Ch.Petit - ULG - Nov 2012 22
Example: a naive index calculus for $\mathbb{F}_p^*$
- DLP: given $g, h \in \mathbb{F}_p^*$, find k such that $h = g^k$
- Factor basis made of small "primes": $FB := \{\text{primes } p_i \le B\}$
- Relation search
  - Choose random $a, b \in \{1, \dots, p-1\}$
  - Compute $r := g^a h^b \bmod p$
  - If all factors of r are ≤ B, store a relation $[a]g + [b]h = \sum_{p_i \in FB} [e_i]\, p_i$
- Linear algebra modulo p − 1 on the relations
- For $B \approx \exp((\log p)^{1/2})$, subexponential complexity
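The three steps of the two index calculus slides, carried out on a toy prime field. This is an added example, not the talk's code: p = 1019 is chosen here as a safe prime (p − 1 = 2·509) so that the "linear algebra modulo p − 1" can be done with ordinary Gaussian elimination modulo 2 and modulo 509 and recombined by CRT, which avoids elimination over a composite modulus; B = 20 is a hand-picked smoothness bound, roughly the slide's $\exp((\log p)^{1/2}) \approx 14$. Each stored relation $g^a h^b \equiv \prod_i p_i^{e_i}$ becomes the linear equation $\sum_i e_i \log p_i - b\,k \equiv a$ in the unknowns $\log p_i$ and $k = \log h$.

```python
"""Naive index calculus for the DLP in F_p^* (added example, not from the talk).

Assumption made here: p is a safe prime (p - 1 = 2q with q prime), so the
linear algebra modulo p - 1 is done modulo 2 and modulo q with plain
Gauss-Jordan elimination and the two answers are glued by CRT.
"""
import random


def small_primes(bound):
    """Factor basis FB = {primes p_i <= bound}."""
    return [n for n in range(2, bound + 1)
            if all(n % d for d in range(2, int(n ** 0.5) + 1))]


def smooth_exponents(r, primes):
    """Exponent vector of r over the factor basis, or None if r is not smooth."""
    exps = []
    for q in primes:
        e = 0
        while r % q == 0:
            r //= q
            e += 1
        exps.append(e)
    return exps if r == 1 else None


def solve_mod_prime(rows, ncols, ell):
    """Gauss-Jordan over F_ell on an augmented matrix [A | rhs].

    Returns the unique solution, or None when some unknown is not yet pinned
    down (the caller then gathers more relations).
    """
    m = [[v % ell for v in row] for row in rows]
    for c in range(ncols):
        piv = next((i for i in range(c, len(m)) if m[i][c]), None)
        if piv is None:
            return None
        m[c], m[piv] = m[piv], m[c]
        inv = pow(m[c][c], -1, ell)
        m[c] = [v * inv % ell for v in m[c]]
        for i in range(len(m)):
            if i != c and m[i][c]:
                f = m[i][c]
                m[i] = [(vi - f * vc) % ell for vi, vc in zip(m[i], m[c])]
    return [m[c][ncols] for c in range(ncols)]


def is_generator(g, p):
    """For a safe prime p, g generates F_p^* iff g^2 != 1 and g^((p-1)/2) != 1."""
    return pow(g, 2, p) != 1 and pow(g, (p - 1) // 2, p) != 1


def index_calculus(g, h, p, bound, seed=1542):
    """Return k with g^k = h mod p, for g a generator of F_p^* and p a safe prime."""
    q = (p - 1) // 2
    rng = random.Random(seed)
    primes = small_primes(bound)          # step 1: the factor basis
    t = len(primes)
    rows, wanted = [], t + 1 + 5
    while True:
        # Step 2, relation search: r = g^a h^b mod p, kept when r is B-smooth.
        # Since log r = a + b*k, the relation reads sum_j e_j log p_j - b*k = a.
        while len(rows) < wanted:
            a, b = rng.randrange(1, p), rng.randrange(1, p)
            r = pow(g, a, p) * pow(h, b, p) % p
            e = smooth_exponents(r, primes)
            if e is not None:
                rows.append(e + [-b, a])
        # Step 3, linear algebra: unknowns are the t logs and k (column t).
        sols = [solve_mod_prime(rows, t + 1, ell) for ell in (2, q)]
        if all(s is not None for s in sols):
            k2, kq = sols[0][t], sols[1][t]
            # CRT for the coprime moduli 2 and q (q odd): k = kq + q*((k2 - kq) mod 2)
            return (kq + q * ((k2 - kq) % 2)) % (p - 1)
        wanted += 5  # not enough independent relations yet: collect more


if __name__ == "__main__":
    p, g = 1019, 2
    h = pow(g, 777, p)
    print("log_2(%d) mod %d = %d" % (h, p, index_calculus(g, h, p, 20)))
```

The two knobs of the method are visible here: a larger B makes smooth values of r more frequent (cheaper relation search) but enlarges the matrix (dearer linear algebra), and the balance between them is what gives the subexponential running time the slide quotes.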
![Page 73: -0.3cm From Rubik's to cryptography A tour of …...Ch.Petit - ULG - Nov 2012 1 From Rubik’s to cryptography A tour of computational challenges in the eld Christophe Petit UCL Crypto](https://reader034.vdocument.in/reader034/viewer/2022050412/5f892423fef0434af6458c08/html5/thumbnails/73.jpg)
UCL Crypto GroupMicroelectronics Laboratory Ch.Petit - ULG - Nov 2012 23
Index calculus in practice
- Relation search is distributed
  - Can use FPGAs, graphics cards, PlayStations, cloud computing...
  - RSA-768 factorization: 2000 computer-core years
- Linear algebra is not trivial
  - Memory may be a larger constraint than time
  - Preprocessing, block algorithms, sparse algorithms, ...
  - RSA-768 factorization: square matrix of dimension 252,735,215 with 14.7 non-zero entries per row on average
- Main costs include power and building costs...
![Page 76: -0.3cm From Rubik's to cryptography A tour of …...Ch.Petit - ULG - Nov 2012 1 From Rubik’s to cryptography A tour of computational challenges in the eld Christophe Petit UCL Crypto](https://reader034.vdocument.in/reader034/viewer/2022050412/5f892423fef0434af6458c08/html5/thumbnails/76.jpg)
UCL Crypto GroupMicroelectronics Laboratory Ch.Petit - ULG - Nov 2012 24
My personal advice to Mary Stuart
- Elliptic curves are smaller, faster, cuter
- BUT there is a new attack on binary curves
  - Practical impact still unclear
    - Could remain theoretical
    - Improvements might break current parameters
    - Could be extended to prime-field elliptic curves
- Avoid binary curves for at least five years
- Beware that algorithm improvements are more likely to come for ECDLP than for DLP or factoring
![Page 79: -0.3cm From Rubik's to cryptography A tour of …...Ch.Petit - ULG - Nov 2012 1 From Rubik’s to cryptography A tour of computational challenges in the eld Christophe Petit UCL Crypto](https://reader034.vdocument.in/reader034/viewer/2022050412/5f892423fef0434af6458c08/html5/thumbnails/79.jpg)
UCL Crypto GroupMicroelectronics Laboratory Ch.Petit - ULG - Nov 2012 25
Outline
Elliptic curve cryptography
Hash functions and the Rubik’s cube
Side-channel attacks
![Page 80: -0.3cm From Rubik's to cryptography A tour of …...Ch.Petit - ULG - Nov 2012 1 From Rubik’s to cryptography A tour of computational challenges in the eld Christophe Petit UCL Crypto](https://reader034.vdocument.in/reader034/viewer/2022050412/5f892423fef0434af6458c08/html5/thumbnails/80.jpg)
UCL Crypto GroupMicroelectronics Laboratory Ch.Petit - ULG - Nov 2012 26
Cryptographic hash functions
- "Compressing" functions $H : \{0,1\}^* \to \{0,1\}^n$
- Main security properties
  - Collision resistance: hard to find $m \ne m'$ such that $H(m) = H(m')$
  - Preimage resistance: given h, hard to find m such that $H(m) = h$
  - Second preimage resistance: given m, hard to find $m' \ne m$ such that $H(m') = H(m)$
- Often used as "pseudo-random functions"
![Page 85: -0.3cm From Rubik's to cryptography A tour of …...Ch.Petit - ULG - Nov 2012 1 From Rubik’s to cryptography A tour of computational challenges in the eld Christophe Petit UCL Crypto](https://reader034.vdocument.in/reader034/viewer/2022050412/5f892423fef0434af6458c08/html5/thumbnails/85.jpg)
UCL Crypto GroupMicroelectronics Laboratory Ch.Petit - ULG - Nov 2012 27
Applications
- Message authentication codes
- Digital signatures
- Password storage
- Pseudorandom number generation
- Entropy extraction
- Key derivation techniques
- ...
![Page 86: -0.3cm From Rubik's to cryptography A tour of …...Ch.Petit - ULG - Nov 2012 1 From Rubik’s to cryptography A tour of computational challenges in the eld Christophe Petit UCL Crypto](https://reader034.vdocument.in/reader034/viewer/2022050412/5f892423fef0434af6458c08/html5/thumbnails/86.jpg)
UCL Crypto GroupMicroelectronics Laboratory Ch.Petit - ULG - Nov 2012 28
Popular hash algorithms
- MD5, SHA-1, RIPEMD-128, GOST, SHA-2, SHA-3
- MD5 is dead!
  - 1996: first weaknesses, shift to SHA-1 recommended
  - 2004: first actual collisions
  - 2005: Nostradamus attack
  - 2008: fake root CA certificates
  - 2012: still widely used
- 2005: security of SHA-1 questioned
- 2012: SHA-3 selected after public competition
- All of them have a "block cipher-like structure"
![Page 91: -0.3cm From Rubik's to cryptography A tour of …...Ch.Petit - ULG - Nov 2012 1 From Rubik’s to cryptography A tour of computational challenges in the eld Christophe Petit UCL Crypto](https://reader034.vdocument.in/reader034/viewer/2022050412/5f892423fef0434af6458c08/html5/thumbnails/91.jpg)
UCL Crypto GroupMicroelectronics Laboratory Ch.Petit - ULG - Nov 2012 29
Hash functions from Cayley graphs
- Goal: relate the main security properties of a hash function to "simple" hard problems from group/graph theory
- Parameters: a group G, and S = {s_0, ..., s_{k-1}} ⊂ G
- Write m = m_1 m_2 ... m_N with m_i ∈ {0, ..., k-1}. Define
  $H(m) := s_{m_1} s_{m_2} \cdots s_{m_N}$
- Efficiency can be good, depending on G and S
- Parallelism: H(m||m') = H(m) H(m')
Cayley graph perspective
- Hash computation ∼ walk in the Cayley graph
- Example: G = (Z/8Z, +), S = {1, 2}
  [Figure: Cayley graph of Z/8Z with generators 1 and 2, vertices 0 to 7, the walk for m = 101 highlighted]
  m = 101, H(m) = 0 + 1 + 2 + 1 = 4
- Preimage algorithm ∼ path-finding algorithm
Example: Tillich-Zemor [TZ94]
$G = SL(2, \mathbb{F}_{2^n})$, $S = \{A_0, A_1\}$ with
$A_0 = \begin{pmatrix} X & 1 \\ 1 & 0 \end{pmatrix}$, $A_1 = \begin{pmatrix} X & X+1 \\ 1 & 1 \end{pmatrix}$
A hard (?) problem
- Factorization problem in finite groups: given G, g ∈ G and S = {s_0, ..., s_{k-1}} ⊂ G, find a short product
  $\prod_i s_{m_i} = g$
- Corresponds to finding preimages
- Similar problems for collision, second preimage
- Has this problem been sufficiently studied?
Popular example: the Rubik's cube
- Rubik's cube ∼ subgroup of all permutations of the corners, the central edge elements and their orientations
- Generated by the faces' rotations
- Neutral element ∼ Rubik's cube when solved
- Solution = combination of the elementary permutations leading to the neutral element
Is Rubik hard enough?
Not really, but generalizations might be
Related problems
- Babai's conjecture [BS92]
  - There is a constant c such that, for any non-Abelian finite simple group G, for all generator sets S, the diameter of the Cayley graph arising from G and S is smaller than $(\log |G|)^c$.
  - Partial proofs by Helfgott, Tao, Bourgain, ...
  - Factoring problem ∼ constructive proof of the conjecture
- Expander graphs
  - Cayley graphs tend to be good expanders
  - Expanders have a lot of applications [HLW06]
  - Traveling in those graphs will be useful, too
Is the problem hard enough?
- LPS hash function [CGL07]
  - Collision and preimage attacks [TZ08, PLQ08]
- Tillich-Zemor hash function [TZ94]
  - Collision and preimage attacks [GIMS11, PQ10]
- Other particular parameters broken
- General parameters: work in progress
Some advice to Mary Stuart
- Use MACs or signatures to authenticate the messages
- Don't use MD5!
- Too risky to use hash functions from Cayley graphs
- Working on generalizations of the Rubik's cube will be a fun and useful way to spend your time in prison
  - Expander graphs and their applications
  - Babai's conjecture
  - Cryptographic applications
Outline
Elliptic curve cryptography
Hash functions and the Rubik’s cube
Side-channel attacks
An example of side-channel attack
- Choose a random bit b ∈ {0, 1}. Keep it perfectly secret.
- Let x := b × 123456789. Keep this number secret.
- Let y := x^2. Keep this number secret. When you're done, raise a hand.
- Let z := 0 × y. Return z.
- From z only, I know nothing about b
- From the computing time, I can guess b with good probability.
CMOS inverter dynamic consumption
$P = C_L \cdot V_{DD}^2 \cdot P_{0 \to 1} \cdot f$
with C_L the load capacitance, V_DD the supply voltage, P_{0→1} the probability of a 0→1 output transition per clock cycle and f the clock frequency: through P_{0→1}, the consumption depends on the data being switched.
If you can't get through it, go around it
- In most crypto algorithms, recovering the private key from the messages would require solving a very hard problem
- Side-channel attacks: use side information from the computation
  - Timing, power consumption, electromagnetic variations, keyboard noise, ...
- Fault attacks: induce faults during the computation, deduce relevant information from the result
  - Alter memory
  - Skip some instructions
Square and Multiply algorithm (SM)
- In RSA, need to compute $g^d \bmod n$ where d is secret
- Modular exponentiations use the SM algorithm
  1. Let $d = d_0 + d_1 2 + d_2 2^2 + \dots + d_\ell 2^\ell$
  2. Let h := 1
  3. For i := ℓ, ..., 0 do
  4.   h ← h^2 mod n
  5.   If d_i = 1 then
  6.     h ← h·g mod n
  7.   end if
  8. end for
- Always square, but multiply only when the bit is 1
- What is the power consumption?
A power attack against SM
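An added example (not code from the slides) of the leakage this slide points at: the square-and-multiply loop of the previous slide with its executed operation sequence recorded as a stand-in for a power or timing trace, the secret exponent read back from that sequence, and a regular exponentiation (Montgomery ladder, a standard countermeasure not mentioned on the slides) whose operation sequence no longer depends on the exponent. The values g, d, n are constructed for the demonstration.

```python
# Added example (not the slides' code): operation-sequence leakage of
# square-and-multiply, modelled as the list of executed operations.
# "S" = modular squaring, "M" = modular multiplication. A simple power
# attack tells them apart on a trace because they cost differently.
from typing import List, Tuple

def square_and_multiply(g: int, d: int, n: int) -> Tuple[int, List[str]]:
    """Left-to-right square-and-multiply, steps 1-8 of the slide.
    Returns g^d mod n and the operation trace the computation leaks."""
    trace: List[str] = []
    h = 1
    for i in range(d.bit_length() - 1, -1, -1):   # i = l, ..., 0
        h = h * h % n
        trace.append("S")
        if (d >> i) & 1:                           # multiply only if d_i = 1
            h = h * g % n
            trace.append("M")
    return h, trace

def exponent_from_trace(trace: List[str]) -> int:
    """Read the exponent back: each 'S' opens a new bit position (bit 0),
    and an 'M' right after it means that bit was 1."""
    bits: List[int] = []
    for op in trace:
        if op == "S":
            bits.append(0)
        else:
            bits[-1] = 1
    d = 0
    for b in bits:
        d = (d << 1) | b
    return d

def montgomery_ladder(g: int, d: int, n: int) -> Tuple[int, List[str]]:
    """Regular exponentiation: exactly one multiplication and one squaring
    per exponent bit, whatever its value, so the operation sequence carries
    no information about d. (Which register is written still differs per
    bit; that finer address leakage is outside this model.)"""
    trace: List[str] = []
    r0, r1 = 1, g % n
    for i in range(d.bit_length() - 1, -1, -1):
        if (d >> i) & 1:
            r0 = r0 * r1 % n
            r1 = r1 * r1 % n
        else:
            r1 = r0 * r1 % n
            r0 = r0 * r0 % n
        trace.extend(["M", "S"])
    return r0, trace

if __name__ == "__main__":
    g, d, n = 7, 0b1011010, 1019            # constructed demo values
    result, trace = square_and_multiply(g, d, n)
    print("".join(trace), "->", bin(exponent_from_trace(trace)))  # SMSSMSMSSMS -> 0b1011010
    result2, trace2 = montgomery_ladder(g, d, n)
    print(result == result2 == pow(g, d, n), "".join(trace2))    # True MSMSMSMSMSMSMS
```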
Correlation power attack
- Divide and conquer: successively recover key bytes
- Leakage model
  - Hamming distance
  - Hamming weight
- Correlation attack
  - Make a guess on a key byte
  - Deduce the Hamming weight (variations) of the registers
  - Correlate with the power trace(s)
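An added example (not code from the slides) running the three steps above on constructed traces, the way an evaluator checks how much a leakage model gives away: the leakage of one key byte is simulated under the Hamming-weight model as HW(SBOX[p ⊕ k]) plus Gaussian noise, and each of the 256 guesses is correlated with the samples. The substitution table is a seeded random permutation standing in for a real S-box; the key byte, noise level and trace count are assumptions of the demo.

```python
# Added example (not the slides' code): correlation power attack on one
# key byte under the Hamming-weight leakage model, on constructed traces.
import random
from typing import List, Sequence, Tuple

# Constructed 8-bit substitution table: a seeded random permutation
# standing in for the S-box of a real cipher.
_table_rng = random.Random(2012)
SBOX = list(range(256))
_table_rng.shuffle(SBOX)

def hamming_weight(v: int) -> int:
    return bin(v).count("1")

def simulate_traces(key_byte: int, n_traces: int, noise_sigma: float,
                    seed: int = 1) -> Tuple[List[int], List[float]]:
    """Constructed leakage: for a known random input byte p, one sample
    HW(SBOX[p ^ key_byte]) + N(0, sigma^2), the register after the lookup."""
    rng = random.Random(seed)
    inputs = [rng.randrange(256) for _ in range(n_traces)]
    samples = [hamming_weight(SBOX[p ^ key_byte]) + rng.gauss(0.0, noise_sigma)
               for p in inputs]
    return inputs, samples

def pearson(xs: Sequence[float], ys: Sequence[float]) -> float:
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return 0.0 if vx == 0 or vy == 0 else cov / (vx * vy) ** 0.5

def cpa_scores(inputs: Sequence[int], samples: Sequence[float]) -> List[float]:
    """For every guess of the key byte, predict the Hamming weight of the
    register for each trace and correlate the prediction with the samples.
    Only the right guess predicts the real register contents, so only its
    correlation stays high as the trace count grows."""
    scores = []
    for guess in range(256):
        predicted = [hamming_weight(SBOX[p ^ guess]) for p in inputs]
        scores.append(pearson(predicted, samples))
    return scores

def recovered_key(scores: Sequence[float]) -> int:
    return max(range(256), key=lambda k: scores[k])

def key_rank(scores: Sequence[float], true_key: int) -> int:
    """Position of the true key in the sorted candidate list (0 = first);
    the figure an evaluator watches as noise or trace count changes."""
    return sum(1 for s in scores if s > scores[true_key])

if __name__ == "__main__":
    key = 0x4B                                  # constructed secret byte
    for n_traces in (20, 300):
        inputs, samples = simulate_traces(key, n_traces, noise_sigma=1.0)
        scores = cpa_scores(inputs, samples)
        print("%d traces: best guess 0x%02X, rank of true key %d"
              % (n_traces, recovered_key(scores), key_rank(scores, key)))
```

Raising noise_sigma or lowering n_traces pushes the true key's rank up, which is the trade-off the "Variations" slide that follows is about.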
Variations
- Signal preprocessing to reduce noise
- Dimensionality reduction to select points on the traces
- If another device is available, build leakage templates to improve the leakage model
- Other statistics or machine learning tools to identify the right key candidate
- Brute-force to eliminate the last wrong key candidates
Countermeasures
- Physical countermeasures
  - Physical and chemical shields
  - Noise addition
  - Dual-rail logic styles
  - ...
- Algorithmic countermeasures
  - Dummy operations
  - Noise addition
  - Masking
  - Shuffling
  - ...
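To make the Hamming-weight leakage model, the correlation statistic of the previous slides and the masking countermeasure concrete, here is an added Python simulation; it is not code from the talk. A simulated device leaks the Hamming weight of the register written by an S-box lookup, plus Gaussian noise. The correlation between that leakage and the prediction for each key-byte guess singles out the right byte on the unmasked device, while on a device that stores only the Boolean-masked value the same statistic shows no correlation for any guess. The S-box is a constructed seeded permutation standing in for AES's, and the key byte, trace count and noise level are constructed parameters.

```python
import math
import random

# Toy 8-bit S-box: a seeded random permutation standing in for the AES S-box
# (constructed for this example, not a real cipher component).
_sbox_rng = random.Random(0)
SBOX = list(range(256))
_sbox_rng.shuffle(SBOX)


def hamming_weight(x):
    return bin(x).count("1")


def simulate_traces(key_byte, n_traces, sigma, masked, rng):
    """Return (plaintext bytes, leakage samples) for one S-box lookup per trace.

    The device's consumption follows the Hamming weight of the register it
    writes, plus Gaussian noise of standard deviation sigma.  With masked=True
    the register holds SBOX[pt ^ key] XOR m for a fresh random mask m on every
    execution (first-order Boolean masking), so its weight is independent of
    the secret-dependent value.
    """
    pts, samples = [], []
    for _ in range(n_traces):
        pt = rng.randrange(256)
        value = SBOX[pt ^ key_byte]
        if masked:
            value ^= rng.randrange(256)
        pts.append(pt)
        samples.append(hamming_weight(value) + rng.gauss(0.0, sigma))
    return pts, samples


def pearson(xs, ys):
    """Pearson correlation coefficient of two equally long sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy) if vx and vy else 0.0


def correlations(pts, samples):
    """Correlation attack on one key byte (divide and conquer): for each of the
    256 guesses predict HW(SBOX[pt ^ guess]) and correlate with the samples."""
    result = []
    for guess in range(256):
        predicted = [hamming_weight(SBOX[pt ^ guess]) for pt in pts]
        result.append(pearson(predicted, samples))
    return result


def best_guess(corrs):
    """The guess whose prediction correlates most strongly (in absolute value)."""
    return max(range(256), key=lambda g: abs(corrs[g]))


def demo(key_byte=0x2B, n_traces=500, sigma=1.0, seed=7):
    """Run the same attack on unmasked and on masked simulated leakage."""
    rng = random.Random(seed)
    pts, samples = simulate_traces(key_byte, n_traces, sigma, False, rng)
    unmasked = correlations(pts, samples)
    pts, samples = simulate_traces(key_byte, n_traces, sigma, True, rng)
    masked = correlations(pts, samples)
    return {
        "unmasked_guess": best_guess(unmasked),   # equals key_byte
        "unmasked_corr": unmasked[key_byte],      # clearly positive
        "masked_corr": masked[key_byte],          # close to zero
    }


if __name__ == "__main__":
    print(demo())
```

The point for a designer: with 500 noisy traces the unmasked key byte is recovered without ambiguity, and nothing in the masked run distinguishes the right guess from the other 255. First-order masking only raises the bar, though: an evaluation that combines the leakage of the mask and of the masked value (a second-order attack) recovers the correlation again, which is why masking is normally paired with noise addition or shuffling as on the slide.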
Fresh rekeying
- Because of noise, side-channel attacks typically require many traces from the same key
- Idea: build new algorithms/protocols for which the key is frequently updated [PSPMY08, MPRRS11, ...]
- If possible, build them from standard algorithms
General advice to Mary Stuart
- Beware that even a secure algorithm can become insecure if badly implemented
- Include appropriate side-channel countermeasures in your favorite crypto computing machine
Outline
- Elliptic curve cryptography
- Hash functions and the Rubik's cube
- Side-channel attacks
"Cipher of Death"
- Mary Stuart didn't use good crypto
  - Her code was broken by Thomas Phelippes
- Walsingham sent her a fake message asking confirmation of her commitment; she answered
- Mary sentenced to death and executed on Feb 8th, 1587
Conclusion
- We all need a good cryptographer
  - More than military and government usage today
  - Private communications, ATMs, e-banking, e-voting, ...
- Challenges for the good (?) guy
  - Make algorithms fast, tiny and secure
  - New crypto applications
- Challenges for the bad (?) guy
  - New algorithms for hard problems (ECDLP, ...)
  - Perform huge cryptanalysis tasks
  - New side-channel attacks
Credits
- The first chapter of Simon Singh's Code Book clearly inspired the introduction of this talk.
References
- [B92] L. Babai, A. Seress, On the diameter of permutation groups.
- [CGL09] D. Charles, E. Goren, K. Lauter, Cryptographic Hash Functions from Expander Graphs.
- [FPPG12] J.C. Faugere, L. Perret, C. Petit, G. Renault, Improving the complexity of index calculus for elliptic curves over binary fields.
- [GIMS11] M. Grassl, I. Ilic, S. Magliveras, R. Steinwandt, Cryptanalysis of the Tillich-Zemor hash function.
- [H08] H. Helfgott, Growth and generation in SL2(Z/pZ).
- [MPRRS11] M. Medwed, C. Petit, F. Regazzoni, M. Renauld, F.X. Standaert, Fresh Re-keying II: Securing Multiple Parties against Side-Channel and Fault Attacks.
- [PLQ08] C. Petit, K. Lauter, J.J. Quisquater, Full Cryptanalysis of LPS and Morgenstern Hash Functions.
- [PSPMY08] C. Petit, F.X. Standaert, O. Pereira, T. Malkin, M. Yung, A block cipher based pseudo random number generator secure against side-channel key recovery.
- [PQ10] C. Petit, J.J. Quisquater, Preimages for the Tillich-Zemor hash function.
- [PQ12] C. Petit, J.J. Quisquater, On polynomial systems arising from a Weil descent.
- [S99] S. Singh, The Code Book.
- [TZ94] J.P. Tillich, G. Zemor, Group-theoretic hash functions.
- [TZ08] J.P. Tillich, G. Zemor, Collisions for the LPS Expander Graph Hash Function.
RSA encryption algorithm
- Key generation
  - Private key is a couple of primes (p, q).
  - Public key is (n, e) where n = pq.
- Encryption
  - Given a message m, compute c := m^e mod n
- Decryption
  - Knowing (p, q), compute d such that ed = 1 mod (p − 1)(q − 1)
  - Compute c^d mod n = m^(ed) mod n = m mod n
- Everybody can encrypt, but the private key is needed to decrypt
- Computing (p, q) from the public key is the integer factorization problem
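The three steps of the slide, carried out in Python as an added example (not code from the talk). The primes, exponent and message are the small textbook values p = 61, q = 53, e = 17, m = 65, chosen so the arithmetic can be checked by hand; the function names are mine.

```python
from math import gcd


def rsa_keygen(p, q, e):
    """Textbook RSA key generation from two primes p, q and a public exponent e.

    Returns ((n, e), d) with n = pq and e*d = 1 mod (p-1)(q-1), exactly as on
    the slide.  The private key is really (p, q): knowing them gives d.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse, so e*d = 1 mod (p-1)(q-1)
    return (n, e), d


def rsa_encrypt(pub, m):
    """c := m^e mod n; anyone holding the public key can do this."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(pub, d, c):
    """c^d mod n = m^(ed) mod n = m mod n; needs the private exponent d."""
    n, _ = pub
    return pow(c, d, n)


def demo():
    """Round trip with toy primes (far too small for any real use)."""
    pub, d = rsa_keygen(61, 53, 17)      # n = 3233, d = 2753
    c = rsa_encrypt(pub, 65)             # c = 2790
    return pub, d, c, rsa_decrypt(pub, d, c)


if __name__ == "__main__":
    print(demo())
```

Two things the slide leaves implicit and a practitioner should keep in mind: this is "textbook" RSA with no padding, so encryption is deterministic and the same message always gives the same ciphertext, which is why deployed RSA wraps m with a randomized padding scheme such as OAEP before exponentiation; and n = 3233 is factored instantly, so the hardness claim on the last bullet only holds for primes of a size where factoring is out of reach.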
Advanced Encryption Standard (AES)
- Algorithm Rijndael (Vincent Rijmen and Joan Daemen)
- Selected in 2001 after a public competition
- Replaced the previous standards DES and 3-DES
- Key size of 128, 192, or 256 bits
- Block size 128 bits
- 10, 12, or 14 rounds
- Assumption: AES is a good pseudo-random permutation
Example: a naive index calculus for F_p^*
- DLP: given g, h ∈ F_p^*, find k such that h = g^k
- Factor basis made of small "primes"
  FB := {primes p_i ≤ B}
- Relation search
  - Choose random a, b ∈ {1, ..., p − 1}
  - Compute r := g^a h^b mod p
  - If all factors of r are ≤ B, store a relation
    [a]g + [b]h = Σ_{p_i ∈ FB} [e_i] p_i
- Linear algebra modulo p − 1 on the relations
- For B ≈ exp((log p)^(1/2)), subexponential complexity
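The algorithm of the slide run end to end on a toy prime, as an added Python example that is not code from the talk. It follows the slide's steps: factor base of primes up to B with B taken from the exp((log p)^(1/2)) rule, random relations g^a h^b mod p kept when B-smooth, then linear algebra modulo p − 1 on the rows "Σ e_i log(p_i) − b·k = a". One simplification is mine: since p − 1 is not prime, the system is solved modulo each prime factor of p − 1 and recombined by the Chinese remainder theorem, which only covers a squarefree p − 1. The prime p = 1019 (with 1018 = 2 · 509), the generator g = 2 and the hidden exponent are constructed test values.

```python
import math
import random


def trial_factor(n):
    """Prime factorisation of n by trial division (fine for toy sizes)."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def primes_up_to(bound):
    return [q for q in range(2, bound + 1)
            if all(q % d for d in range(2, int(q ** 0.5) + 1))]


def smooth_exponents(r, factor_base):
    """Exponent vector of r over the factor base, or None if r is not B-smooth."""
    exps = []
    for q in factor_base:
        e = 0
        while r % q == 0:
            r //= q
            e += 1
        exps.append(e)
    return exps if r == 1 else None


def solve_mod_prime(rows, n_unknowns, m):
    """Gauss-Jordan elimination over F_m on augmented rows [coeffs..., rhs].
    Returns the unique solution, or None while the system is still rank-deficient."""
    A = [[x % m for x in row] for row in rows]
    for col in range(n_unknowns):
        piv = next((r for r in range(col, len(A)) if A[r][col]), None)
        if piv is None:
            return None
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], -1, m)
        A[col] = [(x * inv) % m for x in A[col]]
        for r in range(len(A)):
            if r != col and A[r][col]:
                f = A[r][col]
                A[r] = [(x - f * y) % m for x, y in zip(A[r], A[col])]
    return [A[i][-1] for i in range(n_unknowns)]


def crt(residues, moduli):
    """Combine x = r_i mod m_i for pairwise coprime m_i into x mod prod(m_i)."""
    x, M = 0, 1
    for r, m in zip(residues, moduli):
        x += M * (((r - x) * pow(M, -1, m)) % m)
        M *= m
    return x % M


def index_calculus(g, h, p, B, rng):
    """Return k with g^k = h mod p, assuming g generates F_p^* and p-1 is squarefree."""
    order_factors = trial_factor(p - 1)
    if any(e > 1 for e in order_factors.values()):
        raise ValueError("this toy only handles squarefree p-1")
    if any(pow(g, (p - 1) // q, p) == 1 for q in order_factors):
        raise ValueError("g must generate F_p^*")
    factor_base = primes_up_to(B)
    n_unknowns = len(factor_base) + 1   # log_g(p_i) for each p_i, plus k = log_g(h)
    moduli = list(order_factors)
    rows = []
    while True:
        # Relation search: r = g^a h^b mod p, kept if B-smooth.
        a, b = rng.randrange(1, p), rng.randrange(1, p)
        r = (pow(g, a, p) * pow(h, b, p)) % p
        exps = smooth_exponents(r, factor_base)
        if exps is None:
            continue
        # Taking logs base g: a + b*k = sum e_i log(p_i) mod (p-1),
        # i.e. sum e_i x_i - b*k = a with unknowns (x_1..x_t, k).
        rows.append(exps + [-b, a])
        if len(rows) < n_unknowns:
            continue
        # Linear algebra modulo p-1, prime factor by prime factor, then CRT.
        partial = [solve_mod_prime(rows, n_unknowns, m) for m in moduli]
        if all(sol is not None for sol in partial):
            return crt([sol[-1] for sol in partial], moduli)


def demo(p=1019, g=2, secret_k=777, seed=1):
    """Hide secret_k in h = g^k mod p and recover it; returns the recovered k."""
    h = pow(g, secret_k, p)
    B = max(2, round(math.exp(math.sqrt(math.log(p)))))   # the slide's rule gives 14 here
    return index_calculus(g, h, p, B, random.Random(seed))


if __name__ == "__main__":
    print(demo())
```

The smoothness test is the expensive step at real sizes, and the factor-base size is what the B ≈ exp((log p)^(1/2)) trade-off balances: a larger B makes relations easier to find but means more unknowns to solve for. The same relation/linear-algebra skeleton is what the binary-field elliptic-curve work cited on this page [FPPG12, PQ12] adapts.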
A very high-level look at SHA-1
- Most hash functions have a similar structure
- Security: various heuristic arguments