46 research outputs found

    Longitud de la clave RSA vs poder computacional

    Millions of Instructions Per Second (MIPS) is one, though not the only, traditional metric of processor performance. Bit Length (BL), on the other hand, can be taken as a metric for the strength of an asymmetric encryption method. Within the context of developing security systems and methods, this research aims to carry out a comprehensive analysis of the strengths and weaknesses of asymmetric encryption methods that makes it possible to predict the level of security such methods will offer in the future, considering key length in relation to the computational power available. We propose to study the security, over a given period of time, of a factoring-based encryption method such as RSA, establishing a relationship between the computational power needed to break a key and the BL used for encryption. This relationship will allow an estimate of the period of time during which an encryption with a given BL will remain secure against possible attacks. Track: Computer Security. Red de Universidades con Carreras en Informática (RedUNCI).

    The PASSERINE Public Key Encryption and Authentication Mechanism

    PASSERINE is a lightweight public key encryption mechanism which is based on a hybrid, randomized variant of the Rabin public key encryption scheme. Its design is targeted for extremely low-resource applications such as wireless sensor networks, RFID tags, embedded systems, and smart cards. As is the case with the Rabin scheme, the security of PASSERINE can be shown to be equivalent to factoring the public modulus. On many low-resource implementation platforms PASSERINE offers smaller transmission latency, a smaller hardware and software footprint, and better encryption speed when compared to RSA or Elliptic Curve Cryptography. This is mainly due to the fact that PASSERINE implementations can avoid expensive big integer arithmetic in favor of a fully parallelizable CRT randomized-square operation. In order to reduce latency and memory requirements, PASSERINE uses Naccache-Shamir randomized multiplication, which is implemented with a system of simultaneous congruences modulo small coprime numbers. The PASSERINE private key operation is of comparable computational complexity to the RSA private key operation. The private key operation is typically performed by a computationally superior recipient such as a base station.

    Statistical Properties of Short RSA Distribution and Their Cryptographic Applications

    In this paper, we study some computational security assumptions involved in two cryptographic applications related to the RSA cryptosystem. To this end, we use exponential sums to bound the statistical distances between these distributions and the uniform distribution. We are interested in studying the k least (or most) significant bits of x^e mod N, where N is an RSA modulus, when x is restricted to a small part of [0, N). First of all, we provide the first rigorous evidence that the cryptographic pseudo-random generator proposed by Micali and Schnorr is based on firm foundations. This proof is missing in the original paper and does not cover the parameters chosen by the authors. Consequently, we extend the proof to get a new result closer to those parameters using a recent work of Wooley on exponential sums, and we show some limitations of our technique. Finally, we look at the semantic security of the RSA padding scheme called PKCS#1 v1.5, which is still used a lot in practice. We show that parts of the ciphertexts are indistinguishable from uniform bitstrings.

    Limitations of the Meta-reduction Technique: The Case of Schnorr Signatures

    We revisit the security of Fiat-Shamir signatures in the non-programmable random oracle model. The well-known proof by Pointcheval and Stern for such signature schemes (Journal of Cryptology, 2000) relies on the ability to re-program the random oracle, and it has been unknown if this property is inherent. Paillier and Vergnaud (Asiacrypt 2005) gave some first evidence of the hardness by showing via meta-reduction techniques that algebraic reductions cannot succeed in reducing key-only attacks against unforgeability to the discrete-log assumptions. We also use meta-reductions to show that the security of Schnorr signatures cannot be proven equivalent to the discrete logarithm problem without programming the random oracle. Our result also holds under the one-more discrete logarithm assumption but applies to a large class of reductions, which we call *single-instance* reductions, subsuming those used in previous proofs of security in the (programmable) random oracle model. In contrast to algebraic reductions, our class allows arbitrary operations, but can only invoke a single resettable adversary instance, making our class incomparable to algebraic reductions. Our main result, however, is about meta-reductions and the question if this technique can be used to further strengthen the separations above. Our answer is negative. We present, to the best of our knowledge for the first time, limitations of the meta-reduction technique in the sense that finding a meta-reduction for general reductions is most likely infeasible. In fact, we prove that finding a meta-reduction against a potential reduction is equivalent to finding a "meta-meta-reduction" against the strong existential unforgeability of the signature scheme. This means that the existence of a meta-reduction implies that the scheme must be insecure (against a slightly stronger attack) in the first place.

    Hard isogeny problems over RSA moduli and groups with infeasible inversion

    We initiate the study of computational problems on elliptic curve isogeny graphs defined over RSA moduli. We conjecture that several variants of the neighbor-search problem over these graphs are hard, and provide a comprehensive list of cryptanalytic attempts on these problems. Moreover, based on the hardness of these problems, we provide a construction of groups with infeasible inversion, where the underlying groups are the ideal class groups of imaginary quadratic orders. Recall that in a group with infeasible inversion, computing the inverse of a group element is required to be hard, while performing the group operation is easy. Motivated by the potential cryptographic application of building a directed transitive signature scheme, the search for a group with infeasible inversion was initiated in the theses of Hohenberger and Molnar (2003). Later it was also shown to provide a broadcast encryption scheme by Irrer et al. (2004). However, to date the only case of a group with infeasible inversion is implied by the much stronger primitive of self-bilinear map constructed by Yamakawa et al. (2014) based on the hardness of factoring and indistinguishability obfuscation (iO). Our construction gives a candidate without using iO.

    Comment: Significant revision of the article previously titled "A Candidate Group with Infeasible Inversion" (arXiv:1810.00022v1). Cleared up the constructions by giving toy examples, added "The Parallelogram Attack" (Sec 5.3.2). 54 pages, 8 figures.