1,315 research outputs found

    Formal Analysis of CRT-RSA Vigilant's Countermeasure Against the BellCoRe Attack: A Pledge for Formal Methods in the Field of Implementation Security

    Full text link
    In our paper at PROOFS 2013, we formally studied a few known countermeasures to protect CRT-RSA against the BellCoRe fault injection attack. However, we left Vigilant's countermeasure and its alleged repaired version by Coron et al. as future work, because the arithmetical framework of our tool was not sufficiently powerful. In this paper we bridge this gap and then use the same methodology to formally study both versions of the countermeasure. We obtain surprising results, which we believe demonstrate the importance of formal analysis in the field of implementation security. Indeed, the original version of Vigilant's countermeasure is actually broken, but not as much as Coron et al. thought it was. As a consequence, the repaired version they proposed can be simplified. It can actually be simplified even further as two of the nine modular verifications happen to be unnecessary. Fortunately, we could formally prove the simplified repaired version to be resistant to the BellCoRe attack, which was considered a "challenging issue" by the authors of the countermeasure themselves.Comment: arXiv admin note: substantial text overlap with arXiv:1401.817

    Cloud-based Quadratic Optimization with Partially Homomorphic Encryption

    Get PDF
    The development of large-scale distributed control systems has led to the outsourcing of costly computations to cloud-computing platforms, as well as to concerns about privacy of the collected sensitive data. This paper develops a cloud-based protocol for a quadratic optimization problem involving multiple parties, each holding information it seeks to maintain private. The protocol is based on the projected gradient ascent on the Lagrange dual problem and exploits partially homomorphic encryption and secure multi-party computation techniques. Using formal cryptographic definitions of indistinguishability, the protocol is shown to achieve computational privacy, i.e., there is no computationally efficient algorithm that any involved party can employ to obtain private information beyond what can be inferred from the party's inputs and outputs only. In order to reduce the communication complexity of the proposed protocol, we introduced a variant that achieves this objective at the expense of weaker privacy guarantees. We discuss in detail the computational and communication complexity properties of both algorithms theoretically and also through implementations. We conclude the paper with a discussion on computational privacy and other notions of privacy such as the non-unique retrieval of the private information from the protocol outputs

    Normal Elliptic Bases and Torus-Based Cryptography

    Full text link
    We consider representations of algebraic tori Tn(Fq)T_n(F_q) over finite fields. We make use of normal elliptic bases to show that, for infinitely many squarefree integers nn and infinitely many values of qq, we can encode mm torus elements, to a small fixed overhead and to mm ϕ(n)\phi(n)-tuples of FqF_q elements, in quasi-linear time in logq\log q. This improves upon previously known algorithms, which all have a quasi-quadratic complexity. As a result, the cost of the encoding phase is now negligible in Diffie-Hellman cryptographic schemes

    Generalised Mersenne Numbers Revisited

    Get PDF
    Generalised Mersenne Numbers (GMNs) were defined by Solinas in 1999 and feature in the NIST (FIPS 186-2) and SECG standards for use in elliptic curve cryptography. Their form is such that modular reduction is extremely efficient, thus making them an attractive choice for modular multiplication implementation. However, the issue of residue multiplication efficiency seems to have been overlooked. Asymptotically, using a cyclic rather than a linear convolution, residue multiplication modulo a Mersenne number is twice as fast as integer multiplication; this property does not hold for prime GMNs, unless they are of Mersenne's form. In this work we exploit an alternative generalisation of Mersenne numbers for which an analogue of the above property --- and hence the same efficiency ratio --- holds, even at bitlengths for which schoolbook multiplication is optimal, while also maintaining very efficient reduction. Moreover, our proposed primes are abundant at any bitlength, whereas GMNs are extremely rare. Our multiplication and reduction algorithms can also be easily parallelised, making our arithmetic particularly suitable for hardware implementation. Furthermore, the field representation we propose also naturally protects against side-channel attacks, including timing attacks, simple power analysis and differential power analysis, which is essential in many cryptographic scenarios, in constrast to GMNs.Comment: 32 pages. Accepted to Mathematics of Computatio

    Security systems based on Gaussian integers : Analysis of basic operations and time complexity of secret transformations

    Get PDF
    Many security algorithms currently in use rely heavily on integer arithmetic modulo prime numbers. Gaussian integers can be used with most security algorithms that are formulated for real integers. The aim of this work is to study the benefits of common security protocols with Gaussian integers. Although the main contribution of this work is to analyze and improve the application of Gaussian integers for various public key (PK) algorithms, Gaussian integers were studied in the context of image watermarking as well. The significant benefits of the application of Gaussian integers become apparent when they are used with Discrete Logarithm Problem (DLP) based PK algorithms. In order to quantify the complexity of the Gaussian integer DLP, it is reduced to two other well known problems: DLP for Lucas sequences and the real integer DLP. Additionally, a novel exponentiation algorithm for Gaussian integers, called Lucas sequence Exponentiation of Gaussian integers (LSEG) is introduced and its performance assessed, both analytically and experimentally. The LSEG achieves about 35% theoretical improvement in CPU time over real integer exponentiation. Under an implementation with the GMP 5.0.1 library, it outperformed the GMP\u27s mpz_powm function (the particularly efficient modular exponentiation function that comes with the GMP library) by 40% for bit sizes 1000-4000, because of low overhead associated with LSEG. Further improvements to real execution time can be easily achieved on multiprocessor or multicore platforms. In fact, over 50% improvement is achieved with a parallelized implementation of LSEG. All the mentioned improvements do not require any special hardware or software and are easy to implement. Furthermore, an efficient way for finding generators for DLP based PK algorithms with Gaussian integers is presented. In addition to DLP based PK algorithms, applications of Gaussian integers for factoring-based PK cryptosystems are considered. Unfortunately, the advantages of Gaussian integers for these algorithms are not as clear because the extended order of Gaussian integers does not directly come into play. Nevertheless, this dissertation describes the Extended Square Root algorithm for Gaussian integers used to extend the Rabin Cryptography algorithm into the field of Gaussian integers. The extended Rabin Cryptography algorithm with Gaussian integers allows using fewer preset bits that are required by the algorithm to guard against various attacks. Additionally, the extension of RSA into the domain of Gaussian integers is analyzed. The extended RSA algorithm could add security only if breaking the original RSA is not as hard as factoring. Even in this case, it is not clear whether the extended algorithm would increase security. Finally, the randomness property of the Gaussian integer exponentiation is utilized to derive a novel algorithm to rearrange the image pixels to be used for image watermarking. The new algorithm is more efficient than the one currently used and it provides a degree of cryptoimmunity. The proposed method can be used to enhance most picture watermarking algorithms
    corecore