
    Factoring Safe Semiprimes with a Single Quantum Query

    Shor's factoring algorithm (SFA), by its ability to efficiently factor large numbers, has the potential to undermine contemporary encryption. At its heart is a process called order finding, which quantum mechanics lets us perform efficiently. SFA thus consists of a quantum order finding algorithm (QOFA), bookended by classical routines which, given the order, return the factors. But, with probability up to 1/2, these classical routines fail, and QOFA must be rerun. We modify these routines using elementary results in number theory, improving the likelihood that they return the factors. The resulting quantum factoring algorithm is better than SFA at factoring safe semiprimes, an important class of numbers used in cryptography. With just one call to QOFA, our algorithm almost always factors safe semiprimes. As well as a speed-up, improving efficiency gives our algorithm other, practical advantages: unlike SFA, it does not need a randomly picked input, making it simpler to construct in the lab; and in the (unlikely) case of failure, the same circuit can be rerun, without modification. We consider generalizing this result to other cases, although we do not find a simple extension, and conclude that SFA is still the best algorithm for general numbers (non-safe semiprimes, in other words). Even so, we present some simple number-theoretic tricks for improving SFA in this case.
    Comment: v2: Typo correction and rewriting for improved clarity. v3: Slight expansion, for improved clarit

    THE RSA GROUP IS A PSEUDO-FREE GROUP UNDER THE STRONG RSA ASSUMPTION

    Under the strong RSA assumption, it is proven that the multiplicative group modulo the product of two safe primes is a pseudo-free group. In other words, if the strong RSA problem is asymptotically hard with respect to the distribution ensemble over products of two distinct safe primes, then the family of computational groups ℤ∗ modulo the product of two distinct safe primes (with the operation of multiplication modulo that product and a uniform sampling procedure over the quadratic residues QR) is a pseudo-free group with respect to the same distribution ensemble. Keywords: strong RSA assumption, RSA group, quadratic residue, pseudo-free, safe prime

    On the efficiency of revocation in RSA-based anonymous systems

    © 2016 IEEE. The problem of revocation in anonymous authentication systems is subtle and has motivated a lot of work. One of the preferable solutions consists in maintaining either a whitelist L-W of non-revoked users or a blacklist L-B of revoked users, and then requiring users to additionally prove, when authenticating themselves, that they are in L-W (membership proof) or that they are not in L-B (non-membership proof). Of course, these additional proofs must not break the anonymity properties of the system, so they must be zero-knowledge proofs, revealing nothing about the identity of the users. In this paper, we focus on the RSA-based setting, and we consider the case of non-membership proofs to blacklists L = L-B. The existing solutions for this setting rely on the use of universal dynamic accumulators; the underlying zero-knowledge proofs are a bit complicated, and thus their efficiency, although independent of the size of the blacklist L, seems to be improvable. Peng and Bao already tried to propose simpler and more efficient zero-knowledge proofs for this setting, but we prove in this paper that their protocol is not secure. We fix the problem by designing a new protocol and formally proving its security properties. We then compare the efficiency of the new zero-knowledge non-membership protocol with that of the accumulator-based protocol, when they are integrated with anonymous authentication systems based on RSA (notably, the IBM product Idemix for anonymous credentials). We discuss for which values of the size k of the blacklist L one protocol is preferable to the other, and we propose different ways to combine and implement the two protocols.
    Postprint (author's final draft

    Close to Uniform Prime Number Generation With Fewer Random Bits

    In this paper, we analyze several variants of a simple method for generating prime numbers with fewer random bits. To generate a prime p less than x, the basic idea is to fix a constant q ∝ x^(1−ε), pick a uniformly random a < q coprime to q, and choose p of the form a + t·q, where only t is updated if the primality test fails. We prove that variants of this approach provide prime generation algorithms requiring few random bits and whose output distribution is close to uniform, under less and less expensive assumptions: first a relatively strong conjecture by H.L. Montgomery, made precise by Friedlander and Granville; then the Extended Riemann Hypothesis; and finally fully unconditionally, using the Barban-Davenport-Halberstam theorem. We argue that this approach has a number of desirable properties compared to previous algorithms.
    Comment: Full version of ICALP 2014 paper. Alternate version of IACR ePrint Report 2011/48

    Efficient non-malleable commitment schemes

    We present efficient non-malleable commitment schemes based on standard assumptions such as RSA and Discrete-Log, under the condition that the network provides publicly available RSA or Discrete-Log parameters generated by a trusted party. Our protocols require only three rounds and a few modular exponentiations. We also discuss the difference between the notion of non-malleable commitment schemes used by Dolev, Dwork and Naor [DDN00] and the one given by Di Crescenzo, Ishai and Ostrovsky [DIO98].

    Threshold cryptography based on Asmuth–Bloom secret sharing

    In this paper, we investigate how threshold cryptography can be conducted with the Asmuth-Bloom secret sharing scheme and present three novel function sharing schemes for RSA, ElGamal and Paillier cryptosystems. To the best of our knowledge, these are the first provably secure threshold cryptosystems realized using Asmuth-Bloom secret sharing. The proposed schemes are comparable in performance to earlier proposals in threshold cryptography. (c) 2007 Elsevier Inc. All rights reserved.

    Algorithmic Tamper-Proof (ATP) Security: Theoretical Foundations for Security against Hardware Tampering

    Abstract. Traditionally, secure cryptographic algorithms provide security against an adversary who has only black-box access to the secret information of honest parties. However, such models are not always adequate. In particular, the security of these algorithms may completely break under (feasible) attacks that tamper with the secret key. In this paper we propose a theoretical framework to investigate the algorithmic aspects related to tamper-proof security. In particular, we define a model of security against an adversary who is allowed to apply arbitrary feasible functions f to the secret key sk, and obtain the result of the cryptographic algorithms using the new secret key f(sk). We prove that in the most general setting it is impossible to achieve this strong notion of security. We then show minimal additions to the model, which are needed in order to obtain provable security. We prove that these additions are necessary and also sufficient for most common cryptographic primitives, such as encryption and signature schemes. We discuss the applications to portable devices protected by PINs and show how to integrate PIN security into the generic security design. Finally we investigate restrictions of the model in which the tampering powers of the adversary are limited. These restrictions model realistic attacks (like differential fault analysis) that have been demonstrated in practice. In these settings we show security solutions that work even without the additions mentioned above

    Realistic Threats to Self-Enforcing Privacy

    A recent privacy protocol for secure e-polls aims at ensuring the submitting individuals that the pollster will preserve the privacy of their submitted preferences. Otherwise the individuals can indict the pollster, provided that the pollster participates actively in this phase. The analysis of the protocol in a realistic threat model shows that a malicious pollster that abuses the private preferences by disclosure will arguably not help out during its own indictment. Therefore, the protocol ensures insufficient fairness among its participants because it gives the pollster some advantage over the individuals. Two variant protocols are introduced and analysed in the same threat model — one is found to move the advantage over to the individuals, the other is found to achieve a satisfactory level of fairness.