Simultaneous Diagonalization of Incomplete Matrices and Applications
We consider the problem of recovering the entries of diagonal matrices
for from multiple "incomplete" samples
of the form , where and are unknown matrices of low rank. We
devise practical algorithms for this problem depending on the ranks of and
. This problem finds its motivation in cryptanalysis: we show how to
significantly improve previous algorithms for solving the approximate common
divisor problem and breaking CLT13 cryptographic multilinear maps.
Revisiting Shared Data Protection Against Key Exposure
This paper sheds new light on secure data storage inside distributed
systems. Specifically, it revisits computational secret sharing in a situation
where the encryption key is exposed to an attacker. It comes with several
contributions: First, it defines a security model for encryption schemes, where
we ask for additional resilience against exposure of the encryption key.
Precisely, we ask for (1) indistinguishability of plaintexts under full
ciphertext knowledge, and (2) indistinguishability for an adversary who learns the
encryption key plus all but one share of the ciphertext. (2) relaxes the
"all-or-nothing" property to a more realistic setting, where the ciphertext is
transformed into a number of shares such that the adversary cannot access one
of them. (1) asks that, unless the user's key is disclosed, no one other than the
user can retrieve information about the plaintext. Second, it introduces a new
computationally secure encryption-then-sharing scheme that protects the data
in the previously defined attacker model. It consists of data encryption
followed by a linear transformation of the ciphertext, then its fragmentation
into shares, along with secret sharing of the randomness used for encryption.
The computational overhead in addition to data encryption is reduced by half
with respect to the state of the art. Third, it provides for the first time
cryptographic proofs in this context of key exposure. It emphasizes that the
security of our scheme relies only on a simple cryptanalysis resilience
assumption for block ciphers in public-key mode: indistinguishability from
random of the sequence of differentials of a random value. Fourth, it provides
an alternative scheme relying on the more theoretical random permutation model.
It consists of encrypting with sponge functions in duplex mode and then, as before,
secret-sharing the randomness.
Batch Fully Homomorphic Encryption over the Integers
We extend the fully homomorphic encryption scheme over the integers of van Dijk et al. (DGHV) to batch fully homomorphic encryption, i.e. to a scheme that supports encrypting and homomorphically processing a vector of plaintext bits as a single ciphertext. Our variant remains semantically secure under the (error-free) approximate GCD problem. We also show how to perform arbitrary permutations on the underlying plaintext vector given the ciphertext and the public key. Our scheme offers competitive performance: we describe an implementation of the fully homomorphic evaluation of AES encryption, with an amortized cost of about 12 minutes per AES ciphertext on a standard desktop computer; this is comparable to the timings presented by Gentry et al. at Crypto 2012 for their implementation of a Ring-LWE based fully homomorphic encryption scheme.
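To make the batching idea concrete, here is an added toy example (written for this page, not the paper's scheme or implementation). It is a secret-key, somewhat-homomorphic "encryption over the integers" in which slot i of a ciphertext c is carried by the residue c mod p_i = 2*r_i + m_i for a secret prime p_i; the residues are glued together with the CRT and hidden under a random multiple of the product of the primes. Slot-wise XOR and AND are then integer addition and multiplication. The parameter sizes (64-bit primes, 8-bit noise), the prime generation and the `demo` inputs are all constructed for readability and are far too small to be secure; the plaintext-permutation functionality of the paper is not covered.

```python
import random

# Added illustration (not the paper's code): toy secret-key batch encryption
# over the integers. c = CRT(2*r_i + m_i mod p_i) + q * (p_0 * ... * p_{k-1}).
# Parameters are constructed for readability, not security.

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with the first twelve prime bases (deterministic below 3.3e24)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def keygen(k: int, rng: random.Random, prime_bits: int = 64) -> list:
    """Secret key: k distinct primes, one per plaintext slot."""
    sk = []
    while len(sk) < k:
        p = random_prime(prime_bits, rng)
        if p not in sk:
            sk.append(p)
    return sk


def crt(residues, moduli):
    """The unique x in [0, prod(moduli)) with x = r_i (mod m_i) for every i."""
    P = 1
    for m in moduli:
        P *= m
    x = 0
    for r, m in zip(residues, moduli):
        M = P // m
        x += r * M * pow(M, -1, m)
    return x % P, P


def encrypt(sk, bits, rng: random.Random, noise_bits: int = 8, q_bits: int = 128) -> int:
    """c = CRT(2*r_i + m_i) + q*P with fresh random noises r_i and multiplier q."""
    assert len(bits) == len(sk) and all(b in (0, 1) for b in bits)
    residues = [2 * rng.getrandbits(noise_bits) + b for b in bits]
    x, P = crt(residues, sk)
    return x + P * rng.getrandbits(q_bits)


def centred_residues(sk, c):
    """c mod p_i mapped into (-p_i/2, p_i/2]; decryption needs |residue| < p_i/2."""
    out = []
    for p in sk:
        x = c % p
        if x > p // 2:
            x -= p
        out.append(x)
    return out


def decrypt(sk, c) -> list:
    """Slot i is the parity of the centred residue modulo p_i."""
    return [x % 2 for x in centred_residues(sk, c)]


def noise(sk, c) -> int:
    """Largest centred residue; once it reaches p_i/2 the slot decrypts wrongly."""
    return max(abs(x) for x in centred_residues(sk, c))


def add(c1: int, c2: int) -> int:
    return c1 + c2          # slot-wise XOR; noise adds


def mul(c1: int, c2: int) -> int:
    return c1 * c2          # slot-wise AND; noise roughly squares


def demo(seed: int = 2024) -> dict:
    """Encrypt two constructed 4-bit vectors, combine homomorphically, decrypt."""
    rng = random.Random(seed)
    sk = keygen(4, rng)
    m1, m2 = [1, 0, 1, 1], [1, 1, 0, 0]
    c1, c2 = encrypt(sk, m1, rng), encrypt(sk, m2, rng)
    prod = mul(c1, c2)
    return {
        "m1": decrypt(sk, c1),
        "xor": decrypt(sk, add(c1, c2)),
        "and": decrypt(sk, prod),
        "and_noise_ok": noise(sk, prod) < min(sk) // 2,
    }
```

The `noise` function is the part worth watching: with 8-bit noise and 64-bit primes a product of two fresh ciphertexts has roughly 18 bits of noise, so a handful of multiplicative levels fit before a slot's residue crosses p_i/2 and decrypts to garbage, which is exactly the budget that bootstrapping has to refresh in a fully homomorphic variant.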
Externalized Fingerprint Matching
The 9/11 tragedy triggered an increased interest in biometric
passports. According to several sources [sp2], the electronic
ID market is expected to increase by more than 50% per
annum over the three coming years, excluding China.
To cost-effectively address this foreseen explosion, a very
inexpensive memory card (phonecard-like card) capable of
performing fingerprint matching is paramount.
This paper presents such a solution. The proposed protocol is
based on the following idea: the card stores the user's
fingerprint information to which random minutiae were added at
enrolment time (we denote this scrambled template by ). The
card also stores a binary string encoding which of the
minutiae in actually belong to the holder. When an
identification session starts, the terminal reads from the
card and, based upon the incoming scanner data, determines which
of the minutiae in are genuine. The terminal forms a candidate
and sends it to the card. All the card needs to do is test
that the Hamming weight of is smaller than a
security threshold .
It follows that the card only needs to carry passive data storage
capabilities, one exclusive-or gate, a shift register, a counter
and a comparator (less than 40 logical gates).
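The exchange sketched above, as an added simulation in Python that is not part of the paper: the card stores the scrambled template (genuine minutiae mixed with decoys) and a secret bit string b marking the genuine entries; the terminal matches the live scan against the template and returns a candidate bit string; the card does nothing but shift b and the candidate through one XOR, count mismatches and compare the count with a threshold. The minutiae coordinates, the 20x20 grid layout, the matching tolerances, the threshold and both scans are constructed here so that the expected Hamming distances are exact.

```python
import math
import random

# Added simulation (not the paper's code) of externalized fingerprint matching.
# Minutiae are (x, y, angle_degrees). Every constructed entry sits at the centre
# of a 20x20 grid cell, so distinct entries are >= 20 units apart and a scanner
# jitter of <= 2 units can only ever match the entry it came from.

GENUINE_CELLS = [(1, 1), (1, 3), (2, 5), (3, 2), (4, 4), (5, 1),
                 (5, 5), (6, 3), (7, 2), (7, 6), (8, 4), (8, 1)]
DECOY_CELLS = [(1, 5), (2, 2), (3, 6), (4, 1), (5, 3), (6, 6),
               (7, 4), (8, 6), (2, 7), (4, 7), (6, 1), (3, 4)]
# constructed spurious detections at grid corners: >= 14 units from every
# cell centre, so they never match a template entry
OFF_GRID = [(40, 40, 90), (100, 120, 200), (160, 60, 10),
            (60, 140, 300), (120, 20, 45), (20, 100, 180)]


def minutia_at(cell):
    i, j = cell
    return (20 * i + 10, 20 * j + 10, (37 * i + 53 * j) % 360)


def enroll(genuine, decoys, rng):
    """Card-side enrolment: shuffle genuine and decoy minutiae together and
    record which entries are genuine as the secret bit string b."""
    entries = [(m, 1) for m in genuine] + [(m, 0) for m in decoys]
    rng.shuffle(entries)
    template = [m for m, _ in entries]
    b = [flag for _, flag in entries]
    return template, b


def terminal_candidate(template, scan, tol_xy=5.0, tol_angle=15):
    """Terminal side: bit i is 1 if some scanned minutia lies within tolerance
    of template entry i. The terminal never sees b."""
    candidate = []
    for (x, y, a) in template:
        hit = 0
        for (sx, sy, sa) in scan:
            d_angle = abs(((a - sa + 180) % 360) - 180)
            if math.hypot(x - sx, y - sy) <= tol_xy and d_angle <= tol_angle:
                hit = 1
                break
        candidate.append(hit)
    return candidate


def card_check(b, candidate, threshold):
    """Card side, bit-serial: shift b and the candidate through one XOR gate,
    count the mismatches, compare the counter with the threshold."""
    assert len(b) == len(candidate)
    counter = 0
    for b_i, c_i in zip(b, candidate):
        counter += b_i ^ c_i
    return counter < threshold


def hamming_distance(b, candidate):
    return sum(x ^ y for x, y in zip(b, candidate))


def jitter(minutiae, rng, dxy=2, dangle=5):
    """Scanner noise: small positional and angular perturbation."""
    return [(x + rng.randint(-dxy, dxy), y + rng.randint(-dxy, dxy),
             (a + rng.randint(-dangle, dangle)) % 360) for (x, y, a) in minutiae]


def demo(seed=7, threshold=4):
    rng = random.Random(seed)
    genuine = [minutia_at(c) for c in GENUINE_CELLS]
    decoys = [minutia_at(c) for c in DECOY_CELLS]
    template, b = enroll(genuine, decoys, rng)
    # legitimate finger: two minutiae missed by the scanner, the rest jittered,
    # plus three spurious detections
    legit_scan = jitter(genuine[2:], rng) + OFF_GRID[:3]
    # impostor finger: overlaps six decoy positions and nothing genuine
    impostor_scan = decoys[:6] + OFF_GRID
    legit_cand = terminal_candidate(template, legit_scan)
    impostor_cand = terminal_candidate(template, impostor_scan)
    return {
        "genuine_distance": hamming_distance(b, legit_cand),
        "genuine_accepted": card_check(b, legit_cand, threshold),
        "impostor_distance": hamming_distance(b, impostor_cand),
        "impostor_accepted": card_check(b, impostor_cand, threshold),
    }
```

Two points the simulation makes visible: decoy entries cost an impostor distance as well (every decoy the impostor's minutiae happen to match is a mismatch against b), and the threshold is the only knob trading false rejects against false accepts, so it has to be set from the scanner's real miss rate rather than the 4 used here. The terminal still sees the scrambled template and the live scan; the card's secret is b alone.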
Factoring N = p^r q^s for Large r and s
Boneh et al. showed at Crypto 99 that moduli of the form N = p^r q can be factored in polynomial time when r ≃ log(p). Their algorithm is based on Coppersmith's technique for finding small roots of polynomial equations. In this paper we show that N = p^r q^s can also be factored in polynomial time when r or s is at least (log p)^3; therefore we identify a new class of integers that can be efficiently factored. We also generalize our algorithm to moduli with k prime factors N = \prod_{i=1}^k p_i^{r_i}; we show that a non-trivial factor of N can be extracted in polynomial time if one of the exponents r_i is large enough.
A Variant of Coppersmith's Algorithm with Improved Complexity and Efficient Exhaustive Search
Coppersmith described at Eurocrypt 96 a polynomial-time algorithm for finding small roots of univariate modular equations, based on lattice reduction. In this paper we describe the first improvement of the asymptotic complexity of Coppersmith's algorithm. Our method consists of taking advantage of the structure of Coppersmith's matrix in order to apply the LLL algorithm to a matrix whose elements are smaller than those of Coppersmith's original matrix. Using the algorithm, the asymptotic complexity of our method is for any , instead of previously. Furthermore, we devise a method that speeds up the exhaustive search which is usually performed to reach Coppersmith's theoretical bound. Our approach takes advantage of the LLL reduction performed to test one guess to reduce the complexity of the LLL reduction performed for the next guess. Experimental results confirm that it leads to a considerable performance improvement.
Supplemental Access Control (PACE v2): Security Analysis of PACE Integrated Mapping
We describe and analyze the password-based key establishment protocol PACE v2 Integrated Mapping (IM), an evolution of PACE v1 jointly proposed by Gemalto and Sagem Sécurité.
PACE v2 IM enjoys the following properties:
patent-freeness (to the best of current knowledge in the field);
full resistance to dictionary attacks, secrecy and forward secrecy in the security model agreed upon by the CEN TC224 WG16 group;
optimal performance.
The PACE v2 IM protocol is intended to provide an alternative to the German PACE v1 protocol, which is also the German PACE v2 Generic Mapping (GM) protocol, proposed by the German Federal Office for Information Security (BSI). In this document, we provide a description of PACE v2 IM, a description of the security requirements one expects from a password-based key establishment protocol in order to support secure applications, and a security proof of PACE v2 IM in the so-called Bellare-Pointcheval-Rogaway (BPR) security model.
New attacks on PKCS#1 v1.5 encryption
This paper introduces two new attacks on PKCS#1 v1.5, an RSA-based encryption standard proposed by RSA Laboratories. As opposed to Bleichenbacher's attack, our attacks are chosen-plaintext only, i.e. they do not make use of a decryption oracle. The first attack applies to small public exponents and shows that a plaintext ending with sufficiently many zeroes can be recovered efficiently when two or more ciphertexts corresponding to the same plaintext are available. We believe the technique we employ to be of independent interest, as it extends Coppersmith's low-exponent attack to certain length parameters. Our second attack is applicable to arbitrary public exponents, provided that most message bits are zeroes. It seems to constitute the first chosen-plaintext attack on an RSA-based encryption standard that yields practical results for any public exponent.
- …