Xianhui Lu,Jiang Zhang

DOI: https://doi.org/10.1093/nsr/nwab090

IF: 20.6

2021-05-24

National Science Review

Abstract:The invention of public-key cryptography (PKC) by Diffie and Hellman in 1976 is one of two milestones marking the beginning of modern cryptography. The security of a PKC system requires that it should be infeasible to compute the private key from a given public key, which in turn is typically guaranteed by the difficulty in solving some cryptographic-friendly mathematical problems. Among those problems, the integer factorization and discrete logarithm problems play pivotal roles in the development of public-key cryptography. In particular, the assumption that there is no polynomial time (classical) algorithm that solves the above two problems constitutes the basis for the security of almost all currently used public-key cryptosystems, such as RSA and ElGamal. However, Shor [1] found an efficient quantum solving algorithm for the integer factorization and discrete logarithm problems in 1994, which would destroy the security basis for most real deployed PKC systems if large-scale quantum computers become available. The rapid development of quantum technology in recent years suggests that we are getting closer to the quantum crisis of current PKC systems.

multidisciplinary sciences

Zhen Liu,Xiaoyuan Yang

DOI: https://doi.org/10.1109/incos.2013.108

2013-01-01

Abstract:The cipher text consistency check that can be implemented publicly has practical significance, and it is always an interested studying aspect to construct cryptographic algorithm without pairings in the field of cryptographic. On the other hand, it is one of the most important research topics to design CCA-secure PKE schemes with weaker assumptions. Especially, there have been no CCA-secure PKE scheme under factoring assumption, except for a recent work by Hofheinz, D., Kiltz, E. A fly in the ointment is that HK09's scheme is not a public verifiable construction. Using the Gap quality that the Decisional Diffie-Hellman problem is easy but the Computational Diffie-Hellman problem is difficult as factoring, we instantiated HK09's scheme over the group of signed quadratic residues, and realized public verifiable construct. It will be used to construct threshold schemes.

Shuai Han,Shengli Liu,Lin Lyu

DOI: https://doi.org/10.1007/978-3-662-53890-6_11

2016-01-01

Abstract:KDM[F]-CCA secure public-key encryption (PKE) protects the security of message f(sk), with f. F, that is computed directly from the secret key, even if the adversary has access to a decryption oracle. An efficient KDM[F-aff]-CCA secure PKE scheme for affine functions was proposed by Lu, Li and Jia (LLJ, EuroCrypt2015). We point out that their security proof cannot go through based on the DDH assumption. In this paper, we introduce a new concept Authenticated Encryption with Auxiliary-Input AIAE and define for it new security notions dealing with related-key attacks, namely IND-RKA security and weak INT-RKA security. We also construct such an AIAE w.r.t. a set of restricted affine functions from the DDH assumption. With our AIAE,- we construct the first efficient KDM[F-aff]-CCA secure PKE w.r.t. affine functions with compact ciphertexts, which consist only of a constant number of group elements;- we construct the first efficient KDM[F-poly(d)]-CCA secure PKE w.r.t. polynomial functions of bounded degree d with almost compact ciphertexts, and the number of group elements in a ciphertext is polynomial in d, independent of the security parameter.Our PKEs are both based on the DDH & DCR assumptions, free of NIZK and free of pairing.

Xiujie Zhang,Chunxiang Xu,Wenzheng Zhang

DOI: https://doi.org/10.1109/EIDWT.2013.76

2013-01-01

Abstract:Threshold Public Key Encryption allows a set of servers to decrypt a cipher text if a given threshold of authorized servers cooperate. Forward security allows one to mitigate the damage caused by exposure of secret keys. Forward-secure public encryptions are used to the threshold setting, this model guarantees that even if an adversary have broken into more than t distinct servers(for some i), messages encrypted during all time periods prior to i remain secret. In this paper, we present the first probably secure (non-interactive) forward-secure threshold public-key encryption scheme against chosen-cipher text attacks in the random oracle model. The encryption and update operations are very efficient when compared with the scheme presented by Libert et al. A formal definition, as well as a detailed analysis of the security performance of this scheme, is presented. The security of this scheme is based on the Computational Bilinear Diffie Hellman assumption, which leads to a unique approach to prove security in the random oracle model. Furthermore, in our model, the servers update their keys individually and asynchronously, without any communication between them.

Shuai Han,Shengli Liu,Lin Lyu

DOI: https://doi.org/10.1155/2017/2148534

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:KDM[F]-CCA security of public-key encryption (PKE) ensures the privacy of key-dependent messages f(sk) which are closely related to the secret key sk, where f∈F, even if the adversary is allowed to make decryption queries. In this paper, we study the design of KDM-CCA secure PKE. To this end, we develop a new primitive named Auxiliary-Input Authenticated Encryption (AIAE). For AIAE, we introduce two related-key attack (RKA) security notions, including IND-RKA and weak-INT-RKA. We present a generic construction of AIAE from tag-based hash proof system (HPS) and one-time secure authenticated encryption (AE) and give an instantiation of AIAE under the Decisional Diffie-Hellman (DDH) assumption. Using AIAE as an essential building block, we give two constructions of efficient KDM-CCA secure PKE based on the DDH and the Decisional Composite Residuosity (DCR) assumptions. Specifically, (i) our first PKE construction is the first one achieving KDM[Faff]-CCA security for the set of affine functions and compactness of ciphertexts simultaneously. (ii) Our second PKE construction is the first one achieving KDM[Fpolyd]-CCA security for the set of polynomial functions and almost compactness of ciphertexts simultaneously. Our PKE constructions are very efficient; in particular, they are pairing-free and NIZK-free.

Edward Gerjuoy

DOI: https://doi.org/10.1119/1.1891170

IF: 0.835

2005-06-01

American Journal of Physics

Abstract:The security of messages encoded via the widely used RSA public key encryption system rests on the enormous computational effort required to find the prime factors of a large number N using classical (conventional) computers. In 1994 Peter Shor showed that for sufficiently large N, a quantum computer could perform the factoring with much less computational effort. This paper endeavors to explain, in a fashion comprehensible to the nonexpert, the RSA encryption protocol; the various quantum computer manipulations constituting the Shor algorithm; how the Shor algorithm performs the factoring; and the precise sense in which a quantum computer employing Shor’s algorithm can be said to accomplish the factoring of very large numbers with less computational effort than a classical computer. It is made apparent that factoring N generally requires many successive runs of the algorithm. Our analysis reveals that the probability of achieving a successful factorization on a single run is about twice as large as commonly quoted in the literature.

physics, multidisciplinary,education, scientific disciplines

Baodong Qin,Shengli Liu,Kefei Chen

DOI: https://doi.org/10.1049/iet-ifs.2013.0173

2014-01-01

IET Information Security

Abstract:A leakage-resilient public-key encryption (PKE) scheme provides security even if an adversary obtains some information on the secret key. In recent years, much attention has been focused on designing provably secure PKE in the presence of key-leakage and almost all the constructions rely on an important building block namely hash proof system (HPS). However, in the setting of adaptive chosen-ciphertext attacks (CCA2), there are not many HPS-based leakage-resilient PKE schemes available. Moreover, most of them have an unsatisfactory leakage rate. In this study, the authors propose a new method of constructing leakage-resilient CCA2-secure PKE scheme from any tag-based strongly universal(2) HPS. The striking advantage of the authors scheme is the leakage rate, which is the best one among all known HPS-based indistinguishability key leakage CCA2-secure constructions. In particular, they present an instantiation under the n-linear assumption. In the cases of n = 1 (resp. n = 2), they actually obtain a decisional Diffie-Hellman (DDH)-based [resp. decisional linear (DLIN)-based] PKE scheme, where the leakage rate can be made to 1/4 (resp. 1/6). The authors DDH-based scheme achieves the best leakage rate among all known DDH-based (Cramer-Shoup-type) schemes. Their DLIN-based scheme is the first one that can achieve leakage of L/6 bits without pairing, where L is the length of the secret key.

SF Sun,Udaya Parampalli,TH Yuen,Yong Yu,Dawu Gu

2016-01-01

Abstract:© Springer International Publishing Switzerland 2016.Motivated by tampering attacks in practice, two different but related security notions, termed complete non-malleability and relatedkey attack security, have been proposed recently. In this work, we study their relations and present the first public key encryption scheme that is secure in both notions under standard assumptions. Moreover, by exploiting the technique for achieving complete non-malleability, we give a practical scheme for the related-key attack security. Precisely, the scheme is proven secure against polynomial functions of bounded degree d under a newly introduced hardness assumption called dmodified extended decisional bilinear Diffie-Hellman assumption. Since the schemes are constructed in a direct way instead of relying on the noninteractive zero knowledge proof or signature techniques, they not only achieve the strong security notions but also have better performances.

Yao Lu,Rui Zhang,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-642-39059-3_5

2013-01-01

Abstract:Factoring large integers is a fundamental problem in algebraic number theory and modern cryptography, which many cryptosystems, e.g. RSA, are based on. Up to now, there is no known polynomial-time algorithm to solve it with classical computers. However, in practice side-channel attacks usually cause serious damage: Even if a small proportion of bits in the secret primes is leaked, one may efficiently factor. In this paper, we study the problem of factoring with partial known bits for multi-power RSA modulus N = pr q. In 1999, Boneh, Durfee and Howgrave-Graham showed that this problem can be solved efficiently given a 1/r+1-fraction of the most significant bits (MSB) of p. In their attack, the unknown bits are located in one consecutive block. We propose two lattice-based approaches that extend the number of unknown blocks to arbitrary n (n ≥ 1). The advantage of our approaches is that now knowledge of a ln(1+r)/r-fraction of the bits of p is already sufficient (for any n). In fact, our result is a first step towards unifying and extending previous works by Boneh-Durfee-Howgrave (Crypto'99) and Herrmann-May (Asiacrypt'08). © 2013 Springer-Verlag.

Puwen Wei,Xiaoyun Wang,Yuliang Zheng

DOI: https://doi.org/10.1016/j.compeleceng.2012.02.001

2009-01-01

Abstract:In this paper, we report our success in identifying an efficient public key encryption scheme whose formal security proof does not require a random oracle. Specifically, we focus our attention on a universal hash based public key encryption scheme proposed by Zheng and Seberry at Crypto'92. Although Zheng and Seberry's encryption scheme is very simple and efficient, its reductionist security proof has not been provided. We show how to tweak the Zheng-Seberry scheme so that the resultant scheme not only preserves the efficiency of the original scheme but also admits provable security against adaptive chosen ciphertext attack without random oracle. For the security proof, our first attempt is based on a strong assumption called the oracle Diffie-Hellman^+ assumption. This is followed by a more challenging proof that employs a weaker assumption called the adaptive decisional Diffie-Hellman assumption, which is in alignment with adaptively secure assumptions advocated by Pandey, Pass and Vaikuntanathan.

Mei Qi-xiang,He Da-ke,Yu Zheng

2006-01-01

Abstract:In Eurocrypt 2004, Canetti, Halevi and Katz proposed a method for constructing Chosen Ciphertext secure ( ie., CCA secure) public key encryption from any Selective-ID secure ID-Based Encryption (IBE). However, this method needs one time signature and thus adds noticeable overhead to the underling scheme. In this paper, a new CCA secure public key cryptosystem is constructed from the Adaptive-ID secure IBE scheme proposed by Waters. Here, the "identity" is the hash of the first two parts of the ciphertext, and the bilinear map is used to test the ciphertext validity. The proposal is much more efficient than those obtained from the general CHK. method. The security of the new scheme is proved under the standard Decisional Bilinear Diffie-Hellman (DBDH) assumption.

Mengce Zheng,Noboru Kunihiro,Honggang Hu

DOI: https://doi.org/10.1007/978-3-319-60055-0_17

2017-01-01

Abstract:In this paper, we study the security of multi-prime RSA with small prime difference and propose two improved factoring attacks. The modulus involved in this variant is the product of r distinct prime factors of same bit-size. Zhang and Takagi (ACISP 2013) showed a Fermat-like factoring attack on multi-prime RSA. In order to improve the previous result, we gather more information about the prime factors to derive r simultaneous modular equations. The first attack is based on combining r equations to solve one multivariate modular equation by a generic lattice approach. Since the equation form is similar to multi-prime Phi-hiding problem, we propose the second attack by applying the optimal linearization technique. We also show that our attacks can achieve better bounds in the experiments.

Anthony Overmars,Sitalakshmi Venkatraman

DOI: https://doi.org/10.3390/jcp4010003

2024-01-10

Journal of Cybersecurity and Privacy

Abstract:The RSA (Rivest–Shamir–Adleman) cryptosystem is an asymmetric public key cryptosystem popular for its use in encryptions and digital signatures. However, the Wiener’s attack on the RSA cryptosystem utilizes continued fractions, which has generated much interest in developing competitive factoring algorithms. A general-purpose integer factorization method first proposed by Lehmer and Powers formed the basis of the well-known Continued Fraction Factorization (CFRAC) method. Recent work on the one line factoring algorithm by Hart and its connection with Lehman’s factoring method have motivated this paper. The emphasis of this paper is to explore the representations of PQ as continued fractions and the suitability of lower ordered convergences as representations of ab. These simpler convergences are then prescribed to Hart’s one line factoring algorithm. As an illustration, we demonstrate the working of our approach with two numbers: one smaller number and another larger number occupying 95 bits. Using our method, the fourth convergence finds the factors as the solution for the smaller number, while the eleventh convergence finds the factors for the larger number. The security of the RSA public key cryptosystem relies on the computational difficulty of factoring large integers. Among the challenges in breaking RSA semi-primes, RSA250, which is an 829-bit semi-prime, continues to hold a research record. In this paper, we apply our method to factorize RSA250 and present the practical implementation of our algorithm. Our approach’s theoretical and experimental findings demonstrate the reduction of the search space and a faster solution to the semi-prime factorization problem, resulting in key contributions and practical implications. We identify further research to extend our approach by exploring limitations and additional considerations such as the difference of squares method, paving the way for further research in this direction.

computer science, information systems, interdisciplinary applications, software engineering

Hung-Min Sun,Mu-En Wu

2005-01-01

Abstract:Based on the Chinese Remainder Theorem (CRT), Quisquater and Couvreur proposed an RSA variant, RSA-CRT, to speed up RSA decryption. Then, Wiener suggested another RSA variant, Rebalanced RSA-CRT, to further accelerate RSA-CRT decryption by shifting decryp- tion cost to encryption cost. However, such an approach makes RSA encryption very time- consuming because the public exponent e in Rebalanced RSA-CRT is of the same order of magnitude as φ(N). In this paper we study the following problem: does there exist any secure variant of Rebalanced RSA-CRT, whose public exponent e is much shorter than φ(N) ?W e solve this problem by designing two variants of Rebalanced RSA-CRT, Scheme A and Scheme B. In Scheme A, we focus on designing a variant in which dp and dq are of 160 bits, and e =2 567 +1. Thus the encryption time is reduced to about 1 2.7 of the time required by the original Rebalanced RSA-CRT. Scheme B is a variant in which dp and dq are of 198 bits, and e =2 511 +1 .T hus its encryption is about 3 times faster than that of Rebalanced RSA-CRT, but the decryption is a little slower than that of Rebalanced RSA-CRT.

Shengli Liu,Fangguo Zhang,Kefei Chen

DOI: https://doi.org/10.1002/cpe.3021

2013-01-01

Abstract:SUMMARYChosen‐ciphertext security has been well‐accepted as a standard security notion for public‐key encryption. But in a multi‐user surrounding, it may not be sufficient, because the adversary may corrupt some users to obtain the random coins as well as the plaintexts used to generate ciphertexts. The attack is named ‘selective opening attack’. We study how to achieve full‐fledged chosen‐ciphertext security in selective opening setting directly from the Decisional Diffie–Hellman assumption. Our construction is actually a tag‐based public‐key encryption scheme free of chameleon hashing and has a tight security reduction to the Decisional Diffie–Hellman assumption and the collision‐resistant assumption of hash functions. The tag for each ciphertext is generated in a flexible way to serve the chosen‐ciphertext security proof in selective opening settings. Copyright © 2013 John Wiley & Sons, Ltd.

Houzhen Wang,Huanguo Zhang,Shaohua Tang

DOI: https://doi.org/10.1049/iet-ifs.2015.0183

2015-01-01

IET Information Security

Abstract:Eight years ago, Pei et al. described a matrix public-key encryption scheme based on the matrix factorisation over a finite field. Recently, Gu and Zheng also proposed a similar scheme based on the non-abelian factorisation assumption. The security of these schemes is essentially based on a two-side matrices exponentiation (TSME) problem. In this study, the authors show that the TSME problem is susceptible to a very efficient linearisation equations attack. Regardless of the public key parameters, the authors can easily find an equivalent key only in polynomial time O(2n(5)(log n +1)) from the public key alone, and thus it is very practical and can be implemented within less than 1/20 of a second on the recommended system parameters of the schemes.

Shi-Feng Sun,Shuai Han,Dawu Gu,Shengli Liu

DOI: https://doi.org/10.1049/iet-ifs.2015.0195

2016-01-01

IET Information Security

Abstract:The authors present a new general construction of public key encryption (PKE) based on the restricted subset membership (RSM) assumption, which can achieve the bounded-memory leakage resilient security and the auxiliary-input leakage resilient security simultaneously. The construction is BHHO-type, as Brakerski et al. work, but the message space is much larger and the proof is more concise benefiting from the RSM assumption. Instantiating the construction with the QR assumption, the authors get the first QR-based auxiliary-input secure PKE with a larger message space than {0,1}. Moreover, the authors generalise the Goldreich-Levin theorem to large rings. This theorem helps to improve the construction to achieve the same security level with fewer public parameters and shorter ciphertexts compared with Brakerski et al. work. For the bounded-memory leakage resilient security, the construction can achieve leakage rate of 1-o(1) and avoid the dependence between the message length and the amount of leakage. Based on the general construction, the authors also can achieve both bounded-memory leakage resilient chosen ciphertext attack (CCA) security and the auxiliary-input leakage resilient CCA security via the well-known Naor-Yung paradigm.

John Proos,Christof Zalka

DOI: https://doi.org/10.48550/arXiv.quant-ph/0301141

2004-01-23

Abstract:We show in some detail how to implement Shor's efficient quantum algorithm for discrete logarithms for the particular case of elliptic curve groups. It turns out that for this problem a smaller quantum computer can solve problems further beyond current computing than for integer factorisation. A 160 bit elliptic curve cryptographic key could be broken on a quantum computer using around 1000 qubits while factoring the security-wise equivalent 1024 bit RSA modulus would require about 2000 qubits. In this paper we only consider elliptic curves over GF($p$) and not yet the equally important ones over GF($2^n$) or other finite fields. The main technical difficulty is to implement Euclid's gcd algorithm to compute multiplicative inverses modulo $p$. As the runtime of Euclid's algorithm depends on the input, one difficulty encountered is the ``quantum halting problem''.

Quantum Physics

Haibo Yu,Guoqiang Bai

DOI: https://doi.org/10.1007/978-3-319-29814-6_16

2015-01-01

Abstract:In this paper, we propose a new strategy of relations collection in factoring RSA modulus. The strategy has absolute advantage at computation efficiency with a highly parallel structure, and the reports have higher probability of being relations, since the strategy only considers small and medium primes in factor base without large primes. Besides, it is worth noting that the proposed algorithm used in strategy, only involves a multiplication, which can speed up relations collection step. Furthermore, we propose an architecture for multiplier that is based on our algorithm. Due to the inherent characters of the algorithm, our proposed architecture can perform with less registers, which makes for VLSI area optimization. Additionally, the comparison results with the published achievements show that our strategy could be a good choice for relations collection in factoring RSA modulus.

Mengce Zheng,Honggang Hu

DOI: https://doi.org/10.1007/978-3-030-31578-8_29

2019-01-01

Abstract:In this paper, we address the implicit related-key factorization problem on the RSA cryptosystem. Informally, we investigate under what condition it is possible to efficiently factor RSA moduli in polynomial time given the implicit information of related private keys. We propose lattice-based attacks using Coppersmith's techniques. We first analyze the special case given two RSA instances with known amounts of shared most significant bits (MSBs) and least significant bits (LSBs) of unknown related private keys. Subsequently a generic attack is proposed using a heuristic lattice construction when given more RSA instances. Furthermore, we conduct numerical experiments to verify the validity of the proposed attacks.