Results 1-10 of 15
Unbiased Bits from Sources of Weak Randomness and Probabilistic Communication Complexity
1988
Abstract

Cited by 184 (5 self)
(..., Introduction and References only) Benny Chor, Oded Goldreich. MIT Laboratory for Computer Science, Cambridge, Massachusetts 02139. ABSTRACT: A new model for weak random physical sources is presented. The new model strictly generalizes previous models (e.g. the Santha and Vazirani model [24]). The sources considered output strings according to probability distributions in which no single string is too probable. The new model provides a fruitful viewpoint on problems studied previously as:
- Extracting almost perfect bits from sources of weak randomness: the question of possibility as well as the question of efficiency of such extraction schemes are addressed.
- Probabilistic Communication Complexity: it is shown that most functions have linear communication complexity in a very strong probabilistic sense.
- Robustness of BPP with respect to sources of weak randomness (generalizing a result of Vazirani and Vazirani [27]).
The paper has appeared in SIAM Journal o...
Towards the Equivalence of Breaking the Diffie-Hellman Protocol and Computing Discrete Logarithms
1994
Abstract

Cited by 70 (6 self)
Let G be an arbitrary cyclic group with generator g and order |G| with known factorization. G could be the subgroup generated by g within a larger group H. Based on an assumption about the existence of smooth numbers in short intervals, we prove that breaking the Diffie-Hellman protocol for G and base g is equivalent to computing discrete logarithms in G to the base g when a certain side information string S of length 2 log |G| is given, where S depends only on |G| but not on the definition of G and appears to be of no help for computing discrete logarithms in G. If every prime factor p of |G| is such that one of a list of expressions in p, including p − 1 and p + 1, is smooth for an appropriate smoothness bound, then S can efficiently be constructed and therefore breaking the Diffie-Hellman protocol is equivalent to computing discrete logarithms.
The Relationship Between Breaking the Diffie-Hellman Protocol and Computing Discrete Logarithms
1998
Abstract

Cited by 42 (3 self)
Both uniform and non-uniform results concerning the security of the Diffie-Hellman key-exchange protocol are proved. First, it is shown that in a cyclic group G of order |G| = ∏ p_i^{e_i}, where all the multiple prime factors of |G| are polynomial in log |G|, there exists an algorithm that reduces the computation of discrete logarithms in G to breaking the Diffie-Hellman protocol in G and has complexity √(max{(p_i)}) · (log |G|)^{O(1)}, where (p) stands for the minimum of the set of largest prime factors of all the numbers d in the interval [p − 2√p + 1, p + 2√p + 1]. Under the unproven but plausible assumption that (p) is polynomial in log p, this reduction implies that the Diffie-Hellman problem and the discrete logarithm problem are polynomial-time equivalent in G. Second, it is proved that the Diffie-Hellman problem and the discrete logarithm problem are equivalent in a uniform sense for groups whose orders belong to certain classes: there exists a p...
Diffie-Hellman Oracles
ADVANCES IN CRYPTOLOGY - CRYPTO '96, LECTURE NOTES IN COMPUTER SCIENCE
1996
Abstract

Cited by 37 (3 self)
This paper consists of three parts. First, various types of Diffie-Hellman oracles for a cyclic group G and subgroups of G are defined and their equivalence is proved. In particular, the security of using a subgroup of G instead of G in the Diffie-Hellman protocol is investigated. Second, we derive several new conditions for the polynomial-time equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms in G which extend former results by den Boer and Maurer. Finally, efficient constructions of Diffie-Hellman groups with provable equivalence are described.
The Diffie-Hellman Protocol
DESIGNS, CODES, AND CRYPTOGRAPHY
1999
Abstract

Cited by 29 (0 self)
The 1976 seminal paper of Diffie and Hellman is a landmark in the history of cryptography. They introduced the fundamental concepts of a trapdoor one-way function, a public-key cryptosystem, and a digital signature scheme. Moreover, they presented a protocol, the so-called Diffie-Hellman protocol, allowing two parties who share no secret information initially to generate a mutual secret key. This paper summarizes the present knowledge on the security of this protocol.
Multiple Polylogarithms: A Brief Survey
Abstract

Cited by 21 (6 self)
We survey various results and conjectures concerning multiple polylogarithms and the multiple zeta function. Among the results, we announce our resolution of several conjectures on multiple zeta values. We also provide a new integral representation for the general multiple polylogarithm, and develop a q-analogue of the shuffle product.
Period of the power generator and small values of Carmichael’s function
Math. Comp., 70
Abstract

Cited by 19 (12 self)
Abstract. Consider the pseudorandom number generator u_n ≡ u_{n−1}^e (mod m), 0 ≤ u_n ≤ m − 1, n = 1, 2, ..., where we are given the modulus m, the initial value u_0 = ϑ and the exponent e. One case of particular interest is when the modulus m is of the form pl, where p, l are different primes of the same magnitude. It is known from work of the first and third authors that for moduli m = pl, if the period of the sequence (u_n) exceeds m^{3/4+ε}, then the sequence is uniformly distributed. We show rigorously that for almost all choices of p, l it is the case that for almost all choices of ϑ, e, the period of the power generator exceeds (pl)^{1−ε}. And so, in this case, the power generator is uniformly distributed. We also give some other cryptographic applications, namely, to ruling out the cycling attack on the RSA cryptosystem and to so-called time-release crypto. The principal tool is an estimate related to the Carmichael function λ(m), the size of the largest cyclic subgroup of the multiplicative group of residues modulo m. In particular, we show that for any Δ ≥ (log log N)^3, we have λ(m) ≥ N exp(−Δ) for all integers m with 1 ≤ m ≤ N, apart from at most N exp(−0.69 (Δ log Δ)^{1/3}) exceptions.
Fixed-Parameter Complexity and Cryptography
1993
Abstract

Cited by 15 (11 self)
We discuss the issue of the parameterized computational complexity of a number of problems of interest in cryptography. We show that the problem of determining whether an n-digit number has a prime divisor less than or equal to n^k can be solved in expected time f(k) n^3 by a randomized algorithm that employs elliptic curve factorization techniques (this result depends on an unproved but plausible number-theoretic conjecture). An analogous computational problem concerning discrete logarithms is directly relevant to some proposed cryptosystem implementations. Our result suggests caution about implementations which fix a parameter such as the size or Hamming weight of keys. We show that several parameterized problems of relevance to cryptography, including k-Subset Sum, k-Perfect Code, and k-Subset Product, are likely to be intractable with respect to fixed-parameter complexity. In particular, we show that they cannot be solved in time f(k) n^α, where α is independent...
Uniform Circuits for Division: Consequences and Problems
ELECTRONIC COLLOQUIUM ON COMPUTATIONAL COMPLEXITY 7:065
2000
Abstract

Cited by 14 (6 self)
Integer division has been known to lie in P-uniform TC^0 since the mid-1980s, and recently this was improved to L-uniform TC^0. At the time that the results in this paper were proved and submitted for conference presentation, it was unknown whether division lay in DLOGTIME-uniform TC^0 (also known as FOM). We obtain tight bounds on the uniformity required for division, by showing that division is complete for the complexity class FOM + POW obtained by augmenting FOM with a predicate for powering modulo small primes. We also show that, under a well-known number-theoretic conjecture (that there are many "smooth" primes), POW (and hence division) lies in FOM. Building on this work, Hesse has shown recently that division is in FOM [17]. The essential
On the Implementation of Huge Random Objects
IN 44TH ANNUAL SYMPOSIUM ON FOUNDATIONS OF COMPUTER SCIENCE
2003
Abstract

Cited by 12 (2 self)
We initiate a general study of pseudorandom implementations of huge random objects, and apply it to a few areas in which random objects occur naturally. For example, a random object being considered may be a random connected graph, a random bounded-degree graph, or a random error-correcting code with good distance. A pseudorandom implementation of such type T objects must generate objects of type T that cannot be distinguished from random ones, rather than objects that cannot be distinguished from type T objects (although they are not type T at all).