Authenticated Three Party Key Agreement Protocols from Pairings
2002
Cited by 23 (2 self)
This paper takes the pairing-based tripartite key agreement protocol of Joux and develops it to produce three-party key agreement protocols offering additional security properties. We present a number of tripartite, one-round, authenticated protocols related to the MTI and MQV protocols. We also present pass-optimal authenticated and key-confirmed tripartite protocols that generalise the station-to-station protocol.
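The one-round exchange the abstract builds on, written out as an added illustration (this is not text from the paper). Assume a bilinear map $e : G_1 \times G_1 \to G_2$ on a group $G_1$ of prime order $q$ generated by $P$, so that $e(xP, yP) = e(P,P)^{xy}$ for all $x, y \in \mathbb{Z}_q$. Each party picks a secret scalar and broadcasts a single value:

$$
A \to \{B, C\} : aP, \qquad B \to \{A, C\} : bP, \qquad C \to \{A, B\} : cP .
$$

Bilinearity lets every party combine the two values it received with its own secret and reach the same element of $G_2$:

$$
K_A = e(bP, cP)^a = e(P,P)^{abc}, \qquad
K_B = e(aP, cP)^b = e(P,P)^{abc}, \qquad
K_C = e(aP, bP)^c = e(P,P)^{abc}.
$$

Nothing in the three broadcast values proves who sent them, so an active adversary can substitute its own $a'P$, $b'P$, $c'P$ and share a key with each party separately; that lack of authentication is the gap the authenticated variants in the paper are designed to close.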
Universal Padding Schemes for RSA
Proc. Crypto'02, LNCS, 2002
Cited by 21 (1 self)
A common practice to encrypt with RSA is to first apply a padding scheme to the message and then to exponentiate the result with the public exponent; an example of this is OAEP. Similarly, the usual way of signing with RSA is to apply some padding scheme and then to exponentiate the result with the private exponent, as for example in PSS. Usually, the RSA modulus used for encrypting is different from the one used for signing. The goal of this paper is to simplify this common setting. First, we show that PSS can also be used for encryption, and yields an encryption scheme semantically secure against adaptive chosen-ciphertext attacks in the random oracle model. As a result, PSS can be used indifferently for encryption or signature. Moreover, we show that PSS allows the same RSA key pair to be used safely for both encryption and signature, in a concurrent manner. More generally, we show that with PSS the same set of keys can be used for both encryption and signature for any trapdoor partial-domain one-way permutation. The practical consequences of our result are important: PKIs and public-key implementations can be significantly simplified. Keywords: Probabilistic Signature Scheme, Provable Security.
On the Unpredictability of Bits of the Elliptic Curve Diffie-Hellman Scheme
Cited by 13 (4 self)
Let $E/\mathbb{F}_p$ be an elliptic curve, and $G \in E/\mathbb{F}_p$. Define the Diffie-Hellman function on $E/\mathbb{F}_p$ as $\mathrm{DH}_{E,G}(aG, bG) = abG$. We show that if there is an efficient algorithm for predicting the LSB of the $x$ or $y$ coordinate of $abG$ given $\langle E, G, aG, bG \rangle$ for a certain family of elliptic curves, then there is an algorithm for computing the Diffie-Hellman function on all curves in this family. This seems stronger than the best analogous results for the Diffie-Hellman function in $\mathbb{F}_p$. Boneh and Venkatesan showed that in $\mathbb{F}_p$ computing approximately $(\log p)^{1/2}$ of the bits of the Diffie-Hellman secret is as hard as computing the entire secret. Our results show that just predicting one bit of the Elliptic Curve Diffie-Hellman secret in a family of curves is as hard as computing the entire secret.
The modular inversion hidden number problem
In ASIACRYPT 2001, volume 2248 of LNCS, 2001
Cited by 12 (1 self)
We study a class of problems called Modular Inverse Hidden Number Problems (MIHNPs). The basic problem in this class is the following: given many pairs $\langle x_i, \mathrm{msb}_k((\alpha + x_i)^{-1} \bmod p) \rangle$ for random $x_i \in \mathbb{Z}_p$, the problem is to find $\alpha \in \mathbb{Z}_p$ (here $\mathrm{msb}_k(x)$ refers to the $k$ most significant bits of $x$). We describe an algorithm for this problem when $k > (\log_2 p)/3$ and conjecture that the problem is hard whenever $k < (\log_2 p)/3$. We show that assuming hardness of some variants of this MIHNP problem leads to very efficient algebraic PRNGs and MACs.
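The problem statement above, made concrete as an added example (this is not code from the paper, and the paper's polynomial-time solver is not reproduced). The sampler builds pairs $(x_i, \mathrm{msb}_k((\alpha + x_i)^{-1} \bmod p))$ exactly as the abstract defines them; the exhaustive search over $\mathbb{Z}_p$ is only there to show, for a toy prime, that the leaked bits do pin down $\alpha$. The prime, the secret, the sample points and the use of the bit length of $p$ in place of $\log_2 p$ are assumptions made here.

```python
"""MIHNP instance generation with a toy consistency solver.

Added illustration of the problem definition, not the paper's algorithm.
Assumptions: p is a small prime so exhaustive search is feasible; the
threshold (log2 p)/3 is approximated with p.bit_length()/3.
"""
import secrets
from typing import Iterable, List, Tuple

Sample = Tuple[int, int]  # (x_i, k most significant bits of (alpha + x_i)^-1 mod p)


def msb(v: int, k: int, p: int) -> int:
    """The k most significant bits of v, read as a bit_length(p)-bit integer."""
    n = p.bit_length()
    if not 0 < k <= n:
        raise ValueError("k must lie in 1..bit_length(p)")
    return v >> (n - k)


def mihnp_samples(alpha: int, p: int, k: int, xs: Iterable[int]) -> List[Sample]:
    """Oracle output for secret alpha: one (x, msb_k((alpha + x)^-1 mod p)) per x."""
    samples = []
    for x in xs:
        s = (alpha + x) % p
        if s == 0:
            continue  # no inverse exists; a real oracle would draw a fresh x
        samples.append((x, msb(pow(s, -1, p), k, p)))
    return samples


def random_xs(p: int, n: int) -> List[int]:
    """The abstract's 'random x_i in Z_p' (constructed input for a demo run)."""
    return [secrets.randbelow(p) for _ in range(n)]


def brute_force(samples: List[Sample], p: int, k: int) -> List[int]:
    """Every alpha in Z_p consistent with the samples (toy p only: O(p) work)."""
    consistent = []
    for cand in range(p):
        ok = True
        for x, leak in samples:
            s = (cand + x) % p
            if s == 0 or msb(pow(s, -1, p), k, p) != leak:
                ok = False
                break
        if ok:
            consistent.append(cand)
    return consistent


def above_threshold(p: int, k: int) -> bool:
    """True when k > (log2 p)/3, the regime in which the abstract gives an algorithm."""
    return k > p.bit_length() / 3


if __name__ == "__main__":
    p, alpha, k = 1019, 777, 4          # constructed toy parameters
    xs = random_xs(p, 10)
    samples = mihnp_samples(alpha, p, k, xs)
    print("above (log2 p)/3 threshold:", above_threshold(p, k))
    print("candidates consistent with 10 samples:", brute_force(samples, p, k))
```

Each sample leaks about $k$ bits, so roughly $(\log_2 p)/k$ samples already determine $\alpha$ information-theoretically; the paper's contribution is recovering it efficiently for large $p$ once $k$ exceeds $(\log_2 p)/3$, which the exhaustive search above does not attempt.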
Secure Bilinear Diffie-Hellman Bits
2002
Cited by 4 (1 self)
The Weil and Tate pairings are a popular new gadget in cryptography and have found many applications, including identity-based cryptography. In particular, the pairings have been used for key exchange protocols. This paper studies the bit security of keys obtained using protocols based on pairings (that is, we show that obtaining certain bits of the common key is as hard as computing the entire key). These results are valuable as they give insight into how many "hard-core" bits can be obtained from key exchange using pairings.
Simplified OAEP for the Rabin and RSA Functions
2001
Optimal Asymmetric Encryption Padding (OAEP) is a technique for converting the RSA trapdoor permutation into a chosen ciphertext secure system in the random oracle model. OAEP padding can be viewed as two rounds of a Feistel network. We show that for the Rabin and RSA trapdoor functions a much simpler padding scheme is sufficient for chosen ciphertext security in the random oracle model. We show that only one round of a Feistel network is sufficient. The proof of security for this simpler padding is more efficient than the proof for OAEP, resulting in much tighter security bounds. The proof of security uses the algebraic properties of the RSA and Rabin functions.
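The two-rounds-versus-one-round view of the abstract, as an added example (this is not code from the paper). The first pair of functions is the two-round Feistel structure of OAEP: round one masks the message and its zero redundancy with a hash of the seed, round two masks the seed with a hash of the result. The second pair keeps only round one and uses a hash of the message and seed as the redundancy instead of a zero block; that layout, the byte lengths and the SHA-256-based mask generator are assumptions made here, not the paper's exact scheme. Applying the RSA or Rabin trapdoor function to the padded block is deliberately left out, since the padding is what the abstract is about.

```python
"""Two-round (OAEP-style) versus one-round Feistel padding.

Added illustration, not code from the listed paper.  Assumed parameters:
64-byte block, 16-byte seed, SHA-256 based mask generation; the one-round
layout (m || h(m, r)) xor G(r) || r is an assumption in the spirit of the
abstract, not the paper's definition.
"""
import hashlib
import hmac
import os
from typing import Optional

K = 64      # padded block length in bytes (assumed)
R = 16      # random seed length in bytes (assumed)
ZEROS = 8   # zero-byte redundancy for the two-round padding (assumed)
TAG = 16    # h(m, r) redundancy length for the one-round padding (assumed)


def mgf(label: bytes, seed: bytes, length: int) -> bytes:
    """MGF1-style mask: SHA-256 over label || seed || counter, truncated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(label + seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _seed(r: Optional[bytes]) -> bytes:
    r = os.urandom(R) if r is None else r
    if len(r) != R:
        raise ValueError("seed must be %d bytes" % R)
    return r


def oaep_pad(m: bytes, r: Optional[bytes] = None) -> bytes:
    """Two Feistel rounds: X = (m || 0^ZEROS) xor G(r); Y = r xor H(X); output X || Y."""
    if len(m) != K - R - ZEROS:
        raise ValueError("message must be exactly %d bytes" % (K - R - ZEROS))
    r = _seed(r)
    x = xor(m + bytes(ZEROS), mgf(b"G", r, K - R))   # round 1: mask message + zeros
    y = xor(r, mgf(b"H", x, R))                       # round 2: mask the seed
    return x + y


def oaep_unpad(block: bytes) -> Optional[bytes]:
    """Invert both rounds; None when the zero redundancy does not check out."""
    x, y = block[:K - R], block[K - R:]
    r = xor(y, mgf(b"H", x, R))
    mz = xor(x, mgf(b"G", r, K - R))
    m, z = mz[:K - R - ZEROS], mz[K - R - ZEROS:]
    if not hmac.compare_digest(z, bytes(ZEROS)):
        return None
    return m


def one_round_pad(m: bytes, r: Optional[bytes] = None) -> bytes:
    """One Feistel round: X = (m || h(m, r)) xor G(r); output X || r.
    The seed is carried unmasked; the hash tag supplies the redundancy."""
    if len(m) != K - R - TAG:
        raise ValueError("message must be exactly %d bytes" % (K - R - TAG))
    r = _seed(r)
    tag = hashlib.sha256(b"h" + m + r).digest()[:TAG]
    x = xor(m + tag, mgf(b"G", r, K - R))
    return x + r


def one_round_unpad(block: bytes) -> Optional[bytes]:
    """Invert the single round; None when the recomputed tag differs."""
    x, r = block[:K - R], block[K - R:]
    mt = xor(x, mgf(b"G", r, K - R))
    m, tag = mt[:K - R - TAG], mt[K - R - TAG:]
    expected = hashlib.sha256(b"h" + m + r).digest()[:TAG]
    if not hmac.compare_digest(tag, expected):
        return None
    return m
```

Both decoders reject a modified block through the redundancy check alone; which of the two paddings actually gives chosen-ciphertext security once the trapdoor function is applied is what the paper's proofs establish, and the one-round variant's argument relies on the algebraic structure of RSA and Rabin rather than on the padding in isolation.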