Results 1 - 10 of 32
Simultaneous hardcore bits and cryptography against memory attacks
In TCC, 2009
Cited by 114 (11 self)
This paper considers two questions in cryptography. Cryptography Secure Against Memory Attacks. A particularly devastating side-channel attack against cryptosystems, termed the “memory attack”, was proposed recently. In this attack, a significant fraction of the bits of a secret key of a cryptographic algorithm can be measured by an adversary if the secret key is ever stored in a part of memory which can be accessed even after power has been turned off for a short amount of time. Such an attack has been shown to completely compromise the security of various cryptosystems in use, including the RSA cryptosystem and AES. We show that the public-key encryption scheme of Regev (STOC 2005), and the identity-based encryption scheme of Gentry, Peikert and Vaikuntanathan (STOC 2008) are remarkably robust against memory attacks where the adversary can measure a large fraction of the bits of the secret-key, or more generally, can compute an arbitrary function of the secret-key of bounded output length. This is done without increasing the size of the secret-key, and without introducing any
Lower bounds on the Efficiency of Generic Cryptographic Constructions
41st IEEE Symposium on Foundations of Computer Science (FOCS), IEEE, 2000
Cited by 81 (6 self)
A central focus of modern cryptography is the construction of efficient, “high-level” cryptographic tools (e.g., encryption schemes) from weaker, “low-level” cryptographic primitives (e.g., one-way functions). Of interest are both the existence of such constructions, and their efficiency. Here, we show essentially-tight lower bounds on the best possible efficiency of any black-box construction of some fundamental cryptographic tools from the most basic and widely-used cryptographic primitives. Our results hold in an extension of the model introduced by Impagliazzo and Rudich, and improve and extend earlier results of Kim, Simon, and Tetali. We focus on constructions of pseudorandom generators, universal one-way hash functions, and digital signatures based on one-way permutations, as well as constructions of public- and private-key encryption schemes based on trapdoor permutations. In each case, we show that any black-box construction beating our efficiency bound would yield the unconditional existence of a one-way function and thus, in particular, prove P != NP.
Traceable signatures
Cited by 65 (5 self)
This work presents a new privacy primitive called “Traceable Signatures”, together with an efficient provably secure implementation. To this end, we develop the underlying mathematical and protocol tools, present the concepts and the underlying security model, and then realize the scheme and its security proof. Traceable signatures support an extended set of fairness mechanisms (mechanisms for anonymity management and revocation) when compared with the traditional group signature mechanism. The extended functionality of traceable signatures is needed for proper operation and adequate level of privacy in various settings and applications. For example, the new notion allows (distributed) tracing of all signatures of a single (misbehaving) party without opening signatures and revealing identities of any other user in the system. In contrast, if such tracing is implemented by a state of the art group signature system, such wide opening of all signatures of a single user is a (centralized) operation that requires the opening of all anonymous signatures and revealing the users associated with them, an act that violates the privacy of all users. To allow efficient implementation of our scheme we develop a number of basic tools, zero-knowledge proofs, protocols, and primitives that we use extensively throughout. These novel mechanisms work directly over a group of unknown order, contributing to the efficiency and modularity of our design, and may be of independent interest. The interactive version of our signature scheme yields the notion of “traceable (anonymous) identification.”
Synthesizers and Their Application to the Parallel Construction of Pseudo-Random Functions
1995
Cited by 49 (10 self)
A pseudorandom function is a fundamental cryptographic primitive that is essential for encryption, identification and authentication. We present a new cryptographic primitive called pseudorandom synthesizer and show how to use it in order to get a parallel construction of a pseudorandom function. We show several NC¹ implementations of synthesizers based on concrete intractability assumptions as factoring and the Diffie-Hellman assumption. This yields the first parallel pseudorandom functions (based on standard intractability assumptions) and the only alternative to the original construction of Goldreich, Goldwasser and Micali. In addition, we show parallel constructions of synthesizers based on other primitives such as weak pseudorandom functions or trapdoor one-way permutations. The security of all our constructions is similar to the security of the underlying assumptions. The connection with problems in Computational Learning Theory is discussed.
An improved pseudorandom generator based on discrete log
Journal of Cryptology, 2000
Cited by 36 (2 self)
Under the assumption that solving the discrete logarithm problem modulo an n-bit prime p is hard even when the exponent is a small c-bit number, we construct a new and improved pseudorandom bit generator. This new generator outputs n − c − 1 bits per exponentiation with a c-bit exponent. Using typical parameters, n = 1024 and c = 160, this yields roughly 860 pseudorandom bits per small exponentiation. Using an implementation with quite small precomputation tables, this yields a rate of more than 20 bits per modular multiplication, thus much faster than the squaring (BBS) generator with similar parameters.
An Efficient Pseudo-Random Generator Provably as Secure as Syndrome Decoding
1996
Cited by 33 (1 self)
We show a simple and efficient construction of a pseudorandom generator based on the intractability of an NP-complete problem from the area of error-correcting codes. The generator is proved as secure as a hard instance of the syndrome decoding problem. Each application of the scheme generates a linear amount of bits in only quadratic computing time. 1 Introduction A pseudorandom generator is an algorithm producing strings of bits that look random. The concept of "randomly looking" has been formalized by Blum and Micali [4] within the framework of complexity theory. Yao [22] has shown that the existence of a one-way permutation is sufficient to construct a pseudorandom generator. Subsequently, a long series of deep articles led to the conclusion that the existence of a one-way function is equivalent to the hypothesis that a pseudorandom generator exists [15, 10, 14]. However, the theoretical constructions proposed in these articles are often impractical. Several schemes have been ...
Cryptographic Extraction and Key Derivation: The HKDF Scheme
Proceedings of CRYPTO 2010
Cited by 31 (4 self)
In spite of the central role of key derivation functions (KDF) in applied cryptography, there has been little formal work addressing the design and analysis of general multipurpose KDFs. In practice, most KDFs (including those widely standardized) follow ad-hoc approaches that treat cryptographic hash functions as perfectly random functions. In this paper we close some gaps between theory and practice by contributing to the study and engineering of KDFs in several ways. We provide detailed rationale for the design of KDFs based on the extract-then-expand approach; we present the first general and rigorous definition of KDFs and their security which we base on the notion of computational extractors; we specify a concrete fully practical KDF based on the HMAC construction; and we provide an analysis of this construction based on the extraction and pseudorandom properties of HMAC. The resultant KDF design can support a large variety of KDF applications under suitable assumptions on the underlying hash function; particular attention and effort is devoted to minimizing these assumptions as much as possible for each usage scenario. Beyond the theoretical interest in modeling KDFs, this work is intended to address two
An Efficient Discrete Log Pseudo Random Generator
Crypto ’98, LNCS No. 1462, 1998
Cited by 29 (1 self)
The exponentiation function in a finite field of order p (a prime number) is believed to be a one-way function. It is well known that O(log log p) bits are simultaneously hard for this function. We consider a special case of this problem, the discrete logarithm with short exponents, which is also believed to be hard to compute. Under this intractability assumption we show that discrete exponentiation modulo a prime p can hide n − ω(log n) bits (n = ⌈log p⌉ and p = 2q + 1, where q is also a prime). We prove simultaneous security by showing that any information about the n − ω(log n) bits can be used to discover the discrete log of g^s mod p where s has ω(log n) bits. For all practical purposes, the size of s can be a constant c bits. This leads to a very efficient pseudorandom number generator which produces n − c bits per iteration. For example, when n = 1024 bits and c = 128 bits our pseudorandom number generator produces a little less than 900 bits per exponentiation.
On the Security of Modular Exponentiation with Application to the Construction of Pseudorandom Generators
Journal of Cryptology, 2000
Cited by 21 (0 self)
Assuming the intractability of factoring, we show that the output of the exponentiation modulo a composite function f_{N,g}(x) = g^x mod N (where N = P · Q) is pseudorandom, even when its input is restricted to be half the size. This result is equivalent to the simultaneous hardness of the upper half of the bits of f_{N,g}, proven by Hastad, Schrift and Shamir. Yet, we supply a different proof that is significantly simpler than the original one. In addition, we suggest a pseudorandom generator which is more efficient than all previously known factoring based pseudorandom generators. Keywords: Modular exponentiation, discrete logarithm, hard core predicates, simultaneous security, pseudorandom generator, factoring assumption. This writeup is based on the Master Thesis of the second author (supervised by the first author). 1 Introduction One-way functions play an extremely important role in modern cryptography. Loosely speaking, these are functions which are easy to evaluate bu...
Lecture Notes on Cryptography
2001
Cited by 21 (0 self)
This is a set of lecture notes on cryptography compiled for 6.87s, a one week long course on cryptography taught at MIT by Shafi Goldwasser and Mihir Bellare in the summers of 1996–2001. The notes were formed by merging notes written for Shafi Goldwasser’s Cryptography and Cryptanalysis course at MIT with notes written for Mihir Bellare’s Cryptography and network security course at UCSD. In addition, Rosario Gennaro (as Teaching Assistant for the course in 1996) contributed Section 9.6, Section 11.4, Section 11.5, and Appendix D to the notes, and also compiled, from various sources, some of the problems in Appendix E. Cryptography is of course a vast subject. The thread followed by these notes is to develop and explain the notion of provable security and its usage for the design of secure protocols. Much of the material in Chapters 2, 3 and 7 is a result of scribe notes, originally taken by MIT graduate students who attended Professor Goldwasser’s Cryptography and Cryptanalysis course over the years, and later edited by Frank D’Ippolito who was a teaching assistant for the course in 1991. Frank also contributed much of the advanced number theoretic material in the Appendix. Some of the material in Chapter 3 is from the chapter on Cryptography, by R. Rivest, in the Handbook of Theoretical Computer Science. Chapters 4, 5, 6, 8 and 10, and Sections 9.5 and 7.4.6, were written by Professor Bellare for his Cryptography and network security course at UCSD.