Practical Approaches to Attaining Security Against Adaptively Chosen Ciphertext Attacks
In Advances in Cryptology – Crypto '92, 1992
Cited by 23 (2 self)
Abstract. This paper presents three methods for strengthening public key cryptosystems in such a way that they become secure against adaptively chosen ciphertext attacks. In an adaptively chosen ciphertext attack, an attacker can query the deciphering algorithm with any ciphertexts, except for the exact object ciphertext to be cryptanalyzed. The first strengthening method is based on the use of one-way hash functions, the second on the use of universal hash functions and the third on the use of digital signature schemes. Each method is illustrated by an example of a public key cryptosystem based on the intractability of computing discrete logarithms in finite fields. Two other issues, namely applications of the methods to public key cryptosystems based on other intractable problems and enhancement of information authentication capability to the cryptosystems, are also discussed.
An efficient discrete log pseudo random generator
Proc. of Crypto '98, 1998
Cited by 20 (1 self)
Abstract. The exponentiation function in a finite field of order p (a prime number) is believed to be a one-way function. It is well known that O(log log p) bits are simultaneously hard for this function. We consider a special case of this problem, the discrete logarithm with short exponents, which is also believed to be hard to compute. Under this intractability assumption we show that discrete exponentiation modulo a prime p can hide n − ω(log n) bits (n = ⌈log p⌉ and p = 2q + 1, where q is also a prime). We prove simultaneous security by showing that any information about the n − ω(log n) bits can be used to discover the discrete log of g^s mod p where s has ω(log n) bits. For all practical purposes, the size of s can be a constant c bits. This leads to a very efficient pseudorandom number generator which produces n − c bits per iteration. For example, when n = 1024 bits and c = 128 bits our pseudorandom number generator produces a little less than 900 bits per exponentiation.
On the Security of Modular Exponentiation with Application to the Construction of Pseudorandom Generators
Journal of Cryptology, 2000
Cited by 16 (0 self)
Assuming the intractability of factoring, we show that the output of the exponentiation modulo a composite function f_{N,g}(x) = g^x mod N (where N = P · Q) is pseudorandom, even when its input is restricted to be half the size. This result is equivalent to the simultaneous hardness of the upper half of the bits of f_{N,g}, proven by Hastad, Schrift and Shamir. Yet, we supply a different proof that is significantly simpler than the original one. In addition, we suggest a pseudorandom generator which is more efficient than all previously known factoring based pseudorandom generators. Keywords: Modular exponentiation, discrete logarithm, hard core predicates, simultaneous security, pseudorandom generator, factoring assumption. This writeup is based on the Master Thesis of the second author (supervised by the first author). 1 Introduction. One-way functions play an extremely important role in modern cryptography. Loosely speaking, these are functions which are easy to evaluate bu...
The Security of all RSA and Discrete Log Bits
2003
Cited by 11 (0 self)
We study the security of individual bits in an RSA encrypted message E_N(x). We show that given E_N(x), predicting any single bit in x with only a non-negligible advantage over the trivial guessing strategy is (through a polynomial time reduction) as hard as breaking RSA. Moreover, we prove that blocks of O(log log N) bits of x are computationally indistinguishable from random bits. The results carry over to the Rabin encryption scheme. Considering the discrete exponentiation function g^x modulo p, with probability 1 − o(1) over random choices of the prime p, the analog results are demonstrated. The results do not rely on group representation, and therefore apply to general cyclic groups as well. Finally, we prove that the bits of ax + b modulo p give hard core predicates for any one-way function f. All our results follow from a general result on the chosen multiplier hidden number problem: given an integer N, and access to an algorithm P_x that on input a random a ∈ Z_N returns a guess of the i-th bit of ax mod N, recover x. We show that for any i, if P_x has at least a non-negligible advantage in predicting the i-th bit, we either recover x or obtain a non-trivial factor of N in polynomial time. The result also extends to prove the results about simultaneous security of blocks of O(log log N) bits.
A Practical Digital Multisignature Scheme Based on Discrete Logarithms (Extended Abstract)
In AUSCRYPT'92, 1993
Cited by 10 (1 self)
Thomas Hardjono (ATR Communications Research Laboratories, 2-2 Hikaridai, Seika-cho, Soraku-gun, Kyoto 619-02, Japan) and Yuliang Zheng (Department of Computer Science, University of Wollongong, Australia). Abstract. This paper proposes a practical digital multisignature scheme based on the C?sig cryptosystem derived from the Csig cryptosystem of Zheng and Seberry (1993). The simple scheme consists of three phases. In the first phase the issuer of the document prepares the document, the list of prospective signatories and a pad on which signatories are to write their signatures. In the second phase each signatory verifies the document, signs it and forwards it to the next signatory. In the third phase a trusted verifier or notary decides on the validity of the signatures. The scheme prevents cheating by dishonest signatories from going undetected. The scheme is practical and offers at least the same security level afforded by its underlying cryptosystem against extern...
Security of almost all discrete log bits
Electronic Colloq. on Comp. Compl., Univ. of Trier, 1998
Cited by 6 (0 self)
Let G be a finite cyclic group with generator α and with an encoding so that multiplication is computable in polynomial time. We study the security of bits of the discrete log x when given exp_α(x), assuming that the exponentiation function exp_α(x) = α^x is one-way. We reduce the general problem to the case that G has odd order q. If G has odd order q, the security of the least significant bits of x and of the most significant bits of the rational number x/q ∈ [0, 1) follows from the work of Peralta [P85] and Long and Wigderson [LW88]. We generalize these bits and study the security of consecutive shift bits lsb(2^{−i} x mod q) for i = k + 1, ..., k + j. When we restrict exp_α to arguments x such that some sequence of j consecutive shift bits of x is constant (i.e., not depending on x) we call it a 2^{−j}-fraction of exp_α. For groups of odd group order q we show that every two 2^{−j}-fractions of exp_α are equally one-way by a polynomial time transformation: either they are all one-way or none of them. Our key theorem shows that arbitrary j consecutive shift bits of x are
Improved public key cryptosystems secure against chosen ciphertext attacks
1994
Cited by 5 (1 self)
This short note describes an improvement to the first two of the three public key cryptosystems proposed by Zheng and Seberry, which are provably secure against chosen ciphertext attacks. The improvement removes a shortcoming with the original cryptosystems, which occurs when they are used for both confidentiality and sender authentication purposes.
Bit Extraction, Hard-Core Predicates, and the Bit Security of RSA
1998
Cited by 1 (1 self)
This thesis presents results on bit security and bit extraction. 1. A function
What is the Inverse of Repeated Square and Multiply Algorithm?
2007
Cited by 1 (0 self)
It is well known that the repeated square and multiply algorithm is an efficient way of modular exponentiation. The obvious question to ask is if this algorithm has an inverse which would calculate the discrete logarithm and what is its time complexity. The technical hitch is in fixing the right sign of the square root and this is the heart of the discrete logarithm problem over finite fields of characteristic not equal to 2. In this paper a couple of probabilistic algorithms to compute the discrete logarithm over finite fields and their time complexity are given by bypassing this difficulty. One of the algorithms was inspired by the famous 3x + 1 problem. Key words. Discrete logarithm, Legendre symbol, 3x + 1 problem.
Cryptographic Applications of thResiduosity Problem with an Odd Integer
Abstract. Let and n be positive integers. An integer z with gcd(z, n) = 1 is called a th residue mod n if there exists an integer x such that z x (mod n), or a th non-residue mod n if there doesn't exist such an x. Denote by Z_n the set of integers relatively prime to n between 0 and n. The problem of determining whether or not a randomly selected element z ∈ Z_n is a th residue mod n is called the th Residuosity Problem ( thRP), and appears to be intractable when n is a composite integer whose factorization is unknown. In this paper, we explore some important properties of thRP for the case where is an odd integer greater than 2, and discuss its applications to cryptography. Based on the difficulty of thRP, we generalize the Goldwasser–Micali bit-by-bit probabilistic encryption to a block-by-block probabilistic one, and propose a direct protocol for the dice casting problem over a network. This problem is a general one which includes the well-studied coin flipping problem.