Results 1-10 of 34
On the possibility of constructing meaningful hash collisions for public keys
ACISP '05: The 10th Australasian Conference on Information Security and Privacy, volume 3574 of Lecture Notes in Computer Science, 2005
Abstract

Cited by 27 (4 self)
It is sometimes argued (as in [4]) that finding meaningful hash collisions might prove difficult. We show that at least one of the arguments involved is wrong, by showing that for several common public key systems it is easy to construct pairs of meaningful and secure public key data that either collide or share other characteristics with the hash collisions as quickly constructed in [14]. We present some simple results, investigate what we can and cannot (yet) achieve, and formulate some open problems of independent interest. At this point we are not yet aware of truly interesting practical implications. Nevertheless, our results may be relevant for the practical assessment of the recent hash collision results in [14]. For instance, we show how to use hash collisions to construct two X.509 certificates that contain identical signatures and that differ only in the public keys. Thus hash collisions indeed undermine one of the principles underlying Public Key Infrastructures.
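The certificate construction described in this abstract, as an added toy example (not the paper's code, and not its exact parameters): a Merkle-Damgard-style hash with a 24-bit chaining value stands in for MD5, a birthday search supplies two blocks that collide from the chaining value reached after an identical certificate prefix, and two RSA moduli are built as n_i = B_i * 2^K + m with the colliding block B_i as the high part and a shared low part m chosen by CRT so that each modulus has a known factorisation. A textbook RSA "CA" then signs the first certificate body and the signature verifies on the second. The hash, the block sizes, the certificate layout, the CA key and the function names (toy_hash, colliding_moduli, make_tbs, demo) are all this example's own assumptions.

```python
# Added toy illustration, not the paper's code: the hash, key sizes and certificate layout
# are hypothetical stand-ins for the MD5 / X.509 data the paper works with.
import hashlib, random

STATE_BYTES = 3      # 24-bit chaining value: a birthday collision costs ~2^12 compressions
BLOCK_BYTES = 8      # 64-bit message blocks
K = 8 * BLOCK_BYTES  # modulus = B * 2^K + m: B is the colliding block, m a shared low block

def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function: truncated SHA-256 of chaining value || block."""
    return hashlib.sha256(state + block).digest()[:STATE_BYTES]

def toy_hash(msg: bytes) -> bytes:
    """Merkle-Damgard iteration from a zero IV; a one-block collision survives any equal suffix."""
    state = bytes(STATE_BYTES)
    msg += b"\x00" * (-len(msg) % BLOCK_BYTES)
    for i in range(0, len(msg), BLOCK_BYTES):
        state = compress(state, msg[i:i + BLOCK_BYTES])
    return state

def find_block_collision(state: bytes, rng: random.Random):
    """Birthday search for two distinct blocks that collide from the given chaining value."""
    seen = {}
    while True:
        blk = rng.getrandbits(8 * BLOCK_BYTES).to_bytes(BLOCK_BYTES, "big")
        h = compress(state, blk)
        if h in seen and seen[h] != blk:
            return seen[h], blk
        seen[h] = blk

SMALL_PRIMES = [2] + [p for p in range(3, 200, 2) if all(p % d for d in range(3, p, 2))]

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2 or any(n % p == 0 for p in SMALL_PRIMES):
        return n in SMALL_PRIMES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int, rng: random.Random) -> int:
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def colliding_moduli(B1: int, B2: int, rng: random.Random, half_bits: int = 24):
    """n_i = B_i * 2^K + m with the SAME low part m: pick primes p1, p2, solve by CRT for m with
    p1 | n1 and p2 | n2, then step m by p1*p2 (keeping m < 2^K) until both cofactors are prime."""
    while True:
        p1, p2 = random_prime(half_bits, rng), random_prime(half_bits, rng)
        if p1 == p2:
            continue
        m0 = (-B1 << K) % p1                                 # m0 = -B1*2^K (mod p1)
        m0 += ((-B2 << K) - m0) * pow(p1, -1, p2) % p2 * p1  # and = -B2*2^K (mod p2)
        for m in range(m0, 1 << K, p1 * p2):
            n1, n2 = (B1 << K) + m, (B2 << K) + m
            q1, q2 = n1 // p1, n2 // p2
            if is_probable_prime(q1) and is_probable_prime(q2):
                return (n1, p1, q1), (n2, p2, q2)   # both moduli with known factorisation

def make_tbs(prefix: bytes, n: int) -> bytes:  # hypothetical stand-in for an X.509 TBSCertificate
    return prefix + n.to_bytes(2 * BLOCK_BYTES, "big") + (65537).to_bytes(3, "big")

def ca_keygen(rng: random.Random, bits: int = 96):  # textbook RSA CA key of toy size
    while True:
        p, q = random_prime(bits, rng), random_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:       # e = 65537 is prime, so this makes it invertible mod phi
            return (p * q, 65537), (p * q, pow(65537, -1, phi))

def sign(priv, tbs: bytes) -> int:  # textbook RSA on the toy hash, no padding
    return pow(int.from_bytes(toy_hash(tbs), "big"), priv[1], priv[0])

def verify(pub, tbs: bytes, sig: int) -> bool:
    return pow(sig, pub[1], pub[0]) == int.from_bytes(toy_hash(tbs), "big")

def demo(seed: int = 2005) -> dict:
    rng = random.Random(seed)
    prefix = b"CN=Toy CA, O=Example;CN=Alice"                 # constructed; identical in both certs
    prefix += b"\x00" * (-len(prefix) % BLOCK_BYTES)          # align so the modulus starts a block
    blk1, blk2 = find_block_collision(toy_hash(prefix), rng)  # collide from the prefix's chaining value
    key1, key2 = colliding_moduli(int.from_bytes(blk1, "big"), int.from_bytes(blk2, "big"), rng)
    tbs1, tbs2 = make_tbs(prefix, key1[0]), make_tbs(prefix, key2[0])
    pub, priv = ca_keygen(rng)
    sig = sign(priv, tbs1)                                    # the CA signs certificate 1 only
    return {"tbs1": tbs1, "tbs2": tbs2, "keys": (key1, key2), "pub": pub, "sig": sig}
```

Calling demo() returns two certificate bodies that differ only in the modulus bytes yet hash to the same value, so the single CA signature verifies on both. The point the abstract makes is visible in the shape of the construction: the collision lives in the high half of the modulus, the low half is shared and is what makes both moduli factorable by their owner, and nothing about the prefix or the suffix needs to change. With a real hash the only hard step is the birthday search; the CRT and primality steps are the same.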
Efficient blind signatures without random oracles
In Carlo Blundo and Stelvio Cimato, editors, SCN 2004, 2004
Abstract

Cited by 17 (1 self)
The only known blind signature scheme that is secure in the standard model [20] is based on general results about multiparty computation, and thus it is extremely inefficient. The main result of this paper is the first provably secure blind signature scheme which is also efficient. We develop our construction as follows. In the first step, which is a significant result on its own, we devise and prove the security of a new variant of the Cramer-Shoup-Fischlin signature scheme. We are able to show that for generating signatures, instead of using randomly chosen prime exponents one can securely use randomly chosen odd integer exponents, which significantly simplifies the signature generating process. We obtain our blind signing function as a secure and efficient two-party computation that cleverly exploits its algebraic properties and those of the Paillier encryption scheme. The security of the resulting signing protocol relies on the Strong RSA assumption and the hardness of decisional composite residuosity; we stress that it does not rely on the existence of random oracles.
The Complete Analysis of a Polynomial Factorization Algorithm Over Finite Fields
2001
Abstract

Cited by 16 (3 self)
This paper derives basic probabilistic properties of random polynomials over finite fields that are of interest in the study of polynomial factorization algorithms. We show that the main characteristics of random polynomials can be treated systematically by methods of "analytic combinatorics" based on the combined use of generating functions and of singularity analysis. Our object of study is the classical factorization chain which is described in Fig. 1 and which, despite its simplicity, does not appear to have been totally analysed so far. In this paper, we provide a complete average-case analysis.
An analytic approach to smooth polynomials over finite fields
In Algorithmic Number Theory: Third Intern. Symp., ANTS-III, 1998
Abstract

Cited by 15 (2 self)
We consider the largest degrees that occur in the decomposition of polynomials over finite fields into irreducible factors. We expand the range of applicability of the Dickman function as an approximation for the number of smooth polynomials, which provides precise estimates for the discrete logarithm problem. In addition, we characterize the distribution of the two largest degrees of irreducible factors, a problem relevant to polynomial factorization. As opposed to most earlier treatments, our methods are based on a combination of exact descriptions by generating functions and a specific complex asymptotic method.
Chains of large gaps between consecutive primes
Adv. in Math, 1981
Abstract

Cited by 13 (3 self)
Let $G(x)$ denote the largest gap between consecutive primes below $x$. In a series of papers from 1935 to 1963, Erdős, Rankin, and Schönhage showed that
$$G(x) \ge (c + o(1)) \, \frac{\log x \, \log\log x \, \log\log\log\log x}{(\log\log\log x)^2},$$
where $c = e^{\gamma}$ and $\gamma$ is Euler's constant. Here, this result is shown with $c = c_0 e^{\gamma}$, where $c_0 = 1.31256\ldots$ is the solution of the equation $4/c_0 - e^{-4/c_0} = 3$. The principal new tool used is a result of independent interest, namely, a mean value theorem for generalized twin primes lying in a residue class with a large modulus.
Factoring estimates for a 1024bit RSA modulus
In: Proc. ASIACRYPT 2003, LNCS 2894, 2003
Abstract

Cited by 13 (6 self)
We estimate the yield of the number field sieve factoring algorithm when applied to the 1024-bit composite integer RSA-1024 and the parameters as proposed in the draft version [17] of the TWIRL hardware factoring device [18]. We present the details behind the resulting improved parameter choices from [18].
Integers, without large prime factors, in arithmetic progressions, II
Abstract

Cited by 11 (1 self)
We show that, for any fixed $\varepsilon > 0$, there are asymptotically the same number of integers up to $x$ that are composed only of primes $\le y$ in each arithmetic progression $\pmod q$, provided that $y \ge q^{1+\varepsilon}$ and $\log x / \log q \to \infty$ as $y \to \infty$: this improves on previous estimates.

Andrew Granville

1. Introduction. The study of the distribution of integers with only small prime factors arises naturally in many areas of number theory; for example, in the study of large gaps between prime numbers, of values of character sums, of Fermat's Last Theorem, of the multiplicative group of integers modulo $m$, of $S$-unit equations, of Waring's problem, and of primality testing and factoring algorithms. For over sixty years this subject has received quite a lot of attention from analytic number theorists and we have recently begun to attain a very pre...
Searching for Elements in Black Box Fields and Applications
In Advances in Cryptology - Crypto'96, LNCS 1109, 1996
Abstract

Cited by 10 (0 self)
We introduce the notion of a black box field and discuss the problem of explicitly exposing field elements given in a black box form. We present several subexponential algorithms for this problem using a technique due to Maurer. These algorithms make use of elliptic curves over finite fields in a crucial way. We present three applications for our results: (1) We show that any algebraically homomorphic encryption scheme can be broken in expected subexponential time. The existence of such schemes has been open for a number of years. (2) We give an expected subexponential time reduction from the problem of finding roots of polynomials over finite fields with low straight-line complexity (e.g. sparse polynomials) to the problem of testing whether such polynomials have a root in the field. (3) We show that the hardness of computing discrete logarithms over elliptic curves implies the security of the Diffie-Hellman protocol over elliptic curves. Finally, in the last section of the paper we prove ...