Results 11-20 of 26
Fast Generation of Prime Numbers and Secure Public-Key Cryptographic Parameters, 1995
Cited by 21 (0 self)
A very efficient recursive algorithm for generating nearly random provable primes is presented. The expected time for generating a prime is only slightly greater than the expected time required for generating a pseudoprime of the same size that passes the Miller-Rabin test for only one base. Therefore our algorithm is even faster than presently-used algorithms for generating only pseudoprimes because several Miller-Rabin tests with independent bases must be applied for achieving a sufficient confidence level. Heuristic arguments suggest that the generated primes are close to uniformly distributed over the set of primes in the specified interval. Security constraints on the prime parameters of certain cryptographic systems are discussed, and in particular a detailed analysis of the iterated encryption attack on the RSA public-key cryptosystem is presented. The prime generation algorithm can easily be modified to generate nearly random primes or RSA-moduli that satisfy t...
Lecture Notes on Cryptography, 2001
Cited by 17 (0 self)
This is a set of lecture notes on cryptography compiled for 6.87s, a one week long course on cryptography taught at MIT by Shafi Goldwasser and Mihir Bellare in the summers of 1996–2001. The notes were formed by merging notes written for Shafi Goldwasser’s Cryptography and Cryptanalysis course at MIT with notes written for Mihir Bellare’s Cryptography and network security course at UCSD. In addition, Rosario Gennaro (as Teaching Assistant for the course in 1996) contributed Section 9.6, Section 11.4, Section 11.5, and Appendix D to the notes, and also compiled, from various sources, some of the problems in Appendix E. Cryptography is of course a vast subject. The thread followed by these notes is to develop and explain the notion of provable security and its usage for the design of secure protocols. Much of the material in Chapters 2, 3 and 7 is a result of scribe notes, originally taken by MIT graduate students who attended Professor Goldwasser’s Cryptography and Cryptanalysis course over the years, and later edited by Frank D’Ippolito who was a teaching assistant for the course in 1991. Frank also contributed much of the advanced number theoretic material in the Appendix. Some of the material in Chapter 3 is from the chapter on Cryptography, by R. Rivest, in the Handbook of Theoretical Computer Science. Chapters 4, 5, 6, 8 and 10, and Sections 9.5 and 7.4.6, were written by Professor Bellare for his Cryptography and network security course at UCSD.
Fully homomorphic encryption over the integers with shorter public keys
CRYPTO 2011, volume 6841 of Lecture Notes in Computer Science, 2011
Cited by 16 (2 self)
We extend the fully homomorphic encryption scheme over the integers of van Dijk et al. (DGHV) to batch fully homomorphic encryption, i.e. to a scheme that supports encrypting and homomorphically processing a vector of plaintext bits as a single ciphertext. Our variant remains semantically secure under the (error-free) approximate-GCD problem. We also show how to perform arbitrary permutations on the underlying plaintext vector given the ciphertext and the public key. Our scheme offers competitive performance: we describe an implementation of the fully homomorphic evaluation of AES encryption, with an amortized cost of about 12 minutes per AES ciphertext on a standard desktop computer; this is comparable to the timings presented by Gentry et al. at Crypto 2012 for their implementation of a Ring-LWE based fully homomorphic encryption scheme.
On the Security of Modular Exponentiation with Application to the Construction of Pseudorandom Generators
Journal of Cryptology, 2000
Cited by 16 (0 self)
Assuming the intractability of factoring, we show that the output of the exponentiation modulo a composite function f_{N,g}(x) = g^x mod N (where N = P · Q) is pseudorandom, even when its input is restricted to be half the size. This result is equivalent to the simultaneous hardness of the upper half of the bits of f_{N,g}, proven by Håstad, Schrift and Shamir. Yet, we supply a different proof that is significantly simpler than the original one. In addition, we suggest a pseudorandom generator which is more efficient than all previously known factoring based pseudorandom generators.
Keywords: Modular exponentiation, discrete logarithm, hard core predicates, simultaneous security, pseudorandom generator, factoring assumption. This writeup is based on the Master Thesis of the second author (supervised by the first author).
1 Introduction. One-way functions play an extremely important role in modern cryptography. Loosely speaking, these are functions which are easy to evaluate bu...
Generating Random Factored Numbers, Easily, 2003
Cited by 11 (0 self)
Consider the problem of generating a random "pre-factored" number, that is, a uniformly random number between 1 and n, along with its prime factorization. Of course, one could pick a random number in this range and try to factor it, but there are no known polynomial-time factoring algorithms. In his dissertation, Bach presents an efficient algorithm for this problem [1], [2]. Here, we present a significantly simpler algorithm and analysis for the same problem. Our algorithm is, however, a log(n) factor less efficient.
Improved Non-Committing Encryption with Applications to Adaptively Secure Protocols
Cited by 11 (3 self)
We present a new construction of non-committing encryption schemes. Unlike the previous constructions of Canetti et al. (STOC '96) and of Damgård and Nielsen (Crypto '00), our construction achieves all of the following properties: – Optimal round complexity. Our encryption scheme is a 2-round protocol, matching the round complexity of Canetti et al. and improving upon that in Damgård and Nielsen. – Weaker assumptions. Our construction is based on trapdoor simulatable cryptosystems, a new primitive that we introduce as a relaxation of those used in previous works. We also show how to realize this primitive based on hardness of factoring. – Improved efficiency. The amortized complexity of encrypting a single bit is O(1) public key operations on a constant-sized plaintext in the underlying cryptosystem. As a result, we obtain the first non-committing public-key encryption schemes under hardness of factoring and worst-case lattice assumptions; previously, such schemes were only known under the CDH and RSA assumptions. Combined with existing work on secure multiparty computation, we obtain protocols for multiparty computation secure against a malicious adversary that may adaptively corrupt an arbitrary number of parties under weaker assumptions than were previously known. Specifically, we obtain the first adaptively secure multiparty protocols based on hardness of factoring in both the stand-alone setting and the UC setting with a common reference string. Key words: public-key encryption, adaptive corruption, non-committing encryption, secure multiparty computation.
Evaluation may be easier than generation (Extended Abstract)
In Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, 1996
Cited by 7 (0 self)
Kearns et al. [18] defined two notions for learning a distribution D. The first is with a generator, where the learner presents a generator that outputs a distribution identical or close to D. The other is with an evaluator, where the learner presents a procedure that on input x evaluates correctly (or approximates) the probability that x is generated by D. They showed an example where efficient learning by a generator is possible, but learning by an evaluator is computationally infeasible. Though it may seem that generation is, in general, easier than evaluation, in this paper we show that the converse may be true: we provide a class of distributions where efficient learning with an evaluator is possible, but coming up with a generator that approximates the given distribution is infeasible. We also show that some distributions may be learned (with either a generator or an evaluator) to within any ε > 0, but the learned hypothesis must be of size proportional t...
On the Existence of 3-Round Zero-Knowledge Proofs, 2002
Cited by 2 (0 self)
Goldreich and Krawczyk proved that there do not exist 3-round black-box zero-knowledge proofs or arguments for languages outside BPP. In 1998, Hada and Tanaka used non-standard assumptions to provide a 3-round zero-knowledge argument for every language in NP which was not black-box zero-knowledge. We present a non-black-box simulatable 3-round zero-knowledge proof system for NP, which is secure even when the prover has unbounded computational resources. However, we require a non-standard assumption (similar to those used by Hada and Tanaka) in order to prove our protocol is zero-knowledge. Additionally, we provide a proof of knowledge framework in which to view this type of non-standard assumption.

In this thesis, I designed and implemented a compiler which performs optimizations that reduce the number of low-level floating point operations necessary for a specific task; this involves the optimization of chains of floating point operations as well as the implementation of a "fixed" point data type that allows some floating point operations to be simulated with integer arithmetic. The source language of the compiler is a subset of C, and the destination language is assembly language for a micro floating point CPU. An instruction-level simulator of the CPU was written to allow testing of the code. A series of test pieces of code was compiled, both with and without optimization, to determine how effective these optimizations were.
Improved Non-Committing Encryption Schemes based on a General Complexity Assumption, 2000
Cited by 1 (0 self)
Non-committing encryption enables the construction of multiparty computation protocols secure against an adaptive adversary in the computational setting where private channels between players are not assumed. While any non-committing encryption scheme must be secure in the ordinary semantic sense, the converse is not necessarily true. We propose a construction of non-committing encryption that can be based on any public key system which is secure in the ordinary sense and which has an extra property we call simulatability. The construction contains an earlier proposed scheme by Beaver based on the Diffie-Hellman problem as a special case, and we propose another implementation based on RSA. In a more general setting, our construction can be based on any collection of trapdoor one-way permutations with a certain simulatability property. This offers a considerable efficiency improvement over the first non-committing encryption scheme proposed by Canetti et al. Finally, at some loss of efficiency, our scheme can be based on general collections of trapdoor one-way permutations without the simulatability assumption, and without the common domain assumption of Canetti et al.
Cryptology
Cited by 1 (0 self)
Cryptology has advanced tremendously since 1976; this chapter provides a brief overview of the current state-of-the-art in the field. Several major themes predominate in the development. One such theme is the careful elaboration of the definition of security for a cryptosystem. A second theme has been the search for provably secure cryptosystems, based on plausible assumptions about the difficulty of specific number-theoretic problems or on the existence of certain kinds of functions (such as one-way functions). A third theme is the invention of many novel and surprising cryptographic capabilities, such as public-key cryptography, digital signatures, secret-sharing, oblivious transfers, and zero-knowledge proofs. These themes have been developed and interwoven so that today theorems of breathtaking generality and power assert the existence of cryptographic techniques capable of solving almost any imaginable cryptographic problem.