Results 1-9 of 9
Using Secure Coprocessors
1994
Cited by 150 (8 self)
Abstract
The views and conclusions in this document are those of the authors and do not necessarily represent the official policies or endorsements of any of the research sponsors. How do we build distributed systems that are secure? Cryptographic techniques can be used to secure the communications between physically separated systems, but this is not enough: we must be able to guarantee the privacy of the cryptographic keys and the integrity of the cryptographic functions, in addition to the integrity of the security kernel and access control databases we have on the machines. Physical security is a central assumption upon which secure distributed systems are built; without this foundation even the best cryptosystem or the most secure kernel will crumble. In this thesis, I address the distributed security problem by proposing the addition of a small, physically secure hardware module, a secure coprocessor, to standard workstations and PCs. My central axiom is that secure coprocessors are able to maintain the privacy of the data they process. This thesis attacks the distributed security problem from multiple sides. First, I analyze the security properties of existing system components, both at the hardware and
Dyad: A System for Using Physically Secure Coprocessors
Proceedings of the Joint Harvard-MIT Workshop on Technological Strategies for the Protection of Intellectual Property in the Network Multimedia Environment, 1991
Cited by 82 (1 self)
Abstract
The Dyad project at Carnegie Mellon University is using physically secure coprocessors to achieve new protocols and systems addressing a number of perplexing security problems. These coprocessors can be produced as boards or integrated circuit chips and can be directly inserted in standard workstations or PC-style computers. This paper presents a set of security problems and easily implementable solutions that exploit the power of physically secure coprocessors: (1) protecting the integrity of publicly accessible workstations, (2) tamper-proof accounting/audit trails, (3) copy protection, and (4) electronic currency without centralized servers. We outline the architectural requirements for the use of secure coprocessors.
The discrete logarithm modulo a composite hides O(n) bits
Journal of Computer and System Sciences, 1993
Cited by 28 (1 self)
Abstract
In this paper we consider the one-way function $f_{g,N}(x) = g^x \bmod N$, where $N$ is a Blum integer. We prove that under the commonly assumed intractability of factoring Blum integers, all its bits are individually hard, and the lower as well as upper halves of them are simultaneously hard. As a result, $f_{g,N}$ can be used in efficient pseudorandom bit generators and multi-bit commitment schemes, where messages can be drawn according to arbitrary probability distributions.
The Classification of Hash Functions
1993
Cited by 24 (3 self)
Abstract
When we ask what makes a hash function `good', we usually get an answer which includes collision freedom as the main (if not sole) desideratum. However, we show here that given any collision-free function, we can derive others which are also collision-free, but cryptographically useless. This explains why researchers have not managed to find many interesting consequences of this property. We also prove Okamoto's conjecture that correlation freedom is strictly stronger than collision freedom. We go on to show that there are actually rather many properties which hash functions may need. Hash functions for use with RSA must be multiplication-free, in the sense that one cannot find $X$, $Y$ and $Z$ such that $h(X)h(Y) = h(Z)$; and more complex requirements hold for other signature schemes. Universal principles can be proposed from which all the freedom properties follow, but like most theoretical principles, they do not seem to give much value to a designer; at the practical level, the main imp...
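The multiplication-free requirement is easiest to see with textbook RSA, where signing is just $s = h(m)^d \bmod N$ and the map is multiplicative. The following is an added example, not code from the paper: a constructed toy RSA key and a deliberately bad "hash" ($h(X) = X$), for which $h(X)h(Y) = h(XY)$ is trivially solvable, so two legitimate signatures combine into a signature on a message the signer never saw. The key size, the hash choice and the function names are all assumptions of this illustration.

```python
"""Why a hash used with RSA signatures must be 'multiplication-free'.

Added example (not from the paper). Textbook RSA is multiplicative:
sign(a) * sign(b) = sign(a*b) mod N. If the hash lets an attacker find X, Y, Z
with h(X)h(Y) = h(Z) mod N, signatures on X and Y yield a signature on Z.
Toy parameters only; never use keys this small.
"""
import hashlib

# Constructed toy RSA key: N = 61 * 53, e = 17, d = e^-1 mod phi(N) = 2753.
N, E, D = 3233, 17, 2753


def sign(message_hash: int) -> int:
    """Textbook RSA signature s = h^d mod N, with no padding at all."""
    return pow(message_hash, D, N)


def verify(message_hash: int, sig: int) -> bool:
    """Signature check s^e == h (mod N)."""
    return pow(sig, E, N) == message_hash % N


def identity_hash(m: int) -> int:
    """The worst case for the paper's criterion: h(X)h(Y) = h(XY) mod N always."""
    return m % N


def sha_hash(m: int) -> int:
    """A hash with no obvious multiplicative structure (SHA-256 reduced mod N)."""
    return int.from_bytes(hashlib.sha256(str(m).encode()).digest(), "big") % N


def forge_product(x: int, y: int, sig_x: int, sig_y: int, h=identity_hash):
    """Attacker's step: multiply two known signatures to sign Z = XY without d.
    Returns (Z, forged signature). Works iff h(X)h(Y) == h(Z) mod N."""
    z = (x * y) % N
    return z, (sig_x * sig_y) % N


def demo_identity_hash():
    """Signer releases signatures on 2 and 3; attacker signs 6."""
    x, y = 2, 3
    sx, sy = sign(identity_hash(x)), sign(identity_hash(y))
    z, forged = forge_product(x, y, sx, sy)
    return z, forged, verify(identity_hash(z), forged)


def forgery_verifies_under(h, x: int = 2, y: int = 3) -> bool:
    """Repeat the attack under a given hash. For a hash without multiplicative
    structure the relation h(x)h(y) = h(xy) mod N is not expected to hold, so
    the product of the two signatures should not verify for z = xy."""
    sx, sy = sign(h(x)), sign(h(y))
    z, forged = forge_product(x, y, sx, sy, h)
    return verify(h(z), forged)


if __name__ == "__main__":
    print("identity hash, forgery verifies:", demo_identity_hash())
    print("sha hash, forgery verifies:", forgery_verifies_under(sha_hash))
```

The fix in practice is not only a better hash but a padding scheme (PSS or even PKCS#1 v1.5) that destroys the multiplicative relation between hash values before exponentiation.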
On the Security of Modular Exponentiation with Application to the Construction of Pseudorandom Generators
Journal of Cryptology, 2000
Cited by 16 (0 self)
Abstract
Assuming the intractability of factoring, we show that the output of the exponentiation modulo a composite function $f_{N,g}(x) = g^x \bmod N$ (where $N = P \cdot Q$) is pseudorandom, even when its input is restricted to be half the size. This result is equivalent to the simultaneous hardness of the upper half of the bits of $f_{N,g}$, proven by Håstad, Schrift and Shamir. Yet, we supply a different proof that is significantly simpler than the original one. In addition, we suggest a pseudorandom generator which is more efficient than all previously known factoring-based pseudorandom generators. Keywords: Modular exponentiation, discrete logarithm, hard-core predicates, simultaneous security, pseudorandom generator, factoring assumption. This write-up is based on the Master's thesis of the second author (supervised by the first author).
1 Introduction
One-way functions play an extremely important role in modern cryptography. Loosely speaking, these are functions which are easy to evaluate bu...
Bits and Relative Order from Residues, Space Efficiently
Information Processing Letters, 1994
Cited by 7 (1 self)
Abstract
For each $k$, let $P_k$ be the product of the first $k$ primes. By the Chinese remainder theorem, each integer in the interval $[0, P_k)$ is determined by its residues modulo these $k$ primes. We address the problems of space-efficiently computing the bits and the relative order of such numbers from their residues.
Introduction
For each $k$, let $P_k$ be the product of the first $k$ primes, $p_1 < p_2 < \cdots < p_k$. By the Chinese remainder theorem, each integer in the interval $[0, P_k)$ is determined by its residues modulo these $k$ primes. This fact is easily exploited to yield a space-efficient test for equality of two such numbers. We show how to exploit it for an equally space-efficient determination of which of two such numbers is larger, and we address the more general problem of space-efficiently computing the bits of such a number from its residues. The best we can hope for is space $O(S_k)$ for $S_k = \log\log P_k$, because it takes that much space just to write down $k$ or...
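To make the three problems concrete (equality, relative order, and bits from residues), here is an added example that is not the paper's algorithm: it converts residues to mixed-radix digits with Garner's algorithm, which costs $O(k \log P_k)$ space rather than the $O(\log\log P_k)$ the paper aims for, but it shows why equality needs no conversion, why order falls out of a positional representation, and how the bits are recovered. The primes, sample integers and function names are assumptions of this illustration.

```python
"""Residues modulo the first k primes: equality, relative order, and bits.

Added example (not the paper's space-efficient method). Uses Garner's
mixed-radix conversion, which keeps all k digits in memory, to show what the
three problems in the abstract mean on constructed inputs.
"""
from typing import List


def first_primes(k: int) -> List[int]:
    """p_1 < p_2 < ... < p_k by trial division (tiny k, so this is enough)."""
    primes: List[int] = []
    n = 2
    while len(primes) < k:
        if all(n % p for p in primes):
            primes.append(n)
        n += 1
    return primes


def residues(x: int, primes: List[int]) -> List[int]:
    """CRT representation of x in [0, P_k): its residues mod p_1..p_k."""
    return [x % p for p in primes]


def equal_residues(ra: List[int], rb: List[int]) -> bool:
    """Equality needs no reconstruction: x == y iff every residue agrees."""
    return ra == rb


def mixed_radix_digits(res: List[int], primes: List[int]) -> List[int]:
    """Garner's algorithm. Returns digits d_i with 0 <= d_i < p_i and
    x = d_0 + d_1*p_0 + d_2*p_0*p_1 + ...; digit d_i depends only on r_0..r_i."""
    digits: List[int] = []
    for i, p in enumerate(primes):
        t = res[i] % p
        for j in range(i):
            # peel off the contribution of d_j and divide by p_j, all mod p_i
            t = (t - digits[j]) * pow(primes[j], -1, p) % p
        digits.append(t)
    return digits


def from_residues(res: List[int], primes: List[int]) -> int:
    """Bits of x: rebuild the integer from its mixed-radix digits (bin(x) then
    gives the binary representation)."""
    x, scale = 0, 1
    for d, p in zip(mixed_radix_digits(res, primes), primes):
        x += d * scale
        scale *= p
    return x


def compare_residues(ra: List[int], rb: List[int], primes: List[int]) -> int:
    """Relative order without forming the integers: mixed-radix digits form a
    positional numeral system, so compare from the most significant digit down.
    Returns -1, 0 or 1 for a < b, a == b, a > b."""
    da = mixed_radix_digits(ra, primes)
    db = mixed_radix_digits(rb, primes)
    for x, y in zip(reversed(da), reversed(db)):
        if x != y:
            return -1 if x < y else 1
    return 0


if __name__ == "__main__":
    ps = first_primes(5)                 # P_5 = 2*3*5*7*11 = 2310
    ra, rb = residues(999, ps), residues(1000, ps)   # constructed sample inputs
    print(ps, ra, rb)
    print("digits of 1000:", mixed_radix_digits(rb, ps))
    print("bits of 1000:", bin(from_residues(rb, ps)))
    print("999 vs 1000:", compare_residues(ra, rb, ps))
```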
On the Power of One Bit of a #P Function
Proceedings of the Fourth Italian Conference on Theoretical Computer Science, 1992
Cited by 5 (1 self)
Abstract
We introduce the class MP of languages $L$ which can be solved in polynomial time with an oracle for one selected bit of the value $f(y)$ of a #P function $f$ on a selected argument $y$. This extends the much-studied language classes $\oplus\mathrm{P}$ and PP, which correspond to the power of the least and most significant bits, respectively. We show that MP is captured by the power of the middle bit; namely: a language $L$ is in MP iff for some #P function $f'$ and all $x$, $x \in L \iff$ the middle bit of $f'(x)$ in binary notation is a `1'. Also, S. Toda's proof [Tod89, Tod91] that the polynomial hierarchy (PH) is contained in $\mathrm{P}^{\#\mathrm{P}}$ actually gives: $\mathrm{PH} \subseteq \mathrm{BP}[\oplus\mathrm{P}] \subseteq \mathrm{C}\oplus\mathrm{P} \subseteq \mathrm{MP}$. The class MP has complete problems, and is closed under complements and under polynomial-time many-one reducibility. We show that MP is closed under intersection iff, for any fixed $k > 0$, $k$ bits of a #P function are no more powerful than one. Moreover, if there is a polynomial-time construction for the closure under intersection...
Security Issues in the Diffie-Hellman Key Agreement Protocol
IEEE Trans. on Information Theory, 2000
Cited by 5 (0 self)
Abstract
Diffie-Hellman key agreement protocol [27] implementations have been plagued by serious security flaws. The attacks can be very subtle and, more often than not, haven't been taken into account by protocol designers. In this paper we attempt to provide a link between theoretical research and real-world implementations. In addition to exposing the most important attacks and issues we present fairly detailed pseudocode for the authenticated Diffie-Hellman protocol and for the half-certified Diffie-Hellman (a.k.a. ElGamal key agreement). It is hoped that computer security practitioners will obtain enough information to build and design secure and efficient versions of this classic key agreement protocol.
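One of the "subtle" implementation flaws the abstract alludes to is accepting a peer's public value without checking it. The following is an added example, not the paper's pseudocode: it runs an unauthenticated Diffie-Hellman exchange over a constructed toy group (safe prime $p = 23$, $q = 11$, $g = 2$ generating the order-$q$ subgroup) and shows the public-value validation that stops small-subgroup confinement, in which a peer who sends $y = p-1$ forces the shared secret into $\{1, p-1\}$ whatever the private exponent is. The parameters and function names are assumptions of this illustration; authentication of the values (the paper's main topic) is not covered here.

```python
"""Diffie-Hellman with public-value validation against subgroup confinement.

Added example, not code from the paper. Constructed toy parameters: p = 2q + 1
with p = 23, q = 11, and g = 2 of order q modulo p. With real parameters only
the sizes change; the checks are identical.
"""
import secrets
from typing import Tuple

P, Q, G = 23, 11, 2   # assumed toy group: p = 2q+1, g generates the order-q subgroup


def validate_public_value(y: int, p: int = P, q: int = Q) -> bool:
    """Accept y only if 1 < y < p-1 and y lies in the order-q subgroup.
    The range check alone rejects 0, 1 and p-1; the subgroup check y^q == 1
    (mod p) also rejects every element of order 2q or 2, i.e. quadratic
    non-residues a malicious peer could send to leak bits of our exponent."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def keygen(p: int = P, q: int = Q, g: int = G) -> Tuple[int, int]:
    """Private exponent x in [1, q-1] and public value g^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def shared_secret(own_private: int, peer_public: int, p: int = P, q: int = Q) -> int:
    """Derive the raw shared value, refusing an invalid peer value outright."""
    if not validate_public_value(peer_public, p, q):
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(peer_public, own_private, p)


def peer_value_accepted(own_private: int, peer_public: int) -> bool:
    """True if shared_secret() would proceed with this peer value."""
    try:
        shared_secret(own_private, peer_public)
        return True
    except ValueError:
        return False


def honest_exchange() -> bool:
    """Both sides compute the same secret when both public values are valid."""
    a, ya = keygen()
    b, yb = keygen()
    return shared_secret(a, yb) == shared_secret(b, ya)


def confinement_without_check(private: int, p: int = P) -> int:
    """What an unchecked recipient computes when the peer sends y = p-1:
    (p-1)^x mod p is 1 for even x and p-1 for odd x, so the 'secret' has one
    bit of entropy and the attacker needs no private key to guess it."""
    return pow(p - 1, private, p)


if __name__ == "__main__":
    print("honest exchange agrees:", honest_exchange())
    print("p-1 accepted?", peer_value_accepted(3, P - 1))
    print("confined secrets:", sorted({confinement_without_check(x) for x in range(1, P)}))
```

For groups that are not safe-prime based (e.g. RFC 7919 style parameters with a large cofactor) the subgroup check is the one that matters; for elliptic-curve variants the analogue is an on-curve check plus a cofactor or subgroup-order check.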
Is the Data Encryption Standard a Group? (Results of Cycling Experiments on DES)
Abstract
The Data Encryption Standard (DES) defines an indexed set of permutations acting on the message space $\{0,1\}^{64}$. If this set of permutations were closed under functional composition, then the two most popular proposals for strengthening DES through multiple encryption would be equivalent to single encryption. Moreover, DES would be vulnerable to a known-plaintext attack that runs in $2^{28}$ steps on the average. It is unknown in the open literature whether or not DES has this weakness. Two statistical tests are presented for determining if an indexed set of permutations acting on a finite message space forms a group under functional composition. The first test is a "meet-in-the-middle" algorithm which uses $O(\sqrt{K})$ time and space, where $K$ is the size of the key space. The second test, a novel cycling algorithm, uses the same amount of time but only a small constant amount of space. Each test yields a known-plaintext attack against any finite, deterministic cryptosystem that generates a small group. The cycling closure test takes a pseudorandom walk in the message space until
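The closure question and the walk-based test are easy to reproduce at toy scale. The following is an added example, not the paper's code: two constructed cipher families on 16-bit blocks with 8-bit keys (so $K = 256 < M = 65536$, mirroring $2^{56} < 2^{64}$ for DES). XOR-with-key is a group ($E_a \circ E_b = E_{a \oplus b}$); a small four-round Feistel cipher is assumed not to be. The block runs the direct closure probe (brute force over $c$, which the paper's meet-in-the-middle test replaces with $O(\sqrt{K})$ work) and a pseudorandom walk $x \mapsto E_{\rho(x)}(x)$: when the family is a group the walk can only reach $|G| \le K$ messages and must repeat within that many steps, whereas for a non-group it behaves like a random mapping on $M$ points and runs for about $\sqrt{\pi M/2}$ steps. The ciphers, $\rho$, probe plaintexts and function names are all assumptions of this illustration.

```python
"""Is an indexed set of permutations closed under composition? Toy version.

Added example, not from the paper. Two constructed families of permutations
on 16-bit blocks keyed by 8-bit keys: xor_enc (a group) and feistel_enc
(assumed not a group). Shows the direct closure probe and the cycling idea.
"""
from typing import Callable, List

KEY_SPACE = 256          # K: 8-bit keys
BLOCK_MASK = 0xFFFF      # M: 16-bit messages
Cipher = Callable[[int, int], int]   # (key, block) -> block


def xor_enc(k: int, x: int) -> int:
    """Family that IS a group: E_a(E_b(x)) = E_{a xor b}(x)."""
    return x ^ k


def _round_function(r: int, k: int, rnd: int) -> int:
    t = (r ^ k ^ (0x5B * rnd + 0x31)) & 0xFF   # key and per-round constant
    t = (t * t + 3 * t + 0x9F) & 0xFF           # nonlinear mixing (assumed)
    return ((t << 3) | (t >> 5)) & 0xFF         # rotate for diffusion


def feistel_enc(k: int, x: int, rounds: int = 4) -> int:
    """Constructed 4-round Feistel toy; assumed NOT closed under composition."""
    l, r = x >> 8, x & 0xFF
    for i in range(rounds):
        l, r = r, l ^ _round_function(r, k, i)
    return (l << 8) | r


def feistel_dec(k: int, y: int, rounds: int = 4) -> int:
    """Inverse of feistel_enc (confirms each E_k really is a permutation)."""
    l, r = y >> 8, y & 0xFF
    for i in reversed(range(rounds)):
        l, r = r ^ _round_function(l, k, i), l
    return (l << 8) | r


SAMPLE_PLAINTEXTS = (0x0000, 0x1234, 0xBEEF, 0xFFFF)   # constructed probes


def keys_matching_composition(enc: Cipher, a: int, b: int) -> List[int]:
    """Direct closure probe: keys c with E_c == E_a o E_b on the probe set.
    Exhaustive in K per (a, b); the paper's meet-in-the-middle test answers
    the same question in O(sqrt(K)) time and space."""
    target = tuple(enc(a, enc(b, p)) for p in SAMPLE_PLAINTEXTS)
    return [c for c in range(KEY_SPACE)
            if tuple(enc(c, p) for p in SAMPLE_PLAINTEXTS) == target]


def rho(x: int) -> int:
    """Message-to-key map driving the walk (any fixed mixing function works)."""
    return ((x * 0x9E37) >> 8) & 0xFF


def walk_step(enc: Cipher, x: int) -> int:
    """One step of the pseudorandom walk in the message space: x -> E_rho(x)(x).
    If the family is a group, x_i = g_i(x_0) with g_i in G, so the walk visits
    at most |G| <= K distinct messages before it repeats."""
    return enc(rho(x), x)


def steps_until_repeat(enc: Cipher, x0: int) -> int:
    """Distinct messages visited before the walk first revisits one.
    Memory is O(steps) here; the paper's cycling test finds the same cycle
    in constant space with a Floyd-style two-pointer walk."""
    seen = set()
    x = x0
    while x not in seen:
        seen.add(x)
        x = walk_step(enc, x)
    return len(seen)


if __name__ == "__main__":
    print("xor:     E_3C o E_A5 == E_c for c in", keys_matching_composition(xor_enc, 0x3C, 0xA5))
    print("feistel: E_3C o E_A5 == E_c for c in", keys_matching_composition(feistel_enc, 0x3C, 0xA5))
    for x0 in (0x1234, 0xBEEF):
        print(hex(x0), "xor walk:", steps_until_repeat(xor_enc, x0),
              "feistel walk:", steps_until_repeat(feistel_enc, x0))
```

Run it and compare the two walk lengths: the XOR family is pinned below 256 steps from every start, while the Feistel walk typically runs for a few hundred steps, the signature of a family that generates a large group. The paper's $2^{28}$ figure is exactly this gap for DES: a walk bounded by $\sqrt{2^{56}}$ rather than $\sqrt{2^{64}}$.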