Using Secure Coprocessors
1994
Cited by 165 (8 self)
Abstract: The views and conclusions in this document are those of the authors and do not necessarily represent the official policies or endorsements of any of the research sponsors. How do we build distributed systems that are secure? Cryptographic techniques can be used to secure the communications between physically separated systems, but this is not enough: we must be able to guarantee the privacy of the cryptographic keys and the integrity of the cryptographic functions, in addition to the integrity of the security kernel and access control databases we have on the machines. Physical security is a central assumption upon which secure distributed systems are built; without this foundation even the best cryptosystem or the most secure kernel will crumble. In this thesis, I address the distributed security problem by proposing the addition of a small, physically secure hardware module, a secure coprocessor, to standard workstations and PCs. My central axiom is that secure coprocessors are able to maintain the privacy of the data they process. This thesis attacks the distributed security problem from multiple sides. First, I analyze the security properties of existing system components, both at the hardware and
Dyad: A System for Using Physically Secure Coprocessors
Proceedings of the Joint Harvard-MIT Workshop on Technological Strategies for the Protection of Intellectual Property in the Network Multimedia Environment, 1991
Cited by 96 (1 self)
Abstract: The Dyad project at Carnegie Mellon University is using physically secure coprocessors to achieve new protocols and systems addressing a number of perplexing security problems. These coprocessors can be produced as boards or integrated circuit chips and can be directly inserted in standard workstations or PC-style computers. This paper presents a set of security problems and easily implementable solutions that exploit the power of physically secure coprocessors: (1) protecting the integrity of publicly accessible workstations, (2) tamper-proof accounting/audit trails, (3) copy protection, and (4) electronic currency without centralized servers. We outline the architectural requirements for the use of secure coprocessors.
1 Introduction and Motivation. The Dyad project at Carnegie Mellon University is using physically secure coprocessors to achieve new protocols and systems addressing a number of perplexing security problems. These coprocessors can be produced as boards or integrated ...
The Discrete Logarithm Modulo a Composite Hides O(n) Bits
Journal of Computer and System Sciences, 1993
Cited by 33 (1 self)
Abstract: In this paper we consider the one-way function $f_{g,N}(X) = g^X \pmod N$, where $N$ is a Blum integer. We prove that under the commonly assumed intractability of factoring Blum integers, all its bits are individually hard, and the lower as well as upper halves of them are simultaneously hard. As a result, $f_{g,N}$ can be used in efficient pseudorandom bit generators and multi-bit commitment schemes, where messages can be drawn according to arbitrary probability distributions.
The Classification of Hash Functions
1993
Cited by 24 (3 self)
Abstract: When we ask what makes a hash function "good", we usually get an answer which includes collision freedom as the main (if not sole) desideratum. However, we show here that given any collision-free function, we can derive others which are also collision-free, but cryptographically useless. This explains why researchers have not managed to find many interesting consequences of this property. We also prove Okamoto's conjecture that correlation freedom is strictly stronger than collision freedom. We go on to show that there are actually rather many properties which hash functions may need. Hash functions for use with RSA must be multiplication-free, in the sense that one cannot find $X$, $Y$ and $Z$ such that $h(X)h(Y) = h(Z)$; and more complex requirements hold for other signature schemes. Universal principles can be proposed from which all the freedom properties follow, but like most theoretical principles, they do not seem to give much value to a designer; at the practical level, the main imp...
On the Security of Modular Exponentiation with Application to the Construction of Pseudorandom Generators
Journal of Cryptology, 2000
Cited by 21 (0 self)
Abstract: Assuming the intractability of factoring, we show that the output of the exponentiation modulo a composite function $f_{N,g}(x) = g^x \bmod N$ (where $N = P \cdot Q$) is pseudorandom, even when its input is restricted to be half the size. This result is equivalent to the simultaneous hardness of the upper half of the bits of $f_{N,g}$, proven by Håstad, Schrift and Shamir. Yet, we supply a different proof that is significantly simpler than the original one. In addition, we suggest a pseudorandom generator which is more efficient than all previously known factoring-based pseudorandom generators.
Keywords: Modular exponentiation, discrete logarithm, hard-core predicates, simultaneous security, pseudorandom generator, factoring assumption.
This write-up is based on the Master's thesis of the second author (supervised by the first author).
1 Introduction. One-way functions play an extremely important role in modern cryptography. Loosely speaking, these are functions which are easy to evaluate bu...
The Discrete Log is Very Discreet
In: STOC, 1990
Cited by 16 (0 self)
Abstract: In this paper we consider the one-way function $f_{g,N}(X) = g^X \pmod N$, where $N$ is a Blum integer. We prove that under the commonly assumed intractability of factoring Blum integers, almost all its bits are individually hard, and half of them are simultaneously hard. As a result, $f_{g,N}$ can be used in efficient pseudorandom bit generators and multi-bit commitment schemes, where messages can be drawn according to arbitrary probability distributions.
Security Issues in the Diffie-Hellman Key Agreement Protocol
IEEE Trans. on Information Theory, 2000
Cited by 8 (0 self)
Abstract: Diffie-Hellman key agreement protocol [27] implementations have been plagued by serious security flaws. The attacks can be very subtle and, more often than not, haven't been taken into account by protocol designers. In this paper we attempt to provide a link between theoretical research and real-world implementations. In addition to exposing the most important attacks and issues, we present fairly detailed pseudocode for the authenticated Diffie-Hellman protocol and for the half-certified Diffie-Hellman (a.k.a. ElGamal key agreement). It is hoped that computer security practitioners will obtain enough information to build and design secure and efficient versions of this classic key agreement protocol.
On the Chor-Rivest Knapsack Cryptosystem
1991
Cited by 8 (0 self)
Abstract: Among all public-key cryptosystems that depend on the knapsack problem, the system proposed by Chor and Rivest (IEEE Trans. Inform. Theory 34 (1988), 901-909) is one of the few that have not been broken. The main difficulty in implementing their system is the computation of discrete logarithms in large finite fields. In this note we describe the "powerline system," which is a modification of the Chor-Rivest system that does not have this shortcoming. The powerline system, which is not a knapsack system, is at least as secure as the original Chor-Rivest system.
Bits and Relative Order from Residues, Space Efficiently
Information Processing Letters, 1994
Cited by 7 (1 self)
Abstract: For each $k$, let $P_k$ be the product of the first $k$ primes. By the Chinese remainder theorem, each integer in the interval $[0, P_k)$ is determined by its residues modulo these $k$ primes. We address the problems of space-efficiently computing the bits and the relative order of such numbers from their residues.
Introduction. For each $k$, let $P_k$ be the product of the first $k$ primes, $p_1 < p_2 < \cdots < p_k$. By the Chinese remainder theorem, each integer in the interval $[0, P_k)$ is determined by its residues modulo these $k$ primes. This fact is easily exploited to yield a space-efficient test for equality of two such numbers. We show how to exploit it for an equally space-efficient determination of which of two such numbers is larger, and we address the more general problem of space-efficiently computing the bits of such a number from its residues. The best we can hope for is space $O(S_k)$ for $S_k = \log \log P_k$, because it takes that much space just to write down $k$ or...
Is the Data Encryption Standard a Group? (Results of Cycling Experiments on DES)
1988
Cited by 5 (2 self)
Abstract: The Data Encryption Standard (DES) defines an indexed set of permutations acting on the message space $\mathcal{M} = \{0, 1\}^{64}$. If this set of permutations were closed under functional composition, then the two most popular proposals for strengthening DES through multiple encryption would be equivalent to single encryption. Moreover, DES would be vulnerable to a known-plaintext attack that runs in $2^{28}$ steps on the average. It is unknown in the open literature whether or not DES has this weakness. Two statistical tests are presented for determining if an indexed set of permutations acting on a finite message space forms a group under functional composition. The first test is a "meet-in-the-middle" algorithm which uses $O(\sqrt{K})$ time and space, where $K$ is the size of the key space. The second test, a novel cycling algorithm, uses the same amount of time but only a small constant amount of space. Each test yields a known-plaintext attack against any finite, deterministic cryptosystem that generates a small group. The cycling closure test takes a pseudorandom walk in the message space until