Results 11–20 of 58
Diffie-Hellman Oracles
Advances in Cryptology, CRYPTO '96, Lecture Notes in Computer Science, 1996
Cited by 34 (3 self)
This paper consists of three parts. First, various types of Diffie-Hellman oracles for a cyclic group G and subgroups of G are defined and their equivalence is proved. In particular, the security of using a subgroup of G instead of G in the Diffie-Hellman protocol is investigated. Second, we derive several new conditions for the polynomial-time equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms in G which extend former results by den Boer and Maurer. Finally, efficient constructions of Diffie-Hellman groups with provable equivalence are described.
On the statistical properties of Diffie–Hellman distributions
MR 2001k:11258, Zbl 0997.11066
Cited by 29 (10 self)
Let p be a large prime such that p−1 has some large prime factors, and let ϑ ∈ Z_p^* be an r-th power residue for all small factors of p−1. The corresponding Diffie-Hellman (DH) distribution is (ϑ^x, ϑ^y, ϑ^(xy)) where x, y are randomly chosen from Z_p^*. A recently formulated assumption is that given p, ϑ of the above form it is infeasible to distinguish in reasonable time between the DH distribution and triples of numbers chosen
The Diffie-Hellman Protocol
Designs, Codes, and Cryptography, 1999
Cited by 26 (0 self)
The 1976 seminal paper of Diffie and Hellman is a landmark in the history of cryptography. They introduced the fundamental concepts of a trapdoor one-way function, a public-key cryptosystem, and a digital signature scheme. Moreover, they presented a protocol, the so-called Diffie-Hellman protocol, allowing two parties who share no secret information initially to generate a mutual secret key. This paper summarizes the present knowledge on the security of this protocol.
Rounding in Lattices and Its Cryptographic Applications
Proc. 8th Annual ACM-SIAM Symp. on Discrete Algorithms, ACM, 1997
Cited by 24 (0 self)
We analyze a lattice rounding technique using a natural matrix norm. We present its application to proving in a non-uniform model the hardness of computing 2 log log p bits of the secret keys of Diffie-Hellman and related protocols from the public keys. Earlier in [2] it was shown that √(log p) bits are hard to compute. 1 Introduction Lattice basis reduction techniques have proven to be very useful in diverse areas. Examples include cryptography, settling number theoretic conjectures, and Diophantine approximation. Rounding a given vector to an approximately closest vector in a given lattice was first studied in this context by Babai [1]. Recently in [2] rounding in lattices was used to study the hardness of computing the most significant bits of secret keys obtained using the Diffie-Hellman protocol and related schemes. Motivated by this, we study a new lattice rounding technique which is used to improve on the results of [2] in a non-uniform model. The Diffie-Hellman protocol [3] ena...
Discrete Logarithms: the Effectiveness of the Index Calculus Method
1996
Cited by 24 (1 self)
In this article we survey recent developments concerning the discrete logarithm problem. Both theoretical and practical results are discussed. We emphasize the case of finite fields, and in particular, recent modifications of the index calculus method, including the number field sieve and the function field sieve. We also provide a sketch of some of the cryptographic schemes whose security depends on the intractability of the discrete logarithm problem. 1 Introduction Let G be a cyclic group generated by an element t. The discrete logarithm problem in G is to compute for any b ∈ G the least nonnegative integer e such that t^e = b. In this case, we write log_t b = e. Our purpose, in this paper, is to survey recent work on the discrete logarithm problem. Our approach is twofold. On the one hand, we consider the problem from a purely theoretical perspective. Indeed, the algorithms that have been developed to solve it not only explore the fundamental nature of one of the basic s...
Lecture Notes on Cryptography
2001
Cited by 17 (0 self)
This is a set of lecture notes on cryptography compiled for 6.87s, a one week long course on cryptography taught at MIT by Shafi Goldwasser and Mihir Bellare in the summers of 1996–2001. The notes were formed by merging notes written for Shafi Goldwasser's Cryptography and Cryptanalysis course at MIT with notes written for Mihir Bellare's Cryptography and network security course at UCSD. In addition, Rosario Gennaro (as Teaching Assistant for the course in 1996) contributed Section 9.6, Section 11.4, Section 11.5, and Appendix D to the notes, and also compiled, from various sources, some of the problems in Appendix E. Cryptography is of course a vast subject. The thread followed by these notes is to develop and explain the notion of provable security and its usage for the design of secure protocols. Much of the material in Chapters 2, 3 and 7 is a result of scribe notes, originally taken by MIT graduate students who attended Professor Goldwasser's Cryptography and Cryptanalysis course over the years, and later edited by Frank D'Ippolito who was a teaching assistant for the course in 1991. Frank also contributed much of the advanced number theoretic material in the Appendix. Some of the material in Chapter 3 is from the chapter on Cryptography, by R. Rivest, in the Handbook of Theoretical Computer Science. Chapters 4, 5, 6, 8 and 10, and Sections 9.5 and 7.4.6, were written by Professor Bellare for his Cryptography and network security course at UCSD.
MOVE: Mobility with Persistent Network Connections
2004
Cited by 14 (0 self)
The combined force behind ubiquitous mobile computing and storage devices and universal network access has created a unique era of mobile network computing, in which computation units ranging from a single process to an entire host can move while communicating with each other across the network. A key problem therefore is how to preserve the ongoing network communication between two computation units when they move from one place to another, because current network infrastructure and protocols are designed to support stationary communication endpoints only. We have developed MOVE, a fine-grain end-to-end connection migration architecture, to address the problem. The most distinguishing characteristic of MOVE is that MOVE achieves, in a single system, several essential goals of a mobile communication architecture including: (1) entirely end system only without any infrastructure demand, transport protocol independence, and backward compatibility; (2) fine-grain connection migration and unlimited mobility scope; (3) secure migration with both handoff and suspension/resumption support; and (4) very
Efficient Verifiably Encrypted Signature and Partially Blind Signature from Bilinear Pairings
2004
Cited by 14 (0 self)
Verifiably encrypted signatures are used when Alice wants to sign a message for Bob but does not want Bob to possess her signature on the message until a later date. Such signatures are used in optimistic contract signing to provide fair exchange. Partially blind signature schemes are an extension of blind signature schemes that allow a signer to sign a partially blinded message that includes pre-agreed information such as an expiry date or collateral conditions in unblinded form. These signatures are used...
An observation on associative one-way functions in complexity theory
Information Processing Letters, 1997
Cited by 11 (0 self)
We introduce the notion of associative one-way functions and prove that they exist if and only if P ≠ NP. As evidence of their utility, we present two novel protocols that apply strong forms of these functions to achieve secret key agreement and digital signatures.
Protection of Authenticated Key-Agreement Protocol against a Denial-of-Service Attack
In Proceedings of the International Symposium on Information Theory and Its Applications (ISITA'98), 1998
Cited by 9 (4 self)
Authenticated and secure key-agreement protocols without a trusted key-distribution center usually owe a lot to public-key primitives whose implementation includes modular exponentiation. Since modular exponentiation is computationally expensive, protocols should be carefully designed so that attackers will not be motivated to use Denial-of-Service (DoS) attacks. Considering this design direction, this paper first shows a basic protection strategy against DoS attacks based on public-key related computational cost. We then propose a three-pass authenticated Diffie-Hellman key-agreement protocol conforming to the strategy; DoS attacks impose expensive computation on the attackers themselves. 1 Introduction In order to use cryptographic communication in open networks, how to establish session keys is a fundamental problem. The most well-known scheme is the Diffie-Hellman key-agreement protocol [1]. It is also well-known that this protocol on its own is vulnerable to intruder-in-the-middle a...