Results 1-10 of 48
Security analysis of the strong Diffie-Hellman problem
2006
Cited by 70 (2 self)
Abstract. Let g be an element of prime order p in an abelian group and α ∈ Z_p. We show that if g, g^α, and g^(α^d) are given for a positive divisor d of p−1, we can compute the secret α in O(log p · (√(p/d) + √d)) group operations using O(max{√(p/d), √d}) memory. If g^(α^i) (i = 0, 1, 2, ..., d) are provided for a positive divisor d of p+1, α can be computed in O(log p · (√(p/d) + d)) group operations using O(max{√(p/d), √d}) memory. This implies that the strong Diffie-Hellman problem and its related problems have computational complexity reduced by O(√d) from that of the discrete logarithm problem for such primes. Further, we apply this algorithm to the schemes based on the Diffie-Hellman problem on an abelian group of prime order p. As a result, we reduce the complexity of recovering the secret key from O(√p) to O(√(p/d)) for Boldyreva's blind signature and the original ElGamal scheme when p−1 (resp. p+1) has a divisor d ≤ p^(1/2) (resp. d ≤ p^(1/3)) and d signature or decryption queries are allowed.
A signature scheme as secure as the Diffie-Hellman problem
Proceedings of Eurocrypt 2003, volume 2656 of LNCS
2003
Cited by 38 (1 self)
Abstract. We show a signature scheme whose security is tightly related to the Computational Diffie-Hellman (CDH) assumption in the Random Oracle Model. Existing discrete-log based signature schemes, such as ElGamal, DSS, and Schnorr signatures, either require non-standard assumptions, or their security is only loosely related to the discrete logarithm (DL) assumption using Pointcheval and Stern's "forking" lemma. Since the hardness of the CDH problem is widely believed to be closely related to the hardness of the DL problem, the signature scheme presented here offers better security guarantees than existing discrete-log based signature schemes. Furthermore, the new scheme has comparable efficiency to existing schemes. The signature scheme was previously proposed in the cryptographic literature on at least two occasions. However, no security analysis was done, probably because the scheme was viewed as a slight modification of Schnorr signatures. In particular, the scheme's tight security reduction to CDH has remained unnoticed until now. Interestingly, this discrete-log based signature scheme is similar to the trapdoor permutation based PSS signatures proposed by Bellare and Rogaway, and has a tight reduction for a similar reason.
The Diffie-Hellman Protocol
Designs, Codes, and Cryptography
1999
Cited by 29 (0 self)
The 1976 seminal paper of Diffie and Hellman is a landmark in the history of cryptography. They introduced the fundamental concepts of a trapdoor one-way function, a public-key cryptosystem, and a digital signature scheme. Moreover, they presented a protocol, the so-called Diffie-Hellman protocol, allowing two parties who share no secret information initially to generate a mutual secret key. This paper summarizes the present knowledge on the security of this protocol.
Quantum algorithms for algebraic problems
2008
Cited by 23 (1 self)
Quantum computers can execute algorithms that dramatically outperform classical computation. As the best-known example, Shor discovered an efficient quantum algorithm for factoring integers, whereas factoring appears to be difficult for classical computers. Understanding what other computational problems can be solved significantly faster using quantum algorithms is one of the major challenges in the theory of quantum
Pseudorandom Generators with Long Stretch and Low Locality from Random Local One-Way Functions
2013
Cited by 15 (1 self)
We continue the study of locally-computable pseudorandom generators (PRG) G: {0,1}^n → {0,1}^m such that each of their outputs depends on a small number d of input bits. While it is known that such generators are likely to exist for the case of small sub-linear stretch m = n + n^(1−δ), it is less clear whether achieving larger stretch such as m = n + Ω(n), or even m = n^(1+δ), is possible. The existence of such PRGs, which was posed as an open question in previous works (e.g., [Cryan and Miltersen, MFCS 2001], [Mossel, Shpilka and Trevisan, FOCS 2003], and [Applebaum, Ishai and Kushilevitz, FOCS 2004]), has recently gained an additional motivation due to several interesting applications. We make progress towards resolving this question by obtaining several local constructions based on the one-wayness of "random" local functions, a variant of an assumption made by Goldreich (ECCC 2000). Specifically, we construct collections of PRGs with the following parameters:
• Linear stretch m = n + Ω(n) and constant locality d = O(1).
• Polynomial stretch m = n^(1+δ) and any (arbitrarily slowly growing) super-constant locality
Public key cryptography based on semigroup actions
Adv. in Math. of Communications
Cited by 10 (1 self)
(Communicated by Andreas Stein) Abstract. A generalization of the original Diffie-Hellman key exchange in (Z/pZ)* found a new depth when Miller [27] and Koblitz [16] suggested that such a protocol could be used with the group over an elliptic curve. In this paper, we propose a further vast generalization where abelian semigroups act on finite sets. We define a Diffie-Hellman key exchange in this setting and we illustrate how to build interesting semigroup actions using finite (simple) semirings. The practicality of the proposed extensions relies on the orbit sizes of the semigroup actions, and at this point it is an open question how to compute the sizes of these orbits in general and also whether there exists a square root attack in general. In Section 5 a concrete practical semigroup action built from simple semirings is presented. It will require further research to analyse this system.
Black-Box Extension Fields and the Inexistence of Field-Homomorphic One-Way Permutations
Cited by 9 (1 self)
The black-box field (BBF) extraction problem is, for a given field �, to determine a secret field element hidden in a black-box which allows one to add and multiply values in � in the box and which reports only equalities of elements in the box. This problem is of cryptographic interest for two reasons. First, for ���Ô it corresponds to the generic reduction of the discrete logarithm problem to the computational Diffie-Hellman problem in a group of prime order Ô. Second, an efficient solution to the BBF problem proves the inexistence of certain field-homomorphic encryption schemes whose realization is an interesting open problem in algebra-based cryptography. BBFs are also of independent interest in computational algebra. In the previous literature, BBFs had only been considered for the prime field case. In this paper we consider a generalization of the extraction problem to BBFs that are extension fields. More precisely, we discuss the representation problem defined as follows: for given generators �������� algebraically generating a BBF and an additional element Ü, all hidden in a black-box, express Ü algebraically in terms of ��������. We give an efficient algorithm for this representation problem and related problems for fields with small characteristic (e.g. ���Ò for some Ò). We also consider extension fields of large characteristic and show how to reduce the representation problem to the extraction problem for the underlying prime field. These results imply the inexistence of field-homomorphic (as opposed to only group-homomorphic, like RSA) one-way permutations for fields of small characteristic.
The Equivalence Between the DHP and DLP for Elliptic Curves Used in Practical Applications
2004
Cited by 7 (0 self)
We re-examine the reduction of Maurer and Wolf of the Discrete Logarithm problem to the Diffie-Hellman problem. We give a precise estimate for the number of operations required in the reduction and use this to estimate the exact security of the elliptic curve variant of the Diffie-Hellman protocol for various elliptic curves defined in standards.
Intractable Problems in Cryptography
Cited by 4 (1 self)
Abstract. We examine several variants of the Diffie-Hellman and Discrete Log problems that are connected to the security of cryptographic protocols. We discuss the reductions that are known between them and the challenges in trying to assess the true level of difficulty of these problems, particularly if they are interactive or have complicated input.