Results 1 - 10 of 43
The Elliptic Curve Digital Signature Algorithm (ECDSA)
, 1999
Cited by 173 (5 self)
The Elliptic Curve Digital Signature Algorithm (ECDSA) is the elliptic curve analogue of the Digital Signature Algorithm (DSA). It was accepted in 1999 as an ANSI standard, and was accepted in 2000 as IEEE and NIST standards. It was also accepted in 1998 as an ISO standard, and is under consideration for inclusion in some other ISO standards. Unlike the ordinary discrete logarithm problem and the integer factorization problem, no subexponential-time algorithm is known for the elliptic curve discrete logarithm problem. For this reason, the strength-per-key-bit is substantially greater in an algorithm that uses elliptic curves. This paper describes the ANSI X9.62 ECDSA, and discusses related security, implementation, and interoperability issues. Keywords: Signature schemes, elliptic curve cryptography, DSA, ECDSA.
A Key Recovery Attack on Discrete Log-based Schemes Using a Prime Order Subgroup
, 1997
Cited by 70 (2 self)
Consider the well-known oracle attack: Somehow one gets a certain computation result as a function of a secret key from the secret key owner and tries to extract some information on the secret key. This attacking scenario is well understood in the cryptographic community. However, there are many protocols based on the discrete logarithm problem that turn out to leak many of the secret key bits from this oracle attack, unless suitable checkings are carried out. In this paper we present a key recovery attack on various discrete log-based schemes working in a prime order subgroup. Our attack can disclose part of, or the whole secret key in most Diffie-Hellman-type key exchange protocols and some applications of ElGamal encryption and signature schemes. Key Words: Key recovery attack, Discrete logarithms, Key exchange, Digital signatures. 1 Introduction Many cryptographic protocols have been developed based on the discrete logarithm problem. The main objective of developers is to design...
OpenPGP Message Format
, 1998
Cited by 51 (2 self)
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. This document is maintained in order to publish all necessary information needed to develop interoperable applications based on the OpenPGP format. It is not a step-by-step cookbook for writing an application. It describes only the format and methods needed to read, check, generate, and write conforming packets crossing any network. It does not deal with storage and implementation questions. It does, however, discuss implementation issues necessary to avoid security flaws. OpenPGP software uses a combination of strong public-key and
On the possibility of constructing meaningful hash collisions for public keys
 ACISP ’05: The 10th Australasian Conference on Information Security and Privacy, volume 3574 of Lecture Notes in Computer Science
, 2005
Cited by 30 (4 self)
{a.k.lenstra,b.m.m.d.weger} at tue dot nl Abstract. It is sometimes argued (as in [4]) that finding meaningful hash collisions might prove difficult. We show that at least one of the arguments involved is wrong, by showing that for several common public key systems it is easy to construct pairs of meaningful and secure public key data that either collide or share other characteristics with the hash collisions as quickly constructed in [14]. We present some simple results, investigate what we can and cannot (yet) achieve, and formulate some open problems of independent interest. At this point we are not yet aware of truly interesting practical implications. Nevertheless, our results may be relevant for the practical assessment of the recent hash collision results in [14]. For instance, we show how to use hash collisions to construct two X.509 certificates that contain identical signatures and that differ only in the public keys. Thus hash collisions indeed undermine one of the principles underlying Public Key Infrastructures.
Minding Your P's and Q's
 In Advances in Cryptology - ASIACRYPT'96, LNCS 1163
, 1996
Cited by 29 (3 self)
Over the last year or two, a large number of attacks have been found by the authors and others on protocols based on the discrete logarithm problem, such as ElGamal signature and Diffie-Hellman key exchange. These attacks depend on causing variables to assume values whose discrete logarithms can be calculated, whether by forcing a protocol exchange into a smooth subgroup or by choosing degenerate values directly. We survey these attacks and discuss how to build systems that are robust against them. In the process we elucidate a number of the design decisions behind the US Digital Signature Standard.
The Pynchon Gate: A Secure Method of Pseudonymous Mail Retrieval
 In Proceedings of the Workshop on Privacy in the Electronic Society (WPES 2005)
, 2005
Cited by 18 (4 self)
We present The Pynchon Gate, a pseudonymous message retrieval system. The Pynchon Gate is based upon Private Information Retrieval, an information theory primitive that enables us to address many of the known problems with existing pseudonymous communication systems. We propose a system where the user retrieves a subset of the collection of all messages in such a way that the user leaks no information about which messages he is retrieving, and a global observer is unable to correlate sender behavior with recipient usage patterns. We introduce a more stable architecture for pseudonymous mail systems and analyze its strengths and weaknesses as compared to existing systems.
Proactive Two-Party Signatures for User Authentication
 Proc. 10th Annual Network and Distributed System Security Symposium (NDSS’03), The Internet Society
, 2003
Cited by 15 (2 self)
We study proactive two-party signature schemes in the context of user authentication. A proactive two-party signature scheme (P2SS) allows two parties, the client and the server, jointly to produce signatures and periodically to refresh their sharing of the secret key. The signature generation remains secure as long as both parties are not compromised between successive refreshes. We construct the first such proactive scheme based on the discrete log assumption by efficiently transforming Schnorr's popular signature scheme into a P2SS. We also extend our technique to the signature scheme of Guillou and Quisquater (GQ), providing two practical and efficient P2SSs that can be proven secure in the random oracle model under standard discrete log or RSA assumptions.
Can we trust cryptographic software? Cryptographic flaws in GNU Privacy Guard v1.2.3
 In EUROCRYPT 2004, LNCS
, 2004
Cited by 14 (0 self)
Abstract. More and more software use cryptography. But how can one know if what is implemented is good cryptography? For proprietary software, one cannot say much unless one proceeds to reverse-engineering, and history tends to show that bad cryptography is much more frequent than good cryptography there. Open source software thus sounds like a good solution, but the fact that a source code can be read does not imply that it is actually read, especially by cryptography experts. In this paper, we illustrate this point by examining the case of a basic Internet application of cryptography: secure email. We analyze parts of the source code of the latest version of GNU Privacy Guard (GnuPG or GPG), a free open source alternative to the famous PGP software, compliant with the OpenPGP standard, and included in most GNU/Linux distributions such as Debian, MandrakeSoft, Red Hat and SuSE. We observe several cryptographic flaws in GPG v1.2.3. The most serious flaw has been present in GPG for almost four years: we show that as soon as one (GPG-generated) ElGamal signature of an arbitrary message is released, one can recover the signer’s private key in less than a second on a PC. As a consequence, ElGamal signatures and the so-called ElGamal sign+encrypt keys have recently been removed from GPG. Fortunately, ElGamal was not GPG’s default option for signing keys.
Hidden Collisions on DSS
, 1996
Cited by 13 (2 self)
We explain how to forge public parameters for the Digital Signature Standard with two known messages which always produce the same set of valid signatures (what we call a collision). This attack is thwarted by using the generation algorithm suggested in the specifications of the Standard, so it proves one always need to check proper generation. We also present a similar attack when using this generation algorithm within a complexity 2^74, which is better than the birthday attack which seeks for collisions on the underlying hash function.
Addressing the Problem of Undetected Signature Key Compromise
, 1999
Cited by 10 (4 self)
Suppose that messages have been signed using a user's signature private key during the period of time after a key compromise but before the compromise is detected. This is a period of undetected key compromise. Various techniques for detecting a compromise and preventing forged signature acceptance are presented. Attack protection is achieved by requiring a second level of authentication for the acceptance of signatures, based on information shared with a trusted authority, independent of the signature private key and signing algorithm. Alternatively, attack detection is achieved with an independent synchronization with the authority, using a second factoradaptive (nonsecret) parameter. Preventing forged signature acceptance subsequent to the detection is achieved by the use of a cooling-off or latency period, combined with periodic resynchronization.