Abstract. This paper investigates a novel computational problem, namely the Composite Residuosity Class Problem, and its applications to public-key cryptography. We propose a new trapdoor mechanism and derive from this technique three encryption schemes: a trapdoor permutation and two homomorphic probabilistic encryption schemes computationally comparable to RSA. Our cryptosystems, based on usual modular arithmetics, are provably secure under appropriate assumptions in the standard model. 1

Several public key cryptosystems with additional homomorphic properties have been proposed so far. They allow to perform computation with encrypted data without the knowledge of any secret information. In many applications, the ability to perform decryption, i.e. the knowledge of the secret key, gives a huge power. A classical way to reduce the trust in such a secret owner, and consequently to increase the security, is to share the secret between many entities in such a way that cooperation between them is necessary to decrypt. In this paper, we propose a distributed version of the Paillier cryptosystem presented at Eurocrypt ’99. This shared scheme can for example be used in an electronic voting scheme or in a lottery where a random number related to the winning ticket has to be jointly chosen by all participants.

. This paper consists of three parts. First, various types of Diffie-Hellman oracles for a cyclic group G and subgroups of G are defined and their equivalence is proved. In particular, the security of using a subgroup of G instead of G in the Diffie-Hellman protocol is investigated. Second, we derive several new conditions for the polynomial-time equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms in G which extend former results by den Boer and Maurer. Finally, efficient constructions of Diffie-Hellman groups with provable equivalence are described. Keywords. Public-key cryptography, Diffie-Hellman protocol, Discrete logarithms, Elliptic curves. 1 Introduction Let G be a cyclic group with generator g. The Diffie-Hellman (DH) problem [6] is, for given g u and g v , to compute g uv . A possible group for the DH protocol [6] is Z p , where p is a prime number, or an elliptic curve over a finite field [17],[9]. The DH problem is at most as diffi...

Both uniform and non-uniform results concerning the security of the Diffie-Hellman key-exchange protocol are proved. First, it is shown that in a cyclic group G of order jGj = Q p e i i , where all the multiple prime factors of jGj are polynomial in log jGj, there exists an algorithm that reduces the computation of discrete logarithms in G to breaking the Diffie-Hellman protocol in G and has complexity p maxf(p i )g \Delta (log jGj) O(1) , where (p) stands for the minimum of the set of largest prime factors of all the numbers d in the interval [p \Gamma 2 p p+1; p+2 p p+ 1]. Under the unproven but plausible assumption that (p) is polynomial in log p, this reduction implies that the Diffie-Hellman problem and the discrete logarithm problem are polynomial-time equivalent in G. Second, it is proved that the Diffie-Hellman problem and the discrete logarithm problem are equivalent in a uniform sense for groups whose orders belong to certain classes: there exists a p...

The 1976 seminal paper of Diffie and Hellman is a landmark in the history of cryptography. They introduced the fundamental concepts of a trapdoor one-way function, a public-key cryptosystem, and a digital signature scheme. Moreover, they presented a protocol, the so-called Diffie-Hellman protocol, allowing two parties who share no secret information initially, to generate a mutual secret key. This paper summarizes the present knowledge on the security of this protocol.

This paper introduces three new probabilistic encryption schemes using elliptic curves over rings. The cryptosystems are based on three specific trapdoor mechanisms allowing the recipient to recover discrete logarithms on di#erent types of curves. The first scheme is an embodiment of Naccache and Stern's cryptosystem and realizes a discrete log encryption as originally wanted in [23] by Vanstone and Zuccherato.

this document is to keep the "natural" combination between the TA's public key and the user's public key, but reduce a single TA's power, and make the trusted authority service for IBC more trustworthy. Our solution makes use of Multiple Trusted Authorities in Identifier Based Cryptography (MTAIBC)

In [1], Vanstone and Zuccherato proposed a public-key elliptic curve cryptosystem in which the public key consists of an integer N and an elliptic curve E defined over the ring Z=NZ. Here N is a product of two secret primes p and q, each of special form, and the order of E modulo N is smooth. We present three attacks, each of which factors the modulus N and hence breaks the cryptosystem. The first attack exploits the special form of p and q; the second exploits the smoothness of the elliptic curve; and the third attack breaks a proposed application of the system to user authentication. For parameters as in [1], the modulus can be factored within a fraction of a second. Keywords Cryptography, public key, authentication, discrete logarithm, elliptic curves, factoring. I. The proposed cryptosystem In a recent cryptosystem proposed by Vanstone and Zuccherato [1], part of the public key is an integer N which is a product of two secret primes p and q. An elliptic curve E over Z=NZ is ch...