Results 1  10
of
27
Lower Bounds for Discrete Logarithms and Related Problems
, 1997
"... . This paper considers the computational complexity of the discrete logarithm and related problems in the context of "generic algorithms"that is, algorithms which do not exploit any special properties of the encodings of group elements, other than the property that each group element is encoded a ..."
Abstract

Cited by 223 (11 self)
 Add to MetaCart
. This paper considers the computational complexity of the discrete logarithm and related problems in the context of "generic algorithms"that is, algorithms which do not exploit any special properties of the encodings of group elements, other than the property that each group element is encoded as a unique binary string. Lower bounds on the complexity of these problems are proved that match the known upper bounds: any generic algorithm must perform\Omega (p 1=2 ) group operations, where p is the largest prime dividing the order of the group. Also, a new method for correcting a faulty DiffieHellman oracle is presented. 1 Introduction The discrete logarithm problem plays an important role in cryptography. The problem is this: given a generator g of a cyclic group G, and an element g x in G, determine x. A related problem is the DiffieHellman problem: given g x and g y , determine g xy . In this paper, we study the computational power of "generic algorithms" that is, ...
The Decision DiffieHellman Problem
, 1998
"... The Decision DiffieHellman assumption (ddh) is a gold mine. It enables one to construct efficient cryptographic systems with strong security properties. In this paper we survey the recent applications of DDH as well as known results regarding its security. We describe some open problems in this are ..."
Abstract

Cited by 197 (6 self)
 Add to MetaCart
The Decision DiffieHellman assumption (ddh) is a gold mine. It enables one to construct efficient cryptographic systems with strong security properties. In this paper we survey the recent applications of DDH as well as known results regarding its security. We describe some open problems in this area. 1 Introduction An important goal of cryptography is to pin down the exact complexity assumptions used by cryptographic protocols. Consider the DiffieHellman key exchange protocol [12]: Alice and Bob fix a finite cyclic group G and a generator g. They respectively pick random a; b 2 [1; jGj] and exchange g a ; g b . The secret key is g ab . To totally break the protocol a passive eavesdropper, Eve, must compute the DiffieHellman function defined as: dh g (g a ; g b ) = g ab . We say that the group G satisfies the Computational DiffieHellman assumption (cdh) if no efficient algorithm can compute the function dh g (x; y) in G. Precise definitions are given in the next sectio...
Key Agreement Protocols and their Security Analysis
, 1997
"... This paper proposes new protocols for two goals: authenticated key agreement and authenticated key agreement with key confirmation in the asymmetric (publickey) setting. A formal ..."
Abstract

Cited by 137 (6 self)
 Add to MetaCart
This paper proposes new protocols for two goals: authenticated key agreement and authenticated key agreement with key confirmation in the asymmetric (publickey) setting. A formal
HMQV: A HighPerformance Secure DiffieHellman Protocol
 Protocol, Advances in Cryptology — CRYPTO ’05, LNCS 3621
, 2005
"... The MQV protocol of Law, Menezes, Qu, Solinas and Vanstone is possibly the most e#cient of all known authenticated Di#eHellman protocols that use publickey authentication. In addition to great performance, the protocol has been designed to achieve a remarkable list of security properties. As a ..."
Abstract

Cited by 113 (2 self)
 Add to MetaCart
The MQV protocol of Law, Menezes, Qu, Solinas and Vanstone is possibly the most e#cient of all known authenticated Di#eHellman protocols that use publickey authentication. In addition to great performance, the protocol has been designed to achieve a remarkable list of security properties. As a result MQV has been widely standardized, and has recently been chosen by the NSA as the key exchange mechanism underlying "the next generation cryptography to protect US government information".
Authenticated DiffieHellman Key Agreement Protocols
, 1998
"... This paper surveys recent work on the design and analysis of key agreement protocols that are based on the intractability of the DiffieHellman problem. The focus is on protocols that have been standardized, or are in the process of being standardized, by organizations such as ANSI, IEEE, ISO/IEC, a ..."
Abstract

Cited by 70 (1 self)
 Add to MetaCart
This paper surveys recent work on the design and analysis of key agreement protocols that are based on the intractability of the DiffieHellman problem. The focus is on protocols that have been standardized, or are in the process of being standardized, by organizations such as ANSI, IEEE, ISO/IEC, and NIST. The practical and provable security aspects of these protocols are discussed.
Using Hash Functions as a Hedge against Chosen Ciphertext Attack
, 2000
"... The cryptosystem recently proposed by Cramer and Shoup [5] is a practical public key cryptosystem that is secure against adaptive chosen ciphertext attack provided the Decisional DiffieHellman assumption is true. Although this is a reasonable intractability assumption, it would be preferable to bas ..."
Abstract

Cited by 67 (7 self)
 Add to MetaCart
The cryptosystem recently proposed by Cramer and Shoup [5] is a practical public key cryptosystem that is secure against adaptive chosen ciphertext attack provided the Decisional DiffieHellman assumption is true. Although this is a reasonable intractability assumption, it would be preferable to base a security proof on a weaker assumption, such as the Computational DiffieHellman assumption. Indeed, this cryptosystem in its most basic form is in fact insecure if the Decisional DiffieHellman assumption is false. In this paper we present a practical hybrid scheme that is just as efficient as the scheme of of Cramer and Shoup; we prove that the scheme is secure if the Decisional DiffieHellman assumption is true; we give strong evidence that the scheme is secure if the weaker, Computational DiffieHellman assumption is true by providing a proof of security in the random oracle model.
Extended Password Key Exchange Protocols Immune to Dictionary Attack
, 1997
"... Strong password methods verify even small passwords over a network without additional stored keys or certificates with the user, and without fear of network dictionary attack. We describe a new extension to further limit exposure to theft of a stored passwordverifier, and apply it to several protoc ..."
Abstract

Cited by 37 (0 self)
 Add to MetaCart
Strong password methods verify even small passwords over a network without additional stored keys or certificates with the user, and without fear of network dictionary attack. We describe a new extension to further limit exposure to theft of a stored passwordverifier, and apply it to several protocols including the Simple Password Exponential Key Exchange (SPEKE). Alice proves knowledge of a password C to Bob, who has a stored verifier S, where S=g mod p. They perform a SPEKE exchange based on the shared secret S to derive ephemeral shared key K,. Bob chooses a random X and X sends g mod p. Alice computes K2=gxc mod p, and proves knowledge of {K,,K2/. Bob vervies this result to confirm that Alice knows C. Implementation issues are summarized, showing the potential for improved pe$ormance over Bellovin & Merritt's comparably strong AugmentedEncrypted Key Exchange. These methods make the password a strong independent factor in authentication, and are suitable for both Internet and intranet use.
The Relationship Between Breaking the DiffieHellman Protocol and Computing Discrete Logarithms
, 1998
"... Both uniform and nonuniform results concerning the security of the DiffieHellman keyexchange protocol are proved. First, it is shown that in a cyclic group G of order jGj = Q p e i i , where all the multiple prime factors of jGj are polynomial in log jGj, there exists an algorithm that re ..."
Abstract

Cited by 37 (3 self)
 Add to MetaCart
Both uniform and nonuniform results concerning the security of the DiffieHellman keyexchange protocol are proved. First, it is shown that in a cyclic group G of order jGj = Q p e i i , where all the multiple prime factors of jGj are polynomial in log jGj, there exists an algorithm that reduces the computation of discrete logarithms in G to breaking the DiffieHellman protocol in G and has complexity p maxf(p i )g \Delta (log jGj) O(1) , where (p) stands for the minimum of the set of largest prime factors of all the numbers d in the interval [p \Gamma 2 p p+1; p+2 p p+ 1]. Under the unproven but plausible assumption that (p) is polynomial in log p, this reduction implies that the DiffieHellman problem and the discrete logarithm problem are polynomialtime equivalent in G. Second, it is proved that the DiffieHellman problem and the discrete logarithm problem are equivalent in a uniform sense for groups whose orders belong to certain classes: there exists a p...
The DiffieHellman Protocol
 DESIGNS, CODES, AND CRYPTOGRAPHY
, 1999
"... The 1976 seminal paper of Diffie and Hellman is a landmark in the history of cryptography. They introduced the fundamental concepts of a trapdoor oneway function, a publickey cryptosystem, and a digital signature scheme. Moreover, they presented a protocol, the socalled DiffieHellman protoco ..."
Abstract

Cited by 26 (0 self)
 Add to MetaCart
The 1976 seminal paper of Diffie and Hellman is a landmark in the history of cryptography. They introduced the fundamental concepts of a trapdoor oneway function, a publickey cryptosystem, and a digital signature scheme. Moreover, they presented a protocol, the socalled DiffieHellman protocol, allowing two parties who share no secret information initially, to generate a mutual secret key. This paper summarizes the present knowledge on the security of this protocol.
Secure Hashed DiffieHellman over NonDDH Groups
, 2004
"... We show that in applications that use the DiffieHellman (DH) transform but take care of hashing the DH output (as required, for example, for secure DHbased encryption and key exchange) the usual requirement to work over a DDH group (i.e., a group in which the Decisional DiffieHellman assumption h ..."
Abstract

Cited by 21 (3 self)
 Add to MetaCart
We show that in applications that use the DiffieHellman (DH) transform but take care of hashing the DH output (as required, for example, for secure DHbased encryption and key exchange) the usual requirement to work over a DDH group (i.e., a group in which the Decisional DiffieHellman assumption holds) can be relaxed to only requiring that the DH group contains a large enough DDH subgroup. In particular, this implies the security of (hashed) DiffieHellman over nonprime order groups such as Z*_p. Moreover, our results show that one can work directly p without requiring any knowledge of the prime factorization of p1 and without even having to find a generator of Z*_p. These results are obtained via a general characterization of DDH groups in terms of their DDH subgroups, and a relaxation (called tDDH) of the DDH assumption via computational entropy. We also show that, under the shortexponent discretelog assumption, the security of the hashed DiffieHellman transform is preserved when replacing full exponents with short exponents.