Results 11  20
of
27
Equitable key escrow with limited time span (or, How to enforce time expiration cryptographically)
 ADVANCES IN CRYPTOLOGY, ASIACRYPT 98, LNCS 1514
, 1998
"... With equitable key escrow the control of society over the individual and the control of the individual over society are shared fairly. In particular, the control is limited to specified time periods. We consider two applications: time controlled key escrow and time controlled auctions with closed b ..."
Abstract

Cited by 17 (5 self)
 Add to MetaCart
With equitable key escrow the control of society over the individual and the control of the individual over society are shared fairly. In particular, the control is limited to specified time periods. We consider two applications: time controlled key escrow and time controlled auctions with closed bids. In the rst the individual cannot be targeted outside the period authorized by the court. In the second the individual cannot withhold his closed bid beyond the bidding period. We propose two protocols, one for each application. We do not require the use of temperproof devices.
An observation on associative oneway functions in complexity theory
 Information Processing Letters
, 1997
"... Abstract We introduce the notion of associative oneway functions and prove that they exist if and only if P 6 = NP. As evidence of their utility, we present two novel protocols that apply strong forms of these functions to achieve secret key agreement and digital signatures. ..."
Abstract

Cited by 12 (0 self)
 Add to MetaCart
Abstract We introduce the notion of associative oneway functions and prove that they exist if and only if P 6 = NP. As evidence of their utility, we present two novel protocols that apply strong forms of these functions to achieve secret key agreement and digital signatures.
Searching for Elements in Black Box Fields and Applications
 In Advances in CryptologyCrypto’96, LNCS1109
, 1996
"... We introduce the notion of a black box field and discuss the problem of explicitly exposing field elements given in a black box form. We present several subexponential algorithms for this problem using a technique due to Maurer. These algorithms make use of elliptic curves over finite fields in a c ..."
Abstract

Cited by 10 (0 self)
 Add to MetaCart
We introduce the notion of a black box field and discuss the problem of explicitly exposing field elements given in a black box form. We present several subexponential algorithms for this problem using a technique due to Maurer. These algorithms make use of elliptic curves over finite fields in a crucial way. We present three applications for our results: (1) We show that any algebraically homomorphic encryption scheme can be broken in expected subexponential time. The existence of such schemes has been open for a number of years. (2) We give an expected subexponential time reduction from the problem of finding roots of polynomials over finite fields with low straight line complexity (e.g. sparse polynomials) to the problem of testing whether such polynomials have a root in the field. (3) We show that the hardness of computing discretelog over elliptic curves implies the security of the DiffieHellman protocol over elliptic curves. Finally in the last section of the paper we prove ...
Protection of Authenticated KeyAgreement Protocol against a DenialofService Attack
 In Proceedings of the International Symposium on Information Theory and Its Applications (ISITA’98
, 1998
"... . Authenticated and secure keyagreement protocols without a trusted keydistribution center usually owe a lot to publickey primitives whose implementation includes modular exponentiation. Since modular exponentiation is computationally expensive, protocols should be carefully designed so that atta ..."
Abstract

Cited by 9 (4 self)
 Add to MetaCart
. Authenticated and secure keyagreement protocols without a trusted keydistribution center usually owe a lot to publickey primitives whose implementation includes modular exponentiation. Since modular exponentiation is computationally expensive, protocols should be carefully designed so that attackers will not be motivated to use DenialofService (DoS) attacks. Considering this design direction, this paper first shows a basic protection strategy against DoS attacks based on publickey related computational cost. We then propose a threepass authenticated DiffieHellman keyagreement protocol conforming to the strategy; DoS attacks impose expensive computation on the attackers themselves. 1 Introduction In order to use cryptographic communication in open networks, how to establish session keys is a fundamental problem. The most wellknown scheme is DiffieHellman keyagreement protocol [1]. It is also wellknown that this protocol on its own is vulnerable to intruderinthemiddle a...
The Equivalence Between The Dhp And Dlp For Elliptic Curves Used In Practical Applications
, 2004
"... We reexamine the reduction of Maurer and Wolf of the Discrete Logarithm problem to the Di#eHellman problem. We give a precise estimate for the number of operations required in the reduction and use this to estimate the exact security of the elliptic curve variant of the Di#eHellman protocol for ..."
Abstract

Cited by 7 (0 self)
 Add to MetaCart
We reexamine the reduction of Maurer and Wolf of the Discrete Logarithm problem to the Di#eHellman problem. We give a precise estimate for the number of operations required in the reduction and use this to estimate the exact security of the elliptic curve variant of the Di#eHellman protocol for various elliptic curves defined in standards. 1.
Security arguments for the UM key agreement protocol
 in the NIST SP
"... The Unified Model (UM) key agreement protocol is an efficient DiffieHellman scheme that has been included in many cryptographic standards, most recently in the NIST SP 80056A standard. The UM protocol is believed to possess all important security attributes including key authentication and secrecy ..."
Abstract

Cited by 4 (2 self)
 Add to MetaCart
The Unified Model (UM) key agreement protocol is an efficient DiffieHellman scheme that has been included in many cryptographic standards, most recently in the NIST SP 80056A standard. The UM protocol is believed to possess all important security attributes including key authentication and secrecy, resistance to unknown keyshare attacks, forward secrecy, resistance to knownsession key attacks, and resistance to leakage of ephemeral private keys, but is known to succumb to keycompromise impersonation attacks. In this paper we present a strengthening of the CanettiKrawczyk security definition for key agreement that captures resistance to all important attacks that have been identified in the literature with the exception of keycompromise impersonation attacks. We then present a reductionist security proof that the UM protocol satisfies this new definition in the random oracle model under the Gap DiffieHellman assumption.
Public key cryptography sans certificates in ad hoc networks
 In Applied Cryptography and Network Security (ACNS
, 2006
"... Abstract. Several researchers have proposed the use of threshold cryptographic model to enable secure communication in ad hoc networks without the need of a trusted center. In this model, the system remains secure even in the presence of a certain threshold t of corrupted/malicious nodes. In this pa ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
Abstract. Several researchers have proposed the use of threshold cryptographic model to enable secure communication in ad hoc networks without the need of a trusted center. In this model, the system remains secure even in the presence of a certain threshold t of corrupted/malicious nodes. In this paper, we show how to perform necessary public key operations without nodespecific certificates in ad hoc networks. These operations include pairwise key establishment, signing, and encryption. We achieve this by using Feldman’s verifiable polynomial secret sharing (VSS) as a key distribution scheme and treating the secret shares as the private keys. Unlike in the standard public key cryptography, where entities have independent private/public key pairs, in the proposed scheme the private keys are related (they are points on a polynomial of degree t) andeach public key can be computed from the public VSS information and node identifier. We show that such related keys can still be securely used for standard signature and encryption operations (using resp. Schnorr signatures and ElGamal encryption) and for pairwise key establishment, as long as there are no more that t collusions/corruptions in the system. The proposed usage of shares as private keys can also be viewed as a thresholdtolerant identitybased cryptosystem under standard (discrete logarithm based) assumptions. 1
Elliptic Curves and their use in Cryptography
 DIMACS Workshop on Unusual Applications of Number Theory
, 1997
"... The security of many cryptographic protocols depends on the difficulty of solving the socalled "discrete logarithm" problem, in the multiplicative group of a finite field. Although, in the general case, there are no polynomial time algorithms for this problem, constant improvements are being ma ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
The security of many cryptographic protocols depends on the difficulty of solving the socalled "discrete logarithm" problem, in the multiplicative group of a finite field. Although, in the general case, there are no polynomial time algorithms for this problem, constant improvements are being made  with the result that the use of these protocols require much larger key sizes, for a given level of security, than may be convenient. An abstraction of these protocols shows that they have analogues in any group. The challenge presents itself: find some other groups for which there are no good attacks on the discrete logarithm, and for which the group operations are sufficiently economical. In 1985, the author suggested that the groups arising from a particular mathematical object known as an "elliptic curve" might fill the bill. In this paper I review the general cryptographic protocols which are involved, briefly describe elliptic curves and review the possible attacks again...
Modification of Internet Key Exchange Resistant against DenialofService
, 2000
"... The first phase of Internet Key Exchange (IKE) is an authenticated version of DiffieHellman (DH) keyagreement. Since the authentication is computationally expensive, computational burden caused by malicious requests may exhaust the CPU resource of the target. Attackers can also abuse inappropriate ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
The first phase of Internet Key Exchange (IKE) is an authenticated version of DiffieHellman (DH) keyagreement. Since the authentication is computationally expensive, computational burden caused by malicious requests may exhaust the CPU resource of the target. Attackers can also abuse inappropriate use of Cookies and exhaust the memory resource of the target.
The equivalence between the DHP and DLP for elliptic curves used in practical applications, revisited
, 2005
"... The theoretical equivalence between the DLP and DHP problems was shown by Maurer in 1994. His work was then reexamined by Muzereau et al. [11] for the special case of elliptic curves used in practical cryptographic applications. This paper improves on the latter and tries to get the tightest possib ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
The theoretical equivalence between the DLP and DHP problems was shown by Maurer in 1994. His work was then reexamined by Muzereau et al. [11] for the special case of elliptic curves used in practical cryptographic applications. This paper improves on the latter and tries to get the tightest possible reduction in terms of computational equivalence, using Maurer’s method.