Results 1 - 10 of 10
Unconditional Sender and Recipient Untraceability in spite of Active Attacks, 1989
Cited by 34 (1 self)
A protocol is described which allows to send and receive messages anonymously using an arbitrary communication network, and it is proved to be unconditionally secure. This improves a result by DAVID CHAUM: The DC-net guarantees the same, but on the assumption of a reliable broadcast network. Since unconditionally secure Byzantine Agreement cannot be achieved, such a reliable broadcast network cannot be realized by algorithmic means. The solution proposed here, the DC+-net, uses the DC-net, but replaces the reliable broadcast network by a fail-stop one. By choosing the keys necessary for the DC-net dependently on the previously broadcast messages, the fail-stop broadcast can be achieved unconditionally secure and without increasing the complexity of the DC-net significantly, using an arbitrary communication network. Categories and Subject Descriptors: C.2.0 [Computer-Communication Networks]: General --- Security and protection, E.3 [Data Encryption], F.2.1 [Analysis of Algorithms...
A tale of two sieves - Notices Amer. Math. Soc, 1996
Cited by 32 (2 self)
It is the best of times for the game of factoring large numbers into their prime factors. In 1970 it was barely possible to factor “hard” 20-digit numbers. In 1980, in the heyday of the Brillhart-Morrison continued fraction factoring algorithm, factoring of 50-digit numbers was becoming commonplace. In 1990 my own quadratic sieve factoring algorithm had doubled the length of the numbers that could be factored, the record having 116 digits. By 1994 the quadratic sieve had factored the famous 129-digit RSA challenge number that had been estimated in Martin Gardner’s 1976 Scientific American column to be safe for 40 quadrillion years (though other estimates around then were more modest). But the quadratic sieve is no longer the champion. It was replaced by Pollard’s number field sieve in the spring of 1996, when that method successfully split a 130-digit RSA challenge number in about 15% of the time the quadratic sieve would have taken. In this article we shall briefly meet these factorization algorithms—these two sieves—and some of the many people who helped to develop them. In the middle part of this century, computational issues seemed to be out of fashion. In most books the problem of factoring big numbers
Discrete Logarithms: the Effectiveness of the Index Calculus Method, 1996
Cited by 21 (1 self)
In this article we survey recent developments concerning the discrete logarithm problem. Both theoretical and practical results are discussed. We emphasize the case of finite fields, and in particular, recent modifications of the index calculus method, including the number field sieve and the function field sieve. We also provide a sketch of some of the cryptographic schemes whose security depends on the intractability of the discrete logarithm problem. 1 Introduction. Let G be a cyclic group generated by an element t. The discrete logarithm problem in G is to compute for any b ∈ G the least non-negative integer e such that t^e = b. In this case, we write log_t b = e. Our purpose, in this paper, is to survey recent work on the discrete logarithm problem. Our approach is twofold. On the one hand, we consider the problem from a purely theoretical perspective. Indeed, the algorithms that have been developed to solve it not only explore the fundamental nature of one of the basic s...
Recent progress and prospects for integer factorisation algorithms - In Proc. of COCOON 2000, 2000
Cited by 17 (1 self)
Abstract. The integer factorisation and discrete logarithm problems are of practical importance because of the widespread use of public key cryptosystems whose security depends on the presumed difficulty of solving these problems. This paper considers primarily the integer factorisation problem. In recent years the limits of the best integer factorisation algorithms have been extended greatly, due in part to Moore’s law and in part to algorithmic improvements. It is now routine to factor 100-decimal digit numbers, and feasible to factor numbers of 155 decimal digits (512 bits). We outline several integer factorisation algorithms, consider their suitability for implementation on parallel machines, and give examples of their current capabilities. In particular, we consider the problem of parallel solution of the large, sparse linear systems which arise with the MPQS and NFS methods.
Building Cyclic Elliptic Curves Modulo Large Primes - Advances in Cryptology - EUROCRYPT '91, Lecture Notes in Computer Science, 1987
Cited by 15 (2 self)
Elliptic curves play an important role in many areas of modern cryptology such as integer factorization and primality proving. Moreover, they can be used in cryptosystems based on discrete logarithms for building one-way permutations. For the latter purpose, it is required to have cyclic elliptic curves over finite fields. The aim of this note is to explain how to construct such curves over a finite field of large prime cardinality, using the ECPP primality proving test of Atkin and Morain. 1 Introduction Elliptic curves prove to be a powerful tool in modern cryptology. Following the original work of H. W. Lenstra, Jr. [18] concerning integer factorization, many researchers have used this new idea to work out primality proving algorithms [8, 14, 2, 4, 22] as well as cryptosystems [21, 16] generalizing those of [12, 1, 9]. Recent work on these topics can be found in [20, 19]. More recently, Kaliski [15] has used elliptic curves in the design of one-way permutations. For this, the autho...
Diffie-Hellman key exchange protocol and non-abelian nilpotent groups. Cryptology ePrint Archive, Report 2005/110, 2005
Cited by 4 (2 self)
Abstract. In this paper we study a key exchange protocol similar to the Diffie-Hellman key exchange protocol, using abelian subgroups of the automorphism group of a non-abelian nilpotent group. We also generalize group no.92 of the Hall-Senior table [16] to an arbitrary prime p and show that, for those groups, the group of central automorphisms is commutative. We use these for the key exchange we are studying. MSC: 94A62, 20D15. Keyword: Diffie-Hellman key exchange, public-key cryptography, p-group,
Efficient Primitives from Exponentiation in Z_p, 2006
Cited by 1 (0 self)
Since Diffie-Hellman [14], many secure systems, based on discrete logarithm or Diffie-Hellman assumption in Z_p, were introduced in the literature. In this work, we investigate the possibility to construct efficient primitives from exponentiation techniques over Z_p. Consequently, we propose a new pseudorandom generator, where its security is proven under the decisional Diffie-Hellman assumption. Our generator is the most efficient among all generators from Z*_p that are provably secure under standard assumptions. If an appropriate precomputation is allowed, our generator can produce O(log log p) bits per modular multiplication. This is the best possible result in...
Computational Methods in Public Key Cryptology, 2002
Cited by 1 (1 self)
These notes informally review the most common methods from computational number theory that have applications in public key cryptology.
Some Statistics for NFS Factorizations, 2002
3 Finite Fields. In computational number theory and cryptographic applications, we often have to work over finite fields. A finite field F is a finite set with operations "+" and "×" which satisfy the usual associative, commutative and distributive laws:
Data Security - CM 0321, 2001
etwork security. Mandatory reading for aspiring system managers. Antonia J. Jones:18 December 2001 2 W. Stallings. Cryptography and Network Security: Principles and Practice. Prentice Hall. 1998. ISBN 0-13-869017-0. Fills in many aspects of the present course and goes on to discuss mail and internet security. C. P. Pfleeger. Security in Computing. Prentice Hall. 1997. ISBN 0-13-185794-0. Good general introduction. The classic 1,200 page definitive story of cryptography up to the late 1950's is: D. Kahn. The Codebreakers. Scribner, New York. 1996. A recent very interesting account including the history of RSA and PGP and a non-technical discussion of quantum cryptography is: S. Singh. The Code Book. Fourth Estate, London. 1999. Fiction: Neal Stephenson. Cryptonomicon. William Heinemann, London. 1999. CONTENTS I G

