Signature Schemes Based on the Strong RSA Assumption
ACM Transactions on Information and System Security, 1998
Cited by 152 (8 self)
Abstract
We describe and analyze a new digital signature scheme. The new scheme is quite efficient, does not require the signer to maintain any state, and can be proven secure against adaptive chosen message attack under a reasonable intractability assumption, the so-called Strong RSA Assumption. Moreover, a hash function can be incorporated into the scheme in such a way that it is also secure in the random oracle model under the standard RSA Assumption.
Secure Password-Based Cipher Suite for TLS
Proceedings of the Network and Distributed Systems Security Symposium, 2001
Cited by 26 (1 self)
Abstract
SSL is the de facto standard today for securing end-to-end transport on the Internet. While the protocol itself seems rather secure, there are a number of risks that lurk in its use, e.g., in web banking. However, the adoption of password-based key-exchange protocols can overcome some of these problems. We propose the integration of such a protocol (DH-EKE) in the TLS protocol, the standardization of SSL by the IETF. The resulting protocol provides secure mutual authentication and key establishment over an insecure channel. It does not have to resort to a PKI or keys and certificates stored on the user's computer. Additionally, its integration in TLS is as minimal and non-intrusive as possible.
Multi-trapdoor Commitments and Their Applications to Proofs of Knowledge Secure under Concurrent Man-in-the-Middle Attacks
CRYPTO, 2004
Cited by 15 (1 self)
Abstract
We introduce the notion of multi-trapdoor commitments, which is a stronger form of trapdoor commitment schemes. We then construct two very efficient instantiations of multi-trapdoor commitment schemes, one based on the Strong RSA Assumption and the other on the Strong Diffie-Hellman Assumption. The main application of our new notion is the construction of a compiler that takes any proof of knowledge and transforms it into one which is secure against a concurrent man-in-the-middle attack (in the common reference string model). When using our specific implementations, this compiler is very efficient (requires no more than four exponentiations) and maintains the round complexity of the original proof of knowledge. The main practical applications of our results are concurrently secure identification protocols. For these applications our results are the first simple and efficient solutions based on the Strong RSA or Diffie-Hellman Assumption.
Finding Small Roots of Bivariate Integer Polynomial Equations Revisited
Proc. Advances in Cryptology, EUROCRYPT '04, LNCS 3027, 2004
Cited by 14 (0 self)
Abstract
At Eurocrypt '96, Coppersmith proposed an algorithm for finding small roots of bivariate integer polynomial equations, based on lattice reduction techniques. But the approach is difficult to understand. In this paper, we present a much simpler algorithm for solving the same problem. Our simplification is analogous to the simplification brought by Howgrave-Graham to Coppersmith's algorithm for finding small roots of univariate modular polynomial equations. As an application, we illustrate the new algorithm with the problem of finding the factors of n = pq if we are given the high-order (1/4) log_2 n bits of p.
Polynomial Representations of the Diffie-Hellman Mapping
Cited by 3 (0 self)
Abstract
We obtain lower bounds on the degrees of polynomials representing the Diffie-Hellman mapping (g^x, g^y) -> g^{xy}, where g is a primitive root of a finite field F_q of q elements. These bounds are exponential in terms of log q. In particular, these results can be used to obtain lower bounds on the parallel arithmetic complexity of breaking the Diffie-Hellman cryptosystem. The method is based on bounds on the number of solutions of some polynomial equations.
Fast Generation of Prime Numbers on Portable Devices: An Update
Proceedings of CHES 2006, LNCS 4249, 2006
Cited by 3 (1 self)
Abstract
The generation of prime numbers underlies the use of most public-key cryptosystems, essentially as a primitive needed for the creation of RSA key pairs. Surprisingly enough, despite decades of intense mathematical studies on primality testing and an observed progressive intensification of cryptography, prime number generation algorithms remain scarcely investigated and most real-life implementations are of dramatically poor performance. We show simple techniques that substantially improve all algorithms previously suggested or extend their capabilities. We derive fast implementations on appropriately equipped portable devices like smart cards embedding a cryptographic coprocessor. This allows on-board generation of RSA keys featuring a very attractive (average) processing time. Our motivation here is to help transfer this task from the terminals where this operation usually took place so far to the portable devices themselves in the near future, for more confidence, security, and compliance with network-scaled distributed protocols such as electronic cash or mobile commerce.
The Magic Words Are Squeamish Ossifrage (Extended Abstract)
Cited by 2 (0 self)
Abstract
We describe the computation which resulted in the title of this paper. Furthermore, we give an analysis of the data collected during this computation. From these data, we derive the important observation that in the final stages, the progress of the double large prime variation of the quadratic sieve integer factoring algorithm can more effectively be approximated by a quartic function of the time spent than by the more familiar quadratic function. We also present, as an update to [15], some of our experiences with the management of a large computation distributed over the Internet. Based on this experience, we give some realistic estimates of the current readily available computational power of the Internet. We conclude that commonly used 512-bit RSA moduli are vulnerable to any organization prepared to spend a few million dollars and to wait a few months.
Injecting Heterogeneity through Protocol Randomization
2007
Cited by 2 (0 self)
Abstract
In this paper, we argue that heterogeneity should be an important principle in the design and use of cryptographic protocols. We use automated formal analysis tools to randomly generate security protocols as a method of introducing heterogeneity. We present the results of simulations for the case of two-party authentication protocols and argue that choosing protocols randomly out of sets numbering in the hundreds of millions is practical and achievable with an acceptable overhead. To realize the simulation, we implemented a highly efficient protocol verifier, achieving approximately two orders of magnitude improvement in performance compared to previous work.
Computational Methods in Public Key Cryptology
2002
Cited by 1 (1 self)
Abstract
These notes informally review the most common methods from computational number theory that have applications in public key cryptology.
Security of Biased Sources for Cryptographic Keys
2001
Abstract
Cryptographic schemes are based on keys which are highly involved in granting their security. It is in general assumed that the source producing these keys has uniform distribution, that is, it produces keys from a given key space with equal probability. Consequently, deviations from uniform distribution of the key source may be regarded a priori as a potential security breach, even if no dedicated attack is known which might take advantage of these deviations. We propose in this paper a model for biased key sources and show that it is possible to prove some results about tolerance of biases which have the property of being inherent to the bias itself and not requiring assumptions about unknown attacks using these biases. The model is based on comparing the average-case complexities of generic attacks on some number-theoretical problems with respect to uniform and to biased distributions. We also show the connection to information-entropy-based analysis of biased ...