Parallel Collision Search with Cryptanalytic Applications
Journal of Cryptology, 1996
Cited by 145 (3 self)
A simple new technique of parallelizing methods for solving search problems which seek collisions in pseudorandom walks is presented. This technique can be adapted to a wide range of cryptanalytic problems which can be reduced to finding collisions. General constructions are given showing how to adapt the technique to finding discrete logarithms in cyclic groups, finding meaningful collisions in hash functions, and performing meet-in-the-middle attacks such as a known-plaintext attack on double encryption. The new technique greatly extends the reach of practical attacks, providing the most cost-effective means known to date for defeating: the small subgroup used in certain schemes based on discrete logarithms such as Schnorr, DSA, and elliptic curve cryptosystems; hash functions such as MD5, RIPEMD, SHA-1, MDC-2, and MDC-4; and double encryption and three-key triple encryption. The practical significance of the technique is illustrated by giving the design for three $10 million custom machines which could be built with current technology: one finds elliptic curve logarithms in GF(2 ) thereby defeating a proposed elliptic curve cryptosystem in expected time 32 days, the second finds MD5 collisions in expected time 21 days, and the last recovers a double-DES key from 2 known plaintexts in expected time 4 years, which is four orders of magnitude faster than the conventional meet-in-the-middle attack on double-DES. Based on this attack, double-DES offers only 17 more bits of security than single-DES.
Random Mapping Statistics
In Advances in Cryptology, 1990
Cited by 78 (6 self)
Random mappings from a finite set into itself are either a heuristic or an exact model for a variety of applications in random number generation, computational number theory, cryptography, and the analysis of algorithms at large. This paper introduces a general framework in which the analysis of about twenty characteristic parameters of random mappings is carried out: These parameters are studied systematically through the use of generating functions and singularity analysis. In particular, an open problem of Knuth is solved, namely that of finding the expected diameter of a random mapping. The same approach is applicable to a larger class of discrete combinatorial models and possibilities of automated analysis using symbolic manipulation systems ("computer algebra") are also briefly discussed.
Parallel collision search with application to hash functions and discrete logarithms
In ACM CCS 94, 1994
Cited by 59 (1 self)
Current techniques for collision search with feasible memory requirements involve pseudorandom walks through some space where one must wait for the result of the current step before the next step can begin. These techniques are serial in nature, and direct parallelization is inefficient. We present a simple new method of parallelizing collision searches that greatly extends the reach of practical attacks. The new method is illustrated with applications to hash functions and discrete logarithms in cyclic groups. In the case of hash functions, we begin with two messages; the first is a message that we want our target to digitally sign, and the second is a message that the target is willing to sign. Using collision search adapted for hashing collisions, one can find slightly altered versions of these messages such that the two new messages give the same hash result. As a particular example, a $10 million custom machine for applying parallel collision search to the MD5 hash function could complete an attack with an expected run time of 24 days. This machine would be specific to MD5, but could be used for any pair of messages. For discrete logarithms in cyclic groups, ideas from Pollard's rho and lambda methods for index computation are combined to allow efficient parallel implementation using the new method. As a concrete example, we consider an elliptic curve cryptosystem over GF(2^155) with the order of the curve having largest prime factor of approximate size 10^36. A $10 million machine custom built for this finite field could compute a discrete logarithm with an expected run time of 36 days.
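The parallel collision search that the two van Oorschot–Wiener entries above describe, independent pseudorandom walks that share nothing but a table of distinguished points, applied to a discrete logarithm in a small cyclic group. This is an added example and not code from either paper: the safe-prime toy group found by `next_safe_prime`, the generator g = 4, the r-adding walk with one squaring partition (the step the Spectral Analysis entry below analyses), the 6-bit distinguishedness criterion, the `ParallelRho`/`_report` names and the cycle guard are all assumptions made here.

```python
"""Parallel collision search with distinguished points on a toy discrete log.
Added example: not code from either van Oorschot-Wiener paper; group, walk
parameters and all names are assumed."""
import hashlib
import random


def is_prime(n):
    """Trial division; adequate for the ~21-bit toy parameters used here."""
    if n < 2 or (n % 2 == 0 and n != 2):
        return False
    return all(n % d for d in range(3, int(n ** 0.5) + 1, 2))


def next_safe_prime(start):
    """Smallest p >= start with p and q = (p-1)/2 both prime (constructed toy group)."""
    p = start | 1
    while not (is_prime(p) and is_prime((p - 1) // 2)):
        p += 2
    return p


class ParallelRho:
    """Solve h = g^x in the order-q subgroup of Z_p^* with independent walkers."""

    def __init__(self, p, q, g, h, r=32, dp_bits=6, seed=1):
        self.p, self.q, self.g, self.h = p, q, g, h
        self.rng = random.Random(seed)            # fixed seed: reproducible run
        self.dp_mask = (1 << dp_bits) - 1         # distinguished iff hash bits & mask == 0
        self.max_trail = 20 << dp_bits            # cycle guard: abandon trails ~20x expected length
        # r-adding walk: multipliers M_j = g^u_j * h^v_j with known exponents;
        # partition 0 squares instead of multiplying.
        self.mult = [None]
        for _ in range(r - 1):
            u, v = self.rng.randrange(q), self.rng.randrange(q)
            self.mult.append((pow(g, u, p) * pow(h, v, p) % p, u, v))
        self.table = {}                           # distinguished y -> (a, b) with y = g^a h^b
        self.steps = 0                            # group operations over all walkers

    def _hash(self, y):
        d = hashlib.blake2b(y.to_bytes(8, "big"), digest_size=8).digest()
        return int.from_bytes(d, "big")

    def _step(self, y, a, b, j):
        """One walk iteration; exponents (a, b) always satisfy y = g^a h^b."""
        if j == 0:                                # squaring step doubles both exponents
            return y * y % self.p, 2 * a % self.q, 2 * b % self.q
        m, u, v = self.mult[j]
        return y * m % self.p, (a + u) % self.q, (b + v) % self.q

    def _new_trail(self):
        a, b = self.rng.randrange(self.q), self.rng.randrange(self.q)
        y = pow(self.g, a, self.p) * pow(self.h, b, self.p) % self.p
        return [y, a, b, 0]                       # point, exponents, trail length

    def _report(self, y, a, b):
        """Central table: one distinguished point reached by two trails gives
        g^a h^b = g^a2 h^b2, hence x = (a2 - a) / (b - b2) mod q."""
        if y not in self.table:
            self.table[y] = (a, b)
            return None
        a2, b2 = self.table[y]
        if (b - b2) % self.q == 0:                # identical exponents: unusable collision
            return None
        x = (a2 - a) * pow(b - b2, -1, self.q) % self.q
        return x if pow(self.g, x, self.p) == self.h else None

    def solve(self, walkers=8):
        """Round-robin simulation of `walkers` processors sharing only _report."""
        states = [self._new_trail() for _ in range(walkers)]
        while True:
            for i in range(walkers):
                y, a, b, n = states[i]
                hv = self._hash(y)
                if ((hv >> 32) & self.dp_mask) == 0:   # distinguished point reached
                    x = self._report(y, a, b)
                    if x is not None:
                        return x
                    states[i] = self._new_trail()
                elif n >= self.max_trail:         # trail never reached a DP: restart it
                    states[i] = self._new_trail()
                else:
                    y, a, b = self._step(y, a, b, hv % len(self.mult))
                    states[i] = [y, a, b, n + 1]
                    self.steps += 1


def demo():
    """Constructed instance: safe prime p = 2q + 1 just above 2^20, g = 4 (a
    square mod p, so of order q), and a secret exponent picked for the demo."""
    p = next_safe_prime(1 << 20)
    q = (p - 1) // 2
    g, x_secret = 4, 123457
    h = pow(g, x_secret, p)
    solver = ParallelRho(p, q, g, h)
    x = solver.solve(walkers=8)
    return p, q, x, x_secret, solver.steps
```

`demo()` returns the recovered logarithm together with the total number of group operations; for a group of prime order q that count sits near sqrt(pi*q/2) plus roughly one expected trail length per walker, which is the overhead the distinguished-point method pays for needing no memory inside a walker. Two details matter in practice: the exponents (a, b) must be carried along with every point, since a bare collision of group elements tells you nothing without them, and a trail can fall into a cycle that contains no distinguished point and never report, so the bounded trail length (`max_trail`) is not optional.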
The Complete Analysis of a Polynomial Factorization Algorithm Over Finite Fields
2001
Cited by 14 (3 self)
This paper derives basic probabilistic properties of random polynomials over finite fields that are of interest in the study of polynomial factorization algorithms. We show that the main characteristics of random polynomials can be treated systematically by methods of "analytic combinatorics" based on the combined use of generating functions and of singularity analysis. Our object of study is the classical factorization chain which is described in Fig. 1 and which, despite its simplicity, does not appear to have been totally analysed so far. In this paper, we provide a complete average-case analysis.
On The Distribution Of The RSA Generator
Proc. Intern. Conf. on Sequences and their Applications (SETA'98), 1998
Cited by 12 (9 self)
this paper we prove the result in the most important case for applications when m = pl where p and l are distinct primes. Such numbers are called Blum integers (sometimes given with certain additional conditions such as that
Spectral Analysis of Pollard Rho Collisions
 Proc. of the 7th Algorithmic Number Theory Symposium (ANTS VII); Springer LNCS
Cited by 10 (0 self)
We show that the classical Pollard ρ algorithm for discrete logarithms produces a collision in expected time O(√n (log n)^3). This is the first nontrivial rigorous estimate for the collision probability for the unaltered Pollard ρ graph, and is close to the conjectured optimal bound of O(√n). The result is derived by showing that the mixing time for the random walk on this graph is O((log n)^3); without the squaring step in the Pollard ρ algorithm, the mixing time would be exponential in log n. The technique involves a spectral analysis of directed graphs, which captures the effect of the squaring step.
Variation of periods modulo p in arithmetic dynamics
 J. Math
Cited by 4 (0 self)
Let ϕ: V → V be a self-morphism of a quasi-projective variety defined over a number field K and let P ∈ V(K) be a point with infinite orbit under iteration of ϕ. For each prime p of good reduction, let m_p(ϕ, P) be the size of the ϕ-orbit of the reduction of P modulo p. Fix any ε > 0. We show that for almost all primes p in the sense of analytic density, the orbit size m_p(ϕ, P) is larger than (log N_{K/Q}(p))^{1−ε}.
Random Cayley Digraphs and the Discrete Logarithm
ANTS V, Lecture Notes in Computer Science, 2002
Cited by 3 (1 self)
We formally show that there is an algorithm for dlog over all abelian groups that runs in expected optimal time (up to logarithmic factors) and uses only a small amount of space. To our knowledge, this is the first such analysis. Our algorithm is a modification of the classic Pollard rho, introducing explicit randomization of the parameters for the updating steps of the algorithm, and is analyzed using random walks with limited independence over abelian groups (a study which is of its own interest). Our analysis shows that finding cycles in such large graphs over groups that can be efficiently locally navigated is as hard as dlog.
On the Linear Complexity of the Power Generator
Designs, Codes and Cryptography, 1998
"... this paper we assume that this sequence is ..."
Periods of Rational Maps Modulo Primes
Cited by 2 (1 self)
Let K be a number field, let ϕ ∈ K(t) be a rational map of degree at least 2, and let α, β ∈ K. We show that if α is not in the forward orbit of β, then there is a positive proportion of primes p of K such that α mod p is not in the forward orbit of β mod p. Moreover, we show that a similar result holds for several maps and several points. We also present heuristic and numerical evidence that a higher dimensional analog of this result is unlikely to be true if we replace α by a hypersurface, such as the ramification locus of a morphism ϕ: P^n → P^n.