Results 1-10 of 10
The modular inversion hidden number problem
In ASIACRYPT 2001, volume 2248 of LNCS, 2001
Cited by 12 (1 self)
Abstract. We study a class of problems called Modular Inverse Hidden Number Problems (MIHNPs). The basic problem in this class is the following: Given many pairs $\left(x_i, \mathrm{msb}_k\left((\alpha + x_i)^{-1} \bmod p\right)\right)$ for random $x_i \in \mathbb{Z}_p$ the problem is to find $\alpha \in \mathbb{Z}_p$ (here $\mathrm{msb}_k(x)$ refers to the $k$ most significant bits of $x$). We describe an algorithm for this problem when $k > (\log_2 p)/3$ and conjecture that the problem is hard whenever $k < (\log_2 p)/3$. We show that assuming hardness of some variants of this MIHNP problem leads to very efficient algebraic PRNGs and MACs.
Optimal randomness extraction from a Diffie-Hellman element
EUROCRYPT 2009, volume 5479 of LNCS, 2009
Cited by 6 (0 self)
Abstract. In this paper, we study a quite simple deterministic randomness extractor from random Diffie-Hellman elements defined over a prime order multiplicative subgroup $G$ of a finite field $\mathbb{Z}_p$ (the truncation), and over a group of points of an elliptic curve (the truncation of the abscissa). Informally speaking, we show that the least significant bits of a random element in $G \subset \mathbb{Z}_p^*$ or of the abscissa of a random point in $E(\mathbb{F}_p)$ are indistinguishable from a uniform bitstring. Such an operation is quite efficient, and is a good randomness extractor, since we show that it can extract nearly the same number of bits as the Leftover Hash Lemma can do for most Elliptic Curve parameters and for large subgroups of finite fields. To this aim, we develop a new technique to bound exponential sums that allows us to double the number of extracted bits compared with previous known results proposed at ICALP’06 by Fouque et al. It can also be used to improve previous bounds proposed by Canetti et al. One of the main applications of this extractor is to mathematically prove an assumption proposed at Crypto ’07 and used in the security proof of the Elliptic Curve Pseudo Random Generator proposed by the NIST. The second most obvious application is to perform efficient key derivation given Diffie-Hellman elements.
On the Bit Security of NTRUEncrypt
Cited by 2 (0 self)
Abstract. We show that in certain natural computational models every bit of a message encrypted with the NtruEncrypt cryptosystem is as secure as the whole message.
On the bit security of the Diffie-Hellman key
In Appl. Algebra in Engin., Commun. and Computing, 2006
Cited by 1 (0 self)
Let $\mathbb{F}_p$ be a finite field of $p$ elements, where $p$ is prime. The bit security of the Diffie-Hellman function over subgroups of $\mathbb{F}_p^*$ and of an elliptic curve over $\mathbb{F}_p$, is considered. It is shown that if the Decision Diffie-Hellman problem is hard in these groups, then the two most significant bits of the Diffie-Hellman function are secure. Under the weaker assumption of the computational (rather than decisional) hardness of the Diffie-Hellman problems, only about $(\log p)^{1/2}$ bits are known to be secure. Keywords: Diffie-Hellman protocol, bit security, exponential sums
Hardness of Computing Individual Bits for One-way Functions on Elliptic Curves
Cited by 1 (0 self)
Abstract. We prove that if one can predict any of the bits of the input to an elliptic curve based one-way function over a finite field, then we can invert the function. In particular, our result implies that if one can predict any of the bits of the input to a classical pairing-based one-way function with nonnegligible advantage over a random guess then one can efficiently invert this function and thus, solve the Fixed Argument Pairing Inversion problem (FAPI-1/FAPI-2). The latter has implications on the security of various pairing-based schemes such as the identity-based encryption scheme of Boneh–Franklin, Hess’ identity-based signature scheme, as well as Joux’s three-party one-round key agreement protocol. Moreover, if one can solve FAPI-1 and FAPI-2 in polynomial time then one can solve the Computational Diffie–Hellman problem (CDH) in polynomial time. Our result implies that all the bits of the functions defined above are hard-to-compute assuming these functions are one-way. The argument is based on a list-decoding technique via discrete Fourier transforms due to Akavia–Goldwasser–Safra as well as an idea due to Boneh–Shparlinski. Keywords: One-way function, hard-to-compute bits, bilinear pairings, elliptic curves, fixed argument pairing inversion problem, Fourier transform, list decoding.
A Survey of Elliptic Curve Cryptosystems, Part I: Introductory
2003
The theory of elliptic curves is a classical topic in many branches of algebra and number theory, but recently it is receiving more attention in cryptography. An elliptic curve is a two-dimensional (planar) curve defined by an equation involving a cubic power of coordinate x and a square power of coordinate y. One class of these curves is
Between Hashed DH and Computational DH: Compact Encryption from Weaker Assumption
In this paper, we introduce the intermediate hashed Diffie-Hellman (IHDH) assumption which is weaker than the hashed DH (HDH) assumption (and thus the decisional DH assumption), and is stronger than the computational DH assumption. We then present two public key encryption schemes with short ciphertexts which are both chosen-ciphertext secure under this assumption. The short-message scheme has smaller size of ciphertexts than Kurosawa-Desmedt (KD) scheme, and the long-message scheme is a KD-size scheme (with arbitrary plaintext length) which is based on a weaker assumption than the HDH assumption. Key words: public key encryption, chosen-ciphertext security, Diffie-Hellman assumption
Hardcore Predicates for a Diffie-Hellman Problem over Finite Fields
2013
A longstanding open problem in cryptography is proving the existence of (deterministic) hardcore predicates for the Diffie-Hellman problem defined over finite fields. In this paper we make progress on this problem by defining a very natural variation of the Diffie-Hellman problem over $\mathbb{F}_{p^2}$ and proving the unpredictability of every single bit of one of the coordinates of the secret DH value. To achieve our result we modify an idea presented at CRYPTO’01 by Boneh and Shparlinski [4] originally developed to prove that the LSB of the Elliptic Curve Diffie-Hellman problem is hard. We extend this idea in two novel ways: 1. We generalize it to the case of finite fields $\mathbb{F}_{p^2}$; 2. We prove that any bit, not just the LSB, is hard using the list decoding techniques of Akavia et al. [1] (FOCS’03) as generalized at CRYPTO’12 by Duc and Jetchev [6]. In the process we prove several other interesting results: • Our result holds also for a larger class of predicates, called segment predicates in [1]; • We extend the result of Boneh and Shparlinski to prove that every bit (and every segment predicate) of the Elliptic Curve Diffie-Hellman problem is hardcore; • We define the notion of partial one-way function over finite fields $\mathbb{F}_{p^2}$ and prove that every bit (and every segment predicate) of one of the input coordinates for these functions is hardcore.
Randomness Extraction in finite fields $\mathbb{F}_{p^n}$
Abstract. Many techniques for randomness extraction over finite fields were proposed by various authors such as Fouque et al. and Canetti et al. At Eurocrypt’09, these previous works were improved by Chevalier et al., over a finite field $\mathbb{F}_p$, where $p$ is a prime. But their papers don’t study the case where the field is not prime such as binary fields. In this paper, we present a deterministic extractor for a multiplicative subgroup of $\mathbb{F}_{p^n}^*$, where $p$ is a prime. In particular, we show that the $k$-first $\mathbb{F}_2$-coefficients of a random element in a subgroup of $\mathbb{F}_{2^n}^*$ are indistinguishable from a random bitstring of the same length. Hence, under the Decisional Diffie-Hellman assumption over binary fields, one can deterministically derive a uniformly random bitstring from a Diffie-Hellman key exchange in the standard model. Over $\mathbb{F}_p$, Chevalier et al. use the “Polya-Vinogradov inequality” to bound incomplete character sums but over $\mathbb{F}_{p^n}^*$ we use “Winterhof inequality” to bound incomplete character sums. Our proposition is a good deterministic extractor even if the length of its output is less than those one can have with the leftover hash lemma and universal hash functions. Our extractor can be used in any cryptographic protocol or encryption schemes.
New Results on the Hardness of Diffie-Hellman Bits
Abstract. We generalize and extend results obtained by Boneh and Venkatesan in 1996 and by González Vasco and Shparlinski in 2000 on the hardness of computing bits of the Diffie-Hellman key, given the public values. Specifically, while these results could only exclude (essentially) error-free predictions, we here exclude any nonnegligible advantage, though for larger fractions of the bits. We can also demonstrate a tradeoff between the tolerated error rate and the number of unpredictable bits. Moreover, by changing computational model, we show that even a very small proportion of the most significant bits of the Diffie–Hellman secret key cannot be retrieved from the public information by means of a Las Vegas type algorithm, unless the corresponding scheme is weak itself.