Results 1 
5 of
5
Secure Hashed DiffieHellman over NonDDH Groups
, 2004
"... We show that in applications that use the DiffieHellman (DH) transform but take care of hashing the DH output (as required, for example, for secure DHbased encryption and key exchange) the usual requirement to work over a DDH group (i.e., a group in which the Decisional DiffieHellman assumption h ..."
Abstract

Cited by 22 (3 self)
 Add to MetaCart
We show that in applications that use the DiffieHellman (DH) transform but take care of hashing the DH output (as required, for example, for secure DHbased encryption and key exchange) the usual requirement to work over a DDH group (i.e., a group in which the Decisional DiffieHellman assumption holds) can be relaxed to only requiring that the DH group contains a large enough DDH subgroup. In particular, this implies the security of (hashed) DiffieHellman over nonprime order groups such as Z*_p. Moreover, our results show that one can work directly p without requiring any knowledge of the prime factorization of p1 and without even having to find a generator of Z*_p. These results are obtained via a general characterization of DDH groups in terms of their DDH subgroups, and a relaxation (called tDDH) of the DDH assumption via computational entropy. We also show that, under the shortexponent discretelog assumption, the security of the hashed DiffieHellman transform is preserved when replacing full exponents with short exponents.
Squarefree Values of the Carmichael Function
 J. NUM. THEORY
, 2003
"... We obtain an asymptotic formula for the number of squarefree values among p 1; for primes ppx; and we apply it to derive the following asymptotic formula for LðxÞ; the number of squarefree values of the Carmichael function lðnÞ for 1pnpx; LðxÞ ðk þ oð1ÞÞ x ln 1 a x; where a 0:37395y is the Artin ..."
Abstract

Cited by 5 (3 self)
 Add to MetaCart
We obtain an asymptotic formula for the number of squarefree values among p 1; for primes ppx; and we apply it to derive the following asymptotic formula for LðxÞ; the number of squarefree values of the Carmichael function lðnÞ for 1pnpx; LðxÞ ðk þ oð1ÞÞ x ln 1 a x; where a 0:37395y is the Artin constant, and k 0:80328y is another absolute constant.
Solving Discrete Logarithms in SmoothOrder Groups with CUDA 1
"... This paper chronicles our experiences using CUDA to implement a parallelized variant of Pollard’s rho algorithm to solve discrete logarithms in groups with cryptographically large moduli but smooth order using commodity GPUs. We first discuss some key design constraints imposed by modern GPU archite ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
This paper chronicles our experiences using CUDA to implement a parallelized variant of Pollard’s rho algorithm to solve discrete logarithms in groups with cryptographically large moduli but smooth order using commodity GPUs. We first discuss some key design constraints imposed by modern GPU architectures and the CUDA framework, and then explain how we were able to implement efficient arbitraryprecision modular multiplication within these constraints. Our implementation can execute roughly 51.9 million 768bit modular multiplications per second — or a whopping 840 million 192bit modular multiplications per second — on a single Nvidia Tesla M2050 GPU card, which is a notable improvement over all previous results on comparable hardware. We leverage this fast modular multiplication in our implementation of the parallel rho algorithm, which can solve discrete logarithms modulo a 1536bit RSA number with a 2 55smooth totient in less than two minutes. We conclude the paper by discussing implications to discrete logarithmbased cryptosystems, and by pointing out how efficient implementations of parallel rho (or related algorithms) lead to trapdoor discrete logarithm groups; we also point out two potential cryptographic applications for the latter. Our code is written in C for CUDA and PTX; it is open source and freely available for download online. 1