Results 1 - 9 of 9
Elliptic curve cryptography: The serpentine course of a paradigm shift
J. NUMBER THEORY, 2008
Cited by 13 (4 self)
Over a period of sixteen years elliptic curve cryptography went from being an approach that many people mistrusted or misunderstood to being a public key technology that enjoys almost unquestioned acceptance. We describe the sometimes surprising twists and turns in this paradigm shift, and compare this story with the commonly accepted Ideal Model of how research and development function in cryptography. We also discuss to what extent the ideas in the literature on “social construction of technology” can contribute to a better understanding of this history.
Boneh-Boyen signatures and the Strong Diffie-Hellman problem
Pairing-Based Cryptography — Pairing 2009, Lecture Notes in Computer Science
Cited by 7 (0 self)
Abstract. The Boneh-Boyen signature scheme is a pairing-based short signature scheme which is provably secure in the standard model under the q-Strong Diffie-Hellman assumption. In this paper, we prove the converse of this statement, and show that forging Boneh-Boyen signatures is actually equivalent to solving the q-Strong Diffie-Hellman problem. Using this equivalence, we exhibit an algorithm which, on the vast majority of pairing-friendly curves, recovers Boneh-Boyen private keys in $O(p^{2/5+\varepsilon})$ time, using $O(p^{1/5+\varepsilon})$ signature queries. We present implementation results comparing the performance of our algorithm and traditional discrete logarithm algorithms such as Pollard’s lambda algorithm and Pollard’s rho algorithm. We also discuss some possible countermeasures and strategies for mitigating the impact of these findings.
Elliptic curve discrete logarithm problem over small degree extension fields. Application to the static Diffie–Hellman problem on $E(\mathbb{F}_{q^5})$. Cryptology ePrint Archive, 2010
Cited by 6 (1 self)
Abstract. In 2008 and 2009, Gaudry and Diem proposed an index calculus method for the resolution of the discrete logarithm on the group of points of an elliptic curve defined over a small degree extension field $\mathbb{F}_{q^n}$. In this paper, we study a variation of this index calculus method, improving the overall asymptotic complexity when $\log q \le c n^3$. In particular, we are able to successfully obtain relations on $E(\mathbb{F}_{p^5})$, whereas the more expensive computational complexity of Gaudry and Diem’s initial algorithm makes it impractical in this case. An important ingredient of this result is a new variation of Faugère’s Gröbner basis algorithm F4, which significantly speeds up the relation computation and might be of independent interest. As an application, we show how this index calculus leads to a practical example of an oracle-assisted resolution of the elliptic curve static Diffie-Hellman problem over a finite field on 130 bits, which is faster than birthday-based discrete logarithm computations on the same curve. Key words: elliptic curve, discrete logarithm problem (DLP), index calculus, Gröbner basis computation, summation polynomials, static Diffie-Hellman problem (SDHP)
The brave new world of bodacious assumptions in cryptography
E. Notes in Theor. Comp. Sci., 265:97–122, 2010
On The Security of The ElGamal Encryption Scheme and Damgård’s Variant
Cited by 2 (0 self)
Abstract. In this paper, we give security proofs for the ElGamal encryption scheme and its variant by Damgård (DEG). For the ElGamal encryption, we show that (1) under the delayed-target discrete log assumption and a variant of the generalized knowledge-of-exponent assumption, ElGamal encryption is one-way under non-adaptive chosen cipher attacks; (2) one-wayness of ElGamal encryption under non-adaptive chosen cipher attacks is equivalent to the hardness of the delayed-target computational Diffie-Hellman problem. For DEG, (1) we give a new proof that DEG is semantically secure against non-adaptive chosen ciphertext attacks under the delayed-target decisional Diffie-Hellman assumption (although the same result has been presented in the literature before, our proof seems simpler); (2) we show that the DHK1 assumption, which was first proposed for the DEG security proof, is stronger than necessary. A decisional (thus weaker) version of the DHK1 assumption is sufficient for the DEG security proof. Keywords: ElGamal encryption, Damgård’s ElGamal, security proof.
INTRACTABLE PROBLEMS IN CRYPTOGRAPHY
Cited by 1 (1 self)
Abstract. We examine several variants of the Diffie-Hellman and Discrete Log problems that are connected to the security of cryptographic protocols. We discuss the reductions that are known between them and the challenges in trying to assess the true level of difficulty of these problems, particularly if they are interactive or have complicated input.
Summation polynomial algorithms for elliptic curves in characteristic two
Abstract. The paper is about the discrete logarithm problem for elliptic curves over characteristic 2 finite fields $\mathbb{F}_{2^n}$ of prime degree n. We consider practical issues about index calculus attacks using summation polynomials in this setting. The contributions of the paper include: a choice of variables for binary Edwards curves (invariant under the action of a relatively large group) to lower the degree of the summation polynomials; a choice of factor base that “breaks symmetry” and increases the probability of finding a relation; an experimental investigation of the use of SAT solvers rather than Gröbner basis methods for solving multivariate polynomial equations over $\mathbb{F}_2$. We show that our choice of variables gives a significant improvement to previous work in this case. The symmetry-breaking factor base and use of SAT solvers seem to give some benefits in practice, but our experimental results are not conclusive. Our work indicates that Pollard rho is still much faster than index calculus algorithms for the ECDLP (and even for variants such as the oracle-assisted static Diffie-Hellman problem of Granger and Joux-Vitse) over prime extension fields $\mathbb{F}_{2^n}$ of reasonable size.
Hierarchical deterministic Bitcoin wallets that tolerate key leakage (Short paper)
Abstract. A Bitcoin wallet is a set of private keys known to a user and which allow that user to spend any Bitcoin associated with those keys. In a hierarchical deterministic (HD) wallet, child private keys are generated pseudorandomly from a master private key, and the corresponding child public keys can be generated by anyone with knowledge of the master public key. These wallets have several interesting applications including Internet retail, trustless audit, and a treasurer allocating funds among departments. A specification of HD wallets has even been accepted as Bitcoin standard BIP32. Unfortunately, in all existing HD wallets—including BIP32 wallets—an attacker can easily recover the master private key given the master public key and any child private key. This vulnerability precludes use cases such as a combined treasurer-auditor, and some in the Bitcoin community have suspected that this vulnerability cannot be avoided. We propose a new HD wallet that is not subject to this vulnerability. Our HD wallet can tolerate the leakage of up to m private keys with a master public key size of O(m). We prove that breaking our HD wallet is at least as hard as the so-called “one more” discrete logarithm problem.