Results 11-20 of 75
Trading One-Wayness Against Chosen-Ciphertext Security in Factoring-Based Encryption
2006
Cited by 15 (1 self)
We revisit a long-lived folklore impossibility result for factoring-based encryption and properly establish that reaching maximally secure one-wayness (i.e. equivalent to factoring) and resisting chosen-ciphertext attacks (CCA) are incompatible goals for single-key cryptosystems. We pinpoint two tradeoffs between security notions in the standard model that have always remained unnoticed in the Random Oracle (RO) model. These imply that simple RO-model schemes such as Rabin/RW-SAEP[+]/OAEP[+][+], EPOC-2, etc. admit no instantiation in the standard model whose CCA security is equivalent to factoring via a key-preserving reduction. We extend this impossibility to arbitrary reductions assuming non-malleable key generation, a property capturing the intuition that factoring a modulus n should not be any easier when given a factoring oracle for moduli n' ≠ n. The only known countermeasures against our impossibility results, besides malleable key generation, are the inclusion of an additional random string in the public key, or encryption twinning as in Naor-Yung or Dolev-Dwork-Naor constructions.
Trapdoor One-Way Permutations and Multivariate Polynomials
Proc. of ICICS'97, LNCS 1334
1997
Cited by 15 (2 self)
This article is divided into two parts. The first part describes the known candidates of trapdoor one-way permutations. The second part presents a new candidate trapdoor one-way permutation. This candidate is based on properties of multivariate polynomials on finite fields, and has similar characteristics to T. Matsumoto, H. Imai, and J. Patarin's schemes. What makes trapdoor one-way permutations particularly interesting is the fact that they immediately provide ciphering, signature, and authentication asymmetric schemes. Our candidate performs excellently in secret key, and secret key computations can be implemented in low-cost smartcards, i.e. without coprocessors. Key words: Trapdoor one-way permutations, multivariate polynomials, research of new asymmetric bijective schemes. Notes: This paper is the extended version of the paper with the same title published at ICICS'97. In this extended version, we have taken into account the recent results of [5].
Polynomial Selection for the Number Field Sieve Integer Factorisation Algorithm
1999
Cited by 15 (0 self)
I have been afforded the rare opportunity of working as a student of Richard Brent. Over the last three years, Richard has provided encouragement, guidance and suggestions from which I have learnt a great deal and for which I am extremely grateful. Richard was also considerate enough to take up a chair in Computing Science at Oxford University in 1998. That gave me an excuse to visit him there, about which I will say more later. I also owe a great deal to Peter Montgomery (CWI, Amsterdam and Microsoft Research, USA). Peter's influence on current research in this field is far more extensive than most people realise. I have had the benefit of many long discussions with Peter, and a great deal of patient instruction from him. Several key sections of this thesis are developed from ideas originating from discussions with Peter. My research experience has been enriched and broadened through close collaboration with the Computational Number Theory and Data Security group at CWI in Amsterdam. I thank Herman te Riele, the head of the group, for fostering that collaboration and supporting two visits by me to CWI.
Security of Signature Schemes in a Multi-User Setting
2001
Cited by 15 (1 self)
This paper considers the security of signature schemes in the multi-user setting. We argue that the well-accepted notion of security for signature schemes, namely existential unforgeability against adaptive chosen-message attacks, is not adequate for the multi-user setting. We extend this security notion to the multi-user setting and show that signature schemes proven secure in the single-user setting can, under reasonable constraints, also be proven secure in the multi-user setting.
Public Key Cryptosystem Using A Reciprocal Number With The Same Intractability As Factoring A Large Number
CRYPTOLOGIA
1994
Cited by 13 (4 self)
This paper proposes a public key cryptosystem using a reciprocal number. Breaking the proposed cryptosystem is proven to be as difficult as factoring a large number. Encryption requires O(n^2) bit operations and decryption requires O(n^3) bit operations (n is the bit length of a plaintext).
1 Introduction
A public key cryptosystem proposed by Rabin [1] is excellent because it has been proven that breaking the cryptosystem is as hard as factoring a large number. However, a ciphertext cannot be uniquely deciphered because four different plaintexts produce the same cipher. Williams [2] showed that this disadvantage can be overcome if the two secret prime numbers, p and q, are chosen such that p ≡ q ≡ 3 (mod 4). The RSA cryptosystem [3] is the most well-known public key cryptosystem. However, it is not known whether breaking the RSA cryptosystem is as hard as factoring a large number. Recently, Williams [4] proposed a modified RSA cryptosystem which utilizes quadratic irrational numbers. He ...
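The four-root ambiguity this abstract attributes to Rabin's scheme, and the reason breaking it is exactly as hard as factoring, as an added example that is not the paper's own code: Rabin encryption is squaring modulo N = pq; with p ≡ q ≡ 3 (mod 4), the condition the abstract mentions, a square root modulo each prime is a single exponentiation, and the Chinese remainder theorem combines the two choices of sign into four roots. The primes, the sample message and the helper names are assumptions chosen for this example. The last function shows the textbook chosen-ciphertext consequence: a decryptor that returns an arbitrary one of the four roots hands the querier a factor of N half the time, which is the tension the first entry on this page formalises.

```python
from math import gcd

# Constructed example parameters: two Blum primes (p, q ≡ 3 mod 4).
# 999983 and 1000003 are prime but far too small for real use.
P = 999983
Q = 1000003
N = P * Q


def rabin_encrypt(m, n=N):
    """Rabin encryption is just squaring modulo n = pq."""
    return (m * m) % n


def sqrt_mod_blum_prime(c, p):
    """Square root of c modulo a prime p ≡ 3 (mod 4).

    For such p, c^((p+1)/4) mod p is a root whenever c is a quadratic
    residue; this is why the parameters are chosen with p ≡ q ≡ 3 (mod 4).
    """
    assert p % 4 == 3
    r = pow(c, (p + 1) // 4, p)
    if (r * r) % p != c % p:
        raise ValueError("c is not a quadratic residue mod p")
    return r


def rabin_decrypt_all(c, p=P, q=Q):
    """Return all four square roots of c modulo n = pq via the CRT.

    A real decryptor must pick one of these; without redundancy in the
    plaintext it cannot tell which root the sender meant.
    """
    n = p * q
    rp = sqrt_mod_blum_prime(c, p)
    rq = sqrt_mod_blum_prime(c, q)
    q_inv_p = pow(q, -1, p)  # q^-1 mod p
    p_inv_q = pow(p, -1, q)  # p^-1 mod q
    roots = set()
    for sp in (rp, p - rp):
        for sq in (rq, q - rq):
            # x ≡ sp (mod p) and x ≡ sq (mod q)
            x = (sp * q * q_inv_p + sq * p * p_inv_q) % n
            roots.add(x)
    return sorted(roots)


def factor_from_roots(m, r, n=N):
    """If r^2 ≡ m^2 (mod n) but r ≢ ±m, then gcd(r - m, n) is a proper factor.

    This is the chosen-ciphertext attack on any Rabin decryptor that returns
    an arbitrary root: submit m^2, receive r, and factor n with probability
    1/2 per query.
    """
    d = gcd(r - m, n)
    if d in (1, n):
        raise ValueError("r is a trivial root (±m); try another query")
    return d


def demo(m=123456):
    """Round trip one message and run the root-to-factor step on the result."""
    c = rabin_encrypt(m)
    roots = rabin_decrypt_all(c)
    nontrivial = [r for r in roots if r not in (m, N - m)]
    factors = sorted({factor_from_roots(m, r) for r in nontrivial})
    return {"c": c, "roots": roots, "factors": factors}


if __name__ == "__main__":
    out = demo()
    print("ciphertext:", out["c"])
    print("four roots:", out["roots"])
    print("factors recovered from the two non-trivial roots:", out["factors"])
```

Because the message is coprime to N, the four roots are distinct and exactly two of them differ from ±m; each of those two yields a different prime factor, which is the whole content of the "as hard as factoring" equivalence and, at the same time, of its incompatibility with a decryption oracle.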
Improving the Exact Security of Digital Signature Schemes
1999
Cited by 13 (0 self)
We provide two contributions to exact security analysis of digital signatures: 1. We put forward a new method of constructing Fiat-Shamir-like signature schemes that yields better "exact security" than the original Fiat-Shamir method; and 2. We extend exact security analysis to exact cost-security analysis by showing that digital signature schemes with "loose security" may be preferable for reasonable measures of cost.
How Risky is the Random-Oracle Model?
Cited by 11 (0 self)
RSA-FDH and many other schemes secure in the Random-Oracle Model (ROM) require a hash function with output size larger than standard sizes. We show that the random-oracle instantiations proposed in the literature for such cases are weaker than a random oracle, including the proposals by Bellare and Rogaway from 1993 and 1996, and the ones implicit in IEEE P1363 and PKCS standards: for instance, we obtain a practical preimage attack on BR93 for 1024-bit digests (with complexity less than 2^30). Next, we study the security impact of hash function defects for ROM signatures. As an extreme case, we note that any hash collision would suffice to disclose the master key in the ID-based cryptosystem by Boneh et al. from FOCS '07, and the secret key in the Rabin-Williams signature for which Bernstein proved tight security at EUROCRYPT '08. We also remark that collisions can be found as a precomputation for any instantiation of the ROM, and this violates the security definition of the scheme in the standard model. Hence, this gives an example of a natural scheme that is proven secure in the ROM but that is insecure for any instantiation by a single function. Interestingly, for both of these schemes, a slight modification can prevent these attacks, while preserving the ROM security result. We give evidence that in the case of RSA and Rabin/Rabin-Williams, an appropriate PSS padding is more robust than all other paddings known.
On the importance of securing your bins: The garbage-man-in-the-middle attack
1997
Cited by 9 (2 self)
In this paper, we address the following problem: "Is it possible to weaken/attack a scheme when a (provably) secure cryptosystem is used?". The answer is yes. We exploit weak error-handling methods. Our attack relies on the cryptanalyst being able to modify some ciphertext and then getting access to the decryption of this modified ciphertext. Moreover, it applies on many cryptosystems, including RSA, Rabin, LUC, KMOV, Demytko, ElGamal and its analogues, 3-pass system, knapsack scheme, etc.
SFS-HTTP: Securing the web with self-certifying URLs
citeseer.nj.nec.com/470041.html
Cited by 8 (0 self)
The current solution to secure Web communication is SSL, which relies on certificate authorities for key management, limiting the ability for individuals to independently set up secure Web sites and forcing them to trust a small number of third parties. We propose a new model for Web security, SFS-HTTP, based on SFS. While SFS uses self-certifying pathnames to separate key management from file system security, SFS-HTTP uses self-certifying URLs to separate key management from Web security. Users and Web site maintainers can define their own security models without having to rely on centralized certification authorities. We implement SFS-HTTP using the SFS libraries; users configure host authentication through the SFS agent.
1 Introduction
The current solution to security and authentication on the Web is SSL [7] which, while providing these desired properties, lacks one critical feature: extensible host authentication. Currently, Web security models all depend on (centralized) certificate authorities to validate the authenticity of remote Web servers. SFS [10] solves this problem in the file system arena with self-certifying pathnames, but can we leverage this idea for HTTP? We propose self-certifying URLs as the correct model for security on the Web. Self-certifying URLs, like self-certifying pathnames, completely specify a remote server, including its public key. The central idea in SFS is to remove the burden of authentication from the file system; in SFS-HTTP, we separate the means of authentication from Web servers and browsers themselves. A user can verify hosts in
SFS-HTTP is work in progress. This paper is available online at http://www.pdos.lcs.mit.edu/~kaminsky/sfshttp.ps
A Binary Algorithm for the Jacobi Symbol
ACM SIGSAM Bulletin
1993
Cited by 6 (1 self)
We present a new algorithm to compute the Jacobi symbol, based on Stein's binary algorithm for the greatest common divisor, and we determine the worst-case behavior of this algorithm. Our implementation of the algorithm runs approximately 7-25% faster than traditional methods on inputs of size 100-1000 decimal digits.
1 Introduction
Efficient computation of the Jacobi symbol $\left(\frac{a}{n}\right)$ is an important component of the Monte Carlo primality test of Solovay and Strassen [9]. Algorithms for computing the Jacobi symbol can also be found in symbolic algebra systems such as Mathematica and Maple. Several efficient algorithms modeled on Euclid's algorithm for computing the greatest common divisor (gcd) have been proposed and analyzed; see, for example, [12, 3, 8]. Indeed, it is possible to compute $\left(\frac{a}{n}\right)$ in O((log a)(log n)) bit operations using the "naive arithmetic" model. Using Schönhage's result [7], it is possible (see [1]) to compute $\left(\frac{a}{n}\right)$ ...
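A binary Jacobi algorithm in the spirit of this abstract, as an added example that is not the paper's code: it strips factors of two from a using the supplement (2/n) = (-1)^((n^2-1)/8), swaps the arguments with quadratic reciprocity, and replaces the Euclidean remainder step with the subtraction a - n, as Stein's binary gcd does, so the loop body only shifts, subtracts and tests low bits. A conventional Euclid-style version is included as a reference, and the Solovay-Strassen test the introduction mentions is built on top, with the per-base Euler check exposed separately. Function names, the fixed seed and the Carmichael number 561 used below are this example's own choices.

```python
import random


def jacobi_binary(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed with a Stein-style binary loop.

    Invariants: n stays odd; the sign t flips by (2/n) = -1 iff n ≡ ±3 (mod 8)
    whenever a factor of two is removed from a, and by reciprocity when both
    arguments are ≡ 3 (mod 4) at a swap. The remainder step a mod n is replaced
    by a - n, which is even (odd minus odd), so the next iteration only shifts.
    """
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n          # one initial reduction: brings a into [0, n), handles negatives
    t = 1
    while a != 0:
        while (a & 1) == 0:            # strip factors of two from a
            a >>= 1
            if (n & 7) in (3, 5):      # (2/n) = -1 iff n ≡ 3 or 5 (mod 8)
                t = -t
        if a < n:                      # both odd here: reciprocity, then swap
            a, n = n, a
            if (a & 3) == 3 and (n & 3) == 3:
                t = -t
        a -= n                         # (a/n) = ((a - n)/n); a - n is even or zero
    return t if n == 1 else 0


def jacobi_euclid(a, n):
    """Reference implementation using the usual Euclidean remainder step."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    t = 1
    while a != 0:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                t = -t
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            t = -t
        a %= n
    return t if n == 1 else 0


def euler_witness(a, n):
    """True if base a proves odd n > 2 composite: a^((n-1)/2) ≢ (a/n) (mod n)."""
    j = jacobi_binary(a, n)
    return j == 0 or pow(a, (n - 1) // 2, n) != j % n


def solovay_strassen(n, rounds=20, seed=1):
    """Probable-prime test; each round catches a composite with probability >= 1/2.

    The seed is fixed only so the example is reproducible; use a CSPRNG in practice.
    """
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    rng = random.Random(seed)
    return not any(euler_witness(rng.randrange(2, n - 1), n) for _ in range(rounds))


if __name__ == "__main__":
    for a, n in ((1001, 9907), (2, 7), (3, 7), (3, 9)):
        print(f"({a}/{n}) = {jacobi_binary(a, n)}")
    print("561 is", "probably prime" if solovay_strassen(561) else "composite")
```

The Carmichael number 561 = 3 · 11 · 17 shows why the test needs several bases: 2 is an Euler liar for 561 (2^280 ≡ 1 and (2/561) = 1), while 5 is a witness (5^280 ≡ 67 mod 561, but (5/561) = 1).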