Results 1  10
of
20
Towards the Equivalence of Breaking the DiffieHellman Protocol and Computing Discrete Logarithms
, 1994
"... Let G be an arbitrary cyclic group with generator g and order jGj with known factorization. G could be the subgroup generated by g within a larger group H. Based on an assumption about the existence of smooth numbers in short intervals, we prove that breaking the DiffieHellman protocol for G and ..."
Abstract

Cited by 69 (6 self)
 Add to MetaCart
Let G be an arbitrary cyclic group with generator g and order jGj with known factorization. G could be the subgroup generated by g within a larger group H. Based on an assumption about the existence of smooth numbers in short intervals, we prove that breaking the DiffieHellman protocol for G and base g is equivalent to computing discrete logarithms in G to the base g when a certain side information string S of length 2 log jGj is given, where S depends only on jGj but not on the definition of G and appears to be of no help for computing discrete logarithms in G. If every prime factor p of jGj is such that one of a list of expressions in p, including p \Gamma 1 and p + 1, is smooth for an appropriate smoothness bound, then S can efficiently be constructed and therefore breaking the DiffieHellman protocol is equivalent to computing discrete logarithms.
The Relationship Between Breaking the DiffieHellman Protocol and Computing Discrete Logarithms
, 1998
"... Both uniform and nonuniform results concerning the security of the DiffieHellman keyexchange protocol are proved. First, it is shown that in a cyclic group G of order jGj = Q p e i i , where all the multiple prime factors of jGj are polynomial in log jGj, there exists an algorithm that re ..."
Abstract

Cited by 37 (3 self)
 Add to MetaCart
Both uniform and nonuniform results concerning the security of the DiffieHellman keyexchange protocol are proved. First, it is shown that in a cyclic group G of order jGj = Q p e i i , where all the multiple prime factors of jGj are polynomial in log jGj, there exists an algorithm that reduces the computation of discrete logarithms in G to breaking the DiffieHellman protocol in G and has complexity p maxf(p i )g \Delta (log jGj) O(1) , where (p) stands for the minimum of the set of largest prime factors of all the numbers d in the interval [p \Gamma 2 p p+1; p+2 p p+ 1]. Under the unproven but plausible assumption that (p) is polynomial in log p, this reduction implies that the DiffieHellman problem and the discrete logarithm problem are polynomialtime equivalent in G. Second, it is proved that the DiffieHellman problem and the discrete logarithm problem are equivalent in a uniform sense for groups whose orders belong to certain classes: there exists a p...
DiffieHellman Oracles
 ADVANCES IN CRYPTOLOGY  CRYPTO '96 , LECTURE NOTES IN COMPUTER SCIENCE
, 1996
"... This paper consists of three parts. First, various types of DiffieHellman oracles for a cyclic group G and subgroups of G are defined and their equivalence is proved. In particular, the security of using a subgroup of G instead of G in the DiffieHellman protocol is investigated. Second, we derive ..."
Abstract

Cited by 34 (3 self)
 Add to MetaCart
This paper consists of three parts. First, various types of DiffieHellman oracles for a cyclic group G and subgroups of G are defined and their equivalence is proved. In particular, the security of using a subgroup of G instead of G in the DiffieHellman protocol is investigated. Second, we derive several new conditions for the polynomialtime equivalence of breaking the DiffieHellman protocol and computing discrete logarithms in G which extend former results by den Boer and Maurer. Finally, efficient constructions of DiffieHellman groups with provable equivalence are described.
The DiffieHellman Protocol
 DESIGNS, CODES, AND CRYPTOGRAPHY
, 1999
"... The 1976 seminal paper of Diffie and Hellman is a landmark in the history of cryptography. They introduced the fundamental concepts of a trapdoor oneway function, a publickey cryptosystem, and a digital signature scheme. Moreover, they presented a protocol, the socalled DiffieHellman protoco ..."
Abstract

Cited by 26 (0 self)
 Add to MetaCart
The 1976 seminal paper of Diffie and Hellman is a landmark in the history of cryptography. They introduced the fundamental concepts of a trapdoor oneway function, a publickey cryptosystem, and a digital signature scheme. Moreover, they presented a protocol, the socalled DiffieHellman protocol, allowing two parties who share no secret information initially, to generate a mutual secret key. This paper summarizes the present knowledge on the security of this protocol.
Open Problems in Number Theoretic Complexity, II
"... this paper contains a list of 36 open problems in numbertheoretic complexity. We expect that none of these problems are easy; we are sure that many of them are hard. This list of problems reflects our own interests and should not be viewed as definitive. As the field changes and becomes deeper, new ..."
Abstract

Cited by 26 (0 self)
 Add to MetaCart
this paper contains a list of 36 open problems in numbertheoretic complexity. We expect that none of these problems are easy; we are sure that many of them are hard. This list of problems reflects our own interests and should not be viewed as definitive. As the field changes and becomes deeper, new problems will emerge and old problems will lose favor. Ideally there will be other `open problems' papers in future ANTS proceedings to help guide the field. It is likely that some of the problems presented here will remain open for the forseeable future. However, it is possible in some cases to make progress by solving subproblems, or by establishing reductions between problems, or by settling problems under the assumption of one or more well known hypotheses (e.g. the various extended Riemann hypotheses, NP 6= P; NP 6= coNP). For the sake of clarity we have often chosen to state a specific version of a problem rather than a general one. For example, questions about the integers modulo a prime often have natural generalizations to arbitrary finite fields, to arbitrary cyclic groups, or to problems with a composite modulus. Questions about the integers often have natural generalizations to the ring of integers in an algebraic number field, and questions about elliptic curves often generalize to arbitrary curves or abelian varieties. The problems presented here arose from many different places and times. To those whose research has generated these problems or has contributed to our present understanding of them but to whom inadequate acknowledgement is given here, we apologize. Our list of open problems is derived from an earlier `open problems' paper we wrote in 1986 [AM86]. When we wrote the first version of this paper, we feared that the problems presented were so difficult...
Discrete Logarithms: the Effectiveness of the Index Calculus Method
, 1996
"... . In this article we survey recent developments concerning the discrete logarithm problem. Both theoretical and practical results are discussed. We emphasize the case of finite fields, and in particular, recent modifications of the index calculus method, including the number field sieve and the func ..."
Abstract

Cited by 24 (1 self)
 Add to MetaCart
. In this article we survey recent developments concerning the discrete logarithm problem. Both theoretical and practical results are discussed. We emphasize the case of finite fields, and in particular, recent modifications of the index calculus method, including the number field sieve and the function field sieve. We also provide a sketch of the some of the cryptographic schemes whose security depends on the intractibility of the discrete logarithm problem. 1 Introduction Let G be a cyclic group generated by an element t. The discrete logarithm problem in G is to compute for any b 2 G the least nonnegative integer e such that t e = b. In this case, we write log t b = e. Our purpose, in this paper, is to survey recent work on the discrete logarithm problem. Our approach is twofold. On the one hand, we consider the problem from a purely theoretical perspective. Indeed, the algorithms that have been developed to solve it not only explore the fundamental nature of one of the basic s...
An introduction to pairingbased cryptography. Notes from lectures given in
, 2005
"... Abstract. Bilinear pairings have been used to design ingenious protocols for such tasks as oneround threeparty key agreement, identitybased encryption, and aggregate signatures. Suitable bilinear pairings can be constructed from ..."
Abstract

Cited by 14 (0 self)
 Add to MetaCart
Abstract. Bilinear pairings have been used to design ingenious protocols for such tasks as oneround threeparty key agreement, identitybased encryption, and aggregate signatures. Suitable bilinear pairings can be constructed from
Searching for Elements in Black Box Fields and Applications
 In Advances in CryptologyCrypto’96, LNCS1109
, 1996
"... We introduce the notion of a black box field and discuss the problem of explicitly exposing field elements given in a black box form. We present several subexponential algorithms for this problem using a technique due to Maurer. These algorithms make use of elliptic curves over finite fields in a c ..."
Abstract

Cited by 10 (0 self)
 Add to MetaCart
We introduce the notion of a black box field and discuss the problem of explicitly exposing field elements given in a black box form. We present several subexponential algorithms for this problem using a technique due to Maurer. These algorithms make use of elliptic curves over finite fields in a crucial way. We present three applications for our results: (1) We show that any algebraically homomorphic encryption scheme can be broken in expected subexponential time. The existence of such schemes has been open for a number of years. (2) We give an expected subexponential time reduction from the problem of finding roots of polynomials over finite fields with low straight line complexity (e.g. sparse polynomials) to the problem of testing whether such polynomials have a root in the field. (3) We show that the hardness of computing discretelog over elliptic curves implies the security of the DiffieHellman protocol over elliptic curves. Finally in the last section of the paper we prove ...
Comparing two pairingbased aggregate signature schemes”, Designs, Codes and Cryptography
"... Abstract. In 2003, Boneh, Gentry, Lynn and Shacham (BGLS) devised the first provablysecure aggregate signature scheme. Their scheme uses bilinear pairings and their security proof is in the random oracle model. The first pairingbased aggregate signature scheme which has a security proof that does ..."
Abstract

Cited by 7 (3 self)
 Add to MetaCart
Abstract. In 2003, Boneh, Gentry, Lynn and Shacham (BGLS) devised the first provablysecure aggregate signature scheme. Their scheme uses bilinear pairings and their security proof is in the random oracle model. The first pairingbased aggregate signature scheme which has a security proof that does not make the random oracle assumption was proposed in 2006 by Lu, Ostrovsky, Sahai, Shacham and Waters (LOSSW). In this paper, we compare the security and efficiency of the BGLS and LOSSW schemes when asymmetric pairings derived from BarretoNaehrig (BN) elliptic curves are employed. 1.
The DiffieHellman problem and generalization of Verheul’s theorem
, 2009
"... Bilinear pairings on elliptic curves have been of much interest in cryptography recently. Most of the protocols involving pairings rely on the hardness of the bilinear DiffieHellman problem. In contrast to the discrete log (or DiffieHellman) problem in a finite field, the difficulty of this proble ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
Bilinear pairings on elliptic curves have been of much interest in cryptography recently. Most of the protocols involving pairings rely on the hardness of the bilinear DiffieHellman problem. In contrast to the discrete log (or DiffieHellman) problem in a finite field, the difficulty of this problem has not yet been much studied. In 2001, Verheul [66] proved that on a certain class of curves, the discrete log and DiffieHellman problems are unlikely to be provably equivalent to the same problems in a corresponding finite field unless both DiffieHellman problems are easy. In this paper we generalize Verheul’s theorem and discuss the implications on the security of pairing based systems. We also include a large table of distortion maps. 1