Computationally private information retrieval with polylogarithmic communication
 Advances in Cryptology—EUROCRYPT ’99
, 1999
Abstract

Cited by 229 (3 self)
We present a single-database computationally private information retrieval scheme with polylogarithmic communication complexity. Our construction is based on a new, but reasonable intractability assumption, which we call the Φ-Hiding Assumption (ΦHA): essentially the difficulty of deciding whether a small prime > 2 divides ϕ(m), where m is a composite integer of unknown factorization. Our result also implies the existence of two-round CS proof systems under a concrete complexity assumption. Keywords: Integer factorization, Euler’s function, Φ-hiding assumption, private information retrieval, computationally sound proofs.
The Decision Diffie-Hellman Problem
, 1998
Abstract

Cited by 211 (6 self)
The Decision Diffie-Hellman assumption (DDH) is a gold mine. It enables one to construct efficient cryptographic systems with strong security properties. In this paper we survey the recent applications of DDH as well as known results regarding its security. We describe some open problems in this area.
1 Introduction
An important goal of cryptography is to pin down the exact complexity assumptions used by cryptographic protocols. Consider the Diffie-Hellman key exchange protocol [12]: Alice and Bob fix a finite cyclic group G and a generator g. They respectively pick random a, b ∈ [1, |G|] and exchange g^a, g^b. The secret key is g^{ab}. To totally break the protocol a passive eavesdropper, Eve, must compute the Diffie-Hellman function defined as: dh_g(g^a, g^b) = g^{ab}. We say that the group G satisfies the Computational Diffie-Hellman assumption (CDH) if no efficient algorithm can compute the function dh_g(x, y) in G. Precise definitions are given in the next sectio...
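An added example (not code from the surveyed paper) of the exchange described above, and of the gap between CDH and DDH that the survey is about: in the full group Z_p^* an eavesdropper can check the quadratic residuosity of g^a, g^b and a candidate g^{ab} with Legendre symbols and reject about half of all random tuples, while in the prime-order subgroup of quadratic residues the same test gives no advantage. The prime p = 23, the generators, the seed and all function names are this example's own constructed toy choices.

```python
# Added example (not from the surveyed paper): Diffie-Hellman over Z_p^* and a
# Legendre-symbol test showing DDH is easy in the full group Z_p^* (where CDH
# may still be hard), but the test says nothing in the prime-order subgroup.
# p = 23 and the generators are constructed toy parameters.
import random

P = 23        # safe prime: p = 2q + 1 with q = 11
G_FULL = 5    # generator of Z_23^* (order 22); as a generator it is a non-residue
G_SUB = 2     # 5^2 mod 23; generates the order-11 subgroup of quadratic residues


def legendre(x, p=P):
    """Euler's criterion: x^((p-1)/2) is 1 for a QR and p-1 for a non-residue."""
    return pow(x, (p - 1) // 2, p)


def is_qnr(x, p=P):
    return legendre(x, p) == p - 1


def dh_tuple(g, order, rng, p=P):
    """One honest run of the protocol: (g^a, g^b, g^ab) with a, b in [1, order)."""
    a, b = rng.randrange(1, order), rng.randrange(1, order)
    return pow(g, a, p), pow(g, b, p), pow(g, a * b, p)


def random_tuple(g, order, rng, p=P):
    """A tuple (g^a, g^b, g^c) with an independent random c."""
    a, b, c = (rng.randrange(1, order) for _ in range(3))
    return pow(g, a, p), pow(g, b, p), pow(g, c, p)


def looks_like_dh(A, B, C, p=P):
    """Consistency check every real DH tuple passes when g is a non-residue:
    g^ab is a non-residue iff a and b are both odd, i.e. iff A and B both are.
    Inside the QR subgroup every element is a residue, so the check is vacuous."""
    return is_qnr(C, p) == (is_qnr(A, p) and is_qnr(B, p))


def rejection_rate(g, order, trials=2000, seed=0, p=P):
    """Fraction of random tuples the test rejects. Real tuples are never
    rejected, so this is the test's distinguishing advantage against DDH."""
    rng = random.Random(seed)
    assert all(looks_like_dh(*dh_tuple(g, order, rng, p), p) for _ in range(trials))
    return sum(not looks_like_dh(*random_tuple(g, order, rng, p), p)
               for _ in range(trials)) / trials


if __name__ == "__main__":
    print("advantage in Z_23^*      :", rejection_rate(G_FULL, P - 1))   # about 0.5
    print("advantage in QR subgroup:", rejection_rate(G_SUB, 11))        # 0.0
```

The concrete tuple (10, 20, 19) is 5^3, 5^5, 5^15 and passes; replacing 19 by the residue 4 fails, because 10 and 20 are both non-residues. This is the reason real systems put g in a prime-order subgroup rather than in all of Z_p^*.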
Key-privacy in public-key encryption
, 2001
Abstract

Cited by 99 (8 self)
We consider a novel security requirement of encryption schemes that we call “key-privacy” or “anonymity”. It asks that an eavesdropper in possession of a ciphertext not be able to tell which specific key, out of a set of known public keys, is the one under which the ciphertext was created, meaning the receiver is anonymous from the point of view of the adversary. We investigate the anonymity of known encryption schemes. We prove that the El Gamal scheme provides anonymity under chosen-plaintext attack assuming the Decision Diffie-Hellman problem is hard and that the Cramer-Shoup scheme provides anonymity under chosen-ciphertext attack under the same assumption. We also consider anonymity for trapdoor permutations. Known attacks indicate that the RSA trapdoor permutation is not anonymous and neither are the standard encryption schemes based on it. We provide a variant of RSA-OAEP that provides anonymity in the random oracle model assuming RSA is one-way. We also give constructions of anonymous trapdoor permutations, assuming RSA is one-way, which yield anonymous encryption schemes in the standard model.
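An added example (not code from the cited paper) of why plain RSA is not key-private: a ciphertext is an integer below the modulus, so any ciphertext at or above the smaller of two public moduli can only belong to the larger one. The block measures how often that leak identifies the receiver and then shows a rejection-sampling repair, re-randomizing until the ciphertext falls below a bound shared by all keys. The toy moduli, the exponent 17, the 11-bit bound, the padding layout and the function names are all this example's own constructed choices, and the fix is an illustration of the idea rather than the paper's exact RSA-OAEP variant.

```python
# Added example (not from the cited paper): the range leak that makes plain RSA
# non-anonymous, and a rejection-sampling repair. All parameters are tiny
# constructed toy values; never use textbook RSA or this padding in practice.
import random

# Constructed toy public keys (N, e) with different moduli.
RSA_KEYS = {
    "alice": (61 * 53, 17),   # N = 3233
    "bob":   (89 * 97, 17),   # N = 8633
}
PRIV_D = {                    # d = e^-1 mod phi(N); pow(e, -1, m) needs Python 3.8+
    "alice": pow(17, -1, 60 * 52),
    "bob":   pow(17, -1, 88 * 96),
}
THRESHOLD = 2 ** 11           # 2048 < every toy modulus, so it depends on no key
M_BITS, R_BITS = 4, 7         # payload nibble plus random pad: x < 2^11 <= min N


def candidate_keys(c, keys=RSA_KEYS):
    """Owners under whose key c could have been produced (c must be < N).
    A ciphertext >= the smaller modulus rules that owner out with certainty."""
    return sorted(name for name, (n, _) in keys.items() if c < n)


def plain_encrypt(x, name):
    n, e = RSA_KEYS[name]
    assert 0 <= x < n
    return pow(x, e, n)


def leak_rate(trials=2000, seed=1):
    """Fraction of Bob's plain ciphertexts an eavesdropper attributes to Bob
    outright. Expected about (N_bob - N_alice) / N_bob, i.e. roughly 0.63."""
    rng = random.Random(seed)
    n_bob = RSA_KEYS["bob"][0]
    hits = sum(candidate_keys(plain_encrypt(rng.randrange(n_bob), "bob")) == ["bob"]
               for _ in range(trials))
    return hits / trials


def anon_encrypt(m, name, rng=random):
    """Retry with fresh padding until c < THRESHOLD, so the ciphertext range is
    the same whichever key was used (rejection sampling; illustration only)."""
    assert 0 <= m < 2 ** M_BITS
    while True:
        x = (rng.randrange(2 ** R_BITS) << M_BITS) | m
        c = plain_encrypt(x, name)
        if c < THRESHOLD:
            return c


def decrypt(c, name):
    n, _ = RSA_KEYS[name]
    return pow(c, PRIV_D[name], n) & (2 ** M_BITS - 1)


if __name__ == "__main__":
    print("plain RSA: Bob identified from ciphertext alone:", leak_rate())
    c = anon_encrypt(9, "bob")
    print("anonymized ciphertext", c, "consistent with", candidate_keys(c))
```

The repaired encryption costs a few extra exponentiations on average (about four for Bob here, since roughly a quarter of his ciphertexts fall below the bound), which is the price of making the ciphertext distribution independent of the modulus.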
Cache missing for fun and profit
 Proc. of BSDCan 2005
, 2005
Abstract

Cited by 63 (1 self)
Simultaneous multithreading — put simply, the sharing of the execution resources of a superscalar processor between multiple execution threads — has recently become widespread via its introduction (under the name “Hyper-Threading”) into Intel Pentium 4 processors. In this implementation, for reasons of efficiency and economy of processor area, the sharing of processor resources between threads extends beyond the execution units; of particular concern is that the threads share access to the memory caches. We demonstrate that this shared access to memory caches provides not only an easily used high bandwidth covert channel between threads, but also permits a malicious thread (operating, in theory, with limited privileges) to monitor the execution of another thread, allowing in many cases for theft of cryptographic keys. Finally, we provide some suggestions to processor designers, operating system vendors, and the authors of cryptographic software, of how this attack could be mitigated or eliminated entirely.
Single-Database Private Information Retrieval with Constant Communication Rate
 In Proceedings of the 32nd International Colloquium on Automata, Languages and Programming
, 2005
Abstract

Cited by 58 (1 self)
We present a single-database private information retrieval (PIR) scheme with communication complexity O(k + d), where k ≥ log n is a security parameter that depends on the database size n and d is the bit-length of the retrieved database block. This communication complexity is better asymptotically than previous single-database PIR schemes. The scheme also gives improved performance for practical parameter settings whether the user is retrieving a single bit or very large blocks. For large blocks, our scheme achieves a constant “rate” (e.g., 0.2), even when the user-side communication is very low (e.g., two 1024-bit numbers). Our scheme and security analysis are presented using general groups with hidden smooth subgroups; the scheme can be instantiated using composite moduli, in which case the security of our scheme is based on a simple variant of the “Φ-hiding” assumption by Cachin, Micali and Stadler [2].
Lattice attacks on digital signature schemes
 Designs, Codes and Cryptography
, 1999
Abstract

Cited by 41 (8 self)
Keywords: digital signatures, lattices. © Copyright Hewlett-Packard Company 1999. We describe a lattice attack on the Digital Signature Algorithm (DSA) when used to sign many messages, m_i, under the assumption that a proportion of the bits of each of the associated ephemeral keys, y_i, can be recovered by alternative techniques.
Accumulating composites and improved group signing
 Proceedings of Asiacrypt 2003, volume 2894 of LNCS
, 2003
Abstract

Cited by 22 (1 self)
Constructing practical and provably secure group signature schemes has been a very active research topic in recent years. A group signature can be viewed as a digital signature with certain extra properties. Notably, anyone can verify that a signature is generated by a legitimate group member, while the actual signer can only be identified (and linked) by a designated entity called a group manager. Currently, the most efficient group signature scheme available is due to Camenisch and Lysyanskaya [CL02]. It is obtained by integrating a novel dynamic accumulator with the scheme by Ateniese, et al. [ACJT00]. In this paper, we construct a dynamic accumulator that accumulates composites, as opposed to previous accumulators that accumulated primes. We also present an efficient method for proving knowledge of factorization of a committed value. Based on these (and other) techniques we design a novel provably secure group signature scheme. It operates in the common auxiliary string model and offers two important benefits: 1) the Join process is very efficient: a new member computes only a single exponentiation, and 2) the (unoptimized) cost of generating a group signature is 17 exponentiations, which is appreciably less than the state-of-the-art.
Encapsulated key escrow
, 1996
Abstract

Cited by 21 (0 self)
The main objection to current key-escrow proposals is that they assume complete faith in the authority and its trustees. If the authority does not follow the rules, or is replaced by an untrustworthy authority tomorrow, it can immediately recover the secret keys of all users, and embark on massive wiretapping. We introduce a new approach to key escrow called encapsulated key escrow (EKE). With this approach it is computationally possible for an authority to wiretap individual users, but computationally prohibitive for the authority to launch large scale wiretapping. This is achieved by imposing a time delay between obtaining the escrowed information of a user and actually recovering the secret key. Furthermore, the recoverability is verifiable at escrow time. The approach is applicable both for session keys and for public key cryptography. EKE is a simple general paradigm, applicable across cryptosystems and key distribution protocols, regardless of their type. It solves in one stroke the problem of imposing time delays in key escrow. In particular it yields the first time-delayed key escrow system for RSA, and more efficient solutions for Diffie-Hellman than achievable by the previous approach to time delays, namely partial key escrow (PKE). The idea behind EKE is a new cryptographic tool called a verifiable cryptographic time capsule (VCTC). This has broader applications to “sending information into the future.”
Solving linear equations modulo divisors: On factoring given any bits
 In Advances in Cryptology  Asiacrypt 2008, volume 5350 of LNCS
, 2008
Abstract

Cited by 18 (0 self)
We study the problem of finding solutions to linear equations modulo an unknown divisor p of a known composite integer N. An important application of this problem is factorization of N with given bits of p. It is well-known that this problem is polynomial-time solvable if at most half of the bits of p are unknown and if the unknown bits are located in one consecutive block. We introduce a heuristic algorithm that extends factoring with known bits to an arbitrary number n of blocks. Surprisingly, we are able to show that ln(2) ≈ 70% of the bits are sufficient for any n in order to find the factorization. The algorithm’s running time is however exponential in the parameter n. Thus, our algorithm is polynomial time only for n = O(log log N) blocks.
Using LLL-Reduction for Solving RSA and Factorization Problems: A Survey
, 2007
Abstract

Cited by 17 (0 self)
25 years ago, Lenstra, Lenstra and Lovász presented their celebrated LLL lattice reduction algorithm. Among the various applications of the LLL algorithm is a method due to Coppersmith for finding small roots of polynomial equations. We give a survey of the applications of this root finding method to the problem of inverting the RSA function and the factorization problem. As we will see, most of the results are of a dual nature: they can either be interpreted as cryptanalytic results or as hardness/security results.