Results 1-10 of 85
Computationally private information retrieval with polylogarithmic communication
 Advances in Cryptology—EUROCRYPT ’99
, 1999
Cited by 246 (3 self)
Abstract
We present a single-database computationally private information retrieval scheme with polylogarithmic communication complexity. Our construction is based on a new, but reasonable intractability assumption, which we call the Φ-Hiding Assumption (ΦHA): essentially the difficulty of deciding whether a small prime > 2 divides φ(m), where m is a composite integer of unknown factorization. Our result also implies the existence of two-round CS proof systems under a concrete complexity assumption. Keywords: Integer factorization, Euler’s function, Φ-hiding assumption, private information retrieval, computationally sound proofs.
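A toy version of the single-database scheme the abstract describes, added here as an illustration and not code from the paper: each position of an 8-bit database carries one of the small primes 3..23, the user builds m = p·q so that the prime of the wanted position divides φ(m) (through p only), and the server answers with x raised to the product of the primes at the positions holding a 1. The user then tests p_i-th residuosity of the reply with the trapdoor φ(m). The ~25-bit primes, the DB_PRIMES list and all function names are assumptions for illustration; at this size the server could factor m and recover the index, which is exactly what the Φ-hiding assumption rules out at real sizes.

```python
import math
import random

# Prime p_j attached to database position j (the abstract's "small prime > 2"); toy 8-bit database.
DB_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23]

def is_prime(n):
    """Trial division: adequate for the ~25-bit toy primes used here."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def prime_with_factor(ell, bits, rng):
    """Random prime p with ell | p-1, built directly as p = 2*ell*k + 1."""
    while True:
        p = 2 * ell * (rng.getrandbits(bits) | 1) + 1
        if is_prime(p):
            return p

def prime_without_factor(ell, bits, rng):
    """Random prime q with ell NOT dividing q-1, so ell divides phi(m) only through p."""
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(q) and (q - 1) % ell != 0:
            return q

def make_query(i, bits, rng):
    """User side. m = p*q Φ-hides ell = DB_PRIMES[i]. x is chosen to be a non-ell-th-power
    residue mod m (x^(phi/ell) != 1). The server only ever sees (m, x)."""
    ell = DB_PRIMES[i]
    p = prime_with_factor(ell, bits, rng)
    q = prime_without_factor(ell, bits, rng)
    m, phi = p * q, (p - 1) * (q - 1)
    while True:
        x = rng.randrange(2, m)
        if math.gcd(x, m) == 1 and pow(x, phi // ell, m) != 1:
            return (m, x), (m, phi, ell)      # (public query, user's private trapdoor)

def answer(db_bits, query):
    """Server side: e = product of the primes at positions holding a 1, reply x^e mod m.
    Telling which DB_PRIME divides phi(m) from (m, x) alone is the Φ-hiding problem
    (trivial at this toy size, assumed hard at real sizes)."""
    m, x = query
    e = 1
    for bit, pj in zip(db_bits, DB_PRIMES):
        if bit:
            e *= pj
    return pow(x, e, m)

def decode(reply, trapdoor):
    """User side: x^e is an ell-th residue mod m iff ell | e iff db[i] == 1. Raising the
    non-residue x to primes other than ell keeps it a non-residue, so the test is exact."""
    m, phi, ell = trapdoor
    return 1 if pow(reply, phi // ell, m) == 1 else 0

def pir_read(db_bits, i, seed=0):
    """Full round trip for one database bit; returns the retrieved bit."""
    rng = random.Random(seed)
    query, trapdoor = make_query(i, 20, rng)
    return decode(answer(db_bits, query), trapdoor)
```

The query is two numbers of size about m regardless of the database length, which is where the polylogarithmic communication comes from; the reply is a single element of Z_m.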
The Decision Diffie-Hellman Problem
, 1998
Cited by 231 (6 self)
Abstract
The Decision Diffie-Hellman assumption (DDH) is a gold mine. It enables one to construct efficient cryptographic systems with strong security properties. In this paper we survey the recent applications of DDH as well as known results regarding its security. We describe some open problems in this area. 1 Introduction An important goal of cryptography is to pin down the exact complexity assumptions used by cryptographic protocols. Consider the Diffie-Hellman key exchange protocol [12]: Alice and Bob fix a finite cyclic group G and a generator g. They respectively pick random a, b ∈ [1, |G|] and exchange g^a, g^b. The secret key is g^{ab}. To totally break the protocol a passive eavesdropper, Eve, must compute the Diffie-Hellman function defined as: dh_g(g^a, g^b) = g^{ab}. We say that the group G satisfies the Computational Diffie-Hellman assumption (CDH) if no efficient algorithm can compute the function dh_g(x, y) in G. Precise definitions are given in the next sectio...
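An added example, not from the paper, of why the choice of group matters for DDH even where CDH looks fine: in all of Z_p^* for a safe prime p = 2q + 1, Eve can decide whether (g^a, g^b, z) is a Diffie-Hellman tuple from Legendre symbols alone, because g^{ab} is a quadratic residue exactly when a or b is even, and g^a, g^b reveal the parity of a and b. Moving to the order-q subgroup of quadratic residues removes that distinguisher. The toy prime 1019 and the function names are assumptions for illustration.

```python
import random

P, Q = 1019, 509   # toy safe prime P = 2*Q + 1 (assumed size, far too small for real use)

def is_qr(z, p):
    """Euler's criterion: z is a quadratic residue mod p iff z^((p-1)/2) == 1 (mod p)."""
    return pow(z, (p - 1) // 2, p) == 1

def find_generator(p, q):
    """Smallest g of full order 2q in Z_p^* for p = 2q + 1: g^2 != 1 and g^q != 1."""
    for g in range(2, p - 1):
        if pow(g, 2, p) != 1 and pow(g, q, p) != 1:
            return g
    raise ValueError("no generator found")

def dh_exchange(g, order, p, rng):
    """Alice sends g^a, Bob sends g^b; each derives g^ab. Returns the DH tuple (g^a, g^b, g^ab)."""
    a, b = rng.randrange(1, order), rng.randrange(1, order)
    ga, gb = pow(g, a, p), pow(g, b, p)
    k_alice, k_bob = pow(gb, a, p), pow(ga, b, p)
    assert k_alice == k_bob == pow(g, a * b, p)
    return ga, gb, k_alice

def random_tuple(g, order, p, rng):
    """(g^a, g^b, g^c) with c independent of a and b: what a DDH adversary must tell apart."""
    a, b, c = (rng.randrange(1, order) for _ in range(3))
    return pow(g, a, p), pow(g, b, p), pow(g, c, p)

def legendre_distinguisher(ga, gb, z, p):
    """If g generates all of Z_p^*, g^a is a QR iff a is even, so g^ab is a QR iff a or b is
    even. Accept (claim 'DH tuple') iff z's residuosity matches that prediction."""
    return is_qr(z, p) == (is_qr(ga, p) or is_qr(gb, p))

def acceptance_rates(g, order, p, trials=2000, seed=1):
    """Fraction of genuine DH tuples and of random tuples the distinguisher accepts;
    their difference is its DDH advantage in the group generated by g."""
    rng = random.Random(seed)
    real = sum(legendre_distinguisher(*dh_exchange(g, order, p, rng), p) for _ in range(trials))
    rand = sum(legendre_distinguisher(*random_tuple(g, order, p, rng), p) for _ in range(trials))
    return real / trials, rand / trials

FULL_GEN = find_generator(P, Q)      # order 2Q: generates all of Z_P^*, where DDH is easy
SUB_GEN = pow(FULL_GEN, 2, P)        # order Q: generates the quadratic residues, no Legendre leak
```

With FULL_GEN the distinguisher accepts every genuine tuple and about half of the random ones, an advantage near 1/2 obtained without computing any discrete logarithm. With SUB_GEN every group element is a residue, the prediction is always trivially satisfied and the advantage is exactly 0, which is why DDH-based constructions are instantiated in a prime-order subgroup rather than in all of Z_p^*.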
Key-privacy in public-key encryption
, 2001
Cited by 113 (8 self)
Abstract
We consider a novel security requirement of encryption schemes that we call “key-privacy” or “anonymity”. It asks that an eavesdropper in possession of a ciphertext not be able to tell which specific key, out of a set of known public keys, is the one under which the ciphertext was created, meaning the receiver is anonymous from the point of view of the adversary. We investigate the anonymity of known encryption schemes. We prove that the El Gamal scheme provides anonymity under chosen-plaintext attack assuming the Decision Diffie-Hellman problem is hard and that the Cramer-Shoup scheme provides anonymity under chosen-ciphertext attack under the same assumption. We also consider anonymity for trapdoor permutations. Known attacks indicate that the RSA trapdoor permutation is not anonymous and neither are the standard encryption schemes based on it. We provide a variant of RSA-OAEP that provides anonymity in the random oracle model assuming RSA is one-way. We also give constructions of anonymous trapdoor permutations, assuming RSA is one-way, which yield anonymous encryption schemes in the standard model.
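The RSA non-anonymity the abstract refers to can be checked directly, since an RSA ciphertext is an integer below its own modulus: a ciphertext that is at least the smaller of two moduli can only have been produced under the larger one, even when both moduli have the same bit length. The following is an added illustration, not the paper's code, using toy 24-bit moduli and hypothetical function names; it plays the key-privacy game and measures how far the adversary's success rate rises above the 1/2 that a key-private scheme would force.

```python
import random

def is_prime(n):
    """Trial division: fine for the small toy primes used here."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def next_prime(n):
    while not is_prime(n):
        n += 1
    return n

def rsa_keygen(p, q, e=65537):
    """Textbook RSA from two given primes: returns (public (N, e), private (N, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)

def guess_key(c, pub1, pub2):
    """Key-privacy adversary. A ciphertext is always < its modulus, so c >= N1 proves it was
    made under pub2; below N1 it can only guess (here: pub1). Requires N1 < N2."""
    return 2 if c >= pub1[0] else 1

def distinguisher_success_rate(trials=4000, seed=1):
    """Anonymity game: encrypt a random message under a random one of two same-length keys
    and let the adversary name the key. 1/2 would mean no leak."""
    rng = random.Random(seed)
    pub1, _ = rsa_keygen(next_prime(3000), next_prime(4100))   # N1 about 12.3M, 24 bits
    pub2, _ = rsa_keygen(next_prime(3500), next_prime(4500))   # N2 about 15.8M, 24 bits
    assert pub1[0] < pub2[0] and pub1[0].bit_length() == pub2[0].bit_length()
    hits = 0
    for _ in range(trials):
        which = rng.choice((1, 2))
        pub = pub1 if which == 1 else pub2
        hits += guess_key(encrypt(pub, rng.randrange(2, pub[0])), pub1, pub2) == which
    return hits / trials
```

The expected success rate is 1/2 + (N2 - N1)/(2·N2), about 0.61 for these moduli, and it grows with the gap between the moduli; it is the ciphertext range, not the padding, that leaks, which is why the paper has to change the OAEP construction rather than just its parameters.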
Cache missing for fun and profit
 Proc. of BSDCan 2005
, 2005
Cited by 81 (1 self)
Abstract. Simultaneous multithreading — put simply, the sharing of the execution resources of a superscalar processor between multiple execution threads — has recently become widespread via its introduction (under the name “Hyper-Threading”) into Intel Pentium 4 processors. In this implementation, for reasons of efficiency and economy of processor area, the sharing of processor resources between threads extends beyond the execution units; of particular concern is that the threads share access to the memory caches. We demonstrate that this shared access to memory caches provides not only an easily used high bandwidth covert channel between threads, but also permits a malicious thread (operating, in theory, with limited privileges) to monitor the execution of another thread, allowing in many cases for theft of cryptographic keys. Finally, we provide some suggestions to processor designers, operating system vendors, and the authors of cryptographic software, of how this attack could be mitigated or eliminated entirely.
Single-Database Private Information Retrieval with Constant Communication Rate
In Proceedings of the 32nd International Colloquium on Automata, Languages and Programming
, 2005
Cited by 67 (2 self)
Abstract. We present a single-database private information retrieval (PIR) scheme with communication complexity O(k + d), where k ≥ log n is a security parameter that depends on the database size n and d is the bit-length of the retrieved database block. This communication complexity is better asymptotically than previous single-database PIR schemes. The scheme also gives improved performance for practical parameter settings whether the user is retrieving a single bit or very large blocks. For large blocks, our scheme achieves a constant “rate” (e.g., 0.2), even when the user-side communication is very low (e.g., two 1024-bit numbers). Our scheme and security analysis are presented using general groups with hidden smooth subgroups; the scheme can be instantiated using composite moduli, in which case the security of our scheme is based on a simple variant of the “Φ-hiding” assumption by Cachin, Micali and Stadler [2].
Lattice attacks on digital signature schemes
 Designs, Codes and Cryptography
, 1999
Cited by 43 (8 self)
Abstract
Keywords: digital signatures, lattices. © Copyright Hewlett-Packard Company 1999 (internal accession date only). We describe a lattice attack on the Digital Signature Algorithm (DSA) when used to sign many messages, m_i, under the assumption that a proportion of the bits of each of the associated ephemeral keys, y_i, can be recovered by alternative techniques.
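An added illustration, not from the paper, of the attack the abstract states: a toy DSA instance over a 40-bit q, six signatures whose nonces each leak their top 16 bits, and the leaked bits rewritten as a hidden-number-problem lattice that a textbook LLL reduction solves for the private key. The parameter sizes, the lattice scaling, the simulated leak and all names are assumptions for illustration; a real-size key needs the same lattice at full size and a stronger reduction than plain LLL, which this toy does not attempt.

```python
import hashlib, random
from fractions import Fraction

def is_prime(n):
    # Miller-Rabin with fixed bases: deterministic for n < 3e23, plenty for this toy
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 41 or n % 2 == 0:
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x not in (1, n - 1) and not any((x := x * x % n) == n - 1 for _ in range(s - 1)):
            return False
    return True

def dsa_params(qbits, rng):
    # toy DSA group: prime q of qbits, prime p = 2*i*q + 1 (so q | p-1), g of order q mod p
    q = p = 4
    while not is_prime(q):
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
    while not is_prime(p):
        p = 2 * (rng.getrandbits(20) | 1) * q + 1
    h, g = 2, 1
    while g == 1:
        g, h = pow(h, (p - 1) // q, p), h + 1
    return p, q, g

def leaky_signatures(params, x, n, known_bits, rng):
    # n DSA signatures (H(m), r, s), each with the top known_bits of its nonce k: the leak the paper assumes
    p, q, g = params
    unknown, sigs = q.bit_length() - known_bits, []
    while len(sigs) < n:
        k = rng.randrange(1, q)
        h = int.from_bytes(hashlib.sha256(b"msg %d" % len(sigs)).digest(), "big") % q
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (h + x * r) % q
        if r and s:
            sigs.append((h, r, s, k >> unknown))
    return sigs

def lll(basis, delta=Fraction(3, 4)):
    # textbook LLL on integer rows with exact rational Gram-Schmidt (fine for dimension 8)
    b, n = [list(v) for v in basis], len(basis)
    dot = lambda u, v: sum(c * d for c, d in zip(u, v))
    bstar, mu = [], [None] * n
    def gram_schmidt(start=0):          # rows before `start` are unchanged: keep their b*, mu
        del bstar[start:]
        for i in range(start, n):
            v, mu[i] = [Fraction(c) for c in b[i]], [Fraction(0)] * n
            mu[i][i] = Fraction(1)
            for j in range(i):
                mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
                v = [vc - mu[i][j] * wc for vc, wc in zip(v, bstar[j])]
            bstar.append(v)
    gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):  # size-reduce b_k against b_j, updating mu in place
            r = round(mu[k][j])
            if r:
                b[k] = [c - r * d for c, d in zip(b[k], b[j])]
                for i in range(j + 1):
                    mu[k][i] -= r * mu[j][i]
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1                      # Lovasz condition holds
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            gram_schmidt(k - 1)
            k = max(k - 1, 1)
    return b

def recover_key(params, y, sigs, known_bits):
    # hidden number problem: b_i = t_i*x + u_i (mod q), 0 <= b_i < B = 2^(unknown bits). Lattice scaled
    # by q to stay integral; the target (q(2b_i - B), 2Bx, 2qB) is far shorter than any unrelated vector.
    p, q, g = params
    n, B = len(sigs), 1 << (q.bit_length() - known_bits)
    t = [pow(s, -1, q) * r % q for h, r, s, kh in sigs]
    u = [(pow(s, -1, q) * h - kh * B) % q for h, r, s, kh in sigs]
    basis = [[2 * q * q * (j == i) for j in range(n)] + [0, 0] for i in range(n)]
    basis.append([2 * q * ti for ti in t] + [2 * B, 0])
    basis.append([2 * q * ui - q * B for ui in u] + [0, 2 * q * B])
    for v in lll(basis):
        if abs(v[-1]) == 2 * q * B:     # a row that used the u-row exactly once
            cand = (v[-2] if v[-1] > 0 else -v[-2]) // (2 * B) % q
            if pow(g, cand, p) == y:    # confirm against the public key
                return cand
    return None

def demo(seed=1, n=6, known_bits=16):
    # 40-bit q, top 16 of 40 nonce bits leaked per signature, 6 signatures: 96 leaked bits > 40
    rng = random.Random(seed)
    p, q, g = params = dsa_params(40, rng)
    x = rng.randrange(1, q)
    sigs = leaky_signatures(params, x, n, known_bits, rng)
    return x, recover_key(params, pow(g, x, p), sigs, known_bits)
```

Each signature contributes one equation k_i = s_i^{-1}(H(m_i) + x·r_i) mod q; with the top bits of k_i known the unknown remainder is bounded, and that bound is what makes the key vector short in the lattice. The same construction applies unchanged to ECDSA, since only (r, s, H(m), q) enter the lattice.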
Solving linear equations modulo divisors: On factoring given any bits
 In Advances in Cryptology  Asiacrypt 2008, volume 5350 of LNCS
, 2008
Cited by 23 (0 self)
Abstract. We study the problem of finding solutions to linear equations modulo an unknown divisor p of a known composite integer N. An important application of this problem is factorization of N with given bits of p. It is well-known that this problem is polynomial-time solvable if at most half of the bits of p are unknown and if the unknown bits are located in one consecutive block. We introduce a heuristic algorithm that extends factoring with known bits to an arbitrary number n of blocks. Surprisingly, we are able to show that ln(2) ≈ 70% of the bits are sufficient for any n in order to find the factorization. The algorithm’s running time is however exponential in the parameter n. Thus, our algorithm is polynomial time only for n = O(log log N) blocks.
Encapsulated key escrow
, 1996
Cited by 21 (0 self)
Abstract
The main objection to current key-escrow proposals is that they assume complete faith in the authority and its trustees. If the authority does not follow the rules, or is replaced by an untrustworthy authority tomorrow, it can immediately recover the secret keys of all users, and embark on massive wiretapping. We introduce a new approach to key escrow called encapsulated key escrow (EKE). With this approach it is computationally possible for an authority to wiretap individual users, but computationally prohibitive for the authority to launch large scale wiretapping. This is achieved by imposing a time delay between obtaining the escrowed information of a user and actually recovering the secret key. Furthermore, the recoverability is verifiable at escrow time. The approach is applicable both for session keys and for public key cryptography. EKE is a simple general paradigm, applicable across cryptosystems and key distribution protocols, regardless of their type. It solves in one stroke the problem of imposing time delays in key escrow. In particular it yields the first time-delayed key escrow system for RSA, and more efficient solutions for Diffie-Hellman than achievable by the previous approach to time delays, namely partial key escrow (PKE). The idea behind EKE is a new cryptographic tool called a verifiable cryptographic time capsule (VCTC). This has broader applications to “sending information into the future.”
Finding Small Roots of Bivariate Integer Polynomial Equations Revisited
Proc. Advances in Cryptology, EUROCRYPT ’04, LNCS 3027
, 2004
Cited by 21 (1 self)
Abstract
At Eurocrypt ’96, Coppersmith proposed an algorithm for finding small roots of bivariate integer polynomial equations, based on lattice reduction techniques. But the approach is difficult to understand. In this paper, we present a much simpler algorithm for solving the same problem. Our simplification is analogous to the simplification brought by Howgrave-Graham to Coppersmith’s algorithm for finding small roots of univariate modular polynomial equations. As an application, we illustrate the new algorithm with the problem of finding the factors of n = pq if we are given the high-order (1/4) log_2 n bits of p.
Using LLL-Reduction for Solving RSA and Factorization Problems: A Survey
, 2007
Cited by 20 (0 self)
Abstract
25 years ago, Lenstra, Lenstra and Lovász presented their celebrated LLL lattice reduction algorithm. Among the various applications of the LLL algorithm is a method due to Coppersmith for finding small roots of polynomial equations. We give a survey of the applications of this root finding method to the problem of inverting the RSA function and the factorization problem. As we will see, most of the results are of a dual nature: they can either be interpreted as cryptanalytic results or as hardness/security results.