The Insecurity of the Digital Signature Algorithm with Partially Known Nonces
Journal of Cryptology, 2000
Cited by 66 (16 self)
Abstract
We present a polynomial-time algorithm that provably recovers the signer's secret DSA key when a few bits of the random nonces k (used at each signature generation) are known for a number of DSA signatures at most linear in log q (q denoting as usual the small prime of DSA), under a reasonable assumption on the hash function used in DSA. The number of required bits is about log^{1/2} q, and can be further decreased to 2 if one assumes access to ideal lattice basis reduction, namely an oracle for the lattice closest vector problem for the infinity norm. All previously known results were only heuristic, including those of Howgrave-Graham and Smart who recently introduced that topic. Our attack is based on a connection with the hidden number problem (HNP) introduced at Crypto '96 by Boneh and Venkatesan in order to study the bit-security of the Diffie-Hellman key exchange. The HNP consists, given a prime number q, of recovering a number α ∈ F_q such that for many known random t ∈ F_q ...

The Insecurity of the Elliptic Curve Digital Signature Algorithm with Partially Known Nonces
Des. Codes Cryptogr.

On the Security of Diffie-Hellman Bits
2000
Cited by 22 (10 self)
Abstract
Boneh and Venkatesan have recently proposed a polynomial time algorithm for recovering a "hidden" element α of a finite field F_p of p elements from rather short strings of the most significant bits of the remainder modulo p of ...

Asymptotically optimal communication for torus-based cryptography
In Advances in Cryptology (CRYPTO 2004), Springer LNCS 3152, 2004
Cited by 11 (1 self)
Abstract
We introduce a compact and efficient representation of elements of the algebraic torus. This allows us to design a new discrete-log based public-key system achieving the optimal communication rate, partially answering the conjecture in [4]. For n the product of distinct primes, we construct efficient ElGamal signature and encryption schemes in a subgroup of F*_{q^n} in which the number of bits exchanged is only a φ(n)/n fraction of that required in traditional schemes, while the security offered remains the same. We also present a Diffie-Hellman key exchange protocol averaging only φ(n) log2 q bits of communication per key. For the cryptographically important cases of n = 30 and n = 210, we transmit a 4/5 and a 24/35 fraction, respectively, of the number of bits required in XTR [14] and recent CEILIDH [24] cryptosystems.

Sparse polynomial approximation in finite fields
In Proceedings of the thirty-third annual ACM symposium on Theory of computing, ser. STOC '01

Hidden number problem with hidden multipliers, timed-release crypto and noisy exponentiation
Math. Comp.
Cited by 10 (4 self)
Abstract
We consider a generalisation of the hidden number problem recently introduced by Boneh and Venkatesan. The initial problem can be stated as follows: recover a number a ∈ F_p such that for many known random t ∈ F_p approximations to the values of ⌊at⌋_p are known. Here we study a version of the problem where the "multipliers" t are not known but rather certain approximations to them are given. We present a probabilistic polynomial time solution when the error is small enough, and we show that the problem cannot be solved if the error is sufficiently large. We apply the result to the bit security of "timed-release crypto" introduced by Rivest, Shamir and Wagner, to noisy exponentiation black boxes and to the bit security of the "inverse" exponentiation. We also show that it implies a certain bit security result for the Weil pairing on elliptic curves.

Hardness of distinguishing the MSB or LSB of secret keys in Diffie-Hellman schemes
ICALP, 2006
Cited by 8 (3 self)
Abstract
In this paper we introduce very simple deterministic randomness extractors for Diffie-Hellman distributions. More specifically, we show that the k most significant bits or the k least significant bits of a random element in a subgroup of Z*_p are indistinguishable from a random bit-string of the same length. This allows us to show that under the Decisional Diffie-Hellman assumption we can deterministically derive a uniformly random bit-string from a Diffie-Hellman exchange in the standard model. Then, we show that it can be used in a key exchange or encryption scheme to avoid the leftover hash lemma and universal hash functions.
Keywords: Diffie-Hellman transform, randomness extraction, least significant bits, exponential sums.

On the generalized hidden number problem and bit security of XTR
Proc. AAECC-14, Lect. Notes in Comp. Sci., 2001

The hidden number problem with the trace and bit security of XTR and LUC
Lect. Notes in Comp. Sci., 2002
Cited by 8 (5 self)
Abstract
We consider a certain generalization of the hidden number problem introduced by Boneh and Venkatesan in 1996. Considering the XTR variation of Diffie-Hellman, we apply our results to show security of the log^{1/2} p most significant bits of the secret, in analogy to the results known for the classical Diffie-Hellman scheme. Our method is based on bounds of exponential sums which were introduced by Deligne in 1977. We proceed to show that the results are also applicable to the LUC scheme. Here, assuming the LUC function is one-way, we can in addition show that each single bit of the argument is a hard-core bit.

The hidden number problem in extension fields and its applications
Lect. Notes in Comp. Sci., 2002