The Insecurity of the Digital Signature Algorithm with Partially Known Nonces
Journal of Cryptology, 2000
Cited by 65 (16 self)
We present a polynomial-time algorithm that provably recovers the signer's secret DSA key when a few bits of the random nonces k (used at each signature generation) are known for a number of DSA signatures at most linear in log q (q denoting as usual the small prime of DSA), under a reasonable assumption on the hash function used in DSA. The number of required bits is about log^{1/2} q, and can be further decreased to 2 if one assumes access to ideal lattice basis reduction, namely an oracle for the lattice closest vector problem for the infinity norm. All previously known results were only heuristic, including those of Howgrave-Graham and Smart who recently introduced that topic. Our attack is based on a connection with the hidden number problem (HNP) introduced at Crypto '96 by Boneh and Venkatesan in order to study the bit-security of the Diffie-Hellman key exchange. The HNP consists, given a prime number q, of recovering a number α ∈ F_q such that for many known random t ∈ F_q ...
The Insecurity of the Elliptic Curve Digital Signature Algorithm with Partially Known Nonces
Designs, Codes and Cryptography, 2000
Cited by 34 (10 self)
Nguyen and Shparlinski recently presented a polynomial-time algorithm that provably recovers the signer's secret DSA key when a few bits of the random nonces k (used at each signature generation) are known for a number of DSA signatures at most linear in log q (q denoting as usual the small prime of DSA), under a reasonable assumption on the hash function used in DSA. The number of required bits is about log^{1/2} q, and can be further decreased to 2 if one assumes access to ideal lattice basis reduction, namely an oracle for the lattice closest vector problem for the infinity norm. All previously known results were only heuristic, including those of Howgrave-Graham and Smart who introduced the topic. Here, we obtain similar results for the elliptic curve variant of DSA (ECDSA).
On the Security of Diffie-Hellman Bits
2000
Cited by 22 (10 self)
Boneh and Venkatesan have recently proposed a polynomial time algorithm for recovering a "hidden" element α of a finite field F_p of p elements from rather short strings of the most significant bits of the remainder modulo p of
Sparse Polynomial Approximation in Finite Fields
Proc. 33rd ACM Symp. on Theory of Comput., 2000
Cited by 11 (3 self)
We consider a polynomial analogue of the hidden number problem which has recently been introduced by Boneh and Venkatesan. Namely we consider the sparse polynomial approximation problem of recovering an unknown polynomial f(X) ∈ F_p[X] with at most m nonzero terms from approximate values of f(t) at polynomially many points t ∈ F_p selected uniformly at random. The case of a polynomial f(X) = αX corresponds to the hidden number problem. The above problem is related to the noisy polynomial interpolation problem and to the sparse polynomial interpolation problem which have recently been considered in the literature. Our results are based on a combination of some number theory tools such as bounds of exponential sums and the number of solutions of congruences with the lattice reduction technique. 1 Introduction As usual, for a prime p we denote by F_p the field of p elements which we assume to be represented by the elements {0, ..., p − 1}. For integers s and m ≥ 1 we d...
Asymptotically optimal communication for torus-based cryptography
In Advances in Cryptology (CRYPTO 2004), Springer LNCS 3152, 2004
Cited by 11 (1 self)
Abstract. We introduce a compact and efficient representation of elements of the algebraic torus. This allows us to design a new discrete-log based public-key system achieving the optimal communication rate, partially answering the conjecture in [4]. For n the product of distinct primes, we construct efficient ElGamal signature and encryption schemes in a subgroup of F*_{q^n} in which the number of bits exchanged is only a φ(n)/n fraction of that required in traditional schemes, while the security offered remains the same. We also present a Diffie-Hellman key exchange protocol averaging only φ(n) log_2 q bits of communication per key. For the cryptographically important cases of n = 30 and n = 210, we transmit a 4/5 and a 24/35 fraction, respectively, of the number of bits required in XTR [14] and recent CEILIDH [24] cryptosystems.
Hidden number problem with hidden multipliers, timed-release crypto and noisy exponentiation
Math. Comp.
Cited by 10 (4 self)
Abstract. We consider a generalisation of the hidden number problem recently introduced by Boneh and Venkatesan. The initial problem can be stated as follows: recover a number a ∈ F_p such that for many known random t ∈ F_p approximations to the values of ⌊at⌋_p are known. Here we study a version of the problem where the “multipliers” t are not known but rather certain approximations to them are given. We present a probabilistic polynomial time solution when the error is small enough, and we show that the problem cannot be solved if the error is sufficiently large. We apply the result to the bit security of “timed-release crypto” introduced by Rivest, Shamir and Wagner, to noisy exponentiation black boxes and to the bit security of the “inverse” exponentiation. We also show that it implies a certain bit security result for Weil pairing on elliptic curves.
The hidden number problem with the trace and bit security of XTR and LUC
Lect. Notes in Comp. Sci., 2002
Cited by 8 (5 self)
We consider a certain generalization of the hidden number problem introduced by Boneh and Venkatesan in 1996. Considering the XTR variation of Diffie-Hellman, we apply our results to show security of the log^{1/2} p most significant bits of the secret, in analogy to the results known for the classical Diffie-Hellman scheme. Our method is based on bounds of exponential sums which were introduced by Deligne in 1977. We proceed to show that the results are also applicable to the LUC scheme. Here, assuming the LUC function is one-way, we can in addition show that each single bit of the argument is a hard-core bit.
On the generalized hidden number problem and bit security of XTR
Proc. AAECC-14, Lect. Notes in Comp. Sci., 2001
Cited by 8 (3 self)
Abstract. We consider a certain generalisation of the hidden number problem which has recently been introduced by Boneh and Venkatesan. We apply our results to study the bit security of the XTR cryptosystem and obtain some analogues of the results which have been known for the bit security of the Diffie-Hellman scheme.
Hardness of distinguishing the MSB or LSB of secret keys in Diffie-Hellman schemes
ICALP, 2006
Cited by 8 (3 self)
Abstract. In this paper we introduce very simple deterministic randomness extractors for Diffie-Hellman distributions. More specifically we show that the k most significant bits or the k least significant bits of a random element in a subgroup of Z*_p are indistinguishable from a random bitstring of the same length. This allows us to show that under the Decisional Diffie-Hellman assumption we can deterministically derive a uniformly random bitstring from a Diffie-Hellman exchange in the standard model. Then, we show that it can be used in a key exchange or encryption scheme to avoid the leftover hash lemma and universal hash functions. Keywords: Diffie-Hellman transform, randomness extraction, least significant bits, exponential sums.
The Hidden Number Problem in Extension Fields and Its Applications
Cited by 4 (2 self)
We present polynomial time algorithms for certain generalizations of the hidden number problem which has played an important role in gaining understanding of the security of commonly suggested one way functions. Namely, we consider an analogue of this problem for a certain class of polynomials over an extension of a finite field; recovering a hidden polynomial given the values of its trace at randomly selected points. Also, we give an algorithm for a variant of the problem in free finite dimensional modules. This result can be helpful for studying security of analogues of the RSA and Diffie-Hellman cryptosystems over such modules. The hidden number problem is also related to the so-called black-box field model of computation. We show that simplified versions of the above recovery problems can be used to derive positive results on the computational power of this model.