Results 1 to 10 of 22
Pseudorandom Functions and Permutations Provably Secure Against Related-Key Attacks, 2010
Cited by 13 (3 self)
Abstract:
This paper fills an important foundational gap with the first proofs, under standard assumptions and in the standard model, of the existence of pseudorandom functions (PRFs) and pseudorandom permutations (PRPs) resisting rich and relevant forms of related-key attacks (RKA). An RKA allows the adversary to query the function not only under the target key but under other keys derived from it in adversary-specified ways. Based on the Naor-Reingold PRF we obtain an RKA-PRF whose keyspace is a group and that is proven, under DDH, to resist attacks in which the key may be operated on by arbitrary adversary-specified group elements. Previous work was able only to provide schemes in idealized models (ideal cipher, random oracle), under new, non-standard assumptions, or for limited classes of attacks. The reason was technical difficulties that we resolve via a new approach and framework that, in addition to the above, yields other RKA-PRFs including a DLIN-based one derived from the Lewko-Waters PRF. Over the last 15 years cryptanalysts and block-cipher designers have routinely and consistently targeted RKA-security; it is visibly important for abuse-resistant cryptography; and it helps protect against fault-injection side-channel attacks. Yet ours are the first significant proofs of existence of secure constructs. We warn that our constructs are proofs-of-concept ...
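An added example, not from the paper above, of the related-key setting its abstract defines, built on the plain Naor-Reingold PRF over a toy group (the Mersenne prime $p = 2^{127}-1$ and $g = 3$ are assumed demo parameters). The key space is the set of vectors of units mod $p-1$ under componentwise multiplication, the RKA oracle answers $F_{\varphi(K)}(x)$ for an adversary-chosen group element $\varphi$, and the attacker predicts that answer from one honest output $F_K(x)$ alone. It shows concretely why the unmodified construction is not RKA-secure for this class; the paper's repaired construction is not reproduced here.

```python
import math
import random

# Assumed toy parameters (not from the paper): the Mersenne prime p = 2^127 - 1 and generator g = 3.
# Exponents are reduced mod p - 1 (Fermat), so a key component is a unit mod p - 1 and the key
# space (Z_{p-1}^*)^n is a group under componentwise multiplication, as the abstract requires.
P = (1 << 127) - 1
G = 3
ORDER = P - 1
N_BITS = 8  # input length n of the PRF; inputs are n-bit integers


def keygen(rng: random.Random) -> list:
    """Key K = (a_1, ..., a_n), each a_i a unit mod p-1 (gcd(a_i, p-1) = 1)."""
    key = []
    while len(key) < N_BITS:
        a = rng.randrange(2, ORDER)
        if math.gcd(a, ORDER) == 1:
            key.append(a)
    return key


def exponent_for(vector: list, x: int) -> int:
    """prod_{i : x_i = 1} v_i mod (p-1): the exponent the Naor-Reingold construction selects for input x."""
    e = 1
    for i, v in enumerate(vector):
        if (x >> i) & 1:
            e = (e * v) % ORDER
    return e


def nr_prf(key: list, x: int) -> int:
    """Naor-Reingold PRF: F_K(x) = g^{prod_{i : x_i = 1} a_i} mod p."""
    return pow(G, exponent_for(key, x), P)


def related_key(key: list, phi: list) -> list:
    """Adversary-specified key derivation: phi acts on K by componentwise group multiplication."""
    return [(a * c) % ORDER for a, c in zip(key, phi)]


def rka_oracle(key: list, phi: list, x: int) -> int:
    """RKA oracle from the definition above: the PRF evaluated under the derived key phi(K)."""
    return nr_prf(related_key(key, phi), x)


def predict_related_output(fx_under_k: int, phi: list, x: int) -> int:
    """Attacker, knowing only F_K(x) and its own phi: F_{phi(K)}(x) = F_K(x)^{prod_{i : x_i = 1} c_i} mod p."""
    return pow(fx_under_k, exponent_for(phi, x), P)


def attack_succeeds(seed: int = 1) -> bool:
    """One honest query under K suffices to forge the oracle's answer under phi(K)."""
    rng = random.Random(seed)
    key = keygen(rng)
    phi = keygen(rng)  # any vector of units is a valid adversary-chosen group element
    x = rng.randrange(0, 1 << N_BITS)
    return predict_related_output(nr_prf(key, x), phi, x) == rka_oracle(key, phi, x)
```

`attack_succeeds()` returns True for every seed: because $\varphi$ multiplies each key component, the exponent of $F_{\varphi(K)}(x)$ factors as $(\prod a_i)(\prod c_i)$ over the selected positions, so the related-key output is a public power of the honest output. Any RKA-secure variant has to break exactly this algebraic relation between the key-space group action and the exponent.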
On The Distribution Of The RSA Generator
Proc. Intern. Conf. on Sequences and their Applications (SETA'98), 1998
Cited by 12 (9 self)
Abstract:
In this paper we prove the result in the most important case for applications, when $m = pl$ where $p$ and $l$ are distinct primes. Such numbers are called Blum integers (sometimes given with certain additional conditions such as that ...
HMAC is a randomness extractor and applications to TLS, 2008
Cited by 8 (1 self)
Abstract:
In this paper, we study the security of a practical randomness extractor and its application in the TLS standard. Randomness extraction is the first stage of key derivation functions, since the secret shared between the entities does not always come from a uniformly distributed source. More precisely, we ask whether the HMAC function, used in many standards, can be considered a randomness extractor. We show that when the shared secret is put in the key space of the HMAC function, there are two cases to consider depending on whether the key is larger than the block length of the hash function or not. In both cases, we provide a formal proof that the output is pseudorandom, but under different assumptions. Nevertheless, all the assumptions are related to the fact that the compression function of the underlying hash function behaves like a pseudorandom function. This analysis allows us to prove the TLS randomness extractor for Diffie-Hellman and RSA key exchange. Of independent interest, we study a computational analog to the leftover hash lemma for computational almost universal hash function families: any pseudorandom function family matches the latter definition.
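As an added example (not part of the page or of the paper), the two key cases the abstract distinguishes, written out in Python. HMAC-SHA256 is implemented from RFC 2104 so that the case split on the block length is visible, checked against the standard library, and then used as the TLS 1.2 PRF (RFC 5246) that turns a pre-master secret into the master secret. The pre-master secrets and handshake randoms are constructed sample values, not captured traffic; a 2048-bit Diffie-Hellman pre-master secret is 256 bytes and falls into the "hashed" case, a 48-byte RSA pre-master secret into the "padded" case.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-256 block length in bytes; the case split below is on this value


def hmac_sha256_manual(key: bytes, msg: bytes) -> bytes:
    """RFC 2104 HMAC-SHA256 written out so that the two key cases are visible."""
    if len(key) > BLOCK:
        key = hashlib.sha256(key).digest()  # case 1: a key longer than the block is hashed first
    key = key.ljust(BLOCK, b"\x00")         # case 2: a key of at most one block is zero-padded
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()


def key_case(secret: bytes) -> str:
    """Which of the abstract's two cases a shared secret of this length falls into."""
    return "hashed" if len(secret) > BLOCK else "padded"


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Sanity check of the manual HMAC against hmac.new."""
    return hmac.compare_digest(hmac_sha256_manual(key, msg),
                               hmac.new(key, msg, hashlib.sha256).digest())


def long_key_equivalent_to_its_hash(key: bytes, msg: bytes) -> bool:
    """Case 1 consequence: for len(key) > BLOCK, HMAC(key, m) == HMAC(SHA256(key), m),
    so the extractor only ever sees a 32-byte hash of the shared secret."""
    return len(key) > BLOCK and hmac_sha256_manual(key, msg) == \
        hmac_sha256_manual(hashlib.sha256(key).digest(), msg)


def short_key_equivalent_to_padded(key: bytes, msg: bytes) -> bool:
    """Case 2 consequence: for len(key) <= BLOCK, trailing zero bytes of the key do not change the output."""
    return len(key) <= BLOCK and hmac_sha256_manual(key, msg) == \
        hmac_sha256_manual(key.ljust(BLOCK, b"\x00"), msg)


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_SHA256 (RFC 5246, section 5): the pre-master secret is the HMAC key, the seed is public."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac_sha256_manual(secret, a)            # A(i) = HMAC(secret, A(i-1)), A(0) = seed
        out += hmac_sha256_manual(secret, a + seed)  # P_hash = HMAC(secret, A(1) + seed) || ...
    return out[:length]


def tls12_master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)[0..47]."""
    return p_sha256(premaster, b"master secret" + client_random + server_random, 48)


# Constructed sample inputs (not real handshake data): a 256-byte DH pre-master secret
# (longer than the block, so hashed first) and a 48-byte RSA pre-master secret (padded).
DH_PREMASTER = bytes(range(256))
RSA_PREMASTER = bytes([0x03, 0x03]) + bytes(range(46))
CLIENT_RANDOM = bytes([0x11] * 32)
SERVER_RANDOM = bytes([0x22] * 32)
```

The two equivalences are why the abstract needs different assumptions per case: in the long-key case the hash function's compression is applied to the secret before it ever reaches the HMAC key schedule, while in the short-key case the secret enters the compression function directly, padded with public zeros.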
Hardness of distinguishing the MSB or LSB of secret keys in Diffie-Hellman schemes, ICALP 2006
Cited by 8 (3 self)
Abstract:
In this paper we introduce very simple deterministic randomness extractors for Diffie-Hellman distributions. More specifically, we show that the $k$ most significant bits or the $k$ least significant bits of a random element in a subgroup of $\mathbb{Z}_p^*$ are indistinguishable from a random bit-string of the same length. This allows us to show that under the Decisional Diffie-Hellman assumption we can deterministically derive a uniformly random bit-string from a Diffie-Hellman exchange in the standard model. Then, we show that it can be used in key exchange or encryption schemes to avoid the leftover hash lemma and universal hash functions. Keywords: Diffie-Hellman transform, randomness extraction, least significant bits, exponential sums.
Optimal randomness extraction from a Diffie-Hellman element, EUROCRYPT 2009, volume 5479 of LNCS, 2009
Cited by 6 (0 self)
Abstract:
In this paper, we study a quite simple deterministic randomness extractor from random Diffie-Hellman elements defined over a prime-order multiplicative subgroup $G$ of a finite field $\mathbb{Z}_p$ (the truncation), and over a group of points of an elliptic curve (the truncation of the abscissa). Informally speaking, we show that the least significant bits of a random element in $G \subset \mathbb{Z}_p^*$ or of the abscissa of a random point in $E(\mathbb{F}_p)$ are indistinguishable from a uniform bit-string. Such an operation is quite efficient, and is a good randomness extractor, since we show that it can extract nearly the same number of bits as the Leftover Hash Lemma can for most elliptic curve parameters and for large subgroups of finite fields. To this aim, we develop a new technique to bound exponential sums that allows us to double the number of extracted bits compared with previously known results proposed at ICALP'06 by Fouque et al. It can also be used to improve previous bounds proposed by Canetti et al. One of the main applications of this extractor is to mathematically prove an assumption proposed at Crypto '07 and used in the security proof of the Elliptic Curve Pseudo Random Generator proposed by NIST. The second most obvious application is to perform efficient key derivation given Diffie-Hellman elements.
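An added example (not from either of the two papers above) of the finite-field extractor both abstracts study: a Diffie-Hellman exchange in a prime-order subgroup of $\mathbb{Z}_p^*$, a subgroup-membership check on the received values, and truncation of the shared element to its $k$ least significant bits, next to the hash-based derivation it is meant to replace. The group is a small constructed safe-prime group generated at run time from a fixed seed, far below deployable sizes, and $k$ is a demo parameter; for a real group the admissible $k$ comes from the bounds proved in the papers, which are not restated here. The elliptic-curve abscissa variant is not shown.

```python
import hashlib
import random


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; witnesses come from a PRNG seeded with n so the demo is reproducible."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(n)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_safe_prime(bits: int, seed: int):
    """Constructed toy group (an assumption, far too small for real use): p = 2q + 1 with q prime,
    so Z_p^* has a subgroup of prime order q (the quadratic residues)."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


def in_subgroup(y: int, p: int, q: int) -> bool:
    """Membership check each party must run on a received value before exponentiating with its secret."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def dh_shared_element(p: int, q: int, g: int, rng: random.Random) -> int:
    """Both sides of a Diffie-Hellman exchange in the order-q subgroup; returns the common element."""
    a, b = rng.randrange(1, q), rng.randrange(1, q)
    pub_a, pub_b = pow(g, a, p), pow(g, b, p)
    if not (in_subgroup(pub_a, p, q) and in_subgroup(pub_b, p, q)):
        raise ValueError("public value outside the prime-order subgroup")
    shared_a, shared_b = pow(pub_b, a, p), pow(pub_a, b, p)
    if shared_a != shared_b:
        raise AssertionError("the two sides disagree on the shared element")
    return shared_a


def lsb_extract(element: int, k: int) -> bytes:
    """The deterministic extractor studied above: keep the k least significant bits of the element."""
    return (element & ((1 << k) - 1)).to_bytes((k + 7) // 8, "big")


def demo(bits: int = 192, k: int = 96, seed: int = 2024) -> dict:
    p, q = toy_safe_prime(bits, seed)
    g = 4  # 4 = 2^2 is a square, hence in the order-q subgroup; q prime makes its order exactly q
    shared = dh_shared_element(p, q, g, random.Random(seed))
    p_bytes = (p.bit_length() + 7) // 8
    return {
        "p": p,
        "q": q,
        "shared": shared,
        "in_subgroup": in_subgroup(shared, p, q),
        "lsb_key": lsb_extract(shared, k),  # truncation extractor from the abstracts above
        "hash_key": hashlib.sha256(shared.to_bytes(p_bytes, "big")).digest()[: k // 8],  # hash-based alternative
    }
```

The truncation costs one mask, whereas the hash route costs a compression function call and, for a proof, either a random-oracle assumption or a universal-hash family plus the leftover hash lemma; the extractor's whole point is that for a suitable $k$ the masked bits are already close to uniform under DDH.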
Double Exponential Sums Related to DiffieHellman Distributions
Cited by 4 (3 self)
Abstract:
Let $p$ be a large prime number and $T$ a divisor of $p-1$. Let $\lambda$ be an element of multiplicative ...
A Public Key Cryptosystem Based On Sparse Polynomials, Proceedings of an International Conference, 1998
Cited by 4 (2 self)
Abstract:
In this paper we present a new idea for the construction of one-way functions. The hard problem underlying our one-way functions can be stated as follows: ...
New estimates of double trigonometric sums with exponential functions, J. Number Theory
Cited by 2 (0 self)
Abstract:
We establish a new bound for the exponential sum $\left|\sum \gamma(y)\exp\!\left(2\pi i a\lambda^{xy}\right)\right|$ ...
On Decimations of l-Sequences, 2002
Cited by 2 (0 self)
Abstract:
Maximal length Feedback with Carry Shift Register sequences have several remarkable statistical properties. Among them is the property that the arithmetic correlations between any two cyclically distinct decimations are precisely zero. It is open, however, whether all such pairs of decimations are indeed cyclically distinct. In this paper we show that the set of distinct decimations is large and, in some cases, all decimations are distinct.
On A New Exponential Sum, Canad. Math. Bull., 1999
Cited by 2 (0 self)
Abstract:
Let $p$ be prime and let $\vartheta \in \mathbb{Z}_p$ be of multiplicative order $t$ modulo $p$. We consider exponential sums of the form $S(a) = \sum_{x=1}^{t} \exp\!\left(2\pi i a\vartheta^{x^2}/p\right)$ and prove that for any $\varepsilon > 0$, $\max_{\gcd(a,p)=1} |S(a)| = O\!\left(t^{5/6+\varepsilon} p^{1/8}\right)$. 1991 Mathematics Subject Classification. Primary 11L07, 11T23, 11B50; Secondary 11K31, 11K38. Supported in part by the National Science Foundation; supported in part by the Australian Research Council. Let $p$ be a large prime such that $p-1$ has some large prime factors, and let $\vartheta \in \mathbb{Z}_p$ be of multiplicative order $t$ modulo $p$. We put $e(z) = \exp(2\pi i z/p)$. We estimate exponential sums of the form $S(a) = \sum_{x=1}^{t} e\!\left(a\vartheta^{x^2}\right)$. The question has been motivated by some results of [1] and in fact in the proof we use some estimates from that paper. We remark that the similarly looking sums $T(a) = \sum_{x=1}^{t} e\!\left(a\vartheta^{x}\right)$ have been studied in many papers by many authors and have numerous applications, see [4, 5, 6, 7, 8] and refere...