Results 1-10 of 21
The Decision Diffie-Hellman Problem
, 1998
Cited by 198 (6 self)
The Decision Diffie-Hellman assumption (DDH) is a gold mine. It enables one to construct efficient cryptographic systems with strong security properties. In this paper we survey the recent applications of DDH as well as known results regarding its security. We describe some open problems in this area. 1 Introduction. An important goal of cryptography is to pin down the exact complexity assumptions used by cryptographic protocols. Consider the Diffie-Hellman key exchange protocol [12]: Alice and Bob fix a finite cyclic group $G$ and a generator $g$. They respectively pick random $a, b \in [1, |G|]$ and exchange $g^a, g^b$. The secret key is $g^{ab}$. To totally break the protocol a passive eavesdropper, Eve, must compute the Diffie-Hellman function defined as: $\mathrm{dh}_g(g^a, g^b) = g^{ab}$. We say that the group $G$ satisfies the Computational Diffie-Hellman assumption (CDH) if no efficient algorithm can compute the function $\mathrm{dh}_g(x, y)$ in $G$. Precise definitions are given in the next sectio...
Number-theoretic constructions of efficient pseudorandom functions
 In 38th Annual Symposium on Foundations of Computer Science
, 1997
On the statistical properties of Diffie–Hellman distributions
 MR 2001k:11258 Zbl 0997.11066
Cited by 29 (10 self)
Let $p$ be a large prime such that $p-1$ has some large prime factors, and let $\vartheta \in \mathbb{Z}_p^*$ be an $r$th power residue for all small factors of $p-1$. The corresponding Diffie-Hellman (DH) distribution is $(\vartheta^x, \vartheta^y, \vartheta^{xy})$ where $x, y$ are randomly chosen from $\mathbb{Z}_p^*$. A recently formulated assumption is that given $p, \vartheta$ of the above form it is infeasible to distinguish in reasonable time between DH distribution and triples of numbers chosen
On the Distribution of the Power Generator
 Math. Comp
, 1999
Cited by 12 (8 self)
We present a new method to study the power generator of pseudorandom numbers modulo a Blum integer m. This includes as special cases the RSA generator and the Blum-Blum-Shub generator. We prove the uniform distribution of these, provided that the period t # m 3/4+# with fixed # > 0 and under the same condition the uniform distribution of a positive proportion of the leftmost and rightmost bits. This sharpens and generalizes previous results which dealt with the RSA generator, provided the period t # m 23/24+# . We apply our results to deduce that the period of the binary sequence of the rightmost bit has exponential length. 1. Introduction Let e # 2, m # 1 and # be integers such that gcd(#, m) = 1. Then one can define the sequence (u n ) by the recurrence relation u n # u e n1 (mod m), 0 # u n # m 1, n = 1, 2, . . . , (1.1) with the initial value u 0 = #. This sequence is known as the power generator of pseudorandom numbers and has many applications to crypt...
On The Distribution Of The RSA Generator
 Proc. Intern. Conf. on Sequences and their Applications (SETA'98)
, 1998
Cited by 12 (9 self)
this paper we prove the result in the most important case for applications when m = pl where p and l are distinct primes. Such numbers are called Blum integers (sometimes given with certain additional conditions such as that
Hardness of distinguishing the MSB or LSB of secret keys
 in Diffie-Hellman schemes, ICALP
, 2006
Cited by 8 (3 self)
Abstract. In this paper we introduce very simple deterministic randomness extractors for Diffie-Hellman distributions. More specifically we show that the $k$ most significant bits or the $k$ least significant bits of a random element in a subgroup of $\mathbb{Z}_p^\star$ are indistinguishable from a random bitstring of the same length. This allows us to show that under the Decisional Diffie-Hellman assumption we can deterministically derive a uniformly random bitstring from a Diffie-Hellman exchange in the standard model. Then, we show that it can be used in key exchange or encryption scheme to avoid the leftover hash lemma and universal hash functions. Keywords: Diffie-Hellman transform, randomness extraction, least significant bits, exponential sums.
S.: HMAC is a randomness extractor and applications to TLS
, 2008
Cited by 8 (1 self)
Abstract. In this paper, we study the security of a practical randomness extractor and its application in the TLS standard. Randomness extraction is the first stage of key derivation functions since the secret shared between the entities does not always come from a uniformly distributed source. More precisely, we wonder if the HMAC function, used in many standards, can be considered as a randomness extractor? We show that when the shared secret is put in the key space of the HMAC function, there are two cases to consider depending on whether the key is larger than the blocklength of the hash function or not. In both cases, we provide a formal proof that the output is pseudorandom, but under different assumptions. Nevertheless, all the assumptions are related to the fact that the compression function of the underlying hash function behaves like a pseudorandom function. This analysis allows us to prove the TLS randomness extractor for Diffie-Hellman and RSA key exchange. Of independent interest, we study a computational analog to the leftover hash lemma for computational almost universal hash function families: any pseudorandom function family matches the latter definition.
Double Exponential Sums Over Thin Sets
, 2001
Cited by 5 (2 self)
We estimate double exponential sums of the form Sa ( X , Y) = X x#X X y#Y exp (2#ia# xy /p) , where # is of multiplicative order t modulo the prime p and X and Y are arbitrary subsets of the residue ring modulo t. In the special case t = p  1, our bound is nontrivial for  X  #  Y # p 15/16+# with any fixed # > 0, while if in addition we have  X  # p 1#/4 it is nontrivial for  Y # p 3/4+# . 1. Let p be a prime and let $\mathbb{F}_p$ be a finite field of p elements. For an integer m # 1 we denote by $\mathbb{Z}_m$ = {0, . . . , m  1} the residue ring modulo m. We also identify $\mathbb{F}_p$ with the set {0, . . . , p  1}. Finally we define e(z) = exp(2#i/p) and use log z for the natural logarithm of z. Throughout the paper the implied constants in symbols `O', `#' and `#' may occasionally, where obvious, depend on the small positive parameter # and are absolute otherwise (we recall that A # B and B # A are equivalent to A = O(B)). We fix an element # # I...
On The Distribution Of Diffie-Hellman Triples With Sparse Exponents
 SIAM Journal on Discrete Mathematics
, 2001
Cited by 5 (0 self)
Let $g$ be a primitive root modulo a $(n + 1)$-bit prime $p$. In this paper we prove the uniformity of distribution of the Diffie-Hellman triples $(g^x, g^y, g^{xy})$ as the exponents $x$ and $y$ run through the set of $n$-bit integers with precisely $k$ nonzero bits in their bit representation provided that k # 0.35n. Such "sparse" exponents are of interest because for these the computation of $g^x, g^y, g^{xy}$ is faster than for running through all $x$ and $y$. In the latter case, that is, for arbitrary exponents, similar (albeit stronger) uniformity of distribution results have recently been obtained by R. Canetti, M. Larsen, D. Lieman, S. Konyagin and the authors.
Character Sums With Exponential Functions
, 2000
Cited by 5 (5 self)
Let # be an integer of multiplicative order t # 1 modulo a prime p. We introduce and estimate sums of the form S Z (p, t, a) = T X s=1 exp (2#ia# zs /p) with a sequence Z = (z 1 , . . . , z T ) such that kz 1 , . . . , kz T is a permutation of z 1 , . . . , z T , both sequences taken modulo t, for sufficiently many distinct modulo t values of k. Such sequences include # x n for x = 1, . . . , t with an integer n # 1; # x n for x = 1, . . . , t and gcd(x, t) = 1 with an integer n # 1; # e x for x = 1, . . . , T with an integer e, where T is the period of the sequence e x modulo t. Some of our results can be extended to composite moduli and to sums of multiplicative characters as well. Character sums with the above sequences have some cryptographic motivation and applications and have been considered in several papers by J. B. Friedlander, D. Lieman and I. E. Shparlinski. In particular we generalize and improve several previous bounds. 1 Introduction In thi...