Results 1  10
of
28
The Decision DiffieHellman Problem
, 1998
"... The Decision DiffieHellman assumption (ddh) is a gold mine. It enables one to construct efficient cryptographic systems with strong security properties. In this paper we survey the recent applications of DDH as well as known results regarding its security. We describe some open problems in this are ..."
Abstract

Cited by 211 (6 self)
 Add to MetaCart
(Show Context)
The Decision DiffieHellman assumption (ddh) is a gold mine. It enables one to construct efficient cryptographic systems with strong security properties. In this paper we survey the recent applications of DDH as well as known results regarding its security. We describe some open problems in this area. 1 Introduction An important goal of cryptography is to pin down the exact complexity assumptions used by cryptographic protocols. Consider the DiffieHellman key exchange protocol [12]: Alice and Bob fix a finite cyclic group G and a generator g. They respectively pick random a; b 2 [1; jGj] and exchange g a ; g b . The secret key is g ab . To totally break the protocol a passive eavesdropper, Eve, must compute the DiffieHellman function defined as: dh g (g a ; g b ) = g ab . We say that the group G satisfies the Computational DiffieHellman assumption (cdh) if no efficient algorithm can compute the function dh g (x; y) in G. Precise definitions are given in the next sectio...
Numbertheoretic constructions of efficient pseudorandom functions
 In 38th Annual Symposium on Foundations of Computer Science
, 1997
"... ..."
On the statistical properties of Diffie–Hellman distributions
 MR 2001k:11258 Zbl 0997.11066
"... Let p be a large prime such that p−1 has some large prime factors, and let ϑ ∈ Z ∗ p be an rth power residue for all small factors of p − 1. The corresponding DiffieHellman (DH) distribution is (ϑ x, ϑ y, ϑ xy) where x, y are randomly chosen from Z ∗ p. A recently formulated assumption is that giv ..."
Abstract

Cited by 29 (10 self)
 Add to MetaCart
(Show Context)
Let p be a large prime such that p−1 has some large prime factors, and let ϑ ∈ Z ∗ p be an rth power residue for all small factors of p − 1. The corresponding DiffieHellman (DH) distribution is (ϑ x, ϑ y, ϑ xy) where x, y are randomly chosen from Z ∗ p. A recently formulated assumption is that given p, ϑ of the above form it is infeasible to distinguish in reasonable time between DH distribution and triples of numbers chosen
On the Distribution of the RSA generator
 Proc. Intern. Conf. on Sequences and their Applications
, 1998
"... ..."
(Show Context)
S.: HMAC is a randomness extractor and applications to TLS
, 2008
"... Abstract. In this paper, we study the security of a practical randomness extractor and its application in the tls standard. Randomness extraction is the first stage of key derivation functions since the secret shared between the entities does not always come from a uniformly distributed source. More ..."
Abstract

Cited by 9 (1 self)
 Add to MetaCart
Abstract. In this paper, we study the security of a practical randomness extractor and its application in the tls standard. Randomness extraction is the first stage of key derivation functions since the secret shared between the entities does not always come from a uniformly distributed source. More precisely, we wonder if the Hmac function, used in many standards, can be considered as a randomness extractor? We show that when the shared secret is put in the key space of the Hmac function, there are two cases to consider depending on whether the key is larger than the blocklength of the hash function or not. In both cases, we provide a formal proof that the output is pseudorandom, but under different assumptions. Nevertheless, all the assumptions are related to the fact that the compression function of the underlying hash function behaves like a pseudorandom function. This analysis allows us to prove the tls randomness extractor for DiffieHellman and RSA key exchange. Of independent interest, we study a computational analog to the leftover hash lemma for computational almost universal hash function families: any pseudorandom function family matches the latter definition. 1
Hardness of distinguishing the MSB or LSB of secret keys
 in DiffieHellman schemes, ICALP
, 2006
"... Abstract. In this paper we introduce very simple deterministic randomness extractors for DiffieHellman distributions. More specifically we show that the k most significant bits or the k least significant bits of a random element in a subgroup of Z ⋆ p are indistinguishable from a random bitstring ..."
Abstract

Cited by 8 (3 self)
 Add to MetaCart
(Show Context)
Abstract. In this paper we introduce very simple deterministic randomness extractors for DiffieHellman distributions. More specifically we show that the k most significant bits or the k least significant bits of a random element in a subgroup of Z ⋆ p are indistinguishable from a random bitstring of the same length. This allows us to show that under the Decisional DiffieHellman assumption we can deterministically derive a uniformly random bitstring from a DiffieHellman exchange in the standard model. Then, we show that it can be used in key exchange or encryption scheme to avoid the leftover hash lemma and universal hash functions. Keywords: DiffieHellman transform, randomness extraction, least significant bits, exponential sums. 1
On the distribution of DiffieHellman triples with sparse exponents
 SIAM Journal on Discrete Mathematics
, 2001
"... ..."