Results 1 - 10 of 14
Pairing-based Cryptography at High Security Levels
Proceedings of Cryptography and Coding 2005, volume 3796 of LNCS, 2005
Cited by 79 (3 self)

Abstract. In recent years cryptographic protocols based on the Weil and Tate pairings on elliptic curves have attracted much attention. A notable success in this area was the elegant solution by Boneh and Franklin [7] of the problem of efficient identity-based encryption. At the same time, the security standards for public key cryptosystems are expected to increase, so that in the future they will be capable of providing security equivalent to 128-, 192-, or 256-bit AES keys. In this paper we examine the implications of heightened security needs for pairing-based cryptosystems. We first describe three different reasons why high-security users might have concerns about the long-term viability of these systems. However, in our view none of the risks inherent in pairing-based systems are sufficiently serious to warrant pulling them from the shelves. We next discuss two families of elliptic curves $E$ for use in pairing-based cryptosystems. The first has the property that the pairing takes values in the prime field $\mathbb{F}_p$ over which the curve is defined; the second family consists of supersingular curves with embedding degree $k = 2$. Finally, we examine the efficiency of the Weil pairing as opposed to the Tate pairing and compare a range of choices of embedding degree $k$, including $k = 1$ and $k = 24$.
ECM on Graphics Cards
Cited by 13 (4 self)

Abstract. This paper reports record-setting performance for the elliptic-curve method of integer factorization: for example, 604.99 curves/second for ECM stage 1 with $B_1 = 8192$ for 280-bit integers on a single PC. The state-of-the-art GMP-ECM software handles 171.42 curves/second for ECM stage 1 with $B_1 = 8192$ for 280-bit integers using all four cores of a 2.4GHz Core 2 Quad Q6600. The extra speed takes advantage of extra hardware, specifically two NVIDIA GTX 280 graphics cards, using a new ECM implementation introduced in this paper. Our implementation uses Edwards curves, relies on new parallel addition formulas, and is carefully tuned for the highly parallel GPU architecture. On a single GTX 280 the implementation performs 22.66 million modular multiplications per second for a general 280-bit modulus. GMP-ECM, using all four cores of a Q6600, performs 17.91 million multiplications per second. This paper also reports speeds on other graphics processors: for example, ...
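The stage 1 computation the abstract refers to (multiply a point by $k = \mathrm{lcm}(1..B_1)$ and look for a factor with a gcd) fits in a few dozen lines. The following is an added example in Python, not the paper's GPU code: a serial ECM stage 1 on an Edwards curve $x^2 + y^2 = 1 + d\,x^2 y^2$ in projective $(X:Y:Z)$ coordinates, using the unified addition law so that doubling and addition share one formula and no inversion is needed in the loop. The toy modulus, the bound $B_1 = 40$, the curve count and the PRNG seed in the demo are constructed for illustration.

```python
"""ECM stage 1 on an Edwards curve x^2 + y^2 = 1 + d*x^2*y^2 (mod n).
Added example, not the paper's GPU implementation: serial Python, one curve per
trial, projective (X:Y:Z) coordinates so no inversions are needed inside the loop."""
import math
import random


def edwards_add(P, Q, d, n):
    """Unified addition (X1:Y1:Z1) + (X2:Y2:Z2) mod n on the curve with parameter d.
    The same formula doubles a point, so scalar multiplication needs no special cases."""
    X1, Y1, Z1 = P
    X2, Y2, Z2 = Q
    A = Z1 * Z2 % n
    B = A * A % n
    C = X1 * X2 % n
    D = Y1 * Y2 % n
    E = d * C % n * D % n
    F = (B - E) % n            # B times the denominator of y3
    G = (B + E) % n            # B times the denominator of x3
    X3 = A * F % n * (((X1 + Y1) * (X2 + Y2) - C - D) % n) % n
    Y3 = A * G % n * ((D - C) % n) % n
    Z3 = F * G % n
    return (X3, Y3, Z3)


def edwards_mul(k, P, d, n):
    """Left-to-right double-and-add starting from the neutral element (0:1:1)."""
    R = (0, 1, 1)
    for bit in bin(k)[2:]:
        R = edwards_add(R, R, d, n)
        if bit == "1":
            R = edwards_add(R, P, d, n)
    return R


def on_curve(P, d, n):
    """Projective form of x^2 + y^2 = 1 + d x^2 y^2: X^2 Z^2 + Y^2 Z^2 == Z^4 + d X^2 Y^2."""
    X, Y, Z = P
    lhs = (X * X + Y * Y) % n * (Z * Z) % n
    rhs = (pow(Z, 4, n) + d * X % n * X % n * Y % n * Y) % n
    return lhs == rhs


def stage1_multiplier(B1):
    """k = lcm(1..B1): product over primes p <= B1 of the largest power p^e <= B1."""
    k = 1
    for p in range(2, B1 + 1):
        if all(p % q for q in range(2, math.isqrt(p) + 1)):
            pe = p
            while pe * p <= B1:
                pe *= p
            k *= pe
    return k


def random_curve_and_point(rng, n):
    """Choose a random affine point (x, y) mod n and solve for d so that it lies on
    the curve; returns (d, point, factor), factor being set if the inversion fails."""
    while True:
        x, y = rng.randrange(2, n), rng.randrange(2, n)
        v = x * x % n * y % n * y % n
        g = math.gcd(v, n)
        if g == n:
            continue
        if g > 1:
            return None, None, g         # the gcd already splits n
        d = (x * x + y * y - 1) * pow(v, -1, n) % n
        return d, (x, y, 1), None


def ecm_stage1(n, B1, curves=100, seed=0):
    """Try up to `curves` random Edwards curves; return a non-trivial factor of n or None.
    [k]P is the neutral element mod p exactly when the order of P mod p divides k,
    which shows up as X == 0 mod p; gcd(Z, n) catches exceptional points on
    non-complete curves (d a square mod p)."""
    rng = random.Random(seed)
    k = stage1_multiplier(B1)
    for _ in range(curves):
        d, P, lucky = random_curve_and_point(rng, n)
        if lucky:
            return lucky
        X, _, Z = edwards_mul(k, P, d, n)
        for g in (math.gcd(X, n), math.gcd(Z, n)):
            if 1 < g < n:
                return g
    return None


if __name__ == "__main__":
    n = 1009 * 1013   # constructed toy modulus; real targets are hundreds of bits
    print(ecm_stage1(n, B1=40, curves=200, seed=1))
```

Every Edwards curve carries the points $(\pm1, 0)$ of order 4, so the group order mod each prime is a multiple of 4, which is part of why Edwards curves suit ECM. A production implementation adds a stage 2 and, as the paper describes, runs thousands of such curves in parallel, one per GPU thread.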
On the function field sieve and the impact of higher splitting probabilities: Application to discrete logarithms in $\mathbb{F}_{2^{1971}}$
, 2013
Cited by 11 (1 self)

Abstract. In this paper we propose a binary field variant of the Joux-Lercier medium-sized Function Field Sieve, which results not only in complexities as low as $L_{q^n}(1/3, 2/3)$ for computing arbitrary logarithms, but also in a heuristic polynomial time algorithm for finding the discrete logarithms of degree one elements. To illustrate the efficiency of the method, we have successfully solved the DLP in the finite field with $2^{1971}$ elements.
Thomé, When e-th roots become easier than factoring
Progress in Cryptology – Asiacrypt 2007, LNCS 4833, 2007
Cited by 10 (1 self)

Abstract. We show that computing $e$-th roots modulo $n$ is easier than factoring $n$ with currently known methods, given subexponential access to an oracle outputting the roots of numbers of the form $x_i + c$. Here $c$ is fixed and $x_i$ denotes small integers of the attacker's choosing. The attack comes in two flavors: – A first version is illustrated here by producing selective roots of the form $x_i + c$ in $L_n(1/3, (32/9)^{1/3})$ ...
Cryptography meets voting
, 2005
Cited by 5 (0 self)

We survey the contributions of the entire theoretical computer science/cryptography community during 1975-2002 that impact the question of how to run verifiable elections with secret ballots. The approach based on homomorphic encryptions is the most successful; one such scheme is sketched in detail and argued to be feasible to implement. It is explained precisely what these ideas accomplish but also what they do not accomplish, and a short history of election fraud throughout history is included.
The number field sieve for integers of low weight
, 2006
Cited by 4 (0 self)

Abstract. We define the weight of an integer $N$ to be the smallest $w$ such that $N$ can be represented as $\sum_{i=1}^{w} \epsilon_i 2^{c_i}$, with $\epsilon_1, \ldots, \epsilon_w \in \{1, -1\}$. Since arithmetic modulo a prime of low weight is particularly efficient, it is tempting to use such primes in cryptographic protocols. In this paper we consider the difficulty of the discrete logarithm problem modulo a prime $N$ of low weight, as well as the difficulty of factoring an integer $N$ of low weight. We describe a version of the number field sieve which handles both problems. In the case that $w = 2$, the method is the same as the special number field sieve, which runs conjecturally in time $\exp\big(((32/9)^{1/3} + o(1))(\log N)^{1/3}(\log\log N)^{2/3}\big)$ for $N \to \infty$. For fixed $w > 2$, we conjecture that there is a constant $\xi$ less than $(32/9)^{1/3}\big((2w-3)/(w-1)\big)^{1/3}$ such that the running time of the algorithm is at most $\exp\big((\xi + o(1))(\log N)^{1/3}(\log\log N)^{2/3}\big)$ for $N \to \infty$. We further conjecture that no $\xi$ less than $(32/9)^{1/3}\big((\sqrt{2}\,w - 2\sqrt{2} + 1)/(w-1)\big)^{2/3}$ has this property. Our analysis reveals that on average the method performs significantly better than it does in the worst case. We consider all the examples given in a recent paper of Koblitz and Menezes and demonstrate that in every case but one, our algorithm runs faster than the standard versions of the number field sieve.
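The weight $w(N)$ defined in this abstract is easy to compute for a candidate modulus, which is the check a practitioner would want before adopting a "fast" prime: the non-adjacent form (NAF) of $N$ is a signed-binary representation with digits in $\{-1, 0, 1\}$ and no two adjacent nonzero digits, and by Reitwiesner's theorem it has the minimum number of nonzero digits among all such representations, so its nonzero-digit count is exactly $w(N)$. The following is an added Python example, not the paper's code; the sample moduli (two Mersenne primes, the NIST P-256 prime and $2^{255} - 19$) are constructed inputs.

```python
"""Signed-binary weight w(N) of an integer, as defined in the abstract above:
the minimum number of terms in N = sum eps_i * 2^{c_i}, eps_i in {1, -1}.
Added example (not the paper's code). The non-adjacent form attains this
minimum among all {-1, 0, 1} signed-binary representations (Reitwiesner 1960)."""


def naf_digits(n):
    """Non-adjacent form of n >= 0, least-significant digit first, digits in {-1, 0, 1}."""
    digits = []
    while n > 0:
        if n & 1:
            d = 2 - (n & 3)   # n = 1 mod 4 -> +1, n = 3 mod 4 -> -1; makes the next digit 0
            n -= d
        else:
            d = 0
        digits.append(d)
        n >>= 1
    return digits


def signed_binary_terms(n):
    """Minimal-weight representation as a list of (eps, c) pairs, highest power first."""
    return [(d, i) for i, d in reversed(list(enumerate(naf_digits(n)))) if d]


def weight(n):
    """w(N) from the abstract: the number of nonzero NAF digits."""
    return len(signed_binary_terms(n))


def from_terms(terms):
    """Rebuild N from its (eps, c) terms, to check the representation."""
    return sum(e * (1 << c) for e, c in terms)


def describe(n):
    """Human-readable '2^a - 2^b + ...' form of the minimal-weight representation."""
    parts = []
    for e, c in signed_binary_terms(n):
        sign = "-" if e < 0 else "+"
        parts.append(f"{sign} 2^{c}")
    s = " ".join(parts)
    return s[2:] if s.startswith("+ ") else s


if __name__ == "__main__":
    # Constructed sample moduli: two Mersenne primes, the NIST P-256 prime, 2^255 - 19.
    samples = [
        ("2^127 - 1", 2**127 - 1),
        ("2^521 - 1", 2**521 - 1),
        ("P-256 prime", 2**256 - 2**224 + 2**192 + 2**96 - 1),
        ("2^255 - 19", 2**255 - 19),
    ]
    for name, N in samples:
        print(f"{name}: weight {weight(N)}: {describe(N)}")
```

The Mersenne primes have $w = 2$ and so fall under the special number field sieve case of the abstract; P-256's prime has $w = 5$ and $2^{255} - 19$ has $w = 4$, which is the regime ($w > 2$) the paper's conjectured $\xi$ bounds cover.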
An algorithm to solve the discrete logarithm problem with the number field sieve, pp. 174–190 in Public Key Cryptography, edited by M. Yung et al.
Lecture Notes in Comput. Sci. 3958, 2006
Cited by 4 (0 self)

Abstract. Recently, Schirokauer's algorithm to solve the discrete logarithm problem modulo a prime $p$ has been modified by Matyukhin, yielding an algorithm with running time $L_p[1/3, 1.9018\ldots]$, which is, at the present time, the best known estimate of the complexity of finding discrete logarithms over prime finite fields and which coincides with the best known theoretical running time for factoring integers, obtained by Coppersmith. In this paper, another algorithm to solve the discrete logarithm problem in $\mathbb{F}_p^*$ for $p$ prime is presented. The global running time is again $L_p[1/3, 1.9018\ldots]$, but in contrast with Matyukhin's method, this algorithm enables us to calculate individual logarithms in a separate stage in time $L_p[1/3, 3^{1/3}]$, once a $L_p[1/3, 1.9018\ldots]$ time costing precomputation stage has been executed. We describe the algorithm as derived from [6] and estimate its running time to be $L_p[1/3, (64/9)^{1/3}]$, after which individual logarithms can be calculated in time $L_p[1/3, \ldots]$ ...
Advanced Course on Contemporary Cryptology, chapter Provable Security for Public-Key Schemes
Advanced Courses CRM Barcelona. Birkhäuser Publishers, Basel, June 2005. ISBN: 3-7643-7294-X (248
, 2005
Cited by 2 (1 self)

Abstract. Since the appearance of public-key cryptography in the Diffie-Hellman seminal paper, many schemes have been proposed, but many have been broken. Indeed, for a long time, the simple fact that a cryptographic algorithm had withstood cryptanalytic attacks for several years was considered as a kind of validation. But some schemes took a long time before being widely studied, and maybe thereafter being broken. A much more convincing line of research has tried to provide "provable" security for cryptographic protocols, in a complexity theory sense: if one can break the cryptographic protocol, one can efficiently solve the underlying problem. Unfortunately, this initially was a purely theoretical work: very few practical schemes could be proven in this so-called "standard model" because such a security level rarely meets with efficiency. Ten years ago, Bellare and Rogaway proposed a trade-off to achieve some kind of validation of efficient schemes, by identifying some concrete cryptographic objects with ideal random ones. The most famous identification appeared in the so-called "random-oracle model". More recently, another direction has been taken to prove the security of efficient schemes in the standard model (without any ideal assumption) by using stronger computational assumptions. In these lectures, we focus on practical asymmetric protocols together with their "reductionist" security proofs, mainly in the random-oracle model. We cover the two main goals that public-key cryptography is devoted to solve: authentication with digital signatures, and confidentiality with public-key encryption schemes.
Parallel Solution of Sparse Linear Systems Defined over GF(p)
Cited by 1 (0 self)

Introduction. The security of modern public-key cryptography is usually based on the presumed hardness of problems such as factoring integers or computing discrete logarithms. The Number Field Sieve [19] (NFS) and Function Field Sieve [1] (FFS) offer two examples of algorithms that can attack these problems. Such algorithms are generally specified in two phases. The first phase, sometimes called the sieving step, aims to collect many relations that represent small items of information about the problem one is trying to solve. This phase is easy to parallelise since one can generate the relations independently. It is therefore attractive for distributed, Internet-based collaborative computation [26]. The second phase of processing, sometimes called the matrix step, aims to collect the relations and combine them into a single linear system which, when solved, allows one to efficiently compute answers to the original problem. Efficient implementation of the matrix step is challenging since the li ...
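The two-phase structure described here (independent relation collection, then one linear system whose solution answers the original problem), together with the separate individual-logarithm stage after a precomputation that the PKC 2006 number field sieve abstract earlier on this page refers to, can be seen in miniature in a toy index-calculus computation. The following is an added example in Python, not the code of either paper: relations come from trial division rather than sieving, the matrix step is dense Gauss-Jordan elimination rather than the sparse solvers the paper is about, and the parameters are constructed so that the linear algebra is simple: $p = 1019 = 2q + 1$ with $q = 509$ prime, generator $g = 2$ (a non-residue since $1019 \equiv 3 \pmod 8$), and a factor base of the primes up to 31. Logarithms are solved modulo $q$ by linear algebra and their parity is fixed by a Legendre symbol, since with $g$ a generator an element is a quadratic residue exactly when its logarithm is even.

```python
"""Toy index calculus for discrete logs in F_p^*, p = 2q + 1 with q prime.
Added example, not the code of either paper. Phase 1 collects relations
g^e = prod p_i^{a_i} (mod p) over a small factor base; phase 2 solves the
resulting linear system for log_g(p_i); a separate stage then computes
individual logarithms from one more smooth relation."""
import random


def small_primes(bound):
    """Factor base: all primes <= bound, by trial division (enough for a toy)."""
    return [p for p in range(2, bound + 1)
            if all(p % q for q in range(2, int(p ** 0.5) + 1))]


def factor_over_base(v, base):
    """Exponent vector of v over the factor base, or None if v is not smooth."""
    exps = []
    for p in base:
        e = 0
        while v % p == 0:
            v //= p
            e += 1
        exps.append(e)
    return exps if v == 1 else None


def collect_relations(p, g, base, count, rng):
    """Phase 1 (the 'sieving step'): a random e with g^e mod p smooth yields the
    relation sum_i a_i * log(p_i) = e (mod p-1). Trials are independent, hence parallel."""
    rows, rhs = [], []
    while len(rows) < count:
        e = rng.randrange(1, p - 1)
        exps = factor_over_base(pow(g, e, p), base)
        if exps is not None:
            rows.append(exps)
            rhs.append(e)
    return rows, rhs


def solve_mod_prime(rows, rhs, q):
    """Phase 2 (the 'matrix step'): Gauss-Jordan elimination over GF(q) on an
    overdetermined but consistent system; returns the unique solution vector."""
    m = len(rows[0])
    A = [[v % q for v in row] + [b % q] for row, b in zip(rows, rhs)]
    rank = 0
    for col in range(m):
        piv = next((r for r in range(rank, len(A)) if A[r][col]), None)
        if piv is None:
            raise ValueError("rank deficient: collect more relations")
        A[rank], A[piv] = A[piv], A[rank]
        inv = pow(A[rank][col], -1, q)
        A[rank] = [v * inv % q for v in A[rank]]
        for r in range(len(A)):
            if r != rank and A[r][col]:
                f = A[r][col]
                A[r] = [(a - f * b) % q for a, b in zip(A[r], A[rank])]
        rank += 1
    return [A[i][m] for i in range(m)]


def factor_base_logs(p, g, base, seed=0):
    """Precomputation stage: log_g(p_i) mod p-1 = 2q for every p_i in the base.
    Mod q comes from the linear algebra; mod 2 from the Legendre symbol (Euler's
    criterion), because p_i is a quadratic residue exactly when its log is even."""
    q = (p - 1) // 2
    rng = random.Random(seed)
    rows, rhs = collect_relations(p, g, base, 4 * len(base), rng)
    x = solve_mod_prime(rows, rhs, q)
    logs = []
    for pi, xi in zip(base, x):
        parity = 0 if pow(pi, q, p) == 1 else 1
        logs.append(xi if xi % 2 == parity else xi + q)
    return logs


def individual_log(p, g, h, base, logs, seed=0):
    """Individual-logarithm stage: find e with h * g^e smooth over the base, then
    log(h) = sum_i a_i log(p_i) - e (mod p-1)."""
    rng = random.Random(seed)
    while True:
        e = rng.randrange(0, p - 1)
        exps = factor_over_base(h * pow(g, e, p) % p, base)
        if exps is not None:
            return (sum(a * L for a, L in zip(exps, logs)) - e) % (p - 1)


if __name__ == "__main__":
    p, g = 1019, 2            # constructed: 1019 = 2*509 + 1 and 2 generates F_1019^*
    base = small_primes(31)
    logs = factor_base_logs(p, g, base, seed=2024)
    h = 777
    x = individual_log(p, g, h, base, logs, seed=5)
    print(f"log_{g}({h}) mod {p} = {x}; check: {pow(g, x, p) == h}")
```

The split into a reusable precomputation (factor-base logarithms) and a cheap per-target stage is exactly the structure that makes the matrix step the bottleneck at real sizes: relation collection scales out across machines, while the single linear system must be solved once, centrally, over a modulus the size of the group order.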
Evaluation Report on the Discrete Logarithm Problem over finite fields
This document is an evaluation of the discrete logarithm problem over finite fields (DLP), as a basis for designing cryptographic schemes. It relies on the analysis of numerous research papers on the subject. The present report is organized as follows: firstly, we review the DLP and several ...