Results 1-10 of 13
The Elliptic Curve Digital Signature Algorithm (ECDSA)
, 1999
Cited by 102 (5 self)
Abstract
The Elliptic Curve Digital Signature Algorithm (ECDSA) is the elliptic curve analogue of the Digital Signature Algorithm (DSA). It was accepted in 1999 as an ANSI standard, and was accepted in 2000 as IEEE and NIST standards. It was also accepted in 1998 as an ISO standard, and is under consideration for inclusion in some other ISO standards. Unlike the ordinary discrete logarithm problem and the integer factorization problem, no subexponential-time algorithm is known for the elliptic curve discrete logarithm problem. For this reason, the strength-per-key-bit is substantially greater in an algorithm that uses elliptic curves. This paper describes the ANSI X9.62 ECDSA, and discusses related security, implementation, and interoperability issues. Keywords: Signature schemes, elliptic curve cryptography, DSA, ECDSA.
Generating ElGamal signatures without knowing the secret key
, 1996
Cited by 38 (0 self)
Abstract
We present a new method to forge ElGamal signatures if the public parameters of the system are not chosen properly. Since the secret key is hereby not found, this attack shows that forging ElGamal signatures is sometimes easier than the underlying discrete logarithm problem.
1 Introduction
ElGamal's digital signature scheme [4] relies on the difficulty of computing discrete logarithms in the multiplicative group of F_p and can therefore be broken if the computation of discrete logarithms is feasible. However, the converse has never been proved. In this paper we show that it is sometimes possible to forge signatures without breaking the underlying discrete logarithm problem. This shows that the ElGamal signature scheme and some variants of the scheme must be used very carefully. The paper is organized as follows. Section 2 describes the ElGamal signature scheme. In Section 3 we present a method to forge signatures if some additional information on the generator is known. We show that...
Assumptions Related to Discrete Logarithms: Why Subtleties Make a Real Difference
Advances in Cryptology - Eurocrypt 2001, LNCS 2045
, 2002
Cited by 19 (2 self)
Abstract
The security of many cryptographic constructions relies on assumptions related to Discrete Logarithms (DL), e.g., the Diffie-Hellman, Square Exponent, Inverse Exponent or Representation Problem assumptions. In the concrete formalizations of these assumptions one has some degrees of freedom offered by parameters such as computational model, problem type (computational, decisional) or success probability of adversary. However, these parameters and their impact are often not properly considered or are simply overlooked in the existing literature.
On the relations between non-interactive key distribution, identity-based encryption and trapdoor discrete log groups. Cryptology ePrint Archive, Report 2007/453
, 2007
Cited by 10 (2 self)
Abstract
This paper investigates the relationships between identity-based non-interactive key distribution (ID-NIKD) and identity-based encryption (IBE). It provides a new security model for ID-NIKD, and a generic construction that converts a secure ID-NIKD scheme into a secure IBE scheme. This conversion is used to explain the relationship between the ID-NIKD scheme of Sakai, Ohgishi and Kasahara and the IBE scheme of Boneh and Franklin. The paper then explores the construction of ID-NIKD and IBE schemes from general trapdoor discrete log groups. Two different concrete instantiations for such groups provide new, provably secure ID-NIKD and IBE schemes. These schemes are suited to applications in which the Trusted Authority is computationally well-resourced, but clients performing encryption/decryption are highly constrained. Keywords: Identity-based encryption; identity-based non-interactive key distribution; trapdoor discrete logs.
Efficient Maximal Privacy in Boardroom Voting and Anonymous Broadcast
, 2004
Cited by 10 (0 self)
Abstract
Most voting schemes rely on a number of authorities. If too many of these authorities are dishonest then voter privacy may be violated. To give stronger guarantees of voter privacy Kiayias and Yung [KY] introduced the concept of elections with perfect ballot secrecy. In this type of election scheme it is guaranteed that the only thing revealed about voters' choices is the result of the election, no matter how many parties are corrupt. Our first contribution is to suggest a simple voting scheme with perfect ballot secrecy that is more efficient than [KY]. Considering the question of achieving maximal privacy in other protocols, we look at anonymous broadcast. We suggest the notion of perfect message secrecy, meaning that nothing is revealed about who sent which message, no matter how many parties are corrupt. Our second contribution is an anonymous broadcast channel with perfect message secrecy built on top of a broadcast channel.
RSA Key Generation with Verifiable Randomness
In Public Key Cryptography 2002, LNCS 2274
, 2002
Cited by 7 (1 self)
Abstract
We consider the problem of proving that a user has selected and correctly employed a truly random seed in the generation of her RSA key pair. This task is related to the problem of key validation, the process whereby a user proves to another party that her key pair has been generated securely. The aim of key validation is to persuade the verifying party that the user has not intentionally weakened or reused her key or unintentionally made use of bad software. Previous approaches to this problem have been ad hoc, aiming to prove that a private key is secure against specific types of attacks, e.g., that an RSA modulus is resistant to elliptic-curve-based factoring attacks. This approach results in a rather unsatisfying laundry list of security tests for keys. We propose a new approach that we refer to as key generation with verifiable randomness (KEGVER). Our aim is to show in zero knowledge that a private key has been generated at random according to a prescribed process, and is therefore likely to benefit from the full strength of the underlying cryptosystem. Our proposal may be viewed as a kind of distributed key generation protocol involving the user and verifying party. Because the resulting private key is held solely by the user, however, we are able to propose a protocol much more practical than conventional distributed key generation. We focus here on a KEGVER protocol for RSA key generation. Key words: certificate authority, key generation, non-repudiation, public-key infrastructure, verifiable randomness, zero knowledge
Computation in Optimal Extension Fields
Conference on The Mathematics of Public Key Cryptography, The Fields Institute for Research in the Mathematical Sciences
, 2000
Cited by 5 (3 self)
Abstract
This thesis focuses on a class of Galois field used to achieve fast finite field arithmetic which we call Optimal Extension Fields (OEFs), first introduced in [BP98]. We extend this work by presenting an adaptation of Itoh and Tsujii's algorithm for finite field inversion applied to OEFs. In particular, we use the facts that the action of the Frobenius map in GF(p^m) can be computed with only m - 1 subfield multiplications and that inverses in GF(p) may be computed cheaply using known techniques. As a result, we show that one extension field inversion can be computed with a logarithmic number of extension field multiplications. In addition, we provide new variants of the Karatsuba-Ofman algorithm for extension field multiplication which give a performance increase. Further, we provide an OEF construction algorithm together with tables of Type I and Type II OEFs along with statistics on the number of pseudo-Mersenne primes and OEFs. We apply this new work to provide implementation r...
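The abstract states the two facts the inversion rests on (the Frobenius map costs m - 1 subfield multiplications, and a^{-1} reduces to a logarithmic number of extension field multiplications plus one subfield inversion). The following is an added worked example, not code from the thesis: a toy Type I OEF GF(p^m) with the assumed parameters p = 2^13 - 1 and m = 13, binomial modulus x^m - w, shift-based pseudo-Mersenne reduction in the subfield, the Frobenius map as a coefficient-wise scaling, and Itoh-Tsujii inversion driven by an addition chain on m - 1. Schoolbook multiplication is used; the thesis's Karatsuba-Ofman variants are not reproduced.

```python
"""Toy Optimal Extension Field with Itoh-Tsujii inversion (illustrative, not the thesis's code)."""

N_BITS, C = 13, 1                 # assumed pseudo-Mersenne subfield prime p = 2^13 - 1 = 8191
P = (1 << N_BITS) - C
M = 13                            # assumed extension degree m; m divides p - 1 = 8190
# For prime m with m | p-1, x^m - W is irreducible over GF(p) iff W is not an m-th power.
W = next(w for w in range(2, P) if pow(w, (P - 1) // M, P) != 1)
ZETA = pow(W, (P - 1) // M, P)    # x^p = x^(p-1) * x = (x^m)^((p-1)/m) * x = ZETA * x
ZETA_POWS = [pow(ZETA, j, P) for j in range(M)]
MASK = (1 << N_BITS) - 1


def reduce_p(x):
    """Reduce x >= 0 mod p = 2^n - c with shifts and adds: 2^n == c (mod p)."""
    while x >= (1 << N_BITS):
        x = (x >> N_BITS) * C + (x & MASK)
    return x - P if x >= P else x


def mul(a, b):
    """Schoolbook product of two elements (coefficient lists) reduced by x^m = W."""
    acc = [0] * (2 * M - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            acc[i + j] += ai * bj
    for k in range(2 * M - 2, M - 1, -1):
        acc[k - M] += W * acc[k]      # fold x^k = W * x^(k-m)
    return [reduce_p(c) for c in acc[:M]]


def frob(a):
    """a^p: coefficient j is scaled by ZETA^j, i.e. m - 1 subfield multiplications."""
    return [reduce_p(a[j] * ZETA_POWS[j]) for j in range(M)]


def frob_pow(a, i):
    for _ in range(i):
        a = frob(a)
    return a


def _chain(a, k):
    """Return (a^((p^k - 1)/(p - 1)), number of GF(p^m) multiplications used).

    Itoh-Tsujii addition chain: T(2k) = T(k) * Frob^k(T(k)) and T(k+1) = Frob(T(k)) * a,
    so T(m-1) costs O(log m) extension field multiplications.
    """
    if k == 1:
        return a, 0
    if k % 2 == 0:
        h, cnt = _chain(a, k // 2)
        return mul(h, frob_pow(h, k // 2)), cnt + 1
    h, cnt = _chain(a, k - 1)
    return mul(frob(h), a), cnt + 1


def inverse(a):
    """Itoh-Tsujii: a^-1 = a^(r-1) * (a^r)^-1 with r = (p^m - 1)/(p - 1); a^r lies in GF(p)."""
    if not any(a):
        raise ZeroDivisionError("zero has no inverse")
    t, cnt = _chain(a, M - 1)
    a_r_minus_1 = frob(t)                      # exponent p + p^2 + ... + p^(m-1) = r - 1
    norm = mul(a_r_minus_1, a)                 # a^r: a subfield element
    assert all(c == 0 for c in norm[1:]), "norm must lie in GF(p)"
    inv_norm = pow(norm[0], -1, P)             # the single, cheap GF(p) inversion
    return [reduce_p(c * inv_norm) for c in a_r_minus_1], cnt + 1


ONE = [1] + [0] * (M - 1)
SAMPLE = [(7 * i * i + 3 * i + 11) % P for i in range(M)]   # constructed test element


def check(a=SAMPLE):
    """Return (a * a^-1 == 1, extension field multiplications spent on the inversion)."""
    inv, cnt = inverse(a)
    return mul(a, inv) == ONE, cnt


if __name__ == "__main__":
    print(check())
```

With m = 13 the chain computes T(12) through T(2), T(3), T(6), T(12) in four multiplications, plus one to form a^r, against the eleven a naive product a^p * a^(p^2) * ... * a^(p^(m-1)) would need; the Frobenius applications are almost free because x^p is a scalar multiple of x in a binomial-modulus OEF.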
Generating Efficient Primes for Discrete Log Cryptosystems
Cited by 1 (1 self)
Abstract
This paper presents a method for generating prime moduli with a special form which can simplify the modular reduction process and reduce the storage requirement. Such moduli will be particularly useful for implementing discrete log cryptosystems under the environment with limited computing and storage resources. Keywords: Public key cryptosystems, Primality test, Discrete logarithm, Modular reduction.
1 Introduction
Most well known public key systems, such as Diffie-Hellman [4], ElGamal [6] and RSA [22], use modular arithmetic for big numbers. The recent advance in algorithms and technology forces us to use bigger and bigger key parameters in these systems to attain an adequate level of security [19]. Thus it has been a practical interest to devise various ways to enhance efficiency in the computation and communication complexity and the storage usage. Recently, variants of the ElGamal signature scheme have been standardized in U.S.A as digital signature standard (DSS) [17] and in Ru...
RFC 5054: Using the Secure Remote Password (SRP) Protocol for TLS Authentication
, 2007
Cited by 1 (0 self)
Abstract
This memo presents a technique for using the Secure Remote Password protocol as an authentication method for the Transport Layer Security protocol.
A Short Note on Girault's Self-Certified Model
, 2001
Cited by 1 (0 self)
Abstract
In this paper, we describe an important shortcoming of the first self-certified model proposed by Girault, that may be exploited by the authority to compute users' secret keys. We also propose to take additional precautions to make the attack ineffective.