Results 1 - 10 of 15
The Two Faces of Lattices in Cryptology
, 2001
"... Lattices are regular arrangements of points in ndimensional space, whose study appeared in the 19th century in both number theory and crystallography. Since the appearance of the celebrated LenstraLenstra Lov'asz lattice basis reduction algorithm twenty years ago, lattices have had surprising ..."
Abstract

Cited by 67 (16 self)
Lattices are regular arrangements of points in n-dimensional space, whose study appeared in the 19th century in both number theory and crystallography. Since the appearance of the celebrated Lenstra-Lenstra-Lovász lattice basis reduction algorithm twenty years ago, lattices have had surprising applications in cryptology. Until recently, the applications of lattices to cryptology were only negative, as lattices were used to break various cryptographic schemes. Paradoxically, several positive cryptographic applications of lattices have emerged in the past five years: there now exist public-key cryptosystems based on the hardness of lattice problems, and lattices play a crucial role in a few security proofs.
Lattice Reduction in Cryptology: An Update
 Lect. Notes in Comp. Sci
, 2000
"... Lattices are regular arrangements of points in space, whose study appeared in the 19th century in both number theory and crystallography. ..."
Abstract

Cited by 36 (7 self)
Lattices are regular arrangements of points in space, whose study appeared in the 19th century in both number theory and crystallography.
How to Securely Outsource Cryptographic Computations
In Theory of Cryptography (2005)
"... Abstract. We address the problem of using untrusted (potentially malicious) cryptographic helpers. We provide a formal security definition for securely outsourcing computations from a computationally limited device to an untrusted helper. In our model, the adversarial environment writes the software ..."
Abstract

Cited by 25 (0 self)
We address the problem of using untrusted (potentially malicious) cryptographic helpers. We provide a formal security definition for securely outsourcing computations from a computationally limited device to an untrusted helper. In our model, the adversarial environment writes the software for the helper, but then does not have direct communication with it once the device starts relying on it. In addition to security, we also provide a framework for quantifying the efficiency and checkability of an outsourcing implementation. We present two practical outsource-secure schemes. Specifically, we show how to securely outsource modular exponentiation, which presents the computational bottleneck in most public-key cryptography on computationally limited devices. Without outsourcing, a device would need $O(n)$ modular multiplications to carry out modular exponentiation for $n$-bit exponents. The load reduces to $O(\log^2 n)$ for any exponentiation-based scheme where the honest device may use two untrusted exponentiation programs; we highlight the Cramer-Shoup cryptosystem [13] and Schnorr signatures [28] as examples. With a relaxed notion of security, we achieve the same load reduction for a new CCA2-secure encryption scheme using only one untrusted Cramer-Shoup encryption program.
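To make the checkability notion in that abstract concrete, here is an added example (not code from the paper) of a limited device that hides its real exponentiation query among known-answer test queries sent to an untrusted helper, and of how often a cheating helper slips through. It demonstrates only the checking side of the model: the paper's schemes additionally hide the base and exponent from the helper and split the work across two programs, which this example does not do. The Schnorr-style group (p = 1019, q = 509, g = 4), the offline table of known answers and the cheating helper are constructed assumptions.

```python
"""Checkability of an untrusted exponentiation helper (added example).

Illustrates only the *checkability* side of the outsourcing model: a limited
device catches a helper that returns wrong answers. It is not the paper's
outsource-secure algorithm, which additionally hides the inputs from the
helper. Group parameters are constructed toy values (assumption).
"""
import random

# Constructed toy Schnorr group: p = 2q + 1, q prime, g of prime order q.
P, Q, G = 1019, 509, 4


def honest_helper(u, a):
    """Untrusted program that happens to compute u^a mod p correctly."""
    return pow(u, a, P)


def cheating_helper(rate, rng):
    """Helper that returns a wrong but well-formed group element with
    probability `rate` on each query (multiplying by g never yields u^a)."""
    def helper(u, a):
        ans = pow(u, a, P)
        return ans * G % P if rng.random() < rate else ans
    return helper


def offline_table(size, rng):
    """Known-answer triples (u, a, u^a) with the same shape as real queries.
    Assumption: computed once at setup on a trusted machine, not on the
    limited device."""
    table = []
    for _ in range(size):
        u = pow(G, rng.randrange(1, Q), P)
        a = rng.randrange(1, Q)
        table.append((u, a, pow(u, a, P)))
    return table


def outsource_exp(u, a, helper, table, t, rng):
    """Ask `helper` for u^a mod p, hidden among t known-answer test queries.

    The batch is shuffled, so the helper cannot tell which query is real.
    Returns the answer, or None if any test answer is wrong. Online, the
    device does t comparisons and no modular multiplication.
    """
    batch = [(u, a, None)] + rng.sample(table, t)
    rng.shuffle(batch)
    result = None
    for bu, ba, expected in batch:
        got = helper(bu, ba)
        if expected is None:
            result = got
        elif got != expected:
            return None
    return result


def experiment(rate, t, trials=2000, seed=1):
    """Outcome counts for a helper cheating with probability `rate` when t
    test queries are mixed in. An undetected wrong answer needs the helper to
    corrupt the real query and none of the t tests: about rate*(1-rate)^t."""
    rng = random.Random(seed)
    table = offline_table(64, rng)
    helper = cheating_helper(rate, rng)
    caught = wrong = correct = 0
    for _ in range(trials):
        u = pow(G, rng.randrange(1, Q), P)
        a = rng.randrange(1, Q)
        got = outsource_exp(u, a, helper, table, t, rng)
        if got is None:
            caught += 1
        elif got == pow(u, a, P):
            correct += 1
        else:
            wrong += 1
    return {"caught": caught, "wrong_undetected": wrong, "correct": correct}


if __name__ == "__main__":
    for t in (0, 2, 10):
        print(t, experiment(0.5, t))
```

With no test queries, a helper that lies half the time gets a wrong answer accepted about half the time; with ten test queries per real one, it is caught in almost every batch and an undetected wrong answer becomes a roughly one-in-two-thousand event. The table must be large relative to the number of outsourced operations, or the helper learns to recognise repeated test queries; that is the practical cost the abstract's checkability measure quantifies.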
New Public Key Cryptosystems based on the Dependent-RSA Problems
, 1999
"... . Since the DieHellman paper, asymmetric encryption has been a very important topic, and furthermore ever well studied. However, between the eciency of RSA and the security of some less ecient schemes, no tradeo has ever been provided. In this paper, we propose better than a tradeo: indeed, we ..."
Abstract

Cited by 24 (6 self)
Since the Diffie-Hellman paper, asymmetric encryption has been a very important topic, and furthermore very well studied. However, between the efficiency of RSA and the security of some less efficient schemes, no trade-off has ever been provided. In this paper, we propose better than a trade-off: indeed, we first present a new problem, derived from the RSA assumption, the "Dependent-RSA Problem". A careful study of its difficulty is performed and some variants are proposed, namely the "Decisional Dependent-RSA Problem". They are next used to provide new encryption schemes which are both secure and efficient. More precisely, the main scheme is proven semantically secure in the standard model. Then, two variants are derived with improved security properties, namely against adaptive chosen-ciphertext attacks, in the random oracle model. Furthermore, all those schemes are more or less as efficient as the original RSA encryption scheme and reach semantic security. Keywords: Public-Key Encryption, ...
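The Dependent-RSA problem that this scheme rests on, as recalled from the paper: given $n$, $e$ and $\alpha = k^e \bmod n$ for an unknown random $k$, compute $(k+1)^e \bmod n$. The following added example (not the paper's code) implements an encryption scheme of exactly that shape, publishing $A = k^e$ and masking the message as $B = m \cdot (k+1)^e \bmod n$, so that reading $m$ from $(A, B)$ without the trapdoor is the Dependent-RSA problem. It also shows the multiplicative malleability of the basic scheme, which is why chosen-ciphertext security needs the paper's variants. The two Mersenne primes and $e = 65537$ are constructed toy parameters (assumption), far too small for real use.

```python
"""Toy Dependent-RSA encryption (added example, not the paper's code).

Dependent-RSA problem: given n, e and alpha = k^e mod n for unknown random k,
compute (k+1)^e mod n. The scheme publishes A = k^e and masks the message as
B = m * (k+1)^e mod n, so reading m from (A, B) without the trapdoor is that
problem. Primes are fixed toy values (assumption), far too small for real use.
"""
import math
import random

# Constructed toy parameters: two Mersenne primes and e = 2^16 + 1.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
assert math.gcd(E, PHI) == 1
D = pow(E, -1, PHI)          # private exponent (Python 3.8+ modular inverse)


def encrypt(m, rng):
    """Pick k with k and k+1 units mod n; return (A, B) = (k^e, m*(k+1)^e) mod n."""
    if not 1 <= m < N:
        raise ValueError("message must be in [1, n)")
    while True:
        k = rng.randrange(2, N - 1)
        if math.gcd(k, N) == 1 and math.gcd(k + 1, N) == 1:
            break
    return pow(k, E, N), m * pow(k + 1, E, N) % N


def decrypt(A, B):
    """Trapdoor holder: k = A^d mod n, then m = B * ((k+1)^e)^-1 mod n."""
    k = pow(A, D, N)
    return B * pow(pow(k + 1, E, N), -1, N) % N


def dependent_rsa_with_trapdoor(alpha):
    """The Dependent-RSA challenge answered with d: (k+1)^e from alpha = k^e.
    Without d this is the problem the scheme's security rests on."""
    return pow(pow(alpha, D, N) + 1, E, N)


def malleate(A, B, c):
    """Anyone can turn an encryption of m into one of c*m without knowing m:
    the basic scheme is semantically secure but not chosen-ciphertext secure."""
    return A, c * B % N


def roundtrip(m, seed=7):
    """Encrypt, decrypt, solve the DRSA instance with the trapdoor, and malleate."""
    rng = random.Random(seed)
    A, B = encrypt(m, rng)
    A2, B2 = encrypt(m, rng)
    return {
        "decrypted": decrypt(A, B),
        "mask_matches": dependent_rsa_with_trapdoor(A) == B * pow(m, -1, N) % N,
        "randomized": (A, B) != (A2, B2),
        "malleated_decrypts_to": decrypt(*malleate(A, B, 3)),
    }


if __name__ == "__main__":
    print(roundtrip(123456789))
```

Encryption costs two RSA exponentiations with the public exponent and decryption one private exponentiation plus a public one, which is the "more or less as efficient as RSA" claim of the abstract in concrete terms.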
The Hardness of the Hidden Subset Sum Problem and its Cryptographic Implications
 IN PROC. OF CRYPTO '99, VOLUME 1666 OF LNCS
, 1999
"... At Eurocrypt'98, Boyko, Peinado and Venkatesan presented simple and very fast methods for generating randomly distributed pairs of the form (x; g x mod p) using precomputation. The security of these methods relied on the potential hardness of a new problem, the socalled hidden subset sum prob ..."
Abstract

Cited by 12 (4 self)
At Eurocrypt'98, Boyko, Peinado and Venkatesan presented simple and very fast methods for generating randomly distributed pairs of the form $(x, g^x \bmod p)$ using precomputation. The security of these methods relied on the potential hardness of a new problem, the so-called hidden subset sum problem. Surprisingly, apart from exhaustive search, no algorithm to solve this problem was known. In this paper, we exhibit a security criterion for the hidden subset sum problem, and discuss its implications on the practicability of the precomputation schemes. Our results are twofold. On the one hand, we present an efficient lattice-based attack which is expected to succeed if and only if the parameters satisfy a particular condition that we make explicit. Experiments have validated the theoretical analysis, and show the limitations of the precomputation methods. For instance, any realistic smartcard implementation of Schnorr's identification scheme using these precomputation meth...
Distribution Of Modular Sums And The Security Of The Server Aided Exponentiation
, 2000
"... We obtain some uniformity of distribution results for the values of modular sums of the form a j x j (mod M) (x 1 ; : : : ; x n ) 2 B where M 1 is an integer, a 1 ; : : : ; a n are elements of the residue ring modulo M , selected unformly at random, and B is an arbitrary set of ndimension ..."
Abstract

Cited by 9 (2 self)
We obtain some uniformity of distribution results for the values of modular sums of the form $\sum_{j=1}^{n} a_j x_j \pmod M$, $(x_1, \dots, x_n) \in B$, where $M \ge 1$ is an integer, $a_1, \dots, a_n$ are elements of the residue ring modulo $M$ selected uniformly at random, and $B$ is an arbitrary set of $n$-dimensional integer vectors. In some partial cases, for very special sets $B$, some results of this kind have been known; however, our estimates are more precise and more general. Our technique is based on fairly simple properties of exponential sums. We also give cryptographic applications of some of these results. In particular, we consider an extension of a pseudorandom number generator due to V. Boyko, M. Peinado and R. Venkatesan, and establish the security of some discrete logarithm based signature schemes making use of this generator (in both its original and extended forms). One of these schemes, which uses precomputation, is well known. The other scheme, which uses server-aided computation, seems to be new. We show that for a certain choice of parameters one can guarantee an essential speedup of both of these schemes without compromising the security (compared to the traditional discrete logarithm based signature scheme).
Fast Generation of Pairs (k, [k]P) for Koblitz Elliptic Curves
, 2001
"... We propose a method for increasing the speed of scalar multiplication on binary anomalous (Koblitz) elliptic curves. By introducing a generator which produces random pairs (k, [k]P ) of special shape, we exhibit a specific setting where the number of elliptic curve operations is reduced by 25% t ..."
Abstract

Cited by 5 (0 self)
We propose a method for increasing the speed of scalar multiplication on binary anomalous (Koblitz) elliptic curves. By introducing a generator which produces random pairs (k, [k]P) of special shape, we exhibit a specific setting where the number of elliptic curve operations is reduced by 25% to 50% compared with the general case when k is chosen uniformly. This generator can be used when an ephemeral pair (k, [k]P) is needed by a cryptographic algorithm, and especially for Elliptic Curve Diffie-Hellman key exchange, ECDSA signature and ElGamal encryption.
HD-RSA: Hybrid Dependent-RSA, a New Public-Key Encryption Scheme
, 1999
"... . This paper describes a new hybrid RSAbased publickey encryption scheme, the HDRSA. It relies on the recently proposed DependentRSA problem, which can be proven as difficult as the original RSA problem, in some circumstances. The basic scheme, using the "onetime pad" symmetric encryption, ..."
Abstract

Cited by 4 (3 self)
This paper describes a new hybrid RSA-based public-key encryption scheme, the HD-RSA. It relies on the recently proposed Dependent-RSA problem, which can be proven as difficult as the original RSA problem, in some circumstances. The basic scheme, using the "one-time pad" symmetric encryption, provides a scheme that is both very efficient and secure relative to the sole Dependent-RSA problem. A more general proposal, by integrating symmetric encryption schemes, allows much higher rates under a very weak assumption about the symmetric scheme used. The general scheme is first presented together with a careful study of its security relative to the Dependent-RSA problem. Then, the hardness of this new problem is discussed, namely by proving its equivalence with RSA, for well-chosen exponents. Therefore, it results that this new encryption scheme is semantically secure against any kind of attacks, namely non-adaptive and even adaptive chosen-ciphertext ones. Moreover, with a similar security as OAEP-RSA (PKCS #1 v2.0), this scheme can reach higher speed rates. Furthermore, if one compares it with the DHAES or EPOC (two other IEEE P1363a candidates for encryption), efficiency gets many times better. Keywords: Public-Key Encryption, Hybrid Scheme, Semantic Security, Chosen-Ciphertext Attacks, Integer Factoring, the Dependent-RSA Problem. Author: David Pointcheval.
On the security of Lenstra’s variant of DSA without long inversions
In K. Kim (Ed.), Public Key Cryptography – PKC 2001 (LNCS)
, 2001
"... Abstract. We use bounds of exponential sums to show that for a wide class of parameters the modification of the DSA signature scheme proposed by A. K. Lenstra at Asiacrypt’96 is as secure as the original scheme. 1 ..."
Abstract

Cited by 2 (0 self)
We use bounds of exponential sums to show that for a wide class of parameters the modification of the DSA signature scheme proposed by A. K. Lenstra at Asiacrypt'96 is as secure as the original scheme.
On the uniformity of distribution of the RSA pairs
 Math. Comp
"... Abstract. Let m = pl be a product of two distinct primes p and l. Weshow that for almost all exponents e with gcd(e, ϕ(m)) = 1 the RSA pairs (x, xe) are uniformly distributed modulo m when x runs through • the group of units Z ∗ m modulo m (that is, as in the classical RSA scheme); • the set of kp ..."
Abstract

Cited by 2 (1 self)
Let $m = pl$ be a product of two distinct primes $p$ and $l$. We show that for almost all exponents $e$ with $\gcd(e, \varphi(m)) = 1$ the RSA pairs $(x, x^e)$ are uniformly distributed modulo $m$ when $x$ runs through
• the group of units $\mathbb{Z}_m^*$ modulo $m$ (that is, as in the classical RSA scheme);
• the set of $k$-products $x = a_{i_1} \cdots a_{i_k}$, $1 \le i_1 < \cdots < i_k \le n$, where $a_1, \dots, a_n \in \mathbb{Z}_m^*$ are selected at random (that is, as in the recently introduced RSA scheme with precomputation).
These results are based on some new bounds of exponential sums.
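The precomputation generators analysed in three of the abstracts above (the Boyko-Peinado-Venkatesan pairs $(x, g^x \bmod p)$ whose security is the hidden subset sum problem, the modular-sum uniformity results, and the $k$-product RSA pairs $(x, x^e \bmod m)$ of this abstract) share one shape: an offline table of $n$ pairs, and an online step that combines a random $k$-subset of the table using only multiplications. The following added example (not the papers' code) implements both generators side by side and exposes what an observer of the BPV outputs sees, which is an instance of the hidden subset sum problem. The Schnorr-style group (p = 1019, q = 509, g = 4) and the toy RSA modulus are constructed assumptions.

```python
"""Pair generators by precomputation (added example, not the papers' code).

  * BPV: precompute (x_j, g^x_j mod p); a fresh pair (x, g^x) is the sum of a
    random k-subset of the x_j mod q paired with the product of the matching
    g^x_j mod p.
  * RSA with precomputation: precompute (a_j, a_j^e mod m); a fresh pair
    (x, x^e) is the product of a random k-subset of the a_j paired with the
    product of the matching a_j^e.
All parameters below are constructed toy values (assumption).
"""
import math
import random

# Constructed toy Schnorr group: p = 2q + 1, q prime, g of prime order q.
P, Q, G = 1019, 509, 4
# Constructed toy RSA modulus: product of two Mersenne primes, e = 2^16 + 1.
M, E = (2**127 - 1) * (2**89 - 1), 65537


def bpv_table(n, rng):
    """Offline: n random exponents and their powers, n exponentiations total."""
    xs = [rng.randrange(1, Q) for _ in range(n)]
    return [(x, pow(G, x, P)) for x in xs]


def bpv_pair(table, k, rng):
    """Online: x = sum of k chosen x_j mod q, g^x = product of the chosen g^x_j.
    Costs k-1 multiplications mod p and no exponentiation."""
    chosen = rng.sample(table, k)
    x = sum(xj for xj, _ in chosen) % Q
    gx = 1
    for _, gxj in chosen:
        gx = gx * gxj % P
    return x, gx


def rsa_table(n, rng):
    """Offline: n random units a_j mod m and their e-th powers."""
    bases = []
    while len(bases) < n:
        a = rng.randrange(2, M - 1)
        if math.gcd(a, M) == 1:
            bases.append(a)
    return [(a, pow(a, E, M)) for a in bases]


def rsa_pair(table, k, rng):
    """Online: x = product of k chosen a_j mod m, x^e = product of the chosen a_j^e.
    Costs 2(k-1) multiplications mod m and no exponentiation."""
    chosen = rng.sample(table, k)
    x = xe = 1
    for a, ae in chosen:
        x = x * a % M
        xe = xe * ae % M
    return x, xe


def hidden_subset_sum_view(table, k, count, rng):
    """What an observer of `count` BPV outputs sees: values b_i, each the sum
    mod q of an unknown k-subset of the hidden x_j. Recovering the x_j (or the
    subsets) from the b_i alone is the hidden subset sum problem; the table
    entries themselves never leave the device."""
    return [bpv_pair(table, k, rng)[0] for _ in range(count)]


def demo(n=32, k=8, seed=11):
    """Generate one pair of each kind and check it against a real exponentiation."""
    rng = random.Random(seed)
    bpv = bpv_table(n, rng)
    x, gx = bpv_pair(bpv, k, rng)
    y, ye = rsa_pair(rsa_table(n, rng), k, rng)
    return {
        "bpv_ok": pow(G, x, P) == gx,
        "rsa_ok": pow(y, E, M) == ye,
        "bpv_pair": (x, gx),
        "rsa_pair": (y, ye),
        "observed_sums": hidden_subset_sum_view(bpv, k, 5, rng),
    }


if __name__ == "__main__":
    print(demo())
```

The saving is the point: a BPV pair costs $k-1$ multiplications instead of a full exponentiation, and the RSA pair $2(k-1)$ multiplications instead of an exponentiation by $e$. The price is that the online pairs are no longer uniform but subset sums (or products) of a fixed secret table; the uniformity bounds and the lattice attack in the abstracts above are exactly about how large $n$ and $k$ must be before that structure is harmless, which a toy table of 32 entries does not satisfy.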