Results 1  10
of
14
The Decision DiffieHellman Problem
, 1998
"... The Decision DiffieHellman assumption (ddh) is a gold mine. It enables one to construct efficient cryptographic systems with strong security properties. In this paper we survey the recent applications of DDH as well as known results regarding its security. We describe some open problems in this are ..."
Abstract

Cited by 211 (6 self)
 Add to MetaCart
The Decision DiffieHellman assumption (ddh) is a gold mine. It enables one to construct efficient cryptographic systems with strong security properties. In this paper we survey the recent applications of DDH as well as known results regarding its security. We describe some open problems in this area. 1 Introduction An important goal of cryptography is to pin down the exact complexity assumptions used by cryptographic protocols. Consider the DiffieHellman key exchange protocol [12]: Alice and Bob fix a finite cyclic group G and a generator g. They respectively pick random a; b 2 [1; jGj] and exchange g a ; g b . The secret key is g ab . To totally break the protocol a passive eavesdropper, Eve, must compute the DiffieHellman function defined as: dh g (g a ; g b ) = g ab . We say that the group G satisfies the Computational DiffieHellman assumption (cdh) if no efficient algorithm can compute the function dh g (x; y) in G. Precise definitions are given in the next sectio...
Key Agreement Protocols and their Security Analysis
, 1997
"... This paper proposes new protocols for two goals: authenticated key agreement and authenticated key agreement with key confirmation in the asymmetric (publickey) setting. A formal ..."
Abstract

Cited by 144 (6 self)
 Add to MetaCart
This paper proposes new protocols for two goals: authenticated key agreement and authenticated key agreement with key confirmation in the asymmetric (publickey) setting. A formal
The gapproblems: a new class of problems for the security of cryptographic schemes
 Proceedings of PKC 2001, volume 1992 of LNCS
, 1992
"... Abstract. This paper introduces a novel class of computational problems, the gap problems, which can be considered as a dual to the class of the decision problems. We show the relationship among inverting problems, decision problems and gap problems. These problems find a nice and rich practical ins ..."
Abstract

Cited by 132 (11 self)
 Add to MetaCart
(Show Context)
Abstract. This paper introduces a novel class of computational problems, the gap problems, which can be considered as a dual to the class of the decision problems. We show the relationship among inverting problems, decision problems and gap problems. These problems find a nice and rich practical instantiation with the DiffieHellman problems. Then, we see how the gap problems find natural applications in cryptography, namely for proving the security of very efficient schemes, but also for solving a more than 10year old open security problem: the Chaum’s undeniable signature.
Using Hash Functions as a Hedge against Chosen Ciphertext Attack
, 2000
"... The cryptosystem recently proposed by Cramer and Shoup [5] is a practical public key cryptosystem that is secure against adaptive chosen ciphertext attack provided the Decisional DiffieHellman assumption is true. Although this is a reasonable intractability assumption, it would be preferable to bas ..."
Abstract

Cited by 70 (7 self)
 Add to MetaCart
(Show Context)
The cryptosystem recently proposed by Cramer and Shoup [5] is a practical public key cryptosystem that is secure against adaptive chosen ciphertext attack provided the Decisional DiffieHellman assumption is true. Although this is a reasonable intractability assumption, it would be preferable to base a security proof on a weaker assumption, such as the Computational DiffieHellman assumption. Indeed, this cryptosystem in its most basic form is in fact insecure if the Decisional DiffieHellman assumption is false. In this paper we present a practical hybrid scheme that is just as efficient as the scheme of of Cramer and Shoup; we prove that the scheme is secure if the Decisional DiffieHellman assumption is true; we give strong evidence that the scheme is secure if the weaker, Computational DiffieHellman assumption is true by providing a proof of security in the random oracle model.
ChosenCiphertext Security for any OneWay Cryptosystem
 In PKC ’00, LNCS 1751
, 2000
"... Abstract. For two years, public key encryption has become an essential topic in cryptography, namely with security against chosenciphertext attacks. This paper presents a generic technique to make a highly secure cryptosystem from any partially trapdoor oneway function, in the random oracle model. ..."
Abstract

Cited by 41 (12 self)
 Add to MetaCart
(Show Context)
Abstract. For two years, public key encryption has become an essential topic in cryptography, namely with security against chosenciphertext attacks. This paper presents a generic technique to make a highly secure cryptosystem from any partially trapdoor oneway function, in the random oracle model. More concretely, any suitable problem providing a oneway cryptosystem can be efficiently derived into a chosenciphertext secure encryption scheme. Indeed, the overhead only consists of two hashing and a XOR. As application, we provide the most efficient El Gamal encryption variant, therefore secure relative to the computational DiffieHellman problem. Furthermore, we present the first scheme whose security is relative to the factorization of large integers, with a perfect reduction (factorization is performed within the same time and with identical probability of success as the security break).
Variations of diffiehellman problem
 In ICICS ’03, volume 2836 of LNCS
, 2003
"... Abstract. This paper studies various computational and decisional DiffieHellman problems by providing reductions among them in the high granularity setting. We show that all three variations of computational DiffieHellman problem: square DiffieHellman problem, inverse DiffieHellman problem and d ..."
Abstract

Cited by 27 (1 self)
 Add to MetaCart
(Show Context)
Abstract. This paper studies various computational and decisional DiffieHellman problems by providing reductions among them in the high granularity setting. We show that all three variations of computational DiffieHellman problem: square DiffieHellman problem, inverse DiffieHellman problem and divisible DiffieHellman problem, are equivalent with optimal reduction. Also, we are considering variations of the decisional DiffieHellman problem in single sample and polynomial samples settings, and we are able to show that all variations are equivalent except for the argument DDH ⇐ SDDH. We are not able to prove or disprove this statement, thus leave an interesting open problem. Keywords: DiffieHellman problem, Square DiffieHellman problem, Inverse DiffieHellman problem, Divisible DiffieHellman problem
Secure Hashed DiffieHellman over NonDDH Groups
, 2004
"... We show that in applications that use the DiffieHellman (DH) transform but take care of hashing the DH output (as required, for example, for secure DHbased encryption and key exchange) the usual requirement to work over a DDH group (i.e., a group in which the Decisional DiffieHellman assumption h ..."
Abstract

Cited by 22 (3 self)
 Add to MetaCart
We show that in applications that use the DiffieHellman (DH) transform but take care of hashing the DH output (as required, for example, for secure DHbased encryption and key exchange) the usual requirement to work over a DDH group (i.e., a group in which the Decisional DiffieHellman assumption holds) can be relaxed to only requiring that the DH group contains a large enough DDH subgroup. In particular, this implies the security of (hashed) DiffieHellman over nonprime order groups such as Z*_p. Moreover, our results show that one can work directly p without requiring any knowledge of the prime factorization of p1 and without even having to find a generator of Z*_p. These results are obtained via a general characterization of DDH groups in terms of their DDH subgroups, and a relaxation (called tDDH) of the DDH assumption via computational entropy. We also show that, under the shortexponent discretelog assumption, the security of the hashed DiffieHellman transform is preserved when replacing full exponents with short exponents.
Assumptions Related to Discrete Logarithms: Why Subtleties Make a Real Difference
 Advances in CryptologyEurocrypt 2001, LNCS 2045
, 2002
"... The security of many cryptographic constructions relies on assumptions related to Discrete Logarithms (DL), e.g., the Di#eHellman, Square Exponent, Inverse Exponent or Representation Problem assumptions. In the concrete formalizations of these assumptions one has some degrees of freedom o#ered ..."
Abstract

Cited by 20 (2 self)
 Add to MetaCart
The security of many cryptographic constructions relies on assumptions related to Discrete Logarithms (DL), e.g., the Di#eHellman, Square Exponent, Inverse Exponent or Representation Problem assumptions. In the concrete formalizations of these assumptions one has some degrees of freedom o#ered by parameters such as computational model, problem type (computational, decisional) or success probability of adversary. However, these parameters and their impact are often not properly considered or are simply overlooked in the existing literature.
TwoPass Authenticated Key Agreement Protocol with Key Confirmation
 Proc. of Indocrypt 2000, LNCS
, 2000
"... This paper proposes three key agreement protocols that emphasize their security and performance. First, the twopass authenticated key agreement (AK) protocol is presented in the asymmetric setting, which is based on DieHellman key agreement working over an elliptic curve group and provides more de ..."
Abstract

Cited by 11 (2 self)
 Add to MetaCart
(Show Context)
This paper proposes three key agreement protocols that emphasize their security and performance. First, the twopass authenticated key agreement (AK) protocol is presented in the asymmetric setting, which is based on DieHellman key agreement working over an elliptic curve group and provides more desirable security attributes than the MTI/A0, twopass Unified Model and twopass MQV protocols. Other two protocols are modifications of this protocol: the threepass authenticated key agreement with key confirmation (AKC) protocol which uses message authentication code (MAC) algorithms for key confirmation, and the twopass authenticated key agreement protocol with unilateral key confirmation which uses the MAC and the signature.
Efficient pseudorandom generators based on the ddh assumption
 IN PKC 2007, VOLUME ???? OF LNCS
, 2007
"... A family of pseudorandom generators based on the decisional DiffieHellman assumption is proposed. The new construction is a modified and generalized version of the Dual Elliptic Curve generator proposed by Barker and Kelsey. Although the original Dual Elliptic Curve generator is shown to be insec ..."
Abstract

Cited by 7 (0 self)
 Add to MetaCart
(Show Context)
A family of pseudorandom generators based on the decisional DiffieHellman assumption is proposed. The new construction is a modified and generalized version of the Dual Elliptic Curve generator proposed by Barker and Kelsey. Although the original Dual Elliptic Curve generator is shown to be insecure, the modified version is provably secure and very efficient in comparison with the other pseudorandom generators based on discrete log assumptions. Our generator can be based on any group of prime order provided that an additional requirement is met (i.e., there exists an efficiently computable function that in some sense enumerates the elements of the group). Two specific instances are presented. The techniques used to design the instances, for example, the new probabilistic randomness extractor are of independent interest for other applications.