Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations
In Advances in Cryptology, Eurocrypt'2000, LNCS 1807, 2000
Abstract
Cited by 140 (19 self)
Abstract. The security of many recently proposed cryptosystems is based on the difficulty of solving large systems of quadratic multivariate polynomial equations. This problem is NP-hard over any field. When the number of equations m is the same as the number of unknowns n, the best known algorithms are exhaustive search for small fields and a Gröbner base algorithm for large fields. Gröbner base algorithms have large exponential complexity and cannot solve in practice systems with n ≥ 15. Kipnis and Shamir [9] have recently introduced a new algorithm called "relinearization". The exact complexity of this algorithm is not known, but for sufficiently overdefined systems it was expected to run in polynomial time. In this paper we analyze the theoretical and practical aspects of relinearization. We ran a large number of experiments for various values of n and m, and analysed which systems of equations were actually solvable. We show that many of the equations generated by relinearization are linearly dependent, and thus relinearization is less efficient than one could expect. We then develop an improved algorithm called XL which is both simpler and more powerful than relinearization. For all 0 < ɛ ≤ 1/2 and m ≥ ɛn², XL and relinearization are expected to run in polynomial time of approximately n^{O(1/√ɛ)}. Moreover, we provide strong evidence that relinearization and XL can solve randomly generated systems of polynomial equations in subexponential time when m exceeds n by a number that increases slowly with n. Note: An extended version of this paper is available from the authors. Key words: NP-completeness, cryptography, multivariate cryptography, polynomial equations over finite fields, relinearization, Gröbner bases.
RSA-OAEP is Secure under the RSA Assumption
2002
Abstract
Cited by 128 (20 self)
Recently Victor Shoup noted that there is a gap in the widely-believed security result of OAEP against adaptive chosen-ciphertext attacks. Moreover, he showed that, presumably, OAEP cannot be proven secure from the one-wayness of the underlying trapdoor permutation. This paper establishes another result on the security of OAEP. It proves that OAEP offers semantic security against adaptive chosen-ciphertext attacks, in the random oracle model, under the partial-domain one-wayness of the underlying permutation. Therefore, this uses a formally stronger assumption. Nevertheless, since partial-domain one-wayness of the RSA function is equivalent to its (full-domain) one-wayness, it follows that the security of RSA-OAEP can actually be proven under the sole RSA assumption, although the reduction is not tight.
OAEP Reconsidered
Journal of Cryptology, 2000
Abstract
Cited by 96 (4 self)
The OAEP encryption scheme was introduced by Bellare and Rogaway at Eurocrypt '94, and is widely believed to be secure against adaptive chosen ciphertext attack. The main justification for this belief is a proof of security in the random oracle model. This paper shows conclusively that this justification is invalid. First, it observes that there appears to be a non-trivial gap in the proof. Second, it proves a theorem that essentially says that this gap cannot be filled using standard proof techniques of the type used in Bellare and Rogaway's paper, and elsewhere in the cryptographic literature. It should be stressed that these results do not imply that RSA-OAEP is insecure. They simply undermine the justification that no attacks are possible in general. In fact, we make the observation that RSA-OAEP with encryption exponent 3 actually is provably secure in the random oracle model, but the argument makes use of special properties of the RSA function. However, this should not necessarily be...
Low-exponent RSA with related messages
1996
Abstract
Cited by 78 (0 self)
Abstract. In this paper we present a new class of attacks against RSA with low encrypting exponent. The attacks enable the recovery of plaintext messages from their ciphertexts and a known polynomial relationship among the messages, provided that the ciphertexts were created using the same RSA public key with low encrypting exponent.
Another Look at "Provable Security"
2004
Abstract
Cited by 59 (12 self)
We give an informal analysis and critique of several typical "provable security" results. In some cases there are intuitive but convincing arguments for rejecting the conclusions suggested by the formal terminology and "proofs," whereas in other cases the formalism seems to be consistent with common sense. We discuss the reasons why the search for mathematically convincing theoretical evidence to support the security of public-key systems has been an important theme of researchers. But we argue that the theorem-proof paradigm of theoretical mathematics is often of limited relevance here and frequently leads to papers that are confusing and misleading. Because our paper is aimed at the general mathematical public, it is self-contained and as jargon-free as possible.
The shortest vector in a lattice is hard to approximate to within some constant
In Proc. 39th Symposium on Foundations of Computer Science, 1998
Abstract
Cited by 51 (4 self)
Abstract. We show that approximating the shortest vector problem (in any ℓp norm) to within any constant factor less than √2 is hard for NP under reverse unfaithful random reductions with inverse polynomial error probability. In particular, approximating the shortest vector problem is not in RP (random polynomial time), unless NP equals RP. We also prove a proper NP-hardness result (i.e., hardness under deterministic many-one reductions) under a reasonable number-theoretic conjecture on the distribution of square-free smooth numbers. As part of our proof, we give an alternative construction of Ajtai's constructive variant of Sauer's lemma that greatly simplifies Ajtai's original proof. Key words. NP-hardness, shortest vector problem, point lattices, geometry of numbers, sphere packing
Checking before Output May Not Be Enough against Fault-Based Cryptanalysis
2000
Abstract
Cited by 37 (2 self)
In order to avoid fault-based attacks on cryptographic security modules (e.g., smart cards), some authors suggest that the computation results should be checked for faults before being transmitted. In this paper, we describe a potential fault-based attack where key bits leak only through the information of whether, after a temporary fault, the device produces a correct answer or not. This information is available to the adversary even if a check is performed before output.
Extended Notions of Security for Multicast Public Key Cryptosystems
In Public Key Cryptosystems, ICALP 2000, LNCS 1853, 2000
Abstract
Cited by 29 (9 self)
In this paper we introduce two notions of security: multi-user indistinguishability and multi-user non-malleability. We believe that they encompass the correct requirements for public key encryption schemes in the context of multicast communications. A precise and non-trivial analysis proves that they are equivalent to the former single-user notions, provided the number of participants is polynomial. We also introduce a new definition for non-malleability which is simpler than those currently in use. We believe that our results are of practical significance: especially, they support the use of PKCS#1 v.2 based on OAEP in the multicast setting.
Paillier's Cryptosystem Revisited
In ACM Conference on Computer and Communications Security 2001, 2001
Abstract
Cited by 29 (4 self)
We re-examine Paillier's cryptosystem, and show that by choosing a particular discrete log base g, and by introducing an alternative decryption procedure, we can extend the scheme to allow an arbitrary exponent e instead of N. The use of low exponents substantially increases the efficiency of the scheme. The semantic security is now based on a new decisional assumption, namely the hardness of deciding whether an element is a "small" e-th residue modulo N². We also
Why Chosen Ciphertext Security Matters
1998
Abstract
Cited by 29 (2 self)
This article motivates the importance of public-key cryptosystems that are secure against chosen ciphertext attack, and of rigorous security proofs. It also discusses the new cryptosystem developed by Cramer and Shoup, and its relevance in this regard.