Results 1  10
of
20
An Efficient Protocol for Authenticated Key Agreement
 Designs, Codes and Cryptography
, 1998
"... This paper proposes a new and efficient twopass protocol for authenticated key agreement in the asymmetric (publickey) setting. The protocol is based on DiffieHellman key agreement and can be modified to work in an arbitrary finite group and, in particular, elliptic curve groups. Two modification ..."
Abstract

Cited by 113 (4 self)
 Add to MetaCart
This paper proposes a new and efficient twopass protocol for authenticated key agreement in the asymmetric (publickey) setting. The protocol is based on DiffieHellman key agreement and can be modified to work in an arbitrary finite group and, in particular, elliptic curve groups. Two modifications of this protocol are also presented: a onepass authenticated key agreement protocol suitable for environments where only one entity is online, and a threepass protocol in which key confirmation is additionally provided. The protocols are currently under consideration for standardization in ANSI X9.42 [2], ANSI X9.63 [4] and IEEE P1363 [18]. Keywords: DiffieHellman, authenticated key agreement, key confirmation, elliptic curves. An Efficient Protocol for Authenticated Key Agreement 1 1 Introduction Key establishment is the process by which two (or more) entities establish a shared secret key. The key is subsequently used to achieve some cryptographic goal such as confidentiality or d...
Authenticated Group Key Agreement and Friends
, 1998
"... Many modern computing environments involve dynamic peer groups. Distributed simulation, multiuser games, conferencing and replicated servers are just a few examples. Given the openness of today's networks, communication among group members must be secure and, at the same time, efficient. This paper ..."
Abstract

Cited by 87 (7 self)
 Add to MetaCart
Many modern computing environments involve dynamic peer groups. Distributed simulation, multiuser games, conferencing and replicated servers are just a few examples. Given the openness of today's networks, communication among group members must be secure and, at the same time, efficient. This paper studies the problem of authenticated key agreement in dynamic peer groups with the emphasis on efficient and provably secure key authentication, key confirmation and integrity. It begins by considering 2party authenticated key agreement and extends the results to Group DiffieHellman key agreement. In the process, some new security properties (unique to groups) are discussed. 1 Introduction This paper is concerned with security services in the context of dynamic peer groups (DPGs). Such groups are common in many network protocol layers and in many areas of modern computing and the solution to their security needs, in particular key management, are still open research challenges [19]. Exa...
A Key Recovery Attack on Discrete Logbased Schemes Using a Prime Order Subgroup
, 1997
"... Consider the wellknown oracle attack: Somehow one gets a certain computation result as a function of a secret key from the secret key owner and tries to extract some information on the secret key. This attacking scenario is well understood in the cryptographic community. However, there are many pro ..."
Abstract

Cited by 62 (2 self)
 Add to MetaCart
Consider the wellknown oracle attack: Somehow one gets a certain computation result as a function of a secret key from the secret key owner and tries to extract some information on the secret key. This attacking scenario is well understood in the cryptographic community. However, there are many protocols based on the discrete logarithm problem that turn out to leak many of the secret key bits from this oracle attack, unless suitable checkings are carried out. In this paper we present a key recovery attack on various discrete logbased schemes working in a prime order subgroup. Our attack can disclose part of, or the whole secret key in most DiffieHellmantype key exchange protocols and some applications of ElGamal encryption and signature schemes. Key Words : Key recovery attack, Discrete logarithms, Key exchange, Digital signatures. 1 Introduction Many cryptographic protocols have been developed based on the discrete logarithm problem. The main objective of developers is to design...
A New PublicKey Cryptosystem
, 1997
"... This paper describes a new publickey cryptosystem where the ciphertext is obtained by multiplying the publickeys indexed by the message bits and the cleartext is recovered by factoring the ciphertext raised to a secret power. ..."
Abstract

Cited by 40 (5 self)
 Add to MetaCart
This paper describes a new publickey cryptosystem where the ciphertext is obtained by multiplying the publickeys indexed by the message bits and the cleartext is recovered by factoring the ciphertext raised to a secret power.
Design Validations for Discrete Logarithm Based Signature Schemes
 In PKC ’00, LNCS 1751
, 2000
"... Abstract. A number of signature schemes and standards have been recently designed, based on the Discrete Logarithm problem. In this paper we conduct design validation of such schemes while trying to minimize the use of ideal hash functions. We consider several Discrete Logarithm (DSAlike) signature ..."
Abstract

Cited by 25 (3 self)
 Add to MetaCart
Abstract. A number of signature schemes and standards have been recently designed, based on the Discrete Logarithm problem. In this paper we conduct design validation of such schemes while trying to minimize the use of ideal hash functions. We consider several Discrete Logarithm (DSAlike) signatures abstracted as generic schemes. We show that the following holds: “if the schemes can be broken by an existential forgery using an adaptively chosenmessage attack then either the discrete logarithm problem can be solved, or some hash function can be distinguished from an ideal one, or multicollisions can be found. ” Thus, for these signature schemes, either they are equivalent to the discrete logarithm problem or there is an attack that takes advantage of properties which are not desired (or expected) in strong practical hash functions (SHA1 or whichever high quality cryptographic hash function is used). What is interesting is that the schemes we discuss include KCDSA and slight variations of DSA. Further, since our schemes coincide with (or are extremely close to) their standard counterparts they benefit from their desired properties: efficiency of computation/space, employment of certain mathematical operations and wide applicability to various algebraic
Why Textbook ElGamal and RSA Encryption are Insecure (Extended Abstract)
, 2000
"... We present an attack on plain ElGamal and plain RSA encryption. The attack shows that without proper preprocessing of the plaintexts, both ElGamal and RSA encryption are fundamentally insecure. Namely, when one uses these systems to encrypt a (short) secret key of a symmetric cipher it is often poss ..."
Abstract

Cited by 23 (4 self)
 Add to MetaCart
We present an attack on plain ElGamal and plain RSA encryption. The attack shows that without proper preprocessing of the plaintexts, both ElGamal and RSA encryption are fundamentally insecure. Namely, when one uses these systems to encrypt a (short) secret key of a symmetric cipher it is often possible to recover the secret key from the ciphertext. Our results demonstrate that preprocessing messages prior to encryption is an essential part of both systems.
An Efficient Secure Authenticated Group Key Exchange Algorithm for Large and Dynamic Groups
 IN PROC. 23 RD NATIONAL INFORMATION SYSTEMS SECURITY CONFERENCE
, 2000
"... We present a new secure authenticated group key exchange algorithm for large groups. The protocol ..."
Abstract

Cited by 12 (5 self)
 Add to MetaCart
We present a new secure authenticated group key exchange algorithm for large groups. The protocol
Fundamental Elliptic Curve Cryptography Algorithms
, 2011
"... This note describes the fundamental algorithms of Elliptic Curve Cryptography (ECC) as they were defined in some seminal references from 1994 and earlier. These descriptions may be useful for implementing the fundamental algorithms without using any of the specialized methods that were developed in ..."
Abstract

Cited by 11 (0 self)
 Add to MetaCart
This note describes the fundamental algorithms of Elliptic Curve Cryptography (ECC) as they were defined in some seminal references from 1994 and earlier. These descriptions may be useful for implementing the fundamental algorithms without using any of the specialized methods that were developed in following years. Only elliptic curves defined over fields of characteristic greater than three are in scope; these curves are those used in Suite B. Status of This Memo This document is not an Internet Standards Track specification; it is published for informational purposes. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at
Probing Attacks on TamperResistant Devices
, 1999
"... This paper describes a new type of attack on tamperresistant cryptographic hardware. We show that by locally observing the value of a few RAM or adress bus bits (possibly a single one) during the execution of a cryptographic algorithm, typically by the mean of a probe (needle), an attacker coul ..."
Abstract

Cited by 10 (0 self)
 Add to MetaCart
This paper describes a new type of attack on tamperresistant cryptographic hardware. We show that by locally observing the value of a few RAM or adress bus bits (possibly a single one) during the execution of a cryptographic algorithm, typically by the mean of a probe (needle), an attacker could easily recover information on the secret key being used; our attacks apply to publickey cryptosystems such as RSA or El Gamal, as well as to secretkey encryption schemes including DES and RC5.
A formal model of DiffieHellman using CSP and rank functions
, 2003
"... Formal analysis techniques have proved successful in finding flaws in security protocols. Such techniques typically assume the presence of perfect encryption, an assumption that is clearly not true in practice. When we aim to prove the correctness of a protocol, we must be more careful in assuming b ..."
Abstract

Cited by 5 (1 self)
 Add to MetaCart
Formal analysis techniques have proved successful in finding flaws in security protocols. Such techniques typically assume the presence of perfect encryption, an assumption that is clearly not true in practice. When we aim to prove the correctness of a protocol, we must be more careful in assuming bounds on the capabilities of the intruder: a real intruder can, and will, exploit properties of the underlying cryptosystem. The DiffieHellman key agreement scheme exhibits a rich set of algebraic properties, and this report suggests how the existing CSP approach can be extended to incorporate these properties in a rank function verification. The utility of the approach is established by performing an analysis of a key agreement protocol from the CLIQUES suite.