Results 1 to 10 of 45
Authenticated Multi-Party Key Agreement, 1996
Abstract

Cited by 68 (2 self)
We examine multi-party key agreement protocols that provide (i) key authentication, (ii) key confirmation and (iii) forward secrecy. Several minor (repairable) attacks are presented against previous two-party key agreement schemes and a model for key agreement is presented that provably provides the properties listed above. A generalization of the Burmester-Desmedt model (Eurocrypt '94) for multi-party key agreement is given, allowing a transformation of any two-party key agreement scheme into a multi-party scheme. Multi-party schemes (based on the general model and two specific 2-party schemes) are presented that reduce the number of rounds required for key computation compared to the specific Burmester-Desmedt scheme. It is also shown how the specific Burmester-Desmedt scheme fails to provide key authentication. 1991 AMS Classification: 94A60. CR Categories: D.4.6. Key Words: multi-party, key agreement, key authentication, key confirmation, forward secrecy. Carleton University, Sc...
A New Public-Key Cryptosystem, 1997
Abstract

Cited by 40 (5 self)
This paper describes a new public-key cryptosystem where the ciphertext is obtained by multiplying the public keys indexed by the message bits and the cleartext is recovered by factoring the ciphertext raised to a secret power.
Extended Password Key Exchange Protocols Immune to Dictionary Attack, 1997
Abstract

Cited by 38 (0 self)
Strong password methods verify even small passwords over a network without additional stored keys or certificates with the user, and without fear of network dictionary attack. We describe a new extension to further limit exposure to theft of a stored password-verifier, and apply it to several protocols including the Simple Password Exponential Key Exchange (SPEKE). Alice proves knowledge of a password C to Bob, who has a stored verifier S, where $S = g^C \bmod p$. They perform a SPEKE exchange based on the shared secret S to derive an ephemeral shared key $K_1$. Bob chooses a random X and sends $g^X \bmod p$. Alice computes $K_2 = g^{XC} \bmod p$, and proves knowledge of $\{K_1, K_2\}$. Bob verifies this result to confirm that Alice knows C. Implementation issues are summarized, showing the potential for improved performance over Bellovin & Merritt's comparably strong Augmented-Encrypted Key Exchange. These methods make the password a strong independent factor in authentication, and are suitable for both Internet and intranet use.
An improved pseudorandom generator based on discrete log
Journal of Cryptology, 2000
Abstract

Cited by 29 (2 self)
Abstract. Under the assumption that solving the discrete logarithm problem modulo an n-bit prime p is hard even when the exponent is a small c-bit number, we construct a new and improved pseudorandom bit generator. This new generator outputs n − c − 1 bits per exponentiation with a c-bit exponent. Using typical parameters, n = 1024 and c = 160, this yields roughly 860 pseudorandom bits per small exponentiation. Using an implementation with quite small precomputation tables, this yields a rate of more than 20 bits per modular multiplication, thus much faster than the squaring (BBS) generator with similar parameters.
The Diffie-Hellman Protocol
Designs, Codes and Cryptography, 1999
Abstract

Cited by 26 (0 self)
The 1976 seminal paper of Diffie and Hellman is a landmark in the history of cryptography. They introduced the fundamental concepts of a trapdoor one-way function, a public-key cryptosystem, and a digital signature scheme. Moreover, they presented a protocol, the so-called Diffie-Hellman protocol, allowing two parties who share no secret information initially to generate a mutual secret key. This paper summarizes the present knowledge on the security of this protocol.
Authentication and Key Agreement via Memorable Password, 2001
Abstract

Cited by 26 (6 self)
This paper presents a new password authentication and key agreement protocol called AMP in a provable manner. The intrinsic problem with password authentication is that a password, associated with each user, has low entropy, so that (1) the password is hard to transmit securely over an insecure channel and (2) the password file is hard to protect. Our solution to this complex problem is the amplified password proof idea along with the amplified password file. A party commits the high-entropy information and amplifies her password with that information in the amplified password proof. She never shows any information except that she knows it for her proof. Our amplified password proof idea is similar to the zero-knowledge proof in that sense. A server stores amplified verifiers in the amplified password file that is secure against a server file compromise and a dictionary attack. AMP mainly provides the password-verifier based authentication and the Diffie-Hellman based key agreement, securely and efficiently. AMP is simple and actually the most efficient protocol among the related protocols.
Minding Your P's and Q's
In Advances in Cryptology - ASIACRYPT'96, LNCS 1163, 1996
Abstract

Cited by 25 (3 self)
Over the last year or two, a large number of attacks have been found by the authors and others on protocols based on the discrete logarithm problem, such as ElGamal signature and Diffie-Hellman key exchange. These attacks depend on causing variables to assume values whose discrete logarithms can be calculated, whether by forcing a protocol exchange into a smooth subgroup or by choosing degenerate values directly. We survey these attacks and discuss how to build systems that are robust against them. In the process we elucidate a number of the design decisions behind the US Digital Signature Standard.
Design Validations for Discrete Logarithm Based Signature Schemes
In PKC '00, LNCS 1751, 2000
Abstract

Cited by 25 (3 self)
Abstract. A number of signature schemes and standards have been recently designed, based on the Discrete Logarithm problem. In this paper we conduct design validation of such schemes while trying to minimize the use of ideal hash functions. We consider several Discrete Logarithm (DSA-like) signatures abstracted as generic schemes. We show that the following holds: “if the schemes can be broken by an existential forgery using an adaptively chosen-message attack then either the discrete logarithm problem can be solved, or some hash function can be distinguished from an ideal one, or multicollisions can be found.” Thus, for these signature schemes, either they are equivalent to the discrete logarithm problem or there is an attack that takes advantage of properties which are not desired (or expected) in strong practical hash functions (SHA-1 or whichever high quality cryptographic hash function is used). What is interesting is that the schemes we discuss include KCDSA and slight variations of DSA. Further, since our schemes coincide with (or are extremely close to) their standard counterparts they benefit from their desired properties: efficiency of computation/space, employment of certain mathematical operations and wide applicability to various algebraic
Some baby-step giant-step algorithms for the low Hamming weight discrete logarithm problem
Mathematics of Computation
Abstract

Cited by 22 (3 self)
Abstract. In this paper, we present several baby-step giant-step algorithms for the low Hamming weight discrete logarithm problem. In this version of the discrete log problem, we are required to find a discrete logarithm in a finite group of order approximately $2^m$, given that the unknown logarithm has a specified number of 1's, say t, in its binary representation. Heiman and Odlyzko presented the first algorithms for this problem. Unpublished improvements by Coppersmith include a deterministic algorithm with complexity $O\left(m \binom{m/2}{t/2}\right)$, and a Las Vegas algorithm with complexity $O\left(\sqrt{t} \binom{m/2}{t/2}\right)$. We perform an average-case analysis of Coppersmith's deterministic algorithm. The average-case complexity achieves only a constant factor speed-up