On the Exact Security of Full Domain Hash
, 2000
Abstract

Cited by 143 (2 self)
The Full Domain Hash (FDH) scheme is an RSA-based signature scheme in which the message is hashed onto the full domain of the RSA function. The FDH scheme is provably secure in the random oracle model, assuming that inverting RSA is hard. In this paper we exhibit a slightly different proof which provides a tighter security reduction. This in turn improves the efficiency of the scheme since smaller RSA moduli can be used for the same level of security. The same method can be used to obtain a tighter security reduction for the Rabin signature scheme, the Paillier signature scheme, and the Gennaro-Halevi-Rabin signature scheme.
The gap problems: a new class of problems for the security of cryptographic schemes
 Proceedings of PKC 2001, volume 1992 of LNCS
, 1992
Abstract

Cited by 140 (11 self)
Abstract. This paper introduces a novel class of computational problems, the gap problems, which can be considered as a dual to the class of the decision problems. We show the relationship among inverting problems, decision problems and gap problems. These problems find a nice and rich practical instantiation with the Diffie-Hellman problems. Then, we see how the gap problems find natural applications in cryptography, namely for proving the security of very efficient schemes, but also for solving a more than 10-year-old open security problem: Chaum's undeniable signature.
The two faces of lattices in cryptology
 Cryptography and lattices conference  CaLC 2001
, 2001
Subexponential algorithms for Unique Games and related problems
 In 51st IEEE FOCS
, 2010
Abstract

Cited by 82 (7 self)
We give subexponential time approximation algorithms for the unique games and the small set expansion problems. Specifically, for some absolute constant c, we give: 1. An exp(k n^ε)-time algorithm that, given as input a k-alphabet unique game on n variables that has an assignment satisfying a 1 − ε^c fraction of its constraints, outputs an assignment satisfying a 1 − ε fraction of the constraints. 2. An exp(n^ε/δ)-time algorithm that, given as input an n-vertex regular graph that has a set S of δn vertices with edge expansion at most ε^c, outputs a set S′ of at most δn vertices with edge expansion at most ε. We also obtain a subexponential algorithm with improved approximation for the Multi-Cut problem, as well as subexponential algorithms with improved approximations to Max-Cut, Sparsest-Cut and Vertex Cover on some interesting subclasses of instances. Khot's Unique Games Conjecture (UGC) states that it is NP-hard to achieve approximation guarantees such as ours for unique games. While our results stop short of refuting the UGC, they do suggest that Unique Games is significantly easier than NP-hard problems such as 3SAT, 3LIN, Label Cover and more, that are believed not to have a subexponential algorithm achieving a nontrivial approximation ratio. The main component in our algorithms is a new result on graph decomposition that may have other applications. Namely we show that for every δ > 0 and a regular n-vertex graph G, by changing at most a δ fraction of G's edges, one can break G into disjoint parts so that the induced graph on each part has at most n^ε eigenvalues larger than 1 − η (where ε, η depend polynomially on δ). Our results are based on combining this decomposition with previous algorithms for unique games on graphs with few large eigenvalues (Kolla and Tulsiani 2007, Kolla 2010).
Lattice-based Cryptography
, 2008
Abstract

Cited by 67 (5 self)
In this chapter we describe some of the recent progress in lattice-based cryptography. Lattice-based cryptographic constructions hold a great promise for post-quantum cryptography, as they enjoy very strong security proofs based on worst-case hardness, relatively efficient implementations, as well as great simplicity. In addition, lattice-based cryptography is believed to be secure against quantum computers. Our focus here
Parallel Algorithms for Integer Factorisation
Abstract

Cited by 44 (17 self)
The problem of finding the prime factors of large composite numbers has always been of mathematical interest. With the advent of public key cryptosystems it is also of practical importance, because the security of some of these cryptosystems, such as the Rivest-Shamir-Adelman (RSA) system, depends on the difficulty of factoring the public keys. In recent years the best known integer factorisation algorithms have improved greatly, to the point where it is now easy to factor a 60-decimal digit number, and possible to factor numbers larger than 120 decimal digits, given the availability of enough computing power. We describe several algorithms, including the elliptic curve method (ECM), and the multiple-polynomial quadratic sieve (MPQS) algorithm, and discuss their parallel implementation. It turns out that some of the algorithms are very well suited to parallel implementation. Doubling the degree of parallelism (i.e. the amount of hardware devoted to the problem) roughly increases the size of a number which can be factored in a fixed time by 3 decimal digits. Some recent computational results are mentioned – for example, the complete factorisation of the 617-decimal digit Fermat number F11 = 2^(2^11) + 1 which was accomplished using ECM.
Lattice Reduction in Cryptology: An Update
 Lect. Notes in Comp. Sci
, 2000
Abstract

Cited by 44 (7 self)
Lattices are regular arrangements of points in space, whose study appeared in the 19th century in both number theory and crystallography.
Detecting Perfect Powers In Essentially Linear Time
 Math. Comp
, 1998
Abstract

Cited by 41 (11 self)
This paper (1) gives complete details of an algorithm to compute approximate k-th roots; (2) uses this in an algorithm that, given an integer n > 1, either writes n as a perfect power or proves that n is not a perfect power; (3) proves, using Loxton's theorem on multiple linear forms in logarithms, that this perfect-power decomposition algorithm runs in time (log n) .
Factorization of a 768-bit RSA modulus
, 2010
Abstract

Cited by 38 (13 self)
This paper reports on the factorization of the 768-bit number RSA-768 by the number field sieve factoring method and discusses some implications for RSA.