An Improvement to the Gaudry-Schost Algorithm for Multidimensional Discrete Logarithm Problems
Cited by 7 (3 self)
Abstract. Gaudry and Schost gave a low-memory algorithm for solving the 2-dimensional discrete logarithm problem. We present an improvement to their algorithm and extend this improvement to the general multidimensional DLP. An important component of the algorithm is a multidimensional pseudorandom walk which we analyse thoroughly in the 1- and 2-dimensional cases as well as giving some discussion for higher dimensions.
Déjà Q: Using Dual Systems to Revisit q-Type Assumptions
Cited by 6 (0 self)
After more than a decade of usage, bilinear groups have established their place in the cryptographic canon by enabling the construction of many advanced cryptographic primitives. Unfortunately, this explosion in functionality has been accompanied by an analogous growth in the complexity of the assumptions used to prove security. Many of these assumptions have been gathered under the umbrella of the “uber-assumption,” yet certain classes of these assumptions — namely, q-type assumptions — are stronger and require larger parameter sizes than their static counterparts. In this paper, we show that in certain bilinear groups, many classes of q-type assumptions are in fact implied by subgroup hiding (a well-established, static assumption). Our main tool in this endeavor is the dual-system technique, as introduced by Waters in 2009. As a case study, we first show that in composite-order groups, we can prove the security of the Dodis-Yampolskiy PRF based solely on subgroup hiding and allow for a domain of arbitrary size (the original proof only allowed a logarithmically-sized domain). We then turn our attention to classes of q-type assumptions and show that they are implied — when instantiated in appropriate groups — solely by subgroup hiding. These classes are quite general and include assumptions such as q-SDH. Concretely, our result implies that every construction relying on such assumptions for security (e.g., Boneh-Boyen signatures) can, when instantiated in appropriate composite-order bilinear groups, be proved secure under subgroup hiding instead.
Using Equivalence Classes to Accelerate Solving the Discrete Logarithm Problem in a Short Interval
In P. Q. Nguyen and D. Pointcheval (eds.), PKC 2010, Springer LNCS 6056, 2010
Cited by 6 (2 self)
The Pollard kangaroo method solves the discrete logarithm problem (DLP) in an interval of size N with heuristic average case expected running time approximately 2√N group operations. A recent variant of the kangaroo method, requiring one or two inversions in the group, solves the problem in approximately 1.71√N group operations. It is well-known that the Pollard rho method can be sped-up by using equivalence classes (such as orbits of points under an efficiently computed group homomorphism), but such ideas have not been used for the DLP in an interval. Indeed, it seems impossible to implement the standard kangaroo method with equivalence classes. The main result of the paper is to give an algorithm, building on work of Gaudry and Schost, to solve the DLP in an interval of size N with heuristic average case expected running time of close to 1.36√N group operations for groups with fast inversion. In practice the algorithm is not quite this fast, due to problems with pseudorandom walks going outside the boundaries of the search space, and due to the overhead of handling fruitless cycles. We present some experimental results. This is the full version (with some minor corrections and updates) of the paper which was published in P. Q. Nguyen and D. Pointcheval (eds.),
Computing Discrete Logarithms in an Interval, 2012
Cited by 5 (0 self)
The discrete logarithm problem in an interval of size N in a group G is: Given g, h ∈ G and an integer N, find an integer 0 ≤ n ≤ N, if it exists, such that h = g^n. Previously the best low-storage algorithm to solve this problem was the van Oorschot and Wiener version of the Pollard kangaroo method. The heuristic average case running time of this method is (2 + o(1))√N group operations. We present two new low-storage algorithms for the discrete logarithm problem in an interval of size N. The first algorithm is based on the Pollard kangaroo method, but uses 4 kangaroos instead of the usual two. We explain why this algorithm has heuristic average case expected running time of (1.715 + o(1))√N group operations. The second algorithm is based on the Gaudry-Schost algorithm and the ideas of our first algorithm. We explain why this algorithm has heuristic average case expected running time of (1.661 + o(1))√N group operations. We give experimental results that show that the methods do work close to that predicted by the theoretical analysis.
The brave new world of bodacious assumptions in cryptography
Notices of the American Mathematical Society, 2010
Intractable Problems in Cryptography
Cited by 4 (1 self)
Abstract. We examine several variants of the Diffie-Hellman and Discrete Log problems that are connected to the security of cryptographic protocols. We discuss the reductions that are known between them and the challenges in trying to assess the true level of difficulty of these problems, particularly if they are interactive or have complicated input.
Certificateless Signatures: Structural Extensions of Security Models and New Provably Secure Schemes
Cited by 2 (0 self)
Certificateless signatures (CLSs) were introduced to solve the key escrow problem of identity-based signatures. In CLS, the full private key is determined by neither the user nor the trusted third party. However, a certificate of a public key is not required in CLS schemes; therefore, anyone can replace the public key. On the formal security, there are two types of adversaries, where the Type I adversary acts as the outsider, and the Type II as the key generation center. Huang et al. took a few security issues into consideration and provided some security models. They showed three kinds of Type I adversaries with different security levels. Moreover, Tso et al. found the existence of another Type I adversary that was not discussed by Huang et al.; however, the adversaries are still too subtle to be presently defined. In this paper, we further consider public key replacement and strong unforgeability in certificateless signatures. All feasible situations are revisited along with abilities of adversaries. Additionally, structural extensions of security models are proposed with respect to the described public key replacement and strong unforgeability. Moreover, we also present some schemes, analyze their security against different adversaries, and describe our research results. Finally, one of the proposed certificateless short signature schemes is proven to achieve the strongest security level.
The Random Oracle Model: A Twenty-Year Retrospective
Cited by 2 (0 self)
Abstract. It has been roughly two decades since the random oracle model for reductionist security arguments was introduced and one decade since we first discussed the controversy that had arisen concerning its use. In this retrospective we argue that there is no evidence that the need for the random oracle assumption in a proof indicates the presence of a real-world security weakness in the corresponding protocol. We give several examples of attempts to avoid random oracles that have led to protocols that have security weaknesses that were not present in the original ones whose proofs required random oracles. We also argue that the willingness to use random oracles gives one the flexibility to modify certain protocols so as to reduce dependence on potentially vulnerable pseudorandom bit generators. Finally, we discuss a modified version of ECDSA, which we call ECDSA+, that may have better real-world security than standard ECDSA, and compare it with a modified Schnorr signature. If one is willing to use the random oracle model (and the analogous generic group model), then various security arguments are known for these two schemes. If one shuns these models, then no provable security result is known for them.
On the Security of the Schnorr Signature Scheme and DSA against Related-Key Attacks
Abstract. In the ordinary security model for signature schemes, we consider an adversary that may forge a signature on a new message using only his knowledge of other valid message and signature pairs. To take into account side channel attacks such as tampering or fault-injection attacks, Bellare and Kohno (Eurocrypt 2003) formalized related-key attacks (RKA), where stronger adversaries are considered. In RKA for signature schemes, the adversary can also manipulate the signing key and obtain signatures for the modified key. This paper considers RKA security of two established signature schemes: the Schnorr signature scheme and (a well-known variant of) DSA. First, we show that these signature schemes are secure against a weak notion of RKA. Second, we demonstrate that, on the other hand, neither the Schnorr signature scheme nor DSA achieves the standard notion of RKA security, by showing concrete attacks on these. Lastly, we show that a slight modification of both the Schnorr signature scheme and (the considered variant of) DSA yields fully RKA secure schemes.