Results 1  10
of
12
On the Unpredictability of Bits of the Elliptic Curve DiffieHellman Scheme
"... Let E=F p be an elliptic curve, and G 2 E=F p . Dene the Die{Hellman function on E=F p as DH E;G (aG; bG) = abG. We show that if there is an ecient algorithm for predicting the LSB of the x or y coordinate of abG given hE ; G; aG; bGi for a certain family of elliptic curves, then there is an algori ..."
Abstract

Cited by 14 (4 self)
 Add to MetaCart
Let E=F p be an elliptic curve, and G 2 E=F p . Dene the Die{Hellman function on E=F p as DH E;G (aG; bG) = abG. We show that if there is an ecient algorithm for predicting the LSB of the x or y coordinate of abG given hE ; G; aG; bGi for a certain family of elliptic curves, then there is an algorithm for computing the Die{Hellman function on all curves in this family. This seems stronger than the best analogous results for the Die{Hellman function in F p . Boneh and Venkatesan showed that in F p computing approximately (log p) 1=2 of the bits of the Die{Hellman secret is as hard as computing the entire secret. Our results show that just predicting one bit of the Elliptic Curve Die{Hellman secret in a family of curves is as hard as computing the entire secret. 1
Predicting Nonlinear Pseudorandom Number Generators
 MATH. COMPUTATION
, 2004
"... Let p be a prime and let a and b be elements of the finite field Fp of p elements. The inversive congruential generator (ICG) is a sequence (un) of pseudorandom numbers defined by the relation un+1 ≡ au−1 n +b mod p. We show that if sufficiently many of the most significant bits of several consecut ..."
Abstract

Cited by 8 (5 self)
 Add to MetaCart
Let p be a prime and let a and b be elements of the finite field Fp of p elements. The inversive congruential generator (ICG) is a sequence (un) of pseudorandom numbers defined by the relation un+1 ≡ au−1 n +b mod p. We show that if sufficiently many of the most significant bits of several consecutive values un of the ICG are given, one can recover the initial value u0 (even in the case where the coefficients a and b are not known). We also obtain similar results for the quadratic congruential generator (QCG), vn+1 ≡ f(vn) modp, where f ∈ Fp[X]. This suggests that for cryptographic applications ICG and QCG should be used with great care. Our results are somewhat similar to those known for the linear congruential generator (LCG), xn+1 ≡ axn + b mod p, but they apply only to much longer bit strings. We also estimate limits of some heuristic approaches, which still remain much weaker than those known for LCG.
On the Provable Security of an Efficient RSABased Pseudorandom Generator
, 2006
"... Pseudorandom Generators (PRGs) based on the RSA inversion (onewayness) problem have been extensively studied in the literature over the last 25 years. These generators have the attractive feature of provable pseudorandomness security assuming the hardness of the RSA inversion problem. However, de ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
Pseudorandom Generators (PRGs) based on the RSA inversion (onewayness) problem have been extensively studied in the literature over the last 25 years. These generators have the attractive feature of provable pseudorandomness security assuming the hardness of the RSA inversion problem. However, despite extensive study, the most efficient provably secure RSAbased generators output asymptotically only at most O(log n) bits per multiply modulo an RSA modulus of bitlength n, and hence are too slow to be used in many practical applications. To bring theory closer to practice, we present a simple modification to the proof of security by Fischlin and Schnorr of an RSAbased PRG, which shows that one can obtain an RSAbased PRG which outputs Ω(n) bits per multiply and has provable pseudorandomness security assuming the hardness of a wellstudied variant of the RSA inversion problem, where a constant fraction of the plaintext bits are given. Our result gives a positive answer to an open question posed by Gennaro (J. of Cryptology, 2005) regarding finding a PRG beating the rate O(log n) bits per multiply at the cost of a reasonable assumption on RSA inversion.
Secure Bilinear DiffieHellman Bits
, 2002
"... The Weil and Tate pairings are a popular new gadget in cryptography and have found many applications, including identitybased cryptography. In particular, the pairings have been used for key exchange protocols. This paper studies the bit security of keys obtained using protocols based on pairings ( ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
The Weil and Tate pairings are a popular new gadget in cryptography and have found many applications, including identitybased cryptography. In particular, the pairings have been used for key exchange protocols. This paper studies the bit security of keys obtained using protocols based on pairings (that is, we show that obtaining certain bits of the common key is as hard as computing the entire key). These results are valuable as they give insight into how many "hardcore" bits can be obtained from key exchange using pairings.
Hardness of Computing Individual Bits for Oneway Functions on Elliptic Curves
"... Abstract. We prove that if one can predict any of the bits of the input to an elliptic curve based oneway function over a finite field, then we can invert the function. In particular, our result implies that if one can predict any of the bits of the input to a classical pairingbased oneway functi ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
Abstract. We prove that if one can predict any of the bits of the input to an elliptic curve based oneway function over a finite field, then we can invert the function. In particular, our result implies that if one can predict any of the bits of the input to a classical pairingbased oneway function with nonnegligible advantage over a random guess then one can efficiently invert this function and thus, solve the Fixed Argument Pairing Inversion problem (FAPI1/FAPI2). The latter has implications on the security of various pairingbased schemes such as the identitybased encryption scheme of Boneh– Franklin, Hess ’ identitybased signature scheme, as well as Joux’s threeparty oneround key agreement protocol. Moreover, if one can solve FAPI1 and FAPI2 in polynomial time then one can solve the Computational Diffie–Hellman problem (CDH) in polynomial time. Our result implies that all the bits of the functions defined above are hardtocompute assuming these functions are oneway. The argument is based on a listdecoding technique via discrete Fourier transforms due to Akavia–Goldwasser–Safra as well as an idea due to Boneh–Shparlinski. Keywords: Oneway function, hardtocompute bits, bilinear pairings, elliptic curves, fixed argument pairing inversion problem, Fourier transform, list decoding. 1
Passwordauthenticated key exchange using efficient MACs
"... Abstract — This paper is concerned with passwordauthenticated key agreement protocols. Designing such protocols represents an interesting challenge since there is no standard way of choosing a password that achieves an optimum tradeoff between usability and security. Indeed, passwords belonging to ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
Abstract — This paper is concerned with passwordauthenticated key agreement protocols. Designing such protocols represents an interesting challenge since there is no standard way of choosing a password that achieves an optimum tradeoff between usability and security. Indeed, passwords belonging to a highly structured language are essentially equivalent to low entropy strings. A fundamental goal is that of obtaining secure and efficient protocols, with optimum computational complexity, round complexity and communication efficiency. These properties make them ideal candidates for mobile devices. We present DHBPAKE1 which is an improved version of the protocol presented in previous work (DHBPAKE). The construction builds upon the encrypted key exchange protocol of Bellovin and Merritt augmented with a key confirmation round based on the use of efficient message authentication codes. We discuss in detail the security properties of the two efficient message authentication schemes which form the basic building blocks of the protocol. In addition, we formally prove the security of protocol DHBPAKE1 in a modified version of the model of Boyko et al.. Index Terms — key agreement protocols, password based authentication, message authentication scheme I.
Playing ”HideandSeek” in finite fields: Hidden number problem and its applications
 In Proc. 7th Spanish Meeting on Cryptology and Information Security, Vol.1, Univ. of
, 2002
"... ..."
Cryptanalysis of MQV with partially known nonces
, 2002
"... In this paper we present the first lattice attack on an authenticated key agreement protocol, which does not use a digital signature algorithm to produce the authentication. We present a two stage attack on MQV in which one party may recover the other party's static private key from partial ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
In this paper we present the first lattice attack on an authenticated key agreement protocol, which does not use a digital signature algorithm to produce the authentication. We present a two stage attack on MQV in which one party may recover the other party's static private key from partial knowledge of the nonces from several runs of the protocol. The first stage reduces the attack to a hidden number problem which is partially solved by considering a closest vector problem and using Babai's algorithm. This stage is closely related to the attack of Nguyen and Shparlinski on DSA but is complicated by a nonuniform distribution of multipliers. The second stage recovers the rest of the key using the babystep/giantstep algorithm or Pollard's Lambda algorithm and runs in time O(q ). The attack has been proven to work with high probability and validated experimentally. We have thus reduced the security from O(q ) down to O(q ) when partial knowledge of the nonces is given.
Extended Hidden Number Problem and Its Cryptanalytic Applications
"... Abstract. Since its formulation in 1996, the Hidden Number Problem (HNP) plays an important role in both cryptography and cryptanalysis. It has a strong connection with proving security of DiffieHellman and related schemes as well as breaking certain implementations of DSAlike signature schemes. W ..."
Abstract
 Add to MetaCart
Abstract. Since its formulation in 1996, the Hidden Number Problem (HNP) plays an important role in both cryptography and cryptanalysis. It has a strong connection with proving security of DiffieHellman and related schemes as well as breaking certain implementations of DSAlike signature schemes. We formulate an extended version of HNP (EHNP) and present a polynomial time algorithm for solving its instances. Our extension improves usability of HNP for solving real cryptanalytic problems significantly. The techniques elaborated here can be used for cryptographic strength proving, as well. We then present a practically feasible side channel attack on certain implementations of DSA (e.g. OpenSSL), which emphasizes the security risk caused by a side channel hidden in the design of Pentium 4 HTT processor for applications like SSH. During experimental simulations, having observed as few as 6 authentications to the server, an attacker was able to disclose the server’s private key.