Parallel collision search with application to hash functions and discrete logarithms
In ACM CCS 94, 1994
Cited by 75 (1 self)
Current techniques for collision search with feasible memory requirements involve pseudorandom walks through some space where one must wait for the result of the current step before the next step can begin. These techniques are serial in nature, and direct parallelization is inefficient. We present a simple new method of parallelizing collision searches that greatly extends the reach of practical attacks. The new method is illustrated with applications to hash functions and discrete logarithms in cyclic groups. In the case of hash functions, we begin with two messages; the first is a message that we want our target to digitally sign, and the second is a message that the target is willing to sign. Using collision search adapted for hashing collisions, one can find slightly altered versions of these messages such that the two new messages give the same hash result. As a particular example, a $10 million custom machine for applying parallel collision search to the MD5 hash function could complete an attack with an expected run time of 24 days. This machine would be specific to MD5, but could be used for any pair of messages. For discrete logarithms in cyclic groups, ideas from Pollard’s rho and lambda methods for index computation are combined to allow efficient parallel implementation using the new method. As a concrete example, we consider an elliptic curve cryptosystem over GF(2^155) with the order of the curve having largest prime factor of approximate size 10^36. A $10 million machine custom built for this finite field could compute a discrete logarithm with an expected run time of 36 days.
Square-Root Algorithms For The Discrete Logarithm Problem (a Survey)
In Public Key Cryptography and Computational Number Theory, Walter de Gruyter, 2001
Cited by 36 (0 self)
The best algorithms to compute discrete logarithms in arbitrary groups (of prime order) are the baby-step giant-step method, the rho method and the kangaroo method. The first two have (expected) running time O(√n) group operations (n denoting the group order), thereby matching Shoup's lower bounds. While the baby-step giant-step method is deterministic but with large memory requirements, the rho and the kangaroo method are probabilistic but can be implemented very space efficiently, and they can be parallelized with linear speedup. In this paper, we present the state of the art in these methods.
Factorization Of The Tenth Fermat Number
Math. Comp., 1999
Cited by 28 (12 self)
We describe the complete factorization of the tenth Fermat number F_10 by the elliptic curve method (ECM). F_10 is a product of four prime factors with 8, 10, 40 and 252 decimal digits. The 40-digit factor was found after about 140 Mflop-years of computation. We also discuss the complete factorization of other Fermat numbers by ECM, and summarize the factorizations of F_5, ..., F_11.
Recent progress and prospects for integer factorisation algorithms
In Proc. of COCOON 2000, 2000
Cited by 24 (1 self)
The integer factorisation and discrete logarithm problems are of practical importance because of the widespread use of public key cryptosystems whose security depends on the presumed difficulty of solving these problems. This paper considers primarily the integer factorisation problem. In recent years the limits of the best integer factorisation algorithms have been extended greatly, due in part to Moore’s law and in part to algorithmic improvements. It is now routine to factor 100-decimal-digit numbers, and feasible to factor numbers of 155 decimal digits (512 bits). We outline several integer factorisation algorithms, consider their suitability for implementation on parallel machines, and give examples of their current capabilities. In particular, we consider the problem of parallel solution of the large, sparse linear systems which arise with the MPQS and NFS methods.
Making a Nymbler Nymble using VERBS
2010
Cited by 21 (10 self)
We propose a new system modeled after Nymble. Like Nymble, our scheme provides a privacy-preserving analog of IP address blocking for anonymizing networks. However, unlike Nymble, the user in our scheme need not trust third parties to maintain their anonymity. We achieve this while avoiding the use of trusted hardware and without requiring an offline credential issuing authority to guarantee that users do not obtain multiple credentials. We use zero-knowledge proofs to reduce the capabilities of colluding third parties, and introduce a new cryptographic technique that we call verifier-efficient restricted blind signatures, or VERBS, to maintain efficiency. Signature verification with our VERBS is 1–2 orders of magnitude faster than existing restricted blind signatures.
Factorization of the tenth and eleventh Fermat numbers
1996
Cited by 17 (8 self)
We describe the complete factorization of the tenth and eleventh Fermat numbers. The tenth Fermat number is a product of four prime factors with 8, 10, 40 and 252 decimal digits. The eleventh Fermat number is a product of five prime factors with 6, 6, 21, 22 and 564 decimal digits. We also note a new 27-decimal-digit factor of the thirteenth Fermat number. This number has four known prime factors and a 2391-decimal-digit composite factor. All the new factors reported here were found by the elliptic curve method (ECM). The 40-digit factor of the tenth Fermat number was found after about 140 Mflop-years of computation. We discuss aspects of the practical implementation of ECM, including the use of special-purpose hardware, and note several other large factors found recently by ECM. 1. Introduction. For a nonnegative integer n, the n-th Fermat number is F_n = 2^(2^n) + 1. It is known that F_n is prime for 0 ≤ n ≤ 4, and composite for 5 ≤ n ≤ 23. Also, for n ≥ 2, the factors of F_n are of th...
Integer Factorization
2006
Cited by 10 (1 self)
Factorization problems are the “The problem of distinguishing prime numbers from composite numbers, and of resolving the latter into their prime factors, is known to be one of the most important and useful in arithmetic,” Gauss wrote in his Disquisitiones Arithmeticae in 1801. “The dignity of the science itself seems to require that every possible means be explored for the solution of a problem so elegant and so celebrated.” But what exactly is the problem? It turns out that there are many different factorization problems, as we will discuss in this paper.
Making a Nymbler Nymble using VERBS (Extended Version). Computer Science
2010
Cited by 7 (6 self)
In this work, we propose a new platform to enable service providers, such as web site operators, on the Internet to block past abusive users of anonymizing networks (for example, Tor) from further misbehaviour, without compromising their privacy, and while preserving the privacy of all of the non-abusive users. Our system provides a privacy-preserving analog of IP address banning, and is modeled after the well-known Nymble system [29,47,48]. However, while we solve the same problem as the original Nymble scheme, we eliminate the troubling situation in which users must trust their anonymity in the hands of a small number of trusted third parties. Unlike other approaches that have been considered in the literature [10,44,45,46], we avoid the use of trusted hardware devices or unrealistic assumptions about offline credential issuing authorities who are responsible for ensuring that no user is able to obtain multiple credentials. Thus, our scheme combines the strong privacy guarantees of [10,44,45,46] with a simple infrastructure as in [29,47,48]. To prevent malicious third parties from trivially colluding to reveal the identities of anonymous users we make use of a number of standard zero-knowledge proofs, and to maintain efficiency we introduce a new cryptographic technique which we call verifier-efficient restricted blind signatures, or VERBS. Our approach allows users to perform all privacy-sensitive computations locally, and then prove in zero-knowledge that the computations were performed correctly in order to obtain efficiently verifiable signatures on the output — all without revealing either the result of the computation or any potentially identifying information to the signature issuing authority. Signature verification in our proposed VERBS scheme is 1–2 orders of magnitude more efficient than verification in any known restricted blind signature scheme.