Signature Schemes Based on the Strong RSA Assumption
- ACM TRANSACTIONS ON INFORMATION AND SYSTEM SECURITY, 1998
Cited by 127 (7 self)
We describe and analyze a new digital signature scheme. The new scheme is quite efficient, does not require the signer to maintain any state, and can be proven secure against adaptive chosen message attack under a reasonable intractability assumption, the so-called Strong RSA Assumption. Moreover, a hash function can be incorporated into the scheme in such a way that it is also secure in the random oracle model under the standard RSA Assumption.
Secure Password-Based Cipher Suite for TLS
- PROCEEDINGS OF NETWORK AND DISTRIBUTED SYSTEMS SECURITY SYMPOSIUM, 2001
Cited by 24 (1 self)
SSL is the de-facto standard today for securing end-to-end transport on the Internet. While the protocol itself seems rather secure, there are a number of risks that lurk in its use, e.g., in web banking. However, the adoption of password-based key-exchange protocols can overcome some of these problems. We propose the integration of such a protocol (DH-EKE) in the TLS protocol, the standardization of SSL by IETF. The resulting protocol provides secure mutual authentication and key establishment over an insecure channel. It does not have to resort to a PKI or keys and certificates stored on the user's computer. Additionally, its integration in TLS is as minimal and non-intrusive as possible.
Multi-trapdoor Commitments and their Applications to Proofs of Knowledge Secure under Concurrent Man-in-the-middle Attacks
- Advances in Cryptology – proc. of CRYPTO ’04, LNCS 3152, 2004
Cited by 11 (1 self)
We introduce the notion of multi-trapdoor commitments which is a stronger form of trapdoor commitment schemes. We then construct two very efficient instantiations of multi-trapdoor commitment schemes, based on the Strong RSA Assumption and the recently introduced Strong Diffie-Hellman Assumption.
Finding Small Roots of Bivariate Integer Polynomial Equations Revisited
- PROC. ADVANCES IN CRYPTOLOGY - EUROCRYPT’04, LNCS 3027, 2004
Cited by 11 (0 self)
At Eurocrypt ’96, Coppersmith proposed an algorithm for finding small roots of bivariate integer polynomial equations, based on lattice reduction techniques. But the approach is difficult to understand. In this paper, we present a much simpler algorithm for solving the same problem. Our simplification is analogous to the simplification brought by Howgrave-Graham to Coppersmith’s algorithm for finding small roots of univariate modular polynomial equations. As an application, we illustrate the new algorithm with the problem of finding the factors of n = pq if we are given the high order (1/4) log_2 n bits of p.
Polynomial Representations of the Diffie-Hellman Mapping
Cited by 3 (0 self)
We obtain lower bounds on the degrees of polynomials representing the Diffie-Hellman mapping (g^x, g^y) ↦ g^{xy}, where g is a primitive root of a finite field F_q of q elements. These bounds are exponential in terms of log q. In particular, these results can be used to obtain lower bounds on the parallel arithmetic complexity of breaking the Diffie-Hellman cryptosystem. The method is based on bounds of numbers of solutions of some polynomial equations.
The Magic Words Are Squeamish Ossifrage (Extended Abstract)
Cited by 2 (0 self)
We describe the computation which resulted in the title of this paper. Furthermore, we give an analysis of the data collected during this computation. From these data, we derive the important observation that in the final stages, the progress of the double large prime variation of the quadratic sieve integer factoring algorithm can more effectively be approximated by a quartic function of the time spent, than by the more familiar quadratic function. We also present, as an update to [15], some of our experiences with the management of a large computation distributed over the Internet. Based on this experience, we give some realistic estimates of the current readily available computational power of the Internet. We conclude that commonly-used 512-bit RSA moduli are vulnerable to any organization prepared to spend a few million dollars and to wait a few months.
Injecting heterogeneity through protocol randomization
- 2007
Cited by 2 (0 self)
In this paper, we argue that heterogeneity should be an important principle in design and use of cryptographic protocols. We use automated formal analysis tools to randomly generate security protocols as a method of introducing heterogeneity. We present the results of simulations for the case of two party authentication protocols and argue that choosing protocols randomly out of sets numbering in the hundreds of millions is practical and achievable with an acceptable overhead. To realize the simulation, we implemented a highly efficient protocol verifier, achieving approximately two orders of magnitude improvement in performance compared to previous work.
Computational Methods in Public Key Cryptology
- 2002
Cited by 1 (1 self)
These notes informally review the most common methods from computational number theory that have applications in public key cryptology.
Security of Biased Sources for Cryptographic Keys
- 2001
Cryptographic schemes are based on keys which are highly involved in granting their security. It is in general assumed that the source producing these keys has a uniform distribution, that is, it produces keys from a given key space with equal probability. Consequently, deviations from uniform distribution of the key source may be regarded a priori as a potential security breach, even if no dedicated attack is known which might take advantage of these deviations. We propose in this paper a model for biased key sources and show that it is possible to prove some results about tolerance of biases, which have the property of being inherent to the bias itself and not requiring assumptions about unknown attacks using these biases. The model is based on comparing the average case complexities of generic attacks on some number theoretical problems, with respect to uniform and to biased distributions. We also show the connection to information entropy based analysis of biased ...

