Results 1  10
of
28
The Elliptic Curve Digital Signature Algorithm (ECDSA)
, 1999
"... The Elliptic Curve Digital Signature Algorithm (ECDSA) is the elliptic curve analogue of the Digital Signature Algorithm (DSA). It was accepted in 1999 as an ANSI standard, and was accepted in 2000 as IEEE and NIST standards. It was also accepted in 1998 as an ISO standard, and is under consideratio ..."
Abstract

Cited by 101 (5 self)
 Add to MetaCart
The Elliptic Curve Digital Signature Algorithm (ECDSA) is the elliptic curve analogue of the Digital Signature Algorithm (DSA). It was accepted in 1999 as an ANSI standard, and was accepted in 2000 as IEEE and NIST standards. It was also accepted in 1998 as an ISO standard, and is under consideration for inclusion in some other ISO standards. Unlike the ordinary discrete logarithm problem and the integer factorization problem, no subexponentialtime algorithm is known for the elliptic curve discrete logarithm problem. For this reason, the strengthperkeybit is substantially greater in an algorithm that uses elliptic curves. This paper describes the ANSI X9.62 ECDSA, and discusses related security, implementation, and interoperability issues. Keywords: Signature schemes, elliptic curve cryptography, DSA, ECDSA.
A Key Recovery Attack on Discrete Logbased Schemes Using a Prime Order Subgroup
, 1997
"... Consider the wellknown oracle attack: Somehow one gets a certain computation result as a function of a secret key from the secret key owner and tries to extract some information on the secret key. This attacking scenario is well understood in the cryptographic community. However, there are many pro ..."
Abstract

Cited by 62 (2 self)
 Add to MetaCart
Consider the wellknown oracle attack: Somehow one gets a certain computation result as a function of a secret key from the secret key owner and tries to extract some information on the secret key. This attacking scenario is well understood in the cryptographic community. However, there are many protocols based on the discrete logarithm problem that turn out to leak many of the secret key bits from this oracle attack, unless suitable checkings are carried out. In this paper we present a key recovery attack on various discrete logbased schemes working in a prime order subgroup. Our attack can disclose part of, or the whole secret key in most DiffieHellmantype key exchange protocols and some applications of ElGamal encryption and signature schemes. Key Words : Key recovery attack, Discrete logarithms, Key exchange, Digital signatures. 1 Introduction Many cryptographic protocols have been developed based on the discrete logarithm problem. The main objective of developers is to design...
OpenPGP Message Format
 Wong & Schlitt Experimental [Page 40] 4408 Sender Policy Framework (SPF
, 1998
"... This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards " (STD 1) for the standardization state and status of this protocol. Dis ..."
Abstract

Cited by 38 (2 self)
 Add to MetaCart
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards " (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. This document is maintained in order to publish all necessary information needed to develop interoperable applications based on the OpenPGP format. It is not a stepbystep cookbook for writing an application. It describes only the format and methods needed to read, check, generate, and write conforming packets crossing any network. It does not deal with storage and implementation questions. It does, however, discuss implementation issues necessary to avoid security flaws. OpenPGP software uses a combination of strong publickey and
Minding Your P's and Q's
 In Advances in Cryptology  ASIACRYPT'96, LNCS 1163
, 1996
"... Over the last year or two, a large number of attacks have been found by the authors and others on protocols based on the discrete logarithm problem, such as ElGamal signature and Diffie Hellman key exchange. These attacks depend on causing variables to assume values whose discrete logarithms can be ..."
Abstract

Cited by 25 (3 self)
 Add to MetaCart
Over the last year or two, a large number of attacks have been found by the authors and others on protocols based on the discrete logarithm problem, such as ElGamal signature and Diffie Hellman key exchange. These attacks depend on causing variables to assume values whose discrete logarithms can be calculated, whether by forcing a protocol exchange into a smooth subgroup or by choosing degenerate values directly. We survey these attacks and discuss how to build systems that are robust against them. In the process we elucidate a number of the design decisions behind the US Digital Signature Standard.
The Pynchon Gate: A Secure Method of Pseudonymous Mail Retrieval
 In Proceedings of the Workshop on Privacy in the Electronic Society (WPES 2005
, 2005
"... We present The Pynchon Gate, a pseudonymous message retrieval system. The Pynchon Gate is based upon Private Information Retrieval, an information theory primitive that enables us to address many of the known problems with existing pseudonymous communication systems. We propose a system where th ..."
Abstract

Cited by 15 (4 self)
 Add to MetaCart
We present The Pynchon Gate, a pseudonymous message retrieval system. The Pynchon Gate is based upon Private Information Retrieval, an information theory primitive that enables us to address many of the known problems with existing pseudonymous communication systems. We propose a system where the user retrieves a subset of the collection of all messages in such a way that the user leaks no information about which messages he is retrieving, and a global observer is unable to correlate sender behavior with recipient usage patterns. We introduce a more stable architecture for pseudonymous mail systems and analyze its strengths and weaknesses as compared to existing systems.
Proactive TwoParty Signatures for User Authentication
 Proc. 10th Annual Network and Distributed System Security Symposium (NDSS’03), The Internet Society
, 2003
"... We study proactive twoparty signature schemes in the context of user authentication. A proactive twoparty signature scheme (P2SS) allows two partiesthe client and the serverjointly to produce signatures and periodically to refresh their sharing of the secret key. The signature generation rem ..."
Abstract

Cited by 12 (2 self)
 Add to MetaCart
We study proactive twoparty signature schemes in the context of user authentication. A proactive twoparty signature scheme (P2SS) allows two partiesthe client and the serverjointly to produce signatures and periodically to refresh their sharing of the secret key. The signature generation remains secure as long as both parties are not compromised between successive refreshes. We construct the first such proactive scheme based on the discrete log assumption by efficiently transforming Schnorr's popular signature scheme into a P2SS. We also extend our technique to the signature scheme of Guillou and Quisquater (GQ), providing two practical and efficient P2SSs that can be proven secure in the random oracle model under standard discrete log or RSA assumptions.
Can we trust cryptographic software? cryptographic flaws
 in GNU Privacy Guard v1.2.3. In EUROCRYPT 2004, LNCS
, 2004
"... Abstract. More and more software use cryptography. But how can one know if what is implemented is good cryptography? For proprietary software, one cannot say much unless one proceeds to reverseengineering, and history tends to show that bad cryptography is much more frequent than good cryptography ..."
Abstract

Cited by 12 (0 self)
 Add to MetaCart
Abstract. More and more software use cryptography. But how can one know if what is implemented is good cryptography? For proprietary software, one cannot say much unless one proceeds to reverseengineering, and history tends to show that bad cryptography is much more frequent than good cryptography there. Open source software thus sounds like a good solution, but the fact that a source code can be read does not imply that it is actually read, especially by cryptography experts. In this paper, we illustrate this point by examining the case of a basic Internet application of cryptography: secure email. We analyze parts of thesourcecodeofthelatestversionofGNUPrivacyGuard(GnuPGor GPG), a free open source alternative to the famous PGP software, compliant with the OpenPGP standard, and included in most GNU/Linux distributions such as Debian, MandrakeSoft, Red Hat and SuSE. We observe several cryptographic flaws in GPG v1.2.3. The most serious flaw has been present in GPG for almost four years: we show that as soon as one (GPGgenerated) ElGamal signature of an arbitrary message is released, one can recover the signer’s private key in less than a second on a PC. As a consequence, ElGamal signatures and the socalled ElGamal sign+encrypt keys have recently been removed from GPG. Fortunately, ElGamal was not GPG’s default option for signing keys.
Addressing the Problem of Undetected Signature Key Compromise
, 1999
"... Suppose that messages have been signed using a user's signature private key during the period of time after a key compromise but before the compromise is detected. This is aperiod of undetected key compromise. Various techniques for detecting a compromise and preventing forged signature acceptance a ..."
Abstract

Cited by 9 (4 self)
 Add to MetaCart
Suppose that messages have been signed using a user's signature private key during the period of time after a key compromise but before the compromise is detected. This is aperiod of undetected key compromise. Various techniques for detecting a compromise and preventing forged signature acceptance are presented. Attack protection is achieved by requiring a second level of authentication for the acceptance of signatures, based on information shared with a trusted authority, independent of the signature private key and signing algorithm. Alternatively, attack detection is achieved with an independent sychronization with the authority, using a second factoradaptive (nonsecret) parameter. Preventing forged signature acceptance subsequent to the detection is achieved by the use of a coolingoff or latency period, combined with periodic resynchronization.
Smooth Orders and Cryptographic Applications
 Lecture Notes in Comptuer Science
, 2002
"... We obtain rigorous upper bounds on the number of primes x for which p1 is smooth or has a large smooth factor. Conjecturally these bounds are nearly tight. As a corollary, we show that for almost all primes p the multiplicative order of 2 modulo p is not smooth, and we prove a similar but weaker re ..."
Abstract

Cited by 5 (1 self)
 Add to MetaCart
We obtain rigorous upper bounds on the number of primes x for which p1 is smooth or has a large smooth factor. Conjecturally these bounds are nearly tight. As a corollary, we show that for almost all primes p the multiplicative order of 2 modulo p is not smooth, and we prove a similar but weaker result for almost all odd numbers n. We also discuss some cryptographic applications.