## Computational Alternatives to Random Number Generators (1999)

### Cached

### Download Links

- [www.gemplus.com]
- [www.it.iitb.ac.in]
- [www.gemplus.com]
- [www.di.ens.fr]
- [www.gemplus.fr]
- [ftp.ens.fr]
- DBLP

### Other Repositories/Bibliography

Citations: | 4 - 3 self |

### BibTeX

@MISC{M'Raïhi99computationalalternatives,

author = {David M'Raïhi and David Naccache and Published In S. Tavares and H. Meijer and Selected Areas In Cryptography},

title = {Computational Alternatives to Random Number Generators},

year = {1999}

}

### OpenURL

### Abstract

In this paper, we present a simple method for generating random-based signatures when random number generators are either unavailable or of suspected quality (malicious or accidental).

### Citations

1229 | A public key cryptosystem and a signature scheme based on the discrete logarithm - ElGamal - 1985 |

884 | How to prove yourself: Practical solutions to identification and signature problems
- Fiat, Shamir
(Show Context)
Citation Context ...orrupting the source to obtain twice an identical u). 4 Deterministic versions of other schemes The idea described in the previous sections can be trivially applied to other signature schemes such as =-=[10]-=- or [12]. Suffice it to say that one should replace each session’s random number by a digest of the keys (secret and public) and the signed message. 67 System parameters: k, security parameter p and ... |

867 | A digital signature scheme secure against adaptive chosenmessage attacks
- Goldwasser, Micali, et al.
- 1998
(Show Context)
Citation Context ...ibution generate over a key-space, a (possibly probabilistic) signature algorithm sign depending on a secret key and a verification algorithm verify depending on the public key (see Goldwasser et al. =-=[11]-=-). We also assume that sign has access to a private oracle f (which is a part of its private key) while verify has access to the public oracle h that commonly formalizes the hash function transforming... |

503 | Keying hash functions for message authentication
- Bellare, Canetti, et al.
- 1996
(Show Context)
Citation Context ...arter-Wegman’s xor-universal hash function [6]). More practically, we can use standard hash-functions such as: hK(x) = HMAC-SHA(K, x) at the cost of adding the function’s pseudo-randomness hypothesis =-=[2, 3]-=- to the (already assumed) hardness of the discrete logarithm problem. To adapt random oracle-secure signatures to everyday’s life, we regard (hK)K as a pseudo-random keyed hash-family and require an i... |

462 |
Blind signatures for untraceable payments
- Chaum
(Show Context)
Citation Context ...g u mod p e = h(m, r) mod q s = u − xe mod q Signature verification: verify(m; e, s) r = g s y e mod p check that e = h(m, r) mod q Fig. 3. A practical deterministic Schnorr variant. Blind signatures =-=[8]-=- (a popular building-block of most e-cash schemes) can be easily transformed as well: in the usual RSA setting the user computes w = h(k, m, e, n) (where k is a short secret-key) and sends m ′ = w e m... |

332 |
A public key cryptosystem and a signature scheme based on discrete logarithms
- Gamal
- 1984
(Show Context)
Citation Context ...tamper-resistance assumptions. 1 Introduction Most digital signature algorithms rely on random sources which stability and quality crucially influence security: a typical example is El-Gamal’s scheme =-=[9]-=- where the secret key is protected by the collision-freedom of the source. Although biasing tamper-resistant generators is difficult 1 , discrete components can be easily short-circuited or replaced b... |

324 |
Efficient identification and signatures for smart cards
- Schnorr
(Show Context)
Citation Context ... from some internal state, receives a message, outputs its signature and returns precisely to the same initial state. Being very broad, we will illustrate our approach with Schnorr’s signature scheme =-=[22]-=- before extending the idea to other randomized cryptosystems. 2 Digital signatures In eurocrypt’96, Pointcheval and Stern [20] proved the security of an El-Gamal variant where the hash-function has be... |

303 |
How to construct pseudorandom permutations from pseudorandom functions
- LUBY, RACKOFF
- 1988
(Show Context)
Citation Context ... where ω is the random tape and h is a random mapping from A to B. So far, this criterion has been used in block-cipher design but never in conjunction with hash functions. Actually, Luby and Rackoff =-=[16]-=- proved that a truly random 3-round, ℓ-bit message Feistel-cipher is (n, n 2 /2 ℓ/2 )-pseudo-random and 2 although, as showed recently, there is no guarantee that a provably secure scheme in the rando... |

300 | Security arguments for digital signatures and blind signatures
- Pointcheval, Stern
- 2000
(Show Context)
Citation Context ...00 such devices during 2 years ( ∼ = 2 26 seconds). – consider Schnorr’s scheme, which is (n, t, 2 20 nt/T DL)-secure in the random oracle model, where T DL denotes the inherent complexity of the DLP =-=[21]-=-. For example, {|p| = 512, |q| = 256}-discrete logarithms can not be computed in less than 2 98 seconds ( ∼ = a 10,000-processor machine performing 1,000 modular multiplications per processor per seco... |

257 | The Random Oracle Methodology, Revisited
- Canetti, Goldreich, et al.
- 1998
(Show Context)
Citation Context ...age Feistel-cipher is (n, n 2 /2 ℓ/2 )-pseudo-random and 2 although, as showed recently, there is no guarantee that a provably secure scheme in the random oracle model will still be secure in reality =-=[5]-=-. 23 System parameters: k, security parameter p and q primes, q|(p − 1) g ∈ Z ⋆ p of order q h : {0, 1} ∗ → Zq Key generation: generate(1 k ) secret: x ∈R Zq and f : {0, 1} ∗ → Zq public: y = g x mod... |

224 | Security proofs for signature schemes
- Pointcheval, Stern
(Show Context)
Citation Context ...ry broad, we will illustrate our approach with Schnorr’s signature scheme [22] before extending the idea to other randomized cryptosystems. 2 Digital signatures In eurocrypt’96, Pointcheval and Stern =-=[20]-=- proved the security of an El-Gamal variant where the hash-function has been replaced by a random oracle. However, 1 such designs are usually buried in the lowest silicon layers and protected by a con... |

223 | How to Time-Stamp a Digital Document
- Haber, Stornetta
- 1991
(Show Context)
Citation Context ...t if n hashings take more than t seconds, then K can be chosen randomly by a trusted authority, with some temporal validity. In this setting, long-term signatures become very similar to time-stamping =-=[13, 1]-=-. Another consequence is that random oracle security-proofs are no longer theoretical arguments with no practical justification as they become, de facto, a step towards practical and provably-secure s... |

220 |
Public-Key Cryptosystem Based on Algebraic Coding Themy,” DSN Progress Report 424
- McEliece, “A
- 1978
(Show Context)
Citation Context ...so be used to prevent timing-attacks [15], but it requires again a random blinding factor [14]. More fundamentally, our technique completely eliminates a well-known attack on Mc Eleice’s cryptosystem =-=[18]-=- where, by asking the sender to re-encrypt logarithmically many messages, one can filter-out the error vectors (e, chosen randomly by the sender at each encryption) through simple majority votes. We r... |

207 |
A practical zero-knowledge protocol fitted to security microprocesors minimizing both transmission and memory
- Guillou, Quisquater
- 1988
(Show Context)
Citation Context ...g the source to obtain twice an identical u). 4 Deterministic versions of other schemes The idea described in the previous sections can be trivially applied to other signature schemes such as [10] or =-=[12]-=-. Suffice it to say that one should replace each session’s random number by a digest of the keys (secret and public) and the signed message. 67 System parameters: k, security parameter p and q prime ... |

195 |
ªTiming Attacks on
- Kocher
- 1996
(Show Context)
Citation Context ...od n to the authority who replies with s ′ = w ed m d mod n that the user un-blinds by a modular division (s = s ′ /w = m d mod n). The “blinding” technique can also be used to prevent timing-attacks =-=[15]-=-, but it requires again a random blinding factor [14]. More fundamentally, our technique completely eliminates a well-known attack on Mc Eleice’s cryptosystem [18] where, by asking the sender to re-en... |

86 |
Universal Hash Functions
- Carter, Wegman
- 1979
(Show Context)
Citation Context ...g and G an nℓ-bit string defining a random polynomial of degree n − 1, we define hK(x) = y ⊕ G(x ⊕ a × y) where a × y is the product in GF(2 ℓ ) (this uses Carter-Wegman’s xor-universal hash function =-=[6]-=-). More practically, we can use standard hash-functions such as: hK(x) = HMAC-SHA(K, x) at the cost of adding the function’s pseudo-randomness hypothesis [2, 3] to the (already assumed) hardness of th... |

70 | Improving the efficiency and reliability of digital time-stamping
- Bayer, Haber, et al.
- 1993
(Show Context)
Citation Context ...t if n hashings take more than t seconds, then K can be chosen randomly by a trusted authority, with some temporal validity. In this setting, long-term signatures become very similar to time-stamping =-=[13, 1]-=-. Another consequence is that random oracle security-proofs are no longer theoretical arguments with no practical justification as they become, de facto, a step towards practical and provably-secure s... |

50 | Message authentication using hash functions: the HMAC construction
- Bellare, Canetti, et al.
- 1996
(Show Context)
Citation Context ...arter-Wegman’s xor-universal hash function [6]). More practically, we can use standard hash-functions such as: hK(x) = HMAC-SHA(K, x) at the cost of adding the function’s pseudo-randomness hypothesis =-=[2, 3]-=- to the (already assumed) hardness of the discrete logarithm problem. To adapt random oracle-secure signatures to everyday’s life, we regard (hK)K as a pseudo-random keyed hash-family and require an i... |

33 | A simplified and Generalized Treatment of Luby-Rackoff Pseudorandom Permutation Generators
- Maurer
- 1992
(Show Context)
Citation Context ...y ⊕ G(x ⊕ F (y)). The family (hK)K is (n, n 2 /2 ℓ+1 )-pseudo-random. Proof. The considered family is nothing but a truncated two-round Feistel construction and the proof is adapted from [16, 19] and =-=[17]-=-. The core of the proof consists in finding a meaningful lower bound for the probability that n different {xi, yi}’s produce n given zi’s. More precisely, the ratio between this probability and its va... |

30 |
Provable Security for Block Ciphers by Decorrelation
- Vaudenay
- 1998
(Show Context)
Citation Context ...(this argument was brought as an evidence for DES’ security). Note that (n, ɛ)-pseudo-randomness was recently shown to be close to the notion of n-wise decorrelation bias, investigated by Vaudenay in =-=[24]-=-. This construction can be adapted to pseudo-random hash-functions as follows: we first show how to construct a pseudo-random hash-function from a huge random string and then simplify the model by de-... |

30 |
a Theory of Factorization and Genera
- Number
- 1971
(Show Context)
Citation Context ...thms can not be computed in less than 2 98 seconds ( ∼ = a 10,000-processor machine performing 1,000 modular multiplications per processor per second, executing Shank’s baby-step giant-step algorithm =-=[23]-=-) and theorem 4 guarantees that within two years, no attacker can succeed an existential-forgery under an adaptive-attack with probability greater than 1/1000. This proves that realistic low-cost impl... |

12 |
A simple unpredictable random number generator
- Blum, Blum, et al.
- 1986
(Show Context)
Citation Context ...om sources are keyed state-machines that receive a query, output a pseudo-random number, update their internal state and halt until the next query: a typical example is the BBS generator presented in =-=[4]-=-). In this paper, we present an alternative approach that converts randomized signature schemes into deterministic ones: in our construction, the signer is a memoryless automaton that starts from some... |

10 | cient identi cation and signatures for smart cards - Schnorr - 1989 |

8 | Improving the e±ciency and reliability of digital time-stamping - Bayer, Haber, et al. - 1992 |

6 | Improving the E ciency and Reliability of Digital Time-Stamping - Bayer, Haber, et al. - 1993 |

4 | Recherche de Performance dans l’Algorithmique des Corps Finis, Applications à la Cryptographie - Chabaud - 1996 |

4 | A practical zero-knowledge protocol tted to security microprocessors minimizing both transmission and memory - Guillou, Quisquater - 1988 |

4 |
Timing Attacks on Cryptosystems
- Kaliski
- 1996
(Show Context)
Citation Context ... mod n that the user un-blinds by a modular division (s = s ′ /w = m d mod n). The “blinding” technique can also be used to prevent timing-attacks [15], but it requires again a random blinding factor =-=[14]-=-. More fundamentally, our technique completely eliminates a well-known attack on Mc Eleice’s cryptosystem [18] where, by asking the sender to re-encrypt logarithmically many messages, one can filter-o... |

3 | A Simplified and generalised treatment of Luby-Rackoff Pseudorandom Permutation Generators - Maurer - 1992 |

2 | Universal hash functions, Journal of computer and system sciences - Carter - 1979 |

2 | A public-key cryptosystem based on algebraic coding theory, dsn progress report 42-44, Jet propulsion laboratories, caltech - McEleice - 1978 |

2 |
Étude des Générateurs de Permutations Pseudo-aléatoires Basés sur le Schéma du DES
- Patarin
- 1991
(Show Context)
Citation Context ...t hK(x, y) = y ⊕ G(x ⊕ F (y)). The family (hK)K is (n, n 2 /2 ℓ+1 )-pseudo-random. Proof. The considered family is nothing but a truncated two-round Feistel construction and the proof is adapted from =-=[16, 19]-=- and [17]. The core of the proof consists in finding a meaningful lower bound for the probability that n different {xi, yi}’s produce n given zi’s. More precisely, the ratio between this probability a... |

1 | A simpli ed and generalised treatment of Luby-Racko pseudo-random permutation generators - Maurer |

1 | Class number, a theory of factorisation, and genera - Shanks - 1971 |