## Associative one-way functions: A new paradigm for secret-key agreement and digital signatures (1993)

Citations: 8 - 1 self

### BibTeX

@TECHREPORT{Rabi93associativeone-way,

author = {Muhammad Rabi and Alan T. Sherman},

title = {Associative one-way functions: A new paradigm for secret-key agreement and digital signatures},

institution = {},

year = {1993}

}

### Abstract

We propose associative one-way functions as a new cryptographic paradigm for exchanging secret keys and for signing digital documents. First, we precisely define these functions and establish some of their basic properties. Next, generalizing a theorem of Selman, we constructively prove that they exist if and only if $P \neq NP$. In addition, we exhibit an implementation based on integer multiplication. We present a novel protocol that enables two parties to agree on a secret key, and we discuss the security of this protocol. Finally, we generalize our protocol to enable two or more parties to agree on a secret key, and we present a similar protocol for signing documents.

### Citations

2712 | New directions in cryptography
- Diffie, Hellman
- 1976
Citation Context ...tem a plausible implementation of a public-key cryptosystem since no one has proven that breaking it is equivalent to factoring. The key agreement problem was introduced in 1976 by Diffie and Hellman [5, 6], who referred to it as the public-key distribution problem. Without any proof of security, Diffie and Hellman also suggested a plausible solution based on the difficulty of computing discrete logarit...

1115 | A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
- ElGamal
- 1985
Citation Context ...ting $\sigma_U(m') = z \circ \sigma_U(m) = z \circ (m \circ x_U)$. To overcome this difficulty, one could use a public cryptographically-secure hash function, as is typically done in the ElGamal signature scheme [8]. When using a hash function $h : M \to M$, the signer would compute the signature $h(m) \circ x_U$ and assume that Eve cannot find any $z \in M$ and any intelligible message $m' \in M$ such that $h(m') = z \circ h(m)$...

264 | Authentication and authenticated key exchanges
- Diffie, Oorschot, et al.
- 1992
Citation Context ...ised a new way to achieve key agreement based on hash functions and physically-secure memories. Additional methods have been suggested in 1987 by Blom [1], in 1992 by Diffie, van Oorschot, and Wiener [7], and in 1992 by Blundo, De Santis, Herzberg, Kutten, Vaccaro, and Yung [2]. Although several approaches to proving the security of key-agreement protocols have been tried (e.g. see Desmedt and Burmes...

215 | An optimal class of symmetric key generation systems
- Blom
- 1985
Citation Context ...p" hardware, in 1993 Leighton and Micali [12] devised a new way to achieve key agreement based on hash functions and physically-secure memories. Additional methods have been suggested in 1987 by Blom [1], in 1992 by Diffie, van Oorschot, and Wiener [7], and in 1992 by Blundo, De Santis, Herzberg, Kutten, Vaccaro, and Yung [2]. Although several approaches to proving the security of key-agreement proto...

145 | Complexity measures for public-key cryptosystems
- Grollmann, Selman
- 1988
Citation Context ...ay function would imply $P \subsetneq \Delta$ and thus $P \neq NP$, where $\Delta = NP \cap CoNP$. Brassard required that his one-way function be bijective and that its image be in $CoNP$. In 1984, Grollmann and Selman [10][16, Proposition 3] tightened this result by proving that an injective one-way function exists if and only if $P \neq UP$, where $UP$ (unique $P$) is the class of languages that can be accepted in nondeterm...

98 | Theory and Applications of Trapdoor Functions (Extended Abstract)
- Yao
- 1982
Citation Context ...s factoring. Second, we present an elegant two-round protocol that applies any strong AOWF to solve the two-party secret-key agreement problem. Using an information-theoretic framework suggested by Yao [19, 20], we discuss the security of the protocol. In addition, we extend the protocol to handle two or more parties, and we present a similar protocol for signing documents. Throughout, we focus on unauthent...

89 | Privacy and authentication: an introduction to cryptography
- Diffie, Hellman
- 1979
Citation Context ...tem a plausible implementation of a public-key cryptosystem since no one has proven that breaking it is equivalent to factoring. The key agreement problem was introduced in 1976 by Diffie and Hellman [5, 6], who referred to it as the public-key distribution problem. Without any proof of security, Diffie and Hellman also suggested a plausible solution based on the difficulty of computing discrete logarit...

63 | Perfectly secure key distribution for dynamic conferences
- Blundo, Santis, et al.
- 1992
Citation Context ...lly-secure memories. Additional methods have been suggested in 1987 by Blom [1], in 1992 by Diffie, van Oorschot, and Wiener [7], and in 1992 by Blundo, De Santis, Herzberg, Kutten, Vaccaro, and Yung [2]. Although several approaches to proving the security of key-agreement protocols have been tried (e.g. see Desmedt and Burmester [4] and van Oorschot [14]), no one has proven the security of the Diffi...

54 | A key distribution system equivalent to factoring
- McCurley
- 1988
Citation Context ...sted a plausible solution based on the difficulty of computing discrete logarithms over GF(p). Since then, several other approaches to key agreement have been proposed. For example, in 1988 McCurley [13] put forth a method and proved it secure, provided integer factoring is hard. Motivated by practical engineering considerations for "Clipper Chip" hardware, in 1993 Leighton and Micali [12] devised a ...

28 | Extending cryptographic logics of belief to key agreement protocols
- Oorschot
- 1993
Citation Context ...De Santis, Herzberg, Kutten, Vaccaro, and Yung [2]. Although several approaches to proving the security of key-agreement protocols have been tried (e.g. see Desmedt and Burmester [4] and van Oorschot [14]), no one has proven the security of the Diffie-Hellman scheme, even assuming that computing discrete logarithms is infeasible in polynomial time. Any public-key cryptosystem can be used to M. Rabi an...

26 | A survey of one-way functions in complexity theory, Mathematical Systems Theory 25(3
- Selman
- 1992
Citation Context ...i is easy to compute but hard to invert. We say that $\circ$ is strong if inverting $x \circ y$ is hard even when given $x$ or $y$. In this paper we present two results involving AOWFs: First, extending Selman's [16] complexity-theoretic framework for studying one-way functions, we formalize our notion of an AOWF and constructively prove that one exists if and only if $P \neq NP$. We also give a practical implementa...

25 | A note on the complexity of cryptography
- Brassard
- 1979
Citation Context ...iewing Selman's theorem. Brassard was one of the first researchers to investigate connections between the existence of one-way functions and relationships among complexity classes. In 1979, Brassard [3] proved that the existence of a one-way function would imply $P \subsetneq \Delta$ and thus $P \neq NP$, where $\Delta = NP \cap CoNP$. Brassard required that his one-way function be bijective and that its image be in ...

16 | Is the Data Encryption Standard a group? (Results of cycling experiments on DES)
- Jr, Rivest, et al.
- 1988
Citation Context ...s. The idea of associative one-way functions is due to Sherman, who proposed the concept in 1984 in his exploration of relationships among algebraic and security properties of cryptographic functions [17, 11]. Its application in the key-agreement protocol was suggested by Rivest and Sherman in 1984. We expect that the intriguing AOWF concept will be shown to have many other useful applications in cryptolog...

11 | Towards practical proven secure authenticated key distribution
- Desmedt, Burmester
- 1993
Citation Context ...d in 1992 by Blundo, De Santis, Herzberg, Kutten, Vaccaro, and Yung [2]. Although several approaches to proving the security of key-agreement protocols have been tried (e.g. see Desmedt and Burmester [4] and van Oorschot [14]), no one has proven the security of the Diffie-Hellman scheme, even assuming that computing discrete logarithms is infeasible in polynomial time. Any public-key cryptosystem can...

10 | “Cryptography,” in Handbook of Theoretical Computer
- Rivest
- 1990
Citation Context ...d only if $\sigma \circ y_U = m \circ (x_U \circ y_U)$. As with many other signature schemes, this M. Rabi and A. Sherman, Associative One-Way Functions---November 15, 1993 9 scheme is vulnerable to what Rivest [15] calls existential forgery: given any valid message-signature pair $(m, \sigma_U(m))$, it is possible to forge signatures of new messages of the form $m' = z \circ m$, for any $z \in M$. Specifically, forge $\sigma_U$(...

10 | The probability distribution of the Diffie-Hellman key
- Waldvogel, Massey
- 1993

4 | Cryptology and VLSI (a two-part dissertation)
- Sherman
- 1986

3 | Kid Krypto
- Fellows, Koblitz
- 1993
Citation Context ...ilarly, multiplication of square integer matrices is a provable AOWF.² ² Although these functions are not strong AOWFs in the adult cryptographic world, they are examples of strong AOWFs in Fellows' [9] world of kid krypto. Division of large integers is intractable for most first graders, Logical OR An alternate type of stro...

1 | New approaches to secret-key exchange (extended abstract)
- Leighton, Micali
Citation Context ...8 McCurley [13] put forth a method and proved it secure, provided integer factoring is hard. Motivated by practical engineering considerations for "Clipper Chip" hardware, in 1993 Leighton and Micali [12] devised a new way to achieve key agreement based on hash functions and physically-secure memories. Additional methods have been suggested in 1987 by Blom [1], in 1992 by Diffie, van Oorschot, and Wie...

1 | "Computational information theory" in Complexity in Information Theory
- Yao
- 1993
Citation Context ...s factoring. Second, we present an elegant two-round protocol that applies any strong AOWF to solve the two-party secret-key agreement problem. Using an information-theoretic framework suggested by Yao [19, 20], we discuss the security of the protocol. In addition, we extend the protocol to handle two or more parties, and we present a similar protocol for signing documents. Throughout, we focus on unauthent...