Results

### Computing information on domain parameters from public keys selected uniformly at random

2015

Abstract

The security of many cryptographic schemes and protocols rests on the conjectured computational intractability of the discrete logarithm problem in some group 〈g〉 of prime order. Such schemes and protocols require domain parameters that specify 〈g〉 and a specific generator g. In this paper we consider the problem of computing information on the domain parameters from public keys selected uniformly at random from 〈g〉. We show that it is not possible to compute any information on the generator g regardless of the number of public keys observed. In the case of elliptic curves E(F_p) or E(F_{2^n}) on short Weierstrass form, or E(K) on Edwards form, twisted Edwards form or Montgomery form, where K is a non-binary field, we show how to compute the domain parameters excluding the generator from four keys on affine form. Hence, if the domain parameters excluding the generator are to be kept private, points may not be transmitted on affine form. It is an open question whether point compression is a sufficient requirement. Regardless of whether points are transmitted on affine or compressed form, it is in general possible to create a distinguisher for the domain parameters, excluding the generator, both in the case of the elliptic curve groups previously mentioned, and in the case of subgroups of F_p^*. We propose that a good method for preventing all of the above attacks may be to use blinding schemes, and suggest new applications for existing blinding schemes originally designed for steganographic applications.

### Efficient ephemeral elliptic curve cryptographic keys

Abstract

We show how any pair of authenticated users can on-the-fly agree on an elliptic curve group that is unique to their communication session, unpredictable to outside observers, and secure against known attacks. Our proposal is suitable for deployment on constrained devices such as smartphones, allowing them to efficiently generate ephemeral parameters that are unique to any single cryptographic application such as symmetric key agreement. For such applications it thus offers an alternative to long term usage of standardized or otherwise pre-generated elliptic curve parameters, obtaining security against cryptographic attacks aimed at other users, and eliminating the need to trust elliptic curves generated by third parties.

### TapDance: End-to-Middle Anticensorship without Flow Blocking

23rd USENIX Security Symposium, 2014