| D. Boneh and R. Lipton, Algorithms for black-box fields and their application to cryptography. Advances in Cryptology -- Crypto 96 Proceedings, Lecture Notes in Computer Science Vol. 1109, N. Koblitz ed., Springer-Verlag, 1996. |
....analysis, probably because it was viewed as a slight modification of Schnorr signatures. In particular, the scheme's tight security reduction to CDH has remained unnoticed until now. Since the hardness of the CDH problem is widely believed to be closely related to the hardness of the DL problem [Sho97,BL96,MW99], our signature scheme offers better security guarantees than well known discrete log based signature schemes. Moreover, by the results of Maurer and Wolf [MW99] we can relate the security of our signature scheme directly to the hardness of the discrete log problem for a large class of groups in ....
Dan Boneh and Richard Lipton. Algorithms for black-box fields and their application to cryptography. In Neal Koblitz, editor, Proceedings of Crypto 96, volume 1109 of LNCS, pages 283--297. Springer-Verlag, May 1996.
....we can break certain algebraically homomorphic The Legendre symbol is defined to be 0 if p divides x, 1 if x is a quadratic residue mod p and if x is not a quadratic residue mod p. cryptosystems by a reduction to the shifted Legendre symbol problem. The best known classical algorithm [9] for breaking these cryptosystems is subexponential and is based on a smoothness assumption. These cryptosystems can also be broken by Shor's algorithm for period finding, but the two attacks on the cryptosystems appear to use completely different ideas. While current quantum algorithms solve ....
....problem. This definition provides a unified way of viewing the quantum Fourier transform's ability to capture subgroup and shift structure. Some of our hidden shift problems can be reduced to the HSP, although efficient algorithms for these HSP instances are not known. Assuming Conjecture 2.1 from [9], the shifted Legendre symbol problem over The Jacobi symbol is defined so that it satisfies the relation bc c and reduces to the Legendre symbol when the lower parameter is prime. Z/pZ can be reduced to an instance of the HSP over the dihedral group D_p = Z/pZ ⋊ Z/2Z in the ....
Dan Boneh and Richard J. Lipton. Algorithms for black-box fields and their application to cryptography. Lecture Notes in Computer Science, 1109:283--297, 1996.
....though, whether the uncomputing step is really necessary, or whether a cleverly designed algorithm might avoid it. Our result gives, to our knowledge, the first nontrivial example For the shifted Legendre symbol problem, this is true assuming a number theoretic conjecture of Boneh and Lipton [5]. for which recursive uncomputation is provably necessary. We conjecture that uncomputation is needed as well for other recursive problems, such as game tree evaluation 2 . The plan is as follows. In Section 2 we define the RFS problem and show that it lies in BQP. In Section 3, we use the ....
D. Boneh and R. Lipton. Algorithms for black box fields and their application to cryptography. In Proceedings of CRYPTO'96, Lecture Notes in Computer Science Vol. 1109, Springer-Verlag, pp. 283-297, 1996.
....generated by P, xP and yP (where x and y are integers), find xyP. This problem is closely related to the well known elliptic curve discrete logarithm problem (ECDLP) (given E(F_q), P, n and xP, find x) [7] and there is strong evidence that the two problems are computationally equivalent (e.g. see [8] and [16]). All protocols in this paper have been described in the setting of the group of points on an elliptic curve defined over a finite field. The following abbreviations are used for clear understanding: IKA denotes implicit key authentication, EKA explicit key authentication, K KS known key ....
D. Boneh and R. Lipton, "Algorithms for Black-Box Fields and their Application to Cryptography", Advances in Cryptology - Crypto '96, LNCS 1109, Springer-Verlag,
....entry of the 1998 International Obfuscated C Code Contest, an ASCII Morse code translator by Frans van Dorsselaer [vD98] adapted for this paper) Homomorphic Encryption. A long standing open problem in cryptography is whether homomorphic encryption schemes exist (cf. [RAD78, FM91, DDN00, BL96, SYY99]). That is, we seek a secure public key cryptosystem for which, given encryptions of two bits (and the public key) one can compute an encryption of any binary Boolean operation of those bits. Obfuscators would allow one to convert any public key cryptosystem into a homomorphic one: use ....
Dan Boneh and Richard Lipton. Algorithms for black-box fields and their applications to cryptography. In M. Wiener, editor, Advances in Cryptology---CRYPTO '96, volume 1109 of Lecture Notes in Computer Science, pages 283--297. Springer-Verlag, August 1996.
....of the full problem really is. For the algebraic problems usually considered, complexity theory still has a long way to go here, but different restricted computational models have been proposed, hoping to prove lower (and upper) bounds under such restrictions. The so called black box fields, see [3], constitute such a model of computation, related to the hidden number problem. By disallowing representation specific operations, one hopes to be able to deduce complexity bounds for the problem under study. A lower bound could for instance be taken as evidence for the security of some ....
....specific things, for example, relating the ith bit of the binary representation of an object to direct algebraic properties, are not possible. The representation need not even be unique. More precisely we say that a finite field IF q , q = p n , is given by a black box model (c.f. [3]) if elements x # IF q are represented through a surjective representation # : 0, 1 m # IF q (m # log q) there are addition and multiplication oracles A, M : 0, 1 m 0, 1 m # 0, 1 m , such that #(A(x, y) #(x) #(y) #(M(x, y) #(x)#(y) there is an ....
D. Boneh and R. J. Lipton, `Algorithms for Black-Box Fields and their Application to Cryptography', in Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, 1109 (1996), 283--297.
....1.1 Open Problems It can be argued that the RSA example can be more naturally considered as a ring than as a group. One may ask if root extraction is also hard for generic algorithms allowed to exploit the full ring structure, i.e. it may do additions as well as multiplications. Boneh and Lipton [BL96] have considered this problem for fields, in a model called black box fields, and have shown that in this model (where the algorithm knows the cardinality of the field) one cannot hide the identity of field elements from the algorithm using random encodings: the algorithm will be able to figure out ....
....is hidden behind an encoding, and so exponential lower bounds in this generic model cannot be shown. The black box field model can easily be changed to a black box ring model. But if we do not give the algorithm the cardinality of the ring, it is unclear whether the results of Boneh and Lipton [BL96] extend to black box rings, and on the other hand also unclear if our lower bound still holds. 2 Lower Bound on Generic Root Extraction Algorithms 2.1 Model In our model, we have public parameters B, C and D. Here, B, C are natural numbers and D is a probability distribution on Abelian groups ....
D. Boneh and R. J. Lipton. Algorithms for black-box fields and their application to cryptography. Lecture Notes in Computer Science, 1109:283--297, 1996.
....of negative results. Ahituv, Lapid, and Neumann showed that any cryptosystem that is xor homomorphic on GF(2^64) is insecure under chosen ciphertext attack [1]. Boneh and Lipton showed that any deterministic cryptosystem that is a field homomorphism must fall victim to a subexponential attack [10]. They further conjectured that any field homomorphic cryptosystem, which they called completely malleable, would prove to be insecure. Brickell and Yacobi broke a number of candidate constructions of privacy homomorphisms [11]. These negative results have their analogue in our results of ....
....the binary operator M . If (R, R , R ) is a ring, we say that Sig : R # Y is a ring homomorphic signature scheme if it is homomorphic with respect to both R and R . Boneh et al. have shown that every 2 field homomorphic signature scheme Sig : F # Y can be broken in subexponential time [10]. 4 Redactable Signatures The problem. Redactable signatures are intended to model a situation where a censor can delete certain substrings of a signed document without destroying the ability of the recipient to verify the integrity of the resulting (redacted) document. In particular, we allow ....
D. Boneh and R. J. Lipton. Algorithms for black-box fields and their application to cryptography. In Neal Koblitz, editor, Advances in Cryptology---CRYPTO '96, pages 283--297, Berlin, 1996. Springer-Verlag. Lecture Notes in Computer Science Volume 1109.
....of extending further general algebraic homomorphic schemes, and enabling circuits of increased depth. Recently [13] a scheme which enables computing with encrypted data over a complete base (which includes logical NOT, OR, and AND) has been referred to as completely 1 Boneh and Lipton [9] showed that deterministic algebraically homomorphic encryption schemes over rings Z/NZ can be broken in subexponential time under a (reasonable) number theoretic assumption. In their argument it is essential though, that the scheme is deterministic and so it does not apply to algebraic ....
D. Boneh, R. Lipton. Algorithms for Black-Box Fields and their Application to Cryptography. Crypto '96. pages 283--297.
.... means that all group elements are represented using a random bijective encoding function #( Z G # G and group operations can only be performed via the addition and inversion oracles #(x y) # # (#(x) #(y) and #( x) # # (x) respectively, which the adversary receives as a black box [15, 22, 23]. 2 For this paper we slightly simplified the classification. Further parameters and values and more details can be found in the full paper [21] Assumptions Related to Discrete Logarithms 247 If we use # in the following we always mean the (not further specified) random encoding used for ....
Dan Boneh and Richard J. Lipton. Algorithms for black box fields and their application to cryptography. In Koblitz [32], pages 283--297.
....The complete equivalence holds for groups such that S is easily constructable. We will also show how to construct DH groups with the property that S is either easily constructable, known to the group designer or at least provably exists. Considerations on related topics can be found in [34] and [21]. In the latter, the notion of a black box field is introduced, what makes explicit our concept of hidden computation, presented in [24] 2 The index search problem and methods for computing discrete logarithms Let A be a set with n elements, and let an enumeration of the elements of A, that is ....
.... ways: If a DH oracle for one of the subgroups hg p e Gamma1 Deltaa i, where p e Gamma1 Delta a divides jGj=p, is available, then x k modulo p can be computed from Gamma a 0 Delta p e Gamma1 Deltaa = i g p e Gamma1 Deltaa j x k p Deltal by use of the given oracle (see also [21]) Alternatively, assume that p th roots can be taken in G. If a 00 : g x k p Deltal 0 (for some l 0 ) is computed first, x k modulo p can be obtained as usual. To get a 00 , it suffices to take the p th root of a 0 k times. Any p k th root of a 0 is of the required form since p ....
D. Boneh and R. J. Lipton, Algorithms for black-box fields and their application to cryptography, preprint, 1995.
....was shown that this is true for certain classes of groups. In this section we describe a general technique for proving such equivalence results which was introduced by Maurer [32] as a generalization of an earlier result by den Boer [15] and was further developed by Wolf [60], Boneh and Lipton [5], Maurer and Wolf [36] and Cherepnev [13]. 3.1 The Diffie Hellman oracle Definition 4 A Diffie Hellman oracle (DH oracle for short) for a group G with respect to a given generator g takes as inputs two elements a, b ∈ G (where a = g^u and b = g^v) and returns (without computational cost) ....
....s from g^s, using the above technique of implicit computing. Because of the Chinese remainder theorem, it is sufficient to compute s modulo the maximal prime powers dividing the group order |G|. We first address the problem of computing s modulo a prime factor p of |G|. Boneh and Lipton [5] have formalized this as the black box field problem. Intuitively, a black box field is a field GF(p) of which the elements are represented by not necessarily unique arbitrary binary strings from which it is a priori difficult to determine the represented field element explicitly. The inverse ....
D. Boneh and R. J. Lipton, Algorithms for black-box fields and their application to cryptography, Advances in Cryptology - CRYPTO '96, Lecture Notes in Computer Science, Vol. 1109, pp. 283--297, Springer-Verlag, 1996.
....from the DL problem to the DH problem proves the equivalence of the two problems for every particular group of a certain order. The construction of such reduction algorithms was intensively studied with the objective to prove the equivalence of the DH and DL problems for all groups [2], [4], [5], [1]. We will see that the application of Corollary 3 to this situation shows that the two problems are not computationally equivalent in a generic sense for all groups. The problem of computing discrete logarithms in groups G of order n when given a DH oracle, i.e. an oracle solving the DH problem, ....
....DL problem to the DH problem for all groups G of order n satisfies T = Omega Gamma286 p) and T = Omega Gamma p q) where p and q are the largest and the largest multiple prime factor of n, respectively. Both bounds in Corollary 4 are asymptotically tight. In [2] and [4] (see also [5] and [1]) generic reduction algorithms from the DL problem to the DH problem were presented which match these bounds. The idea of these algorithms is to reduce, using the DH oracle, the DL problem in G to the same problem in certain groups defined over GF(p) (for all prime factors p of |G| = n) such as ....
D. Boneh and R. J. Lipton, Algorithms for black-box fields and their application to cryptography, Advances in Cryptology - CRYPTO '96, Lecture Notes in Computer Science, Vol. 1109, pp. 283--297, Springer-Verlag, 1996.
....A and B of a smooth elliptic curve over F_p defined by y^2 = x^3 + Ax + B do generally not allow to find p efficiently by the method of [11] because no point can be generated on the curve modulo |G|. In [14] a method is described, presented initially in [21] and independently considered in [3], for obtaining stronger results under the assumption of efficient DH oracle algorithms using algebraic operations for certain groups. For example, a cyclic auxiliary group H_p whose order contains a large prime factor q and a smooth auxiliary group H_q over F_q are sufficient under the assumption ....
D. Boneh and R.J. Lipton, Algorithms for black-box fields and their application to cryptography, preprint, 1995.
....the smallest prime divisor is, the faster the algorithm runs. In [16] Ueli Maurer used elliptic curves to show how one could reduce the problem of calculating discrete logarithms to the Diffie Hellman problem, for some prime moduli. Later work by Maurer and Wolf [17] and Boneh and Lipton [3] finished off this program, by making use of a reasonable conjecture about the distribution of the orders of elliptic curves (the same conjecture used by Lenstra in his factoring method). 7 Conclusion The study of elliptic curves includes much beautiful and deep number theory. Until recently ....
Dan Boneh and Richard Lipton. Algorithms for Black-Box fields and their application to cryptography. In Neal Koblitz, editor, Advances in Cryptology -- Crypto '96, volume 1109 of Lecture Notes in Computer Science, pages 283--297, Berlin, Heidelberg, New York, 1996. Springer--Verlag.
No context found.
D. Boneh and R. Lipton, Algorithms for black-box fields and their application to cryptography. Advances in Cryptology -- Crypto 96 Proceedings, Lecture Notes in Computer Science Vol. 1109, N. Koblitz ed., Springer-Verlag, 1996.
No context found.
D. Boneh and R. Lipton, Algorithms for Black-Box Fields and Their Application to Cryptography. In Proceedings of CRYPTO '96, Lecture Notes in Computer Science No. 1109, Springer-Verlag, 1996. pp. 283-297.
No context found.
D. Boneh and R. Lipton, "Algorithms for black-box fields and their application to cryptography", in Advances in Cryptology - Crypto'96, Lecture Notes in Comp. Sc., vol. 1109, pp. 283-297, Springer Verlag, 1996.
No context found.
D. Boneh, R. Lipton, Algorithms for black box fields and their application to cryptography, to appear in the proceedings of Crypto '96
No context found.
Dan Boneh and Richard J. Lipton. Algorithms for black box fields and their application to cryptography. In Koblitz [32], pages 283--297.
No context found.
D. Boneh and R. Lipton, Algorithms for black-box fields and their application to cryptography, Advances in Cryptology -- Crypto '96, LNCS 1109, Springer-Verlag, 1996, pp. 283-297.
No context found.
D. Boneh and R. Lipton, Algorithms for black-box fields and their applications to cryptography, Advances in Cryptology --- CRYPTO '96, Lecture Notes in Computer Science, 1109 (1996), Springer-Verlag, pp. 283-297.
No context found.
Dan Boneh and Richard J. Lipton. Algorithms for black-box fields and their application to cryptography. In Neal Koblitz, editor, Advances in Cryptology---CRYPTO '96, pages 283--297. Springer-Verlag, 1996. Lecture Notes in Computer Science No. 1109.
No context found.
D. Boneh and R. Lipton, Algorithms for Black-Box Fields and Their Application to Cryptography. In Proceedings of CRYPTO '96, Lecture Notes in Computer Science No. 1109, Springer-Verlag, 1996. pp. 283-297.
No context found.
D. Boneh and R. J. Lipton, Algorithms for black-box fields and their application to cryptography, Advances in Cryptology - CRYPTO '96, Lecture Notes in Computer Science, Vol. 1109, pp. 283--297, Springer-Verlag, 1996.