K. McCurley, A key distribution system equivalent to factoring, Journal of Cryptology, vol. 1, pp. 85--105, 1988.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....suggestions below. 4.1 Traceability Our proposal could offer some help in the management of key escrowing services. Consider the variant of the DiffieHellman key exchange protocol, where a composite modulus n is used. Such a variant has been studied by various researchers including Mc Curley in [20], where it is shown that some specific choices lead to a scheme that is at least as difficult as factoring. Assume further that the modulus n and the base for exponentiations g are chosen as described in section 1. It has been proposed (see e.g [14] that g and n could be defined by some kind of ....

K. McCurley, A key distribution system equivalent to factoring, Journal of Cryptology, vol. 1, pp. 85--105, 1988.

.... ground of RSA [29] and its variants such as Rabin Williams [28, 36] LUC s scheme [32] or elliptic curve versions of RSA like KMOV [20] Also the di#culty of the discrete logarithm problem forms the ground of Di#e Hellman type schemes like ElGamal [12] elliptic curve cryptosystem, DSS, McCurley [23]. There have been several e#orts to develop alternative PKC s that are not based on number theory. The first attempt was to use NP hard problems in combinatorics like Merkle Hellman Knapsack [24] and its modifications. Though many cryptographers have been pessimistic about combinatorial ....

K. McCurley, A key distribution system equivalent to factoring, Journal of Cryptology 1 (1988), 95--105.

....Motivated by this application, we provide in this note a proof that the GDH Assumption modulo a Blum integer is not stronger than the assumption that factoring Blum integers is hard. Similar reductions were previously described in the context of the standard Diffie Hellman assumption by McCurley [2] and Shmuely [5] In fact, Shmuely [5] also provided a related proof that the GDH Assumption (modulo a composite) itself can be reduced to factoring. Her reduction works when the algorithm that breaks the GDH Assumption succeeds in computing g Q i2[k] a i for every choice of values ha 1 ; a 2 ....

K. McCurley, A key distribution system equivalent to factoring, J. of Cryptology, vol 1, 1988, pp. 95-105.

....a variety of groups have been proposed for use in discrete log cryptosystems. These include: i) the multiplicative group of a nite eld of characteristic 2; ii) a proper subgroup of the multiplicative group of a nite eld [23] iii) the group of units of Z n , n being a composite integer [18]; iv) the group of points on an elliptic curve de ned over a nite eld [12, 19] v) the Jacobian of a hyperelliptic curve de ned over a nite eld [13] vi) the class group of an imaginary quadratic number eld [5] and (vii) the Jacobian of a superelliptic curve de ned over a nite eld [9] ....

K. McCurley, A key distribution system equivalent to factoring, J. Cryptology 1 (1988), 95-105. 10

....of its many applications. Additional evidence to the validity of the DDH Assumption lies in the fact that it endured the extensive research of the related CDH Assumption. To some extent, the DDH Assumption is also supported by the results on the strength of the CDH Assumption in several groups [13, 49, 50, 66] and by additional results [13, 18, 67] For instance, Shoup [67] showed that the DDH Problem is hard for any generic algorithm. However, a main conclusion of this paper is that the DDH Assumption deserve more attention since it implies the security of many attractive cryptographic ....

....is no reason to insist on working in a subgroup of Z P (where P is a prime) Therefore, a natural question is how valid is this assumption for other groups. Speci c groups that were considered in the context of the CDH Assumption are: 1) Z N where N is a composite. McCurley and Shmuely [50, 66] showed that for many of those groups breaking the CDH Assumption is at least as hard as factoring N . 2) Elliptic curve groups, for which (in some cases) no subexponential algorithms for the discrete log are currently known. We stress that the randomized reduction mentioned above relies on the ....

K. McCurley, A key distribution system equivalent to factoring, J. of Cryptology, vol 1, 1988, pp. 95-105.

....G ab in polynomial time. Clearly 6 this assumption relies on the hardness of computing discrete logs. Reductions in the inverse direction are not known. ElGamal over a composite. We are going to use the following variation of the ElGamal encryption scheme [13, 14] over a composite modulus [33, 40]. The public encryption key is EK = N; G 0 ; G; Y ) where N; G 0 and G are as described above. Y is computed as Y = G X mod N with X 2R ZN . X is the secret decryption key. A message M is encrypted under EK by choosing a random K 2R ZN and computing A = G K 0 mod N and B = Y K Delta M mod ....

K.S. McCurley. A key distribution system equivalent to factoring. J. of Cryptology. vol.1, pp.95--105, 1988.

....be pointed out that it is unknown whether such a group exists. Specific groups that have been proposed for application in this protocol are the multiplicative groups of large finite fields (prime fields [9] or extension fields) the multiplicative group of residues modulo a composite number [23, 25], elliptic curves over finite fields, the Jacobian of a hyperelliptic curve over a finite field and the class group of imaginary quadratic fields [5] In order to generate a mutual secret key, Alice and Bob secretly choose integers xA and xB , respectively, at random from the interval [0; jGj ....

....to digital signature schemes based on the discrete logarithm problem (e.g. 10] 35] it is not required for the Diffie Hellman protocol that the order of the group be known. In this case, xA and xB are chosen from a sufficiently large interval. In fact, it has been pointed out (e.g. see [25]) that using groups with unknown order may be advantageous, and the non interactive public key scheme of [23] relies crucially on the fact that the group order is unknown. We assume that jGj and its factorization jGj = Q r i=1 p e i i are known. We show under a plausible number theoretic ....

K.S. McCurley, A key distribution system equivalent to factoring, Journal of Cryptology, vol. 1, no. 2, pp. 95-105.

....uniformly distributed in the set fg c : c 2 Z jGj g. Specific groups that have been proposed for application in the DH protocol are the multiplicative groups of large finite fields (prime fields [16] or extension fields) the multiplicative group of residues modulo a composite number [37] [38], elliptic curves over finite fields [43] 24] the Jacobian of a hyperelliptic curve over a finite field [23] and the class group of imaginary quadratic fields [9] This paper is organized as follows. In Section 2, some computational problems related to the DH protocol are discussed such as ....

K. S. McCurley, A key distribution system equivalent to factoring, Journal of Cryptology, Vol. 1, No. 2, pp. 95--105, 1988.

....5 Where w is the cleartext, a r sender s key, a z receiver s public key, and a rz message specific public key. 10 encryption. The latter is a well studied randomized encryption function and is known to be resistant to this type of attack. In fact, an elegant result by McCurley [23] shows that the security of ElGamal encryption in composite order groups (as in our case) is provably at least as hard as factoring the modulus n (see also [24] p. 316) 5.4 Exculpability Lemma 5.4 Neither a group member nor the group manager can sign on behalf of other group members. Proof ....

K. McCurley. A key distribution system equivalent to factoring. Journal of Cryptology, 1:95--105, 1988.

.... Delta z h(m) m without needing partial results from other participants. This attack is very useful in situations where the quorum of t honest participants is not reached, which means that other members of the group cannot decrypt the message. 3 This problem has been considered by McCurley [8] and is proven to be hard as long as at least one of the problems of computing discrete logarithms and factoring large integers remains intractable. When the authority requires a proof of knowledge of the secret key, then C fails because he does not know the discrete logarithm of z he has ....

M. McCurley, "A Key Distribution System Equivalent to Factoring," Journal of Cryptology, vol. 1, no. 2, pp. 95--105, 1988.

No context found.

K. McCurley, A key distribution system equivalent to factoring, Journal of Cryptology, vol. 1, pp. 85--105, 1988.

No context found.

K. McCurley, A key distribution system equivalent to factoring, Journal of Cryptology, vol. 1, pp. 85--105, 1988.

No context found.

K. McCurley, A Key Distribution System Equivalent to Factoring, Journal of Cryptology, Vol. 1, pp. 95--105, 1988.

No context found.

K. McCurley, A Key Distribution System Equivalent to Factoring, Journal of Cryptology, Vol. 1, pp. 95--105, 1988.

No context found.

K.S. McCurley, A Key Distribution System equivalent to Factoring, preprint, 1987.

No context found.

K. McCurley, A Key Distribution System Equivalent to Factoring, Journal of Cryptology, Vol. 1, pp. 95--105, 1988.

No context found.

K. McCurley, A key distribution system equivalent to factoring, Journal of Cryptology, vol. 1, pp. 85--105, 1988.

No context found.

K. McCurley. A key distribution system equivalent to factoring. In Journal of Cryptology, pp. 95--105, Vol. 1, No. 2, Autumn 1988.

No context found.

K. McCurley, A key distribution system equivalent to factoring, Journal of Cryptology, vol. 1, pp. 85--105, 1988.

No context found.

K. McCurley, A Key Distribution System Equivalent to Factoring, Journal of Cryptology, Vol. 1, pp. 95--105, 1988.

No context found.

K. McCurley, A key distribution system equivalent to factoring, J. of Cryptology, vol 1, 1988, pp. 95-105.

No context found.

Kevin S. McCurley. A key distribution system equivalent to factoring. Journal of Cryptology: the journal of the International Association for Cryptologic Research, 1(2):95--105, 1988.

No context found.

K. McCurley, A Key Distribution System Equivalent to Factoring, Journal of Cryptology, Vol. 1, pp. 95--105, 1988.

No context found.

K. McCurley, A key distribution system equivalent to factoring, Journal of Cryptology, vol. 1, pp. 85--105, 1988.

No context found.

K. S. McCurley, `A key distribution system equivalent to factoring J. Cryptology 1 (1988), 95--105.

First 50 documents

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC