D. Boneh. The decision diffie-hellman problem. In Third Algorithmic Number Theory Symposium (ANTS), volume 1423 of Lecture Notes in Computer Science. Springer-Verlag, Berlin Germany, 1998. Invited paper.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....at the cost of fewer than three modular exponentiations. This is comparable to another attractive construction by NR [20] of pseudorandom functions which are at least as secure as the Decisional Diffie Hellman (DDH) problem. While the DDH problem has received much attention recently (see [4]) it is not nearly as well established as factoring. Organization: The next section contains the background material and our construction. The main result of our work, the efficient construction of a pseudorandom function which is at least as secure as factoring Blum integers, is presented in ....

D. Boneh, The decision Diffie-Hellman problem, Proceedings of the Third Algorithmic Number Theory Symposium, Lecture Notes in Computer Science, Vol. 1423, Springer-Verlag, 1998, pp. 48-63.

....the extension is somewhat simpler and all of the important underlying ideas are illustrated. The theorem following Construction 5 shows that the construction is secure provided the Decision Diffie Hellman (DDH) assumption is hard. We informally state the assumption here, referring the reader to [1] for a more precise and detailed discussion and to [29, 10] for examples of proofs of reduction to the DDH problem. DDH is defined for any cyclic group G and generator g. The DDH assumption is that it is difficult to distinguish between the distributions of (gO, gb, gob) and (gO, gb, gO) where a, ....

D. Boneh. The Decision Diffie-Hellman Problem. In Proceedings of the Third Algorithmic Number Theory Symposium, Lecture Notes in Computer Science 1423, pp. 48-63, 1998.

...., i.e. the adversary does not control the choice of x. Example 1 Let DomF be all quadratic residues modulo p, where p is a safe prime number, i.e. both p and q = p Gamma 1) 2 are primes. Let Key F be f1; 2; q Gamma 1g. Then, assuming the Decisional Diffie Hellman hypothesis (DDH) [10], the power function fe(x) j x mod p is a commutative encryption: ffl The powers commute: x mod p = x de mod p = x mod p. ffl Each of the powers fe is a bijection with its inverse being e = f e Gamma1 modq . ffl DDH claims that for any generating (6=1) element g 2 DomF ....

D. Boneh. The decision diffie-hellman problem. In Proc. of the 3rd International Algorithmic Number Theory Symposium, volume 1423 of Lecture Notes in Computer Science, pages 48--63, Portland, Oregon, USA, June 1998. SpringerVerlag.

....In these systems, a group member wants to participate in the group activity without revealing her identity except when honor is awarded to herself as a winner. This is the basic problem of anonymous authentication. As the previous works, witness indistinguishability [6, 7] based or Zero Knowledge [1, 8, 9] based anonymous authentication has been achieved [2, 11, 15, 16] Up to now, most of previous works have been tried to reduce computation and communication complexity in their protocols. Yet no schemes are practical enough to be used in environment with power limited devices such as smart cards ....

D. Boneh, "The decision Diffie-Hellman problem", ANTS 1998.

....believed to be a hard problem. The G DDH problem appears to have first surfaced in the cryptographic literature in the paper of Steiner et al. 31] which also proves that the DDH assumption implies the G DDH assumption. Since then, the G DDH has been used in several other cryptographic settings [12, 25]. The G CDH assumption is a potentially weaker intractability assumption than G DDH. It is also believed that the CDH assumption implies the G CDH assumption but it has not yet been proved. The G CDH has however, when considered modulo a composite number, been related to factoring [9] 4 Model ....

....P(I n ) such that I n = 2 Gamma . We define the Group Diffie Hellman distribution relative to Gamma as: G CDH Gamma = n [ J2 Gamma (J; g j2J x j ) j (x 1 ; x n ) 2R Z p o If Gamma = P(I)nfI n g, we say that G CDH Gamma is the Full Generalized Diffie Hellman distribution [12, 25, 31]. Given Gamma , a (T ; ffl) G CDH Gamma attacker for G is a probabilistic Turing machine Delta running in time T that given G CDH Gamma outputs g with probability at least ffl. We denote this probability by Succ gcdh G ( Delta) The G CDH Gamma problem is (T ; ffl) intractable if there ....

D. Boneh. The Decision Diffie-Hellman Problem. In Third Algorithmic Number Theory Symposium, vol. 1423 of LNCS, pages 48--63. Springer, 1998.

.... col for the discrete logarithm relation based on the strong RSA assumption [4] and DCRA [45] As another example, we present a partial extracting Omega Gamma part col for proving knowledge of the plaintext of an ElGamal ciphertext [23] based on the Decision Diffie Hellman assumption [5]. We show that if the original protocol Pi is an Omega Gamma 4384 col, then the transformed protocol Pi is non malleable, basically by noting that if one could not extract a witness for Pi, then one could extract (and thus forge) a signature. Furthermore, the distribution of reference ....

D. Boneh. The decision Diffie-Hellman problem. In Proceedings of the Third Algorithmic Number Theory Symp. (LNCS 1423), pp. 48--63, 1998.

....key exchange protocol [43] Alice and Bob fix a finite cyclic G and a generator g. They respectively pick random a; b 2 [1; jGj] and exchange g . The secret key is g . Proving the security of the protocol under reasonable assumptions has been a challenging problem in cryptography (see [15]) Computing the most significant bits of g is as hard as computing g itself, in the case of prime fields: Theorem 2 (Boneh Venkatesan) Let q be an n bit prime and g be a generator of Z . Let 0 be fixed, and set = n) d ne. Suppose there exists an expected polynomial time (in ....

D. Boneh. The decision Diffie-Hellman problem. In Algorithmic Number Theory -- Proc. of ANTS-III, volume 1423 of LNCS. Springer-Verlag, 1998.

....for the standard Weil Pairing e(P,Q) A more comprehensive description is provided in [6] 3.2. Diffie Hellman Problem The Decisional Diffie Hellman (DDH) Problem is a gold mine. The key agreement protocols available today are mostly based on DDH problem. The problem is discussed thoroughly in [5]. When elliptic curves were first proposed in [16] computing the number of points of a given curve was a challenging task. For this reason and also to simplify the addition formulas, it was shown later on that some of these special cases are not good enough. Three weak special cases have been ....

D. Boneh, The Decision Diffie-Hellman Problem. In Proceesings of the 3 rd Algorithmic Number theory Symposium, Lecture Notes in Computer Science, Volume 1423, Springer, pp 48 - 63, 1998

....leading O s. Compute and output using the Bi s, which are the output of SME1 0 Fiji: H Hi) mod N, j: 1. L (3) Eij:l 1 Currently, there is no proof that the Computational Diffie Hellman assumption (CDH) implies that the result of the DH protocol contains a large enough number of secret bits [4]. Hence, we rely on DDH and not on CDH. That is, f modular products Pill, PIll are computed, one per each column of the exponent array, where a product P[j] is a modular multiplication of all the Bi s for which the corresponding bit Eij = 1 (if Vi, Eij = 0 then P[j] 1) Later, in Section 5, ....

D. Boneh. The decision Diffie-Hellman problem. In Proceedings of the Third Algorithmic Number Theory Syrup., LNCS Vol. 1423, Springer-Verlag, pages 48-63, 1998.

....key exchange protocol [36] Alice and Bob fix a finite cyclic G and a generator g. They respectively pick random a; b 2 [1; jGj] and exchange g . The secret key is g . Proving the security of the protocol under reasonable assumptions has been a challenging problem in cryptography (see [12]) Computing the most significant bits of g is as hard as computing g itself, in the case of prime fields: Theorem 2 (Boneh Venkatesan) Let q be an n bit prime and g be a generator of Z q . Let 0 be fixed, and set = n) d ne. Suppose there exists an expected polynomial time ....

D. Boneh. The decision Diffie-Hellman problem. In Algorithmic Number Theory -- Proc. of ANTS-III, volume 1423 of LNCS. Springer-Verlag, 1998.

....are exactly twice those of the basic ElGamal cryptosystem. The properties of standard semantic security and also universal semantic security under re encryption (as characterized by experiment uss) may be shown straightforwardly to be reducible to the Decision Diffie Hellman (DDH) 8 assumption [4] over the group G, in much the same way as the semantic security of ElGamal [37] Thus, one possible choice of G is the subgroup of order q of Z p , where p and q are primes such that q j p Gamma 1. An alternative, with the advantage of more compact ciphertext representation, is a group of ....

D. Boneh. The Decision Diffie-Hellman problem. In ANTS '98, pages 48--63. Springer-Verlag, 1998. LNCS no. 1423. 13

....of Diffie Hellman based key exchange protocols. Additionally, we will also use the Entropy Smoothing Theorem to transform random group elements into random bit strings via a universal hash function. See [17, Chapter 8] for an exposition on the Entropy Smoothing Theorem. The reader is referred to [10, 11, 18, 19] for further applications of and discussions about the DDH. 4.3 Security Analysis of DHKE The security property for the signature schemes we require is existential unforgeability against adaptive chosen message attack, as defined in [16] In the sequel, this is what we mean by a secure signature ....

D. Boneh. The Decision Diffie-Hellman Problem. In Ants-III, pages 48--63, 1998. Springer LNCS 1423.

....restricted to classes of functions that can be represented by a lowdimensional linear arrangement. It is widely believed that the Diffie Hellman function itself is hard to compute (computational Diffie Hellman assumption) or even hard to decide (Diffie Hellman indistinguishability assumption, see [1]) So unpredictability results of this kind are not a great surprise. On the other hand it would have a dramatic impact on modern cryptography if such a simple representation does exist. This observation was the motivation of various research papers that are closely related to our work. In [3, 14, ....

D. Boneh. The decision Diffie-Hellman problem. Lecture Notes in Computer Science, 1423:48-- 63, 1998.

....at the cost of fewer than three modular exponentiations. This is comparable to another attractive construction by NR [19] of pseudorandom functions which are at least as secure as the Decisional Diffie Hellman (DDH) problem. While the DDH problem has received much attention recently (see [4]) it is not nearly as well established as factoring. 1 Note the difference between a pseudorandom function and a bit generator the latter expands a random seed to some fixed length sequence that should be indistinguishable from a random sequence of similar length; there is no probing in the ....

D. Boneh, The decision Diffie-Hellman problem, Proceedings of the Third Algorithmic Number Theory Symposium, Lecture Notes in Computer Science, Vol. 1423, Springer-Verlag, 1998, pp. 48-63.

.... (i.e. it is not known whether an attacker can compute knowledge about them 15 ) The shared DH secret is indistinguishable from an element chosen at random from the group if and only if the Decisional Diffie Hellman problem in that group is hard (in several groups it is an easy problem) see [11]. Also notice that J K L does not span all the bit strings of length M . Hence if we take a random number, chances are greater that the most significant bit equals 0. Hence, it makes sense to spread the risk and have the bits in the new session key depend on all the bits of the shared DH ....

BONEH, D. The decision Diffie-Hellman problem. Lecture Notes in Computer Science 1423 (1998), 48--63.

....) such that I n = 2 Gamma . We define the Group Diffie Hellman distribution relative to Gamma as: G CDH Gamma = n [ J2 Gamma (J; g Q j2J x j ) j x = x 1 ; xn ) 2R Z n p o : If Gamma = P(I)nfIn g, we say that G CDH Gamma is the Full Generalized DiffieHellman distribution [9, 23, 30]. Given Gamma , a (T ; G CDH Gamma attacker in G is a probabilistic Turing machine Delta running in time T that given G CDH Gamma outputs g x1 Delta Delta Deltax n with probability at least . We denote this probability by Succ gcdh G ( Delta) The G CDH Gamma problem is (T ; ....

D. Boneh. The Decision Diffie-Hellman Problem. In Third Algorithmic Number Theory Symposium, volume 1423 of Lecture Notes in Computer Science, pages 48--63. Springer-Verlag, 1998.

No context found.

D. Boneh. The decision diffie-hellman problem. In Third Algorithmic Number Theory Symposium (ANTS), volume 1423 of Lecture Notes in Computer Science. Springer-Verlag, Berlin Germany, 1998. Invited paper.

No context found.

D. Boneh. The Decision Diffie-Hellman problem. In ANTS-III: Proceedings of the Third International Symposium on Algorithmic Number Theory, pages 48--63. Springer-Verlag, 1998.

No context found.

D. Boneh, The decision Diffie-Hellman problem, Proceedings of the Third Algorithmic Number Theory Symposium, Lecture Notes in Computer Science, Vol. 1423, Springer-Verlag, 1998, pp. 48-63.

No context found.

D. Boneh. The decision diffie-hellman problem. In Third International Symposium on Algorithmic Number Theory, volume 1423 of Lecture Notes in Computer Science, pages 48--63. Springer Verlag, 1998.

No context found.

D. Boneh. The decision diffie-hellman problem. In Proc. of the 3rd International Algorithmic Number Theory Symposium, volume 1423 of Lecture Notes in Computer Science, pages 48--63, Portland, Oregon, USA, June 1998. SpringerVe r l a g

No context found.

Dan Boneh. The Decision Diffie-Hellman problem. In Third Algorithmic Number Theory Symposium, number 1423 in Lecture Notes in Computer Science, pages 48--63. Springer-Verlag, Berlin Germany, 1998.

No context found.

Dan Boneh. The decision diffie-hellman problem. In the Third Algorithmic Number Theory Symposium, volume 1423 of Lecture Notes in Computer Science, pages 48--63. Springer-Verlag, 1998.

No context found.

D. Boneh. The decision Diffie-Hellman problem. In Proceedings of the Third Algorithmic Number Theory Symposium (LNCS 1423), pp. 48--63, 1998.

No context found.

D. Boneh. The Decision Diffie-Hellman problem. In Third Algorithmic Number Theory Symposium, number 1423 in Lecture Notes in Computer Science, pages 48--63. Springer-Verlag, Berlin Germany, 1998.

First 50 documents

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC