Results 1  10
of
21
The Decision DiffieHellman Problem
, 1998
"... The Decision DiffieHellman assumption (ddh) is a gold mine. It enables one to construct efficient cryptographic systems with strong security properties. In this paper we survey the recent applications of DDH as well as known results regarding its security. We describe some open problems in this are ..."
Abstract

Cited by 237 (7 self)
 Add to MetaCart
(Show Context)
The Decision DiffieHellman assumption (ddh) is a gold mine. It enables one to construct efficient cryptographic systems with strong security properties. In this paper we survey the recent applications of DDH as well as known results regarding its security. We describe some open problems in this area. 1 Introduction An important goal of cryptography is to pin down the exact complexity assumptions used by cryptographic protocols. Consider the DiffieHellman key exchange protocol [12]: Alice and Bob fix a finite cyclic group G and a generator g. They respectively pick random a; b 2 [1; jGj] and exchange g a ; g b . The secret key is g ab . To totally break the protocol a passive eavesdropper, Eve, must compute the DiffieHellman function defined as: dh g (g a ; g b ) = g ab . We say that the group G satisfies the Computational DiffieHellman assumption (cdh) if no efficient algorithm can compute the function dh g (x; y) in G. Precise definitions are given in the next sectio...
Variations of diffiehellman problem
 In ICICS ’03, volume 2836 of LNCS
, 2003
"... Abstract. This paper studies various computational and decisional DiffieHellman problems by providing reductions among them in the high granularity setting. We show that all three variations of computational DiffieHellman problem: square DiffieHellman problem, inverse DiffieHellman problem and d ..."
Abstract

Cited by 38 (1 self)
 Add to MetaCart
(Show Context)
Abstract. This paper studies various computational and decisional DiffieHellman problems by providing reductions among them in the high granularity setting. We show that all three variations of computational DiffieHellman problem: square DiffieHellman problem, inverse DiffieHellman problem and divisible DiffieHellman problem, are equivalent with optimal reduction. Also, we are considering variations of the decisional DiffieHellman problem in single sample and polynomial samples settings, and we are able to show that all variations are equivalent except for the argument DDH ⇐ SDDH. We are not able to prove or disprove this statement, thus leave an interesting open problem. Keywords: DiffieHellman problem, Square DiffieHellman problem, Inverse DiffieHellman problem, Divisible DiffieHellman problem
The DiffieHellman Protocol
 DESIGNS, CODES, AND CRYPTOGRAPHY
, 1999
"... The 1976 seminal paper of Diffie and Hellman is a landmark in the history of cryptography. They introduced the fundamental concepts of a trapdoor oneway function, a publickey cryptosystem, and a digital signature scheme. Moreover, they presented a protocol, the socalled DiffieHellman protoco ..."
Abstract

Cited by 30 (0 self)
 Add to MetaCart
(Show Context)
The 1976 seminal paper of Diffie and Hellman is a landmark in the history of cryptography. They introduced the fundamental concepts of a trapdoor oneway function, a publickey cryptosystem, and a digital signature scheme. Moreover, they presented a protocol, the socalled DiffieHellman protocol, allowing two parties who share no secret information initially, to generate a mutual secret key. This paper summarizes the present knowledge on the security of this protocol.
Assumptions Related to Discrete Logarithms: Why Subtleties Make a Real Difference
 Advances in CryptologyEurocrypt 2001, LNCS 2045
, 2002
"... The security of many cryptographic constructions relies on assumptions related to Discrete Logarithms (DL), e.g., the Di#eHellman, Square Exponent, Inverse Exponent or Representation Problem assumptions. In the concrete formalizations of these assumptions one has some degrees of freedom o#ered ..."
Abstract

Cited by 22 (2 self)
 Add to MetaCart
(Show Context)
The security of many cryptographic constructions relies on assumptions related to Discrete Logarithms (DL), e.g., the Di#eHellman, Square Exponent, Inverse Exponent or Representation Problem assumptions. In the concrete formalizations of these assumptions one has some degrees of freedom o#ered by parameters such as computational model, problem type (computational, decisional) or success probability of adversary. However, these parameters and their impact are often not properly considered or are simply overlooked in the existing literature.
Generic Groups, Collision Resistance, and ECDSA
 Designs, Codes and Cryptography
, 2002
"... Proved here is the sufficiency of certain conditions to ensure the Elliptic Curve Digital Signature Algorithm (ECDSA) existentially unforgeable by adaptive chosenmessage attacks. The sufficient conditions include (i) a uniformity property and collisionresistance for the underlying hash function, ( ..."
Abstract

Cited by 17 (2 self)
 Add to MetaCart
Proved here is the sufficiency of certain conditions to ensure the Elliptic Curve Digital Signature Algorithm (ECDSA) existentially unforgeable by adaptive chosenmessage attacks. The sufficient conditions include (i) a uniformity property and collisionresistance for the underlying hash function, (ii) pseudorandomness in the private key space for the ephemeral private key generator, (iii) generic treatment of the underlying group, and (iv) a further condition on how the ephemeral public keys are mapped into the private key space. For completeness, a brief survey of necessary security conditions is also given. Some of the necessary conditions are weaker than the corresponding sufficient conditions used in the security proofs here, but others are identical.
On the security of serveraided RSA protocols
 Proc. PKC '98 , Lect. Notes in Comp. Sci., Vol.1431
, 1998
"... Abstract. In this paper we investigate the security of the serveraided ..."
Abstract

Cited by 7 (1 self)
 Add to MetaCart
(Show Context)
Abstract. In this paper we investigate the security of the serveraided
Provable Security for Physical Cryptography
, 2010
"... The modern approach to cryptography is provable security, where one defines a meaningful formal security model and proves that schemes are secure in this model. An exception is the design of countermeasures against cryptographic sidechannel attacks, which even today is mostly based on heuristic arg ..."
Abstract

Cited by 5 (0 self)
 Add to MetaCart
The modern approach to cryptography is provable security, where one defines a meaningful formal security model and proves that schemes are secure in this model. An exception is the design of countermeasures against cryptographic sidechannel attacks, which even today is mostly based on heuristic arguments, which only try to prevent particular attacks. It was long believed that sidechannels are a practical problem where theoretical cryptography was only of limited use, but recent results indicate that this view is too pessimistic, and in fact, it is possible to extend the realm of provable security also to sidechannel attacks. This survey is a personal and incomplete view on the current state of this exciting and fast moving field.
I.E.: Polynomial representations of the DiffieHellman mapping
 Bull. Aust. Math. Soc
, 2001
"... ..."
The Security of DSA and ECDSA Bypassing the Standard Elliptic Curve Certification Scheme, SpringerVerlag
, 2003
"... Abstract. DSA and ECDSA are well established standards for digital signature based on the discrete logarithm problem. In this paper we survey known properties, certification issues regarding the public parameters, and security proofs. ECDSA also includes a standard certification scheme for elliptic ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
Abstract. DSA and ECDSA are well established standards for digital signature based on the discrete logarithm problem. In this paper we survey known properties, certification issues regarding the public parameters, and security proofs. ECDSA also includes a standard certification scheme for elliptic curve which is assumed to guarantee that the elliptic curve was randomly selected, preventing from any potential malicious choice. In this paper we show how to bypass this scheme and certify any elliptic curve in characteristic two. The prime field case is also studied. Although this does not lead to any attack at this time since all possible malicious choices which are known at this time are specifically checked, this demonstrates that some part of the standard is not well designed. We finally propose a tweak. DSA was published in 1994 following a long dynasty of digital signature schemes based on the ElGamal scheme
The Generic Hardness of Subset Membership Problems under the Factoring Assumption
, 2009
"... Abstract. We analyze a large class of subset membership problems related to integer factorization. We show that there is no algorithm solving these problems efficiently without exploiting properties of the given representation of ring elements, unless factoring integers is easy. Our results imply th ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
Abstract. We analyze a large class of subset membership problems related to integer factorization. We show that there is no algorithm solving these problems efficiently without exploiting properties of the given representation of ring elements, unless factoring integers is easy. Our results imply that problems with high relevance for a large number of cryptographic applications, such as the quadratic residuosity and the subgroup decision problems, are generically equivalent to factoring.