Results 1-4 of 4
On the static Diffie-Hellman problem on elliptic curves over extension fields
2010
Abstract

Cited by 6 (0 self)
We show that for any elliptic curve E(F_{q^n}), if an adversary has access to a Static Diffie-Hellman Problem (Static DHP) oracle, then by making O(q^{1 - 1/(n+1)}) Static DHP oracle queries during an initial learning phase, for fixed n > 1 and q → ∞ the adversary can solve any further instance of the Static DHP in heuristic time Õ(q^{1 - 1/(n+1)}). Our proposal also solves the Delayed Target DHP as defined by Freeman, and naturally extends to provide algorithms for solving the Delayed Target DLP, the One-More DHP and One-More DLP, as studied by Koblitz and Menezes in the context of Jacobians of hyperelliptic curves of small genus. We also argue that for any group in which index calculus can be effectively applied, the above problems have a natural relationship, and will always be easier than the DLP. While practical only for very small n, our algorithm reduces the security provided by the elliptic curves defined over F_{p^2} and F_{p^4} proposed by Galbraith, Lin and Scott at EUROCRYPT 2009, should they be used in any protocol where a user can be made to act as a proxy Static DHP oracle, or if used in protocols whose security is related to any of the above problems.
DISCRETE LOGARITHMS, DIFFIE-HELLMAN, AND REDUCTIONS
2011
Abstract
We consider the One-Prime-Not-p and All-Primes-But-p variants of the Discrete Logarithm (DL) problem in a group of prime order p. We give reductions to the Diffie-Hellman (DH) problem that do not depend on any unproved conjectures about smooth or prime numbers in short intervals. We show that the One-Prime-Not-p DL problem reduces to DH in time roughly L_p(1/2); the All-Primes-But-p DL problem reduces to DH in time roughly L_p(2/5); and the All-Primes-But-p DL problem reduces to the DH plus Integer Factorization problems in polynomial time. We also prove that under the Riemann Hypothesis, with ε log p queries to a yes-or-no oracle one can reduce DL to DH in time roughly L_p(1/2); and under a conjecture about smooth numbers, with ε log p queries to a yes-or-no oracle one can reduce DL to DH in polynomial time.
Hierarchical deterministic Bitcoin wallets that tolerate key leakage (Short paper)
Abstract
A Bitcoin wallet is a set of private keys known to a user and which allow that user to spend any Bitcoin associated with those keys. In a hierarchical deterministic (HD) wallet, child private keys are generated pseudorandomly from a master private key, and the corresponding child public keys can be generated by anyone with knowledge of the master public key. These wallets have several interesting applications including Internet retail, trustless audit, and a treasurer allocating funds among departments. A specification of HD wallets has even been accepted as Bitcoin standard BIP32. Unfortunately, in all existing HD wallets, including BIP32 wallets, an attacker can easily recover the master private key given the master public key and any child private key. This vulnerability precludes use cases such as a combined treasurer-auditor, and some in the Bitcoin community have suspected that this vulnerability cannot be avoided. We propose a new HD wallet that is not subject to this vulnerability. Our HD wallet can tolerate the leakage of up to m private keys with a master public key size of O(m). We prove that breaking our HD wallet is at least as hard as the so-called “one more” discrete logarithm problem.