Results 1-10 of 13
Elliptic curve cryptography: The serpentine course of a paradigm shift
J. Number Theory, 2008
Cited by 22 (5 self)
Over a period of sixteen years elliptic curve cryptography went from being an approach that many people mistrusted or misunderstood to being a public key technology that enjoys almost unquestioned acceptance. We describe the sometimes surprising twists and turns in this paradigm shift, and compare this story with the commonly accepted Ideal Model of how research and development function in cryptography. We also discuss to what extent the ideas in the literature on “social construction of technology” can contribute to a better understanding of this history.
Leakage Resilient ElGamal Encryption
Cited by 20 (0 self)
Abstract. Blinding is a popular and well-known countermeasure to protect public-key cryptosystems against side-channel attacks. The high-level idea is to randomize an exponentiation in order to prevent multiple measurements of the same operation on different data, as such measurements might allow the adversary to learn the secret exponent. Several variants of blinding have been proposed in the literature, using additive or multiplicative secret-sharing to blind either the base or the exponent. These countermeasures usually aim at preventing particular side-channel attacks (mostly power analysis) and come without any formal security guarantee. In this work we investigate to what extent blinding can provide provable security against a general class of side-channel attacks. Surprisingly, it turns out that in the context of public-key encryption some blinding techniques are more suited than others. In particular, we consider a multiplicatively blinded version of ElGamal public-key encryption where – we prove that the scheme, instantiated over bilinear groups of prime order p (where p−1 is not smooth), is leakage resilient in the generic-group model. Here we consider the model of chosen-ciphertext security in the presence of continuous leakage, i.e., the scheme remains chosen-ciphertext secure even if with every decryption query the adversary can learn a bounded amount (roughly log(p)/2 bits) of arbitrary, adversarially chosen information about the computation. – we conjecture that the scheme, instantiated over arbitrary groups of prime order p (where p−1 is not smooth), is leakage resilient. Previous to this work no encryption scheme secure against continuous leakage was known. Constructing a scheme that can be proven secure in the standard model remains an interesting open problem.
Another look at non-standard discrete log and Diffie-Hellman problems
J. Math. Cryptology
Cited by 13 (3 self)
Abstract. We examine several versions of the one-more-discrete-log and one-more-Diffie-Hellman problems. In attempting to evaluate their intractability, we find conflicting evidence of the relative hardness of the different problems. Much of this evidence comes from natural families of groups associated with curves of genus 2, 3, 4, 5, and 6. This leads to questions about how to interpret reductionist security arguments that rely on these non-standard problems.
Boneh-Boyen signatures and the Strong Diffie-Hellman problem
Pairing-Based Cryptography — Pairing 2009, Lecture Notes in Computer Science
Cited by 9 (0 self)
Abstract. The Boneh-Boyen signature scheme is a pairing-based short signature scheme which is provably secure in the standard model under the q-Strong Diffie-Hellman assumption. In this paper, we prove the converse of this statement, and show that forging Boneh-Boyen signatures is actually equivalent to solving the q-Strong Diffie-Hellman problem. Using this equivalence, we exhibit an algorithm which, on the vast majority of pairing-friendly curves, recovers Boneh-Boyen private keys in O(p^{2/5+ε}) time, using O(p^{1/5+ε}) signature queries. We present implementation results comparing the performance of our algorithm and traditional discrete logarithm algorithms such as Pollard’s lambda algorithm and Pollard’s rho algorithm. We also discuss some possible countermeasures and strategies for mitigating the impact of these findings.
INTRACTABLE PROBLEMS IN CRYPTOGRAPHY
Cited by 4 (1 self)
Abstract. We examine several variants of the Diffie-Hellman and Discrete Log problems that are connected to the security of cryptographic protocols. We discuss the reductions that are known between them and the challenges in trying to assess the true level of difficulty of these problems, particularly if they are interactive or have complicated input.
THE RANDOM ORACLE MODEL: A TWENTY-YEAR RETROSPECTIVE
Cited by 2 (0 self)
Abstract. It has been roughly two decades since the random oracle model for reductionist security arguments was introduced and one decade since we first discussed the controversy that had arisen concerning its use. In this retrospective we argue that there is no evidence that the need for the random oracle assumption in a proof indicates the presence of a real-world security weakness in the corresponding protocol. We give several examples of attempts to avoid random oracles that have led to protocols that have security weaknesses that were not present in the original ones whose proofs required random oracles. We also argue that the willingness to use random oracles gives one the flexibility to modify certain protocols so as to reduce dependence on potentially vulnerable pseudorandom bit generators. Finally, we discuss a modified version of ECDSA, which we call ECDSA+, that may have better real-world security than standard ECDSA, and compare it with a modified Schnorr signature. If one is willing to use the random oracle model (and the analogous generic group model), then various security arguments are known for these two schemes. If one shuns these models, then no provable security result is known for them.
Programmability in the Generic Ring and Group Models
Abstract. The programmability has long been used as a tool to prove security of schemes in the random oracle model (ROM) even in the cases where schemes do not seem to have a security proof in the standard model.
A Tunable Broadcast Encryption Scheme
Abstract. In this paper, we describe yet another broadcast encryption scheme for stateless receivers. The main difference between our scheme and the classical schemes derived from the complete subtree and its subsequent improvements is that in our scheme the group management is based upon a more adaptable data structure. In these classical schemes, users must be spread on a tree structure where each level of the tree is associated to some distinguishing property of the users. The fact that the underlying data structure is a fixed tree is a strong limitation for some applications where an operator wants to select users very dynamically following criteria with changing levels of priority. Our scheme may be thought of as if in the complete subtree it would be possible to exchange the different levels of the tree in order to make it very efficient to revoke or select a class of users. It is also very efficient in the cases where there exist very unbalanced groups of users. This scheme allows one to select or revoke users by sending ciphertexts of linear size with respect to the number of groups, which is in general far less than the number of users. Moreover, by using a specific group repartition, it is possible to recover a tree structure in order to apply the classical methods, which guarantees that our scheme is in general as efficient as the usual ones. We prove that our scheme is fully collusion secure in the generic group with pairing model.
Keywords: Public-key broadcast encryption, Group management, Generic model of groups with pairing