## INTRACTABLE PROBLEMS IN CRYPTOGRAPHY

Citations: | 4 - 1 self |

### Citations

1738 | Identity-based encryption from the Weil pairing
- Boneh, Franklin
Citation Context ...ve DDH simply by finding discrete logs; there is no known way to solve DDH that is faster than that. One of the first uses of pairing-based cryptography was the elegant solution by Boneh and Franklin =-=[8]-=- to an old question of Shamir [33], who had asked whether an efficient encryption scheme could be devised in which a user’s public key would be just her identity (e.g., her e-mail address). Such a sys... |

753 | Short signature from the Weil pairing
- Boneh, Lynn, et al.
- 2001
Citation Context ...her direction. Indeed, there is an important class of groups in which the DDH is easy and the DH and DL problems are believed to be hard. These are the “Diffie-Hellman gap groups” (first described in =-=[21, 10]-=-) that are used in pairing-based cryptography (see §10). Remark 1. For a fixed group G let DL(P), DH(P), DDH(P) denote the Discrete Log, Diffie-Hellman, and the Decision Diffie-Hellman problems for a ... |

535 | A practical public-key cryptosystem provably secure against adaptive chosen ciphertext attack
- Cramer, Shoup
- 1998
Citation Context ...he second fixed input Q2 in the twin version of DDH). This gives the DH solver enough flexibility so that she can successfully simulate the oracle. This technique is reminiscent of the method used in =-=[16]-=- (see also the discussion in §2 of [23]) to develop a discrete-log based encryption scheme that has a reductionist security proof using only a “standard” assumption (rather than the random oracle assu... |

392 | Short Signatures Without Random Oracles - Boneh, Boyen - 2004 |

331 | A one round protocol for tripartite Diffie–Hellman
- Joux
Citation Context ...-based cryptosystems were proposed by Dan Boneh, Matt Franklin, and others. Although some of the ideas had been around for a couple of years (see, for example, =-=[20, 32]-=-), their tremendous potential had not been realized before. The basic idea is that the Weil or Tate pairing on elliptic curves allows certain cryptographic goals to be achieved that no one knows how t... |

191 | Threshold Signatures, Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-Group Signature Scheme
- Boldyreva
- 2003
Citation Context ... queries to the discrete log oracle, the solver must find the discrete logs of all ℓ elements $Y_i$. • The One-More-Diffie-Hellman (1MDH) problem as first formulated (in a slightly different version) in =-=[4]-=-. The solver is given an element X ∈ G, an oracle that can solve the Diffie-Hellman problem for the given X and arbitrary Y ∈ G, and a challenge oracle that produces random group elements $Y_i$. After ℓ ... |

106 | The Oracle Diffie-Hellman Assumptions and an Analysis of DHIES
- Abdalla, Bellare, et al.
- 2001
Citation Context ...t the solver is also allowed to use a One-sided Decision Diffie-Hellman Oracle. In other words, in a group G of order p with generator 1 This problem was first defined by Abdalla, Bellare and Rogaway =-=[1]-=-, who called it the “Strong DH” problem. We have chosen a different name for the problem in order to avoid confusion with the “Strong DH” problem considered in §11. The problem should also not be conf... |

91 | The one-more-RSA-inversion problems and the security of Chaum’s blind signature scheme
- Bellare, Namprempre, et al.
Citation Context .... Here are some examples of such problems that arose in connection with protocols that use elliptic curves or other algebraic groups: • The One-More-Discrete-Log (1MDL) problem as first formulated in =-=[2]-=- and [3]. The solver is supplied with a challenge oracle that produces a random group element $Y_i$ ∈ G when queried and a discrete log oracle. After ℓ queries to the challenge oracle (where ℓ is chosen ... |

89 | GQ and Schnorr identification schemes: Proofs of security against impersonation under active and concurrent attack
- Bellare, Palacio
- 2002
Citation Context ...re some examples of such problems that arose in connection with protocols that use elliptic curves or other algebraic groups: • The One-More-Discrete-Log (1MDL) problem as first formulated in [2] and =-=[3]-=-. The solver is supplied with a challenge oracle that produces a random group element $Y_i$ ∈ G when queried and a discrete log oracle. After ℓ queries to the challenge oracle (where ℓ is chosen by the s... |

87 | Algorithms for black box fields and their applications to cryptography
- Boneh, Lipton
- 1996
Citation Context ...dence seems to fail. In the presence of a DH oracle One-Prime-Not-p DL seems easier than DL. The former can be solved in polynomial time by Proposition 6, whereas the best results for the latter (see =-=[9]-=-) are subexponential but very far from polytime. The following corollary follows immediately from Proposition 6 by the transitivity of reductions. Corollary 1. Under Conjecture 1, the Discrete Log pro... |

78 | Towards the equivalence of breaking the Diffie–Hellman protocol and computing discrete logarithms
- Maurer
- 1994
Citation Context ...G can be solved in polynomial time. Now the DL problem on E can be solved in polynomial time using the One-Prime-Not-p DL oracle along with Pohlig-Hellman. We can now use the technique of Maurer (see =-=[27, 29]-=-) to see that DL on G does in fact reduce in polynomial time to DL on E. We recall the main part of Maurer’s argument. Suppose that x is the unknown discrete log of Q to the base P in our DL instance ... |

73 | Another look at “provable security”
- Koblitz, Menezes
Citation Context ...rsion of DDH). This gives the DH solver enough flexibility so that she can successfully simulate the oracle. This technique is reminiscent of the method used in [16] (see also the discussion in §2 of =-=[23]-=-) to develop a discrete-log based encryption scheme that has a reductionist security proof using only a “standard” assumption (rather than the random oracle assumption) for the hash function. Remark 5... |

71 | Security analysis of the strong Diffie-Hellman problem
- Cheon
- 2006
Citation Context ...e factor $\sqrt{\ell}$ was an artifact of the proof and not a cause for concern, and that the true difficulty of the ℓ-SDH problem was probably $\sqrt{p}$ as in the case of DL and DH. However, at Eurocrypt 2006 Cheon =-=[15]-=-, using the same attack that had been described earlier in a different setting by Brown and Gallant [13] (see §3), showed that ℓ-SDH can be solved — and in fact the discrete logarithm x can be found —... |

46 | The twin Diffie-Hellman problem and applications
- Cash, Kiltz, et al.
- 2008
Citation Context ...uery, we determine through our One-sided DDH oracle that (Q,R,S) is a Diffie-Hellman triple, at which point we have the solution of the DH problem, as desired. □ 5. The Twin Diffie-Hellman Problem In =-=[14]-=- Cash, Kiltz, and Shoup constructed an ElGamal type encryption scheme that is slightly more complicated than the one in §4. Its advantage is that their proof of chosen-ciphertext security assumes intr... |

46 | The relationship between breaking the Diffie-Hellman protocol and computing discrete logarithms
- Maurer, Wolf
- 1999
Citation Context ...rch versions and in the opposite direction for the decision versions of the problems. 6.1. The Square Diffie-Hellman problem. The following variant of the Diffie-Hellman problem was first presented in =-=[28]-=-. • The Square Diffie-Hellman (SqDH) problem for a group G of prime order p with generator P has as input another point Q = xP ∈ G (with unknown x mod p) and asks for the point R ∈ G for which R = x 2... |

41 | Separating decision Diffie-Hellman from computational Diffie-Hellman in cryptographic groups
- Joux, Nguyen
- 2003
Citation Context ...her direction. Indeed, there is an important class of groups in which the DDH is easy and the DH and DL problems are believed to be hard. These are the “Diffie-Hellman gap groups” (first described in =-=[21, 10]-=-) that are used in pairing-based cryptography (see §10). Remark 1. For a fixed group G let DL(P), DH(P), DDH(P) denote the Discrete Log, Diffie-Hellman, and the Decision Diffie-Hellman problems for a ... |

32 | Ordered Multisignatures and Identity-Based Sequential Aggregate Signatures, with Applications to Secure Routing
- Boldyreva, Gentry, et al.
Citation Context ... to temper this exuberance. In the next section we describe a particularly dramatic example of how things can go wrong. 12. Sequential Aggregate Signatures In 2007 Boldyreva, Gentry, O’Neill, and Yum =-=[5]-=- constructed a new type of digital signature, called an ordered multi-signature (OMS). This means a single compact signature produced by several people acting in sequence. It has fixed length independ... |

30 | The Diffie-Hellman Protocol
- Maurer, Wolf
- 2000
Citation Context ...DL implies the ability to solve DH. But it is much more difficult to determine whether the converse implication holds. There is considerable evidence that it does; for a survey of related results see =-=[29]-=-. Thus, the DH as well as DL problems on a suitable group are generally regarded as classical intractable problems. In §§2–5 we look at different versions of ElGamal encryption in order to highlight s... |

22 | Elliptic Curve Cryptography: The Serpentine Course of a Paradigm Shift
- Koblitz, Koblitz, et al.
Citation Context ... is highly non-standard. The over-use of the word “standard” in connection with assumptions that are anything but standard provides another instance of narrative inversion in cryptography (see §12 of =-=[22]-=-). 10. Pairing-Based Cryptography Starting in 2001, pairing-based cryptosystems were proposed by Dan Boneh, Matt Franklin, and others. Although some of the ideas had been around for a couple of... |

16 | Generalized environmental security from number theoretic assumptions
- Malkin, Moriarty, et al.
- 2006
Citation Context ...plements our empirical analysis and adds to the evidence that 1MDL and 1MDH are strictly easier than DL and DH. 8. The All-Primes-But-p Discrete Log Problem In =-=[26]-=- the authors introduce a certain type of number-theoretic assumption to achieve a goal related to composition of secure computations. They summarize their assumption intuitively as follows: “it says t... |

13 | Another look at generic groups.
- Koblitz, Menezes
- 2006
Citation Context ... to have doubts about the true security of Boneh-Boyen signatures. For short signatures using pairings, probably the best advice is to stick with the Boneh-Lynn-Shacham scheme [10]. As we remarked in =-=[24]-=-, in our opinion it is not a good idea to switch away from BLS signatures simply because its reductionist security argument uses the random oracle assumption. In this case the devil we know (the rando... |

13 | Another look at non-standard discrete log and Diffie-Hellman problems
- Koblitz, Menezes
Citation Context ...g the discrete log of a single random element or finding the Diffie-Hellman element Z for fixed X and a single random Y . However, it turns out that this depends very much on what groups are used. In =-=[25]-=- we studied these problems and several others in the setting of the jacobian group of a genus-g curve. Assuming that one uses current state-of-the-art algorithms, we found that 1MDL is harder than 1MD... |

12 | The group of signed quadratic residues and applications
- Hofheinz, Kiltz
- 2009
Citation Context ...umption) for the hash function. Remark 5. The One-sided Gap-DH problem and the version of ElGamal encryption discussed in §4 can also be considered in a group G of composite order. Hofheinz and Kiltz =-=[17]-=- studied the One-sided Gap-DH problem in the group of so-called signed quadratic residues modulo a composite integer N that is the product of two distinct8 NEAL KOBLITZ AND ALFRED MENEZES primes (sat... |

11 | Universal forgery of the identity-based sequential aggregate signature scheme
- Hwang, Lee, et al.
- 2009
Citation Context ... that This has become a standard way of building confidence in the hardness of computational problems in groups equipped with bilinear maps. Just about a year after [5] appeared, Hwang, Lee, and Yung =-=[18]-=- made a startling discovery: the “provably secure” protocol in [5] can very easily be broken, and the supposedly intractable M-LRSW problem can very easily be solved! Here is the fast and simple solut... |

9 | Boneh-Boyen signatures and the Strong Diffie-Hellman problem
- Jao, Yoshida
- 2009
Citation Context ...a group whose order has 50% greater bitlength. It should also be noted that, even though solving ℓ-SDH does not immediately imply the ability to forge Boneh-Boyen signatures, recently Jao and Yoshida =-=[19]-=- showed how, using the solution to ℓ-SDH in [15], one can forge signatures in roughly $p^{2/5}$ operations (with roughly $p^{1/5}$ signature queries) under certain conditions. On the one hand, the attack on t... |

9 | Separation results on the “one-more” computational problems
- Bresson, Monnerat, et al.
- 2008
Citation Context ...e risky to rely upon such problems for assurances about the security of protocols. Remark 7. It follows from a general result of Bresson, Monnerat and Vergnaud =-=[12]-=- and Brown [13] that no subexponential time reduction (for arbitrary G) can exist either from DL to 1MDL or from DH to 1MDH. (See §8, where we discuss a similar nonexistence result in the case of the ... |

6 | The uber-assumption family: A unified complexity framework for bilinear groups
- Boyen
- 2008
Citation Context ...e in security reductions for pairing-based protocols are even more ornate and contrived than the ℓ-SDH. Several such problems, such as the following Hidden Strong Diffie-Hellman (HSDH), are listed in =-=[11]-=-: • In ℓ-HSDH one is given $P, xP, yP \in G$ and $\ell - 1$ triples $(w_jP, (x + w_j)^{-1}P, yw_jP)$, $j = 1, \ldots, \ell - 1$, and is required to find one more triple of the form $(wP, (x + w)^{-1}P, ywP)$ that is distinct from any... |

6 | Irreducibility to the one-more evaluation problems: More may be less. Cryptology ePrint Archive, Report 2007/435
- Brown
Citation Context ...g encryption and signature schemes, it nevertheless seems a little risky to rely upon such problems for assurances about the security of protocols. Remark 7. It follows from a general result of Brown =-=[12]-=- that no subexponential time reduction (for arbitrary G) can exist either from DL to 1MDL or from DH to 1MDH. (See §8, where we discuss a similar nonexistence result in the case of the One-Prime-Not-p... |

6 | On the static Diffie-Hellman problem on elliptic curves over extension fields
- Granger
- 2010
Citation Context ...pdated version of our paper with the same title in the Proceedings of the 9th International Conference on Finite Fields and Their Applications. We incorporated recent observations by Granger in §7 of =-=[17]-=-. We also corrected the introduction to §12, which had confused the ordered multi-signature (OMS) and the identity-based sequential aggregate signature (IBSAS) schemes proposed in [5]. The same update... |

5 | Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups
- Boneh, Boyen
Citation Context ...ult of the form “if P is hard, then my protocol is safe from chosen-ciphertext attacks” as a type of guarantee of security. 11. The Strong Diffie-Hellman Problem In =-=[6, 7]-=-, Boneh and Boyen proposed a new digital signature that works as follows. As before, let G be the group generated by a point $P \in E(\mathbb{F}_q)$ of prime order p, and let $e : G \times G \to \mu_p$ be a non-degenerate bil... |

5 | Complexity of a Deterministic Algorithm for the Discrete Logarithm
- Nechaev
- 1994
Citation Context ...d was derive an exponential-time lower bound for the amount of time it takes to solve ℓ-SDH in the generic group model. The notion of a “generic group” in cryptography was first formalized by Nechaev =-=[30]-=- and Shoup [34]. The generic group assumption essentially means that the group has no special properties that could be exploited to help solve the problem. Rather, the only things that a solver can do... |

2 | The static Diffie-Hellman problem, available at http://eprint.iacr
- Brown, Gallant
Citation Context ...oup order p was chosen large enough so that $p^{1/2}$-attacks are not feasible but $p^{1/3}$-attacks would be feasible. According to a striking result of Brown and Gallant =-=[13]-=-, if $p - 1$ has a factor of order $p^{1/3}$ and if roughly $p^{1/3}$ chosen-ciphertext queries are allowed, then Cynthia can learn Alice’s private key x in time of order $p^{1/3}$ — after which Cynthia can, of cou... |