Showing papers in "Journal of Cryptology in 2004"


Journal ArticleDOI
TL;DR: A short signature scheme based on the Computational Diffie–Hellman assumption on certain elliptic and hyperelliptic curves is introduced for systems where signatures are typed in by a human or are sent over a low-bandwidth channel.
Abstract: We introduce a short signature scheme based on the Computational Diffie–Hellman assumption on certain elliptic and hyperelliptic curves. For standard security parameters, the signature length is about half that of a DSA signature with a similar level of security. Our short signature scheme is designed for systems where signatures are typed in by a human or are sent over a low-bandwidth channel. We survey a number of properties of our signature scheme such as signature aggregation and batch verification.

1,171 citations


Journal ArticleDOI
TL;DR: A three-participant variant of the Diffie–Hellman protocol is proposed, based on the Weil and Tate pairings on elliptic curves, which were first used in cryptography as cryptanalytic tools for reducing the discrete logarithm problem on some elliptic curves to the discrete logarithm problem in a finite field.
Abstract: In this paper we propose a three-participant variant of the Diffie–Hellman protocol. This variant is based on the Weil and Tate pairings on elliptic curves, which were first used in cryptography as cryptanalytic tools for reducing the discrete logarithm problem on some elliptic curves to the discrete logarithm problem in a finite field.

1,029 citations


Journal ArticleDOI
TL;DR: The definition of the Weil pairing is given, efficient algorithms to compute it are described, two applications are given, and the motivation for considering it is explained.
Abstract: The Weil pairing, first introduced by André Weil in 1940, plays an important role in the theoretical study of the arithmetic of elliptic curves and Abelian varieties. It has also recently become extremely useful in cryptologic constructions related to those objects. This paper gives the definition of the Weil pairing, describes efficient algorithms to compute it, gives two applications, and explains the motivation for considering it.

637 citations


Journal ArticleDOI
TL;DR: It is shown that finding an efficiently computable injective homomorphism from the XTR subgroup into the group of points over GF(p^2) of a particular type of supersingular elliptic curve is at least as hard as solving the Diffie–Hellman problem in the XTR subgroup.
Abstract: We show that finding an efficiently computable injective homomorphism from the XTR subgroup into the group of points over GF(p^2) of a particular type of supersingular elliptic curve is at least as hard as solving the Diffie–Hellman problem in the XTR subgroup. This provides strong evidence for a negative answer to the question posed by Vanstone and Menezes at the Crypto 2000 Rump Session on the possibility of efficiently inverting the MOV embedding into the XTR subgroup. As a side result we show that the Decision Diffie–Hellman problem in the group of points on this type of supersingular elliptic curve is efficiently computable, which provides an example of a group where the Decision Diffie–Hellman problem is easy while the Diffie–Hellman and discrete logarithm problems are presumably not. So-called distortion maps on groups of points on elliptic curves, which play an important role in our cryptanalysis, also lead to cryptographic applications of independent interest. These applications are an improvement of Joux’s one-round protocol for tripartite Diffie–Hellman key exchange and a non-refutable digital signature scheme that supports escrowable encryption. We also discuss the applicability of our methods to general elliptic curves defined over finite fields, which includes a classification of elliptic curve groups where distortion maps exist.

226 citations
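The three entries above (Joux’s tripartite protocol, the Weil pairing survey, and the distortion maps of the XTR paper) all rest on the same mechanism: a bilinear pairing whose second argument is moved off the F_p-rational subgroup by a distortion map. The following is an added example, not code from any of these papers, that carries the mechanism through on a deliberately tiny curve: the reduced Tate pairing (rather than the Weil pairing, which has the same bilinearity) on the supersingular curve y^2 = x^3 + x over F_263 with the distortion map (x, y) -> (-x, i*y), and Joux’s one-round key agreement built on it. The parameters p = 263 and r = 11 are constructed for illustration and offer no security; the function names are this example’s own.

```python
# Added example: toy reduced Tate pairing on y^2 = x^3 + x over F_p (p = 3 mod 4) with
# Verheul's distortion map phi(x, y) = (-x, i*y), used for Joux's one-round tripartite
# Diffie-Hellman. Constructed toy parameters; no security whatsoever.
p = 263                    # prime, p % 4 == 3, hence #E(F_p) = p + 1 = 264 = 24 * 11
r = 11                     # prime order of the subgroup used by the protocol
COFACTOR = (p + 1) // r    # embedding degree is 2 because p = -1 mod r

# F_{p^2} = F_p[i] / (i^2 + 1); an element a + b*i is the tuple (a, b).
def f2_add(x, y): return ((x[0] + y[0]) % p, (x[1] + y[1]) % p)
def f2_sub(x, y): return ((x[0] - y[0]) % p, (x[1] - y[1]) % p)
def f2_mul(x, y):
    a, b = x; c, d = y
    return ((a * c - b * d) % p, (a * d + b * c) % p)
def f2_inv(x):
    a, b = x
    n = pow(a * a + b * b, -1, p)      # (a + bi)^-1 = (a - bi) / (a^2 + b^2)
    return ((a * n) % p, (-b * n) % p)
def f2_pow(x, e):
    result = (1, 0)
    while e:
        if e & 1: result = f2_mul(result, x)
        x = f2_mul(x, x); e >>= 1
    return result

# Affine points over F_{p^2}; None is the point at infinity.
def slope(P, Q):
    """Slope of the chord through P and Q, or of the tangent at P when P == Q."""
    if P == Q:
        num = f2_add(f2_mul((3, 0), f2_mul(P[0], P[0])), (1, 0))   # 3x^2 + 1
        return f2_mul(num, f2_inv(f2_mul((2, 0), P[1])))           # divided by 2y
    return f2_mul(f2_sub(Q[1], P[1]), f2_inv(f2_sub(Q[0], P[0])))

def ec_add(P, Q):
    if P is None: return Q
    if Q is None: return P
    if P[0] == Q[0] and (P[1] != Q[1] or P[1] == (0, 0)): return None   # Q == -P
    lam = slope(P, Q)
    x3 = f2_sub(f2_sub(f2_mul(lam, lam), P[0]), Q[0])
    return (x3, f2_sub(f2_mul(lam, f2_sub(P[0], x3)), P[1]))

def ec_mul(k, P):
    R = None
    while k:
        if k & 1: R = ec_add(R, P)
        P = ec_add(P, P); k >>= 1
    return R

def distort(P):
    """Distortion map phi(x, y) = (-x, i*y); an endomorphism, so phi(cP) = c*phi(P)."""
    return (f2_sub((0, 0), P[0]), f2_mul((0, 1), P[1]))

def miller_step(T, P, Q):
    """Evaluate at Q the function with zeros at T and P and a pole at T + P."""
    if T[0] == P[0] and T[1] != P[1]:                 # T == -P: vertical line, T + P == O
        return f2_sub(Q[0], T[0])
    lam = slope(T, P)
    S = ec_add(T, P)
    line = f2_sub(f2_sub(Q[1], T[1]), f2_mul(lam, f2_sub(Q[0], T[0])))
    return f2_mul(line, f2_inv(f2_sub(Q[0], S[0])))

def tate(P, Q):
    """Reduced Tate pairing e(P, Q) = f_{r,P}(Q)^((p^2 - 1) / r) via Miller's algorithm,
    for P of order r in E(F_p) and Q in E(F_{p^2}) outside the subgroup generated by P."""
    f, T = (1, 0), P
    for bit in bin(r)[3:]:                            # top bit is already accounted for by T = P
        f = f2_mul(f2_mul(f, f), miller_step(T, T, Q)); T = ec_add(T, T)
        if bit == "1":
            f = f2_mul(f, miller_step(T, P, Q)); T = ec_add(T, P)
    return f2_pow(f, (p * p - 1) // r)

def find_point_of_order_r():
    """Lift x = 1, 2, ... to a point over F_p (square root via (p+1)/4 since p = 3 mod 4),
    then clear the cofactor to land in the order-r subgroup."""
    for x in range(1, p):
        rhs = (x * x * x + x) % p
        if pow(rhs, (p - 1) // 2, p) == 1:
            P = ec_mul(COFACTOR, ((x, 0), (pow(rhs, (p + 1) // 4, p), 0)))
            if P is not None:
                return P
    raise ValueError("no suitable point")

def tripartite_keys(a, b, c):
    """Joux's protocol: Alice, Bob and Carol broadcast aP, bP, cP in one round; each pairs
    the two values it received (one pushed through the distortion map) and raises the
    result to its own secret, so all three reach e(P, phi(P))^(abc)."""
    P = find_point_of_order_r()
    A, B, C = ec_mul(a, P), ec_mul(b, P), ec_mul(c, P)
    k_alice = f2_pow(tate(B, distort(C)), a)
    k_bob = f2_pow(tate(C, distort(A)), b)
    k_carol = f2_pow(tate(A, distort(B)), c)
    return k_alice, k_bob, k_carol

if __name__ == "__main__":
    ka, kb, kc = tripartite_keys(3, 7, 9)
    print("shared key agreed:", ka == kb == kc, ka)
```

Without the distortion map, e(P, Q) with both points in E(F_263) lands in F_263^*, which the final exponentiation by (p^2 - 1)/r maps to 1; that is exactly why the pairing of a point with itself is useless and the map into E(F_{p^2}) is needed. The same reasoning is what makes Decision Diffie–Hellman easy in these groups: given (P, aP, bP, cP) anyone can test e(aP, phi(bP)) == e(P, phi(cP)).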


Journal ArticleDOI
TL;DR: This paper describes how to construct ordinary (non-supersingular) elliptic curves containing groups with arbitrary embedding degree, and shows how to compute the Tate pairing on these groups efficiently.
Abstract: Pairing-based cryptosystems rely on the existence of bilinear, nondegenerate, efficiently computable maps (called pairings) over certain groups. Currently, all such pairings used in practice are related to the Tate pairing on elliptic curve groups whose embedding degree is large enough to maintain a good security level, but small enough for arithmetic operations to be feasible. In this paper we describe how to construct ordinary (non-supersingular) elliptic curves containing groups with arbitrary embedding degree, and show how to compute the Tate pairing on these groups efficiently.

179 citations


Journal ArticleDOI
Salil Vadhan1
TL;DR: In this paper, sample-then-extract (S2E) is used to construct locally computable randomness extractors in Maurer's bounded-storage model, and lower bounds show that the parameters are nearly optimal.
Abstract: We consider the problem of constructing randomness extractors that are locally computable; that is, read only a small number of bits from their input. As recently shown by [Lu], locally computable extractors directly yield secure private-key cryptosystems in Maurer’s bounded-storage model. We suggest a general “sample-then-extract” approach to constructing locally computable extractors: use essentially any randomness-efficient sampler to select bits from the input and then apply any extractor to the selected bits. Plugging in known sampler and extractor constructions, we obtain locally computable extractors, and hence cryptosystems in the bounded-storage model, whose parameters improve upon previous constructions. We also provide lower bounds showing that the parameters we achieve are nearly optimal. The correctness of the sample-then-extract approach follows from a fundamental lemma of Nisan and Zuckerman, which states that sampling bits from a weak random source roughly preserves the min-entropy rate. We also present a refinement of this lemma, showing that the min-entropy rate is preserved up to an arbitrarily small additive loss, whereas the original lemma loses a logarithmic factor.

156 citations


Journal ArticleDOI
TL;DR: In this paper, it was shown that OAEP offers semantic security against adaptive chosen-ciphertext attacks, in the random oracle model, under the partial-domain one-wayness of the underlying permutation.
Abstract: Recently Victor Shoup noted that there is a gap in the widely believed security result of OAEP against adaptive chosen-ciphertext attacks. Moreover, he showed that, presumably, OAEP cannot be proven secure from the one-wayness of the underlying trapdoor permutation. This paper establishes another result on the security of OAEP. It proves that OAEP offers semantic security against adaptive chosen-ciphertext attacks, in the random oracle model, under the partial-domain one-wayness of the underlying permutation. Therefore, this uses a formally stronger assumption. Nevertheless, since partial-domain one-wayness of the RSA function is equivalent to its (full-domain) one-wayness, it follows that the security of RSA-OAEP can actually be proven under the sole RSA assumption, although the reduction is not tight.

114 citations
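The OAEP result above is a statement about a proof, but the object it secures is concrete enough to write down. The following is an added example, not code from the paper, of RSA-OAEP as standardised in PKCS#1 v2 (RFC 8017): the two random oracles G and H are instantiated with MGF1 over SHA-256, and a toy RSA key pair generated with Miller–Rabin serves as the trapdoor permutation. One practitioner’s detail is made explicit in the decoder: every consistency check is folded into a single boolean so that a malformed ciphertext is rejected with one generic error, which is what the chosen-ciphertext model assumes the decryptor does. Key sizes, rounds and function names are this example’s own choices.

```python
# Added example: RSA-OAEP (RFC 8017 EME-OAEP with MGF1/SHA-256) around a toy RSA key.
import hashlib
import secrets

HASH = hashlib.sha256
H_LEN = HASH().digest_size

def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1: the hash-based instantiation of OAEP's random oracles G and H."""
    out, counter = b"", 0
    while len(out) < length:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(message: bytes, k: int, label: bytes = b"", seed: bytes = None) -> bytes:
    """EME-OAEP encoding into a k-byte block: a fresh random seed masks the data block
    through G = MGF1, and the masked data block in turn masks the seed through H = MGF1."""
    if len(message) > k - 2 * H_LEN - 2:
        raise ValueError("message too long")
    padding = b"\x00" * (k - len(message) - 2 * H_LEN - 2)
    data_block = HASH(label).digest() + padding + b"\x01" + message
    seed = seed if seed is not None else secrets.token_bytes(H_LEN)
    masked_db = xor(data_block, mgf1(seed, k - H_LEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))
    return b"\x00" + masked_seed + masked_db

def oaep_decode(encoded: bytes, k: int, label: bytes = b"") -> bytes:
    """Inverse of oaep_encode. All checks are combined into one boolean so that every
    rejection raises the same error; the decoder never reports which check failed."""
    if len(encoded) != k or k < 2 * H_LEN + 2:
        raise ValueError("decryption error")
    masked_seed, masked_db = encoded[1:1 + H_LEN], encoded[1 + H_LEN:]
    seed = xor(masked_seed, mgf1(masked_db, H_LEN))
    data_block = xor(masked_db, mgf1(seed, k - H_LEN - 1))
    sep = data_block.find(b"\x01", H_LEN)
    ok = (encoded[0] == 0
          and data_block[:H_LEN] == HASH(label).digest()
          and sep != -1
          and not any(data_block[H_LEN:sep]))
    if not ok:
        raise ValueError("decryption error")
    return data_block[sep + 1:]

def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin with random bases; adequate for a toy key."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2; s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits: int = 1024):
    """Toy RSA key pair (no CRT, no side-channel hardening): the trapdoor permutation."""
    def random_prime(nbits):
        while True:
            c = secrets.randbits(nbits) | (1 << (nbits - 1)) | 1
            if is_probable_prime(c):
                return c
    e = 65537
    while True:
        p_, q_ = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p_ - 1) * (q_ - 1)
        if p_ != q_ and phi % e:
            return (p_ * q_, e), (p_ * q_, pow(e, -1, phi))

def rsa_oaep_encrypt(pub, message: bytes, label: bytes = b"") -> bytes:
    n, e = pub
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(oaep_encode(message, k, label), "big"), e, n).to_bytes(k, "big")

def rsa_oaep_decrypt(priv, ciphertext: bytes, label: bytes = b"") -> bytes:
    n, d = priv
    k = (n.bit_length() + 7) // 8
    c = int.from_bytes(ciphertext, "big")
    if len(ciphertext) != k or c >= n:
        raise ValueError("decryption error")
    return oaep_decode(pow(c, d, n).to_bytes(k, "big"), k, label)
```

The reduction in the paper recovers the partial pre-image (the masked seed half of the block) from a successful attacker; the encoder above shows why that half is the one that matters: without the seed, G cannot be evaluated and the data block, hence the plaintext, stays masked.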


Journal ArticleDOI
Chi-Jen Lu1
TL;DR: It is shown that an encryption scheme with such nice properties can be derived immediately from any strong randomness extractor, a function which extracts randomness from a slightly random source, so that its output and its seed together are almost random.
Abstract: We study the problem of information-theoretically secure encryption in the bounded-storage model introduced by Maurer. The sole assumption of this model is a limited storage bound on an eavesdropper Eve, who is even allowed to be computationally unbounded. Suppose a sender Alice and a receiver Bob agreed on a short private key beforehand, and there is a long public random string accessible by all parties, say broadcast from a satellite or sent by Alice. Eve can only store some partial information of this long random string due to her limited storage. Alice and Bob read the public random string using the shared private key, and produce a one-time pad for encryption or decryption. In this setting, Aumann et al. proposed protocols with a nice property called everlasting security, which says that the security holds even if Eve later manages to obtain that private key. Ding and Rabin gave a better analysis showing that the same private key can be securely reused an exponential number of times, against some adaptive attacks. We show that an encryption scheme with such nice properties can be derived immediately from any strong randomness extractor, a function which extracts randomness from a slightly random source so that its output and its seed together are almost random. To have an efficient encryption scheme, one needs a strong extractor that can be evaluated in an on-line and efficient way. We give one such construction, which yields an encryption scheme that has the nice security properties as before but now can encrypt longer messages using shorter private keys.

87 citations
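The Vadhan and Lu entries above describe the same pipeline from two ends: sample a few positions of a long public string, apply a strong extractor to the sampled bits, and use the output as a one-time pad. The following is an added example, not code from either paper, that implements that pipeline in miniature. The sampler is a hash-driven position chooser standing in for the randomness-efficient samplers Vadhan uses; the extractor is a random Toeplitz matrix over GF(2), which is a universal hash family and therefore a strong extractor by the leftover hash lemma; and the eavesdropper’s bounded storage is modelled, for illustration only, as having kept a prefix of the broadcast string. The 4x oversampling constant, the key layout and all function names are this example’s own assumptions.

```python
# Added example: sample-then-extract locally computable extractor used as a
# bounded-storage-model one-time pad. Constructed parameters, not from the papers.
import hashlib
import secrets

OVERSAMPLE = 4   # read 4 source bits per output bit (assumption: source min-entropy rate > 1/2)

def sample_positions(sample_seed: bytes, t: int, count: int) -> list:
    """Sampler: derive `count` positions in [0, t) from a short seed. A hash-driven
    sampler stands in for the randomness-efficient samplers of the paper; locality
    comes from the fact that only these positions of the source are ever read."""
    positions, counter = [], 0
    while len(positions) < count:
        digest = hashlib.sha256(sample_seed + counter.to_bytes(4, "big")).digest()
        positions.extend(int.from_bytes(digest[i:i + 4], "big") % t for i in range(0, 32, 4))
        counter += 1
    return positions[:count]

def toeplitz_extract(bits: list, hash_seed: int, out_len: int) -> int:
    """Strong extractor: multiply the sampled bit vector by a Toeplitz matrix over GF(2)
    whose diagonals are the low len(bits) + out_len - 1 bits of hash_seed. Random
    Toeplitz matrices form a universal hash family, so the leftover hash lemma makes the
    output nearly uniform given the seed once the input carries enough min-entropy."""
    l = len(bits)
    x = 0
    for b in bits:
        x = (x << 1) | b
    out = 0
    for i in range(out_len):
        row = (hash_seed >> i) & ((1 << l) - 1)           # row i of the Toeplitz matrix
        out = (out << 1) | (bin(x & row).count("1") & 1)  # inner product over GF(2)
    return out

def keygen(n_bytes: int):
    """Short shared key: sampler seed plus extractor seed. Its size depends only on the
    message length, never on the length of the public string R."""
    l = OVERSAMPLE * 8 * n_bytes
    return secrets.token_bytes(16), secrets.randbits(l + 8 * n_bytes - 1)

def derive_pad(R: bytes, key, n_bytes: int) -> bytes:
    """Sample-then-extract: read l bits of R at key-chosen positions, then extract."""
    sample_seed, hash_seed = key
    l = OVERSAMPLE * 8 * n_bytes
    positions = sample_positions(sample_seed, 8 * len(R), l)
    bits = [(R[pos >> 3] >> (7 - (pos & 7))) & 1 for pos in positions]
    return toeplitz_extract(bits, hash_seed, 8 * n_bytes).to_bytes(n_bytes, "big")

def bsm_encrypt(R: bytes, key, message: bytes) -> bytes:
    """One-time pad with the extracted bits; decryption is the same operation."""
    pad = derive_pad(R, key, len(message))
    return bytes(m ^ q for m, q in zip(message, pad))

bsm_decrypt = bsm_encrypt

def positions_outside_storage(key, t: int, n_bytes: int, stored_prefix_bits: int) -> int:
    """Count the pad-relevant positions an eavesdropper can never recover if (as a toy
    model of bounded storage) she kept only the first stored_prefix_bits of R."""
    sample_seed, _ = key
    l = OVERSAMPLE * 8 * n_bytes
    return sum(1 for pos in sample_positions(sample_seed, t, l) if pos >= stored_prefix_bits)

if __name__ == "__main__":
    R = secrets.token_bytes(1 << 15)            # constructed stand-in for the public broadcast
    key = keygen(16)
    ct = bsm_encrypt(R, key, b"sixteen byte msg")
    print(bsm_decrypt(R, key, ct), positions_outside_storage(key, 8 * len(R), 16, 4 * len(R)))
```

Everlasting security falls out of the structure: the pad is a function of bits of R that Eve did not store, so learning the key afterwards tells her which positions she should have kept, not what they contained.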


Journal ArticleDOI
TL;DR: This paper proves the first non-restricted security result in the bounded-storage model: K is short, X is very long, and t needs to be only moderately larger than $s + n$ and hence the storage bound is essentially optimal.
Abstract: In the bounded-storage model for information-theoretically secure encryption and key-agreement one can prove the security of a cipher based on the sole assumption that the adversary’s storage capacity is bounded, say by $s$ bits, even if her computational power is unlimited. Assume that a random $t$-bit string $R$ is either publicly available (e.g., the signal of a deep-space radio source) or broadcast by one of the legitimate parties. If $s ns$), or the adversary was assumed to be able to store only $s$ actual bits of $R$ rather than arbitrary $s$ bits of information about $R$, or the adversary received a non-negligible amount of information about $X$. In this paper we prove the first non-restricted security result in the bounded-storage model: $K$ is short, $X$ is very long, and $t$ needs to be only moderately larger than $s + n$. In fact, $s/t$ can be arbitrarily close to $1$ and hence the storage bound is essentially optimal. The security can be proved also if $R$ is not uniformly random, provided that the min-entropy of $R$ is sufficiently greater than $s$.

70 citations


Journal ArticleDOI
TL;DR: The full costs of several cryptanalytic attacks are determined, including Shanks’ method for computing discrete logarithms in cyclic groups of prime order n, which requires n^(1/2+o(1)) processor steps but, when all factors are taken into account, has full cost n^(2/3+o(1)).
Abstract: An open question about the asymptotic cost of connecting many processors to a large memory using three dimensions for wiring is answered, and this result is used to find the full cost of several cryptanalytic attacks. In many cases this full cost is higher than the accepted complexity of a given algorithm based on the number of processor steps. The full costs of several cryptanalytic attacks are determined, including Shanks’ method for computing discrete logarithms in cyclic groups of prime order n, which requires n^(1/2+o(1)) processor steps but, when all factors are taken into account, has full cost n^(2/3+o(1)). Other attacks analyzed are factoring with the number field sieve, generic attacks on block ciphers, attacks on double and triple encryption, and finding hash collisions. In many cases parallel collision search gives a significant asymptotic advantage over well-known generic attacks.

66 citations
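The gap between processor steps and full cost in the entry above is easiest to see by instrumenting Shanks’ method itself. The following is an added example, not code from the paper: baby-step giant-step in a prime-order subgroup of (Z/pZ)^*, returning the number of group multiplications it performed alongside the size of the table it had to keep, next to an exhaustive search that uses no table at all. The step counts make the trade-off the paper prices concrete: about 2·sqrt(n) multiplications, but also sqrt(n) stored group elements that a processor must address, which is what the wiring argument charges for. The prime p = 1019 and subgroup order n = 509 are constructed toy values.

```python
# Added example: baby-step giant-step with operation and memory accounting (toy sizes).
import math

def bsgs_dlog(g: int, h: int, p: int, n: int):
    """Shanks' baby-step giant-step for g^x = h in the subgroup of (Z/pZ)^* of prime order n
    generated by g. Returns (x, group_ops, table_entries): about 2*sqrt(n) multiplications,
    plus a sqrt(n)-entry table that must be stored and addressed."""
    m = math.isqrt(n) + 1
    table = {}                       # baby steps: g^j -> j for j in [0, m)
    cur, ops = 1, 0
    for j in range(m):
        table.setdefault(cur, j)
        cur = cur * g % p
        ops += 1
    g_inv_m = pow(g, -m, p)          # g^(-m); negative exponent needs Python >= 3.8
    gamma = h                        # giant steps: h * g^(-i*m) for i in [0, m)
    for i in range(m):
        if gamma in table:
            return ((i * m + table[gamma]) % n, ops, len(table))
        gamma = gamma * g_inv_m % p
        ops += 1
    raise ValueError("h is not in the subgroup generated by g")

def brute_force_dlog(g: int, h: int, p: int, n: int):
    """Exhaustive search: up to n multiplications but constant memory. Same return shape
    as bsgs_dlog so the two cost profiles can be compared side by side."""
    cur = 1
    for x in range(n):
        if cur == h:
            return (x, x, 0)
        cur = cur * g % p
    raise ValueError("h is not in the subgroup generated by g")

if __name__ == "__main__":
    p, n, g = 1019, 509, 4           # 1019 = 2*509 + 1; 4 generates the order-509 subgroup
    h = pow(g, 321, p)
    print("bsgs  (x, ops, table):", bsgs_dlog(g, h, p, n))
    print("brute (x, ops, table):", brute_force_dlog(g, h, p, n))
```

Scaling the toy numbers up is the whole point of the paper: for n around 2^160, the sqrt(n) table is 2^80 words that must be physically wired to the processors, and once that cost is counted the method is no longer competitive with memoryless collision search.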


Journal ArticleDOI
TL;DR: Existing PIR protocols achieve sub-linear communication, but in all of them the servers’ computation for each retrieval is at least linear in the size of the entire database, even when the user wants only a single bit.
Abstract: Private information retrieval (PIR) enables a user to retrieve a specific data item from a database, replicated among one or more servers, while hiding from each server the identity of the retrieved item. This problem was suggested by Chor et al. [11], and since then efficient protocols with sub-linear communication were suggested. However, in all these protocols the servers’ computation for each retrieval is at least linear in the size of entire database, even if the user requires just one bit.

Journal ArticleDOI
TL;DR: The relations between adaptive security and nonadaptive security are studied, according to two definitions and in several models of computation.
Abstract: Security analysis of multi-party cryptographic protocols distinguishes between two types of adversarial settings: In the non-adaptive setting the set of corrupted parties is chosen in advance, before the interaction begins. In the adaptive setting the adversary chooses who to corrupt during the course of the computation. We study the relations between adaptive security (i.e., security in the adaptive setting) and nonadaptive security, according to two definitions and in several models of computation.

Journal ArticleDOI
TL;DR: The security of the Blum–Micali pseudo-random generator combined with the Goldreich–Levin bit against nearly one-sided statistical tests is studied.
Abstract: We study statistical tests with binary output that rarely output one, which we call nearly one-sided statistical tests. We provide an efficient reduction establishing improved security for the Goldreich–Levin hard-core bit against nearly one-sided tests. The analysis is extended to prove the security of the Blum–Micali pseudo-random generator combined with the Goldreich–Levin bit. Finally, some applications where nearly one-sided tests occur naturally are discussed.