Journal ArticleDOI

A public key cryptosystem and a signature scheme based on discrete logarithms

Taher Elgamal
23 Aug 1985 - Vol. 31, Iss. 4, pp. 10-18
TL;DR: A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem that relies on the difficulty of computing discrete logarithms over finite fields.
Abstract: A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem. The security of both systems relies on the difficulty of computing discrete logarithms over finite fields.


Citations
Book ChapterDOI
02 May 1999
TL;DR: A new trapdoor mechanism is proposed and three encryption schemes are derived : a trapdoor permutation and two homomorphic probabilistic encryption schemes computationally comparable to RSA, which are provably secure under appropriate assumptions in the standard model.
Abstract: This paper investigates a novel computational problem, namely the Composite Residuosity Class Problem, and its applications to public-key cryptography. We propose a new trapdoor mechanism and derive from this technique three encryption schemes : a trapdoor permutation and two homomorphic probabilistic encryption schemes computationally comparable to RSA. Our cryptosystems, based on usual modular arithmetics, are provably secure under appropriate assumptions in the standard model.

7,008 citations


Cites methods from "A public key cryptosystem and a sig..."

  • ...Another famous technique, related to Diffie-Hellman-type schemes (El Gamal [7], DSA, McCurley [14], etc.) combines the homomorphic properties of the modular exponentiation and the intractability of extracting discrete logarithms over finite groups....


Proceedings ArticleDOI
Craig Gentry
31 May 2009
TL;DR: This work proposes a fully homomorphic encryption scheme that allows one to evaluate circuits over encrypted data without being able to decrypt, and describes a public key encryption scheme using ideal lattices that is almost bootstrappable.
Abstract: We propose a fully homomorphic encryption scheme -- i.e., a scheme that allows one to evaluate circuits over encrypted data without being able to decrypt. Our solution comes in three steps. First, we provide a general result -- that, to construct an encryption scheme that permits evaluation of arbitrary circuits, it suffices to construct an encryption scheme that can evaluate (slightly augmented versions of) its own decryption circuit; we call a scheme that can evaluate its (augmented) decryption circuit bootstrappable. Next, we describe a public key encryption scheme using ideal lattices that is almost bootstrappable. Lattice-based cryptosystems typically have decryption algorithms with low circuit complexity, often dominated by an inner product computation that is in NC^1. Also, ideal lattices provide both additive and multiplicative homomorphisms (modulo a public-key ideal in a polynomial ring that is represented as a lattice), as needed to evaluate general circuits. Unfortunately, our initial scheme is not quite bootstrappable -- i.e., the depth that the scheme can correctly evaluate can be logarithmic in the lattice dimension, just like the depth of the decryption circuit, but the latter is greater than the former. In the final step, we show how to modify the scheme to reduce the depth of the decryption circuit, and thereby obtain a bootstrappable encryption scheme, without reducing the depth that the scheme can evaluate. Abstractly, we accomplish this by enabling the encrypter to start the decryption process, leaving less work for the decrypter, much like the server leaves less work for the decrypter in a server-aided cryptosystem.

5,770 citations

Journal ArticleDOI
TL;DR: The question of primitive points on an elliptic curve modulo p is discussed, and a theorem on nonsmoothness of the order of the cyclic subgroup generated by a global point is given.
Abstract: We discuss analogs based on elliptic curves over finite fields of public key cryptosystems which use the multiplicative group of a finite field. These elliptic curve cryptosystems may be more secure, because the analog of the discrete logarithm problem on elliptic curves is likely to be harder than the classical discrete logarithm problem, especially over GF(2^n). We discuss the question of primitive points on an elliptic curve modulo p, and give a theorem on nonsmoothness of the order of the cyclic subgroup generated by a global point.

5,378 citations

Book
01 Jan 1986
TL;DR: It is shown here how Elliptic Curves over Finite Fields, Local Fields, and Global Fields affect the geometry of the elliptic curves.
Abstract: Algebraic Varieties.- Algebraic Curves.- The Geometry of Elliptic Curves.- The Formal Group of Elliptic Curves.- Elliptic Curves over Finite Fields.- Elliptic Curves over C.- Elliptic Curves over Local Fields.- Elliptic Curves over Global Fields.- Integral Points on Elliptic Curves.- Computing the Mordell-Weil Group.- Appendix A: Elliptic Curves in Characteristics 2 and 3.- Appendix B: Group Cohomology (H^0 and H^1).

4,680 citations

Journal ArticleDOI
TL;DR: A digital signature scheme based on the computational difficulty of integer factorization possesses the novel property of being robust against an adaptive chosen-message attack: an adversary who receives signatures for messages of his choice cannot later forge the signature of even a single additional message.
Abstract: We present a digital signature scheme based on the computational difficulty of integer factorization. The scheme possesses the novel property of being robust against an adaptive chosen-message attack: an adversary who receives signatures for messages of his choice (where each message may be chosen in a way that depends on the signatures of previously chosen messages) cannot later forge the signature of even a single additional message. This may be somewhat surprising, since in the folklore the properties of having forgery being equivalent to factoring and being invulnerable to an adaptive chosen-message attack were considered to be contradictory. More generally, we show how to construct a signature scheme with such properties based on the existence of a "claw-free" pair of permutations--a potentially weaker assumption than the intractability of integer factorization. The new scheme is potentially practical: signing and verifying signatures are reasonably fast, and signatures are compact.

3,150 citations

References
Journal ArticleDOI
TL;DR: This paper suggests ways to solve currently open problems in cryptography, and discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.
Abstract: Two kinds of contemporary developments in cryptography are examined. Widening applications of teleprocessing have given rise to a need for new types of cryptographic systems, which minimize the need for secure key distribution channels and supply the equivalent of a written signature. This paper suggests ways to solve these currently open problems. It also discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.

14,980 citations


"A public key cryptosystem and a sig..." refers background or methods in this paper

  • ...N 1975, Diffie and Hellman [3] introduced the concept of public key cryptography....


  • ...For more details refer to [3]....


  • ...Section II shows a way to implement the public key distribution scheme introduced by Diffie and Hellman [3] to encrypt and decrypt messages....


Journal ArticleDOI
TL;DR: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key.
Abstract: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key. This has two important consequences: (1) Couriers or other secure means are not needed to transmit keys, since a message can be enciphered using an encryption key publicly revealed by the intended recipient. Only he can decipher the message, since only he knows the corresponding decryption key. (2) A message can be "signed" using a privately held decryption key. Anyone can verify this signature using the corresponding publicly revealed encryption key. Signatures cannot be forged, and a signer cannot later deny the validity of his signature. This has obvious applications in "electronic mail" and "electronic funds transfer" systems. A message is encrypted by representing it as a number M, raising M to a publicly specified power e, and then taking the remainder when the result is divided by the publicly specified product, n, of two large secret prime numbers p and q. Decryption is similar; only a different, secret, power d is used, where e * d ≡ 1 (mod (p - 1) * (q - 1)). The security of the system rests in part on the difficulty of factoring the published divisor, n.

14,659 citations


"A public key cryptosystem and a sig..." refers background or methods in this paper

  • ...For example, the Rivest-Shamir-Adleman (RSA) system [9] depends on the difficulty of factoring large integers....


  • ...Since then, several attempts have been made to find practical public key systems (see, for example, [6], [7], [9]) depending on the difficulty of solving some problems....


  • ...Then the best known algorithm for both computing discrete logarithms and factoring integers (which is the function used in some of the existing systems such as the RSA system [9]) is given by (see [1], [5], [10]) ( ), ln exp m cm O (8)...


Journal ArticleDOI
TL;DR: An improved algorithm is derived which requires O(log^2 p) complexity if p - 1 has only small prime factors, and such values of p must be avoided in the cryptosystem.
Abstract: A cryptographic system is described which is secure if and only if computing logarithms over GF(p) is infeasible. Previously published algorithms for computing this function require O(p^{1/2}) complexity in both time and space. An improved algorithm is derived which requires O(log^2 p) complexity if p - 1 has only small prime factors. Such values of p must be avoided in the cryptosystem. Constructive uses for the new algorithm are also described.

1,292 citations

Book ChapterDOI
TL;DR: An improved algorithm is derived which requires O(log^2 p) complexity if p - 1 has only small prime factors, and such values of p must be avoided in the cryptosystem.
Abstract: A cryptographic system is described which is secure if and only if computing logarithms over GF(p) is infeasible. Previously published algorithms for computing this function require O(p^{1/2}) complexity in both time and space. An improved algorithm is derived which requires O(log^2 p) complexity if p - 1 has only small prime factors. Such values of p must be avoided in the cryptosystem. Constructive uses for the new algorithm are also described.

1,120 citations

Book ChapterDOI
Andrew Odlyzko
01 Dec 1985
TL;DR: This paper surveys and analyzes known algorithms in this area, with special attention devoted to algorithms for the fields GF(2^n), finding that in order to be safe from attacks using these algorithms, the value of n for which GF(2^n) is used in a cryptosystem has to be very large and carefully chosen.
Abstract: Given a primitive element g of a finite field GF(q), the discrete logarithm of a nonzero element u ∈ GF(q) is that integer k, 1 ≤ k ≤ q-1, for which u = g^k. The well-known problem of computing discrete logarithms in finite fields has acquired additional importance in recent years due to its applicability in cryptography. Several cryptographic systems would become insecure if an efficient discrete logarithm algorithm were discovered. This paper surveys and analyzes known algorithms in this area, with special attention devoted to algorithms for the fields GF(2^n). It appears that in order to be safe from attacks using these algorithms, the value of n for which GF(2^n) is used in a cryptosystem has to be very large and carefully chosen. Due in large part to recent discoveries, discrete logarithms in fields GF(2^n) are much easier to compute than in fields GF(p) with p prime. Hence the fields GF(2^n) ought to be avoided in all cryptographic applications. On the other hand, the fields GF(p) with p prime appear to offer relatively high levels of security.

384 citations


"A public key cryptosystem and a sig..." refers background or methods in this paper

  • ...69 for factoring integers (due to Schnorr and Lenstra [10]), as well as for discrete logarithms over GF(p) (see [5])....


  • ...Then the best known algorithm for both computing discrete logarithms and factoring integers (which is the function used in some of the existing systems such as the RSA system [9]) is given by (see [1], [5], [10]) ( ), ln exp m cm O (8)...


  • ...The public key system can be easily extended to any GF(p), but recent progress in computing discrete logarithms over GF(p) where m is large (see [2,5]) makes the key size required very large for the system to be secure....
