# Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Save this PDF as:

Size: px
Start display at page:

Download "Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring"

## Transcription

1 Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The Diffie-Hellman key-exchange protocol may naturally be extended to k > 2 parties. This gives rise to the generalized Diffie-Hellman assumption (GDH-Assumption). Naor and Reingold have recently shown an efficient construction of pseudo-random functions and proved its security based on the GDH-Assumption. In this note, we prove that breaking this assumption modulo a so called Blum-integer would imply an efficient algorithm for factorization. Therefore, both the key-exchange protocol and the pseudo-random functions are secure as long as factoring Blum-integers is hard. Our reduction strengthen a previous worst-case reduction of Shmuely [6]. Keywords: Cryptography, Diffie-Hellman Assumption, Factoring, Key-Exchange, Pseudo- Random Function. Computer Science Department, Technion, Haifa 32000, Israel. Dept. of Computer Science, Stanford University, Staford, CA, Dept. of Computer Science and Applied Mathematics, Weizmann Institute of Science, Rehovot 76100, Israel. Research supported by a Clore Scholars award, an Eshkol Fellowship of the Israeli Ministry of Science and by a grant from the Israel Science Foundation administered by the Israeli Academy of Sciences.

2 1 Introduction The Generalized Diffie-Hellman (GDH) Assumption was originally considered in the context of a key-exchange protocol for k > 2 parties (see e.g., [6, 8]). This protocol is an extension of the (extremely influential) Diffie-Hellman key-exchange protocol [2]. Given a group G and an element g G, the high-level structure of the protocol is as follows: Party i [k] def = {1, 2,..., k} chooses a secret value, a i. The parties exchange messages of the form g i I a i for several proper subsets, I [k]. Given these messages, each of the parties can compute g i [k] ai and this value defines their common key (in some publicly known way). Since the parties use an insecure (though authenticated) channel, it is essential that the messages they exchange do not reveal g i [k] ai. The GDH-Assumption is even stronger: informally, it states that it is hard to compute g i [k] ai for an algorithm that can query g i I a i for any proper subset, I [k] of its choice. The precise statement of the assumption is given in Section 2.1. Recently, another application to the GDH-Assumption was proposed by Naor and Reingold [4]. They showed an attractive construction of pseudo-random functions that is secure as long as the GDH-Assumption holds. Motivated by this application, we provide in this note a proof that the GDH-Assumption modulo a Blum-integer follows from the assumption that factoring Blum-integers is hard. Similar reductions were previously described in the context of the standard Diffie-Hellman assumption by McCurley [3] and Shmuely [6]. In fact, Shmuely [6] also provided a related reduction for the GDH-Assumption (modulo a composite) itself. Her reduction works when the algorithm that breaks the GDH-Assumption succeeds in computing g i [k] ai for every choice of values a 1, a 2,..., a k (which is not sufficient for the applications of the GDH-Assumption). In contrast, our reduction works even when the algorithm breaking the GDH-Assumption only succeeds for some non-negligible fraction of the a 1,..., a k. 2 The Assumptions In this section we define the GDH-Assumption in Z N (the multiplicative group modulo N), where N is a so called Blum-integer. We also define the assumption that factoring Blum-integers is hard. The restriction to Blum-integers is quite standard and it makes the reduction of factoring to the GDH-Problem much simpler. In order to keep our result general, we let N (in both assumptions) be generated by some polynomial-time algorithm F IG (where F IG stands for factoring-instance-generator): Definition 2.1 (F IG) The factoring-instance-generator, F IG, is a probabilistic polynomialtime algorithm such that on input 1 n its output, N = P Q, is distributed over 2n bit integers, where P and Q are two n bit primes and P = Q = 3 mod 4 (such N is known as a Blum-integer). A natural way to define F IG is to let F IG(1 n ) be uniformly distributed over 2n bit Blum-integers 1. However, other choices were previously considered (e.g., letting P and Q 1 We note that 2n bit Blum-integers are a non-negligible fraction of all 2n bit integers and that it is easy to sample a uniformly distributed 2n bit Blum-integer. 1

3 obey some safety conditions). 2.1 The GDH-Assumption To formalize the GDH-Assumption (which is described in the introduction) we use the following two definitions: Definition 2.2 Let N be any possible output of F IG(1 n ), let g be any quadratic-residue in Z N and let a = a 1, a 2,..., a k be any sequence of k 2 elements of [N]. Define the function h N,g, a with domain {0, 1} k such that for any k-bit input, x = x 1 x 2 x k, h N,g, a (x) def x = g i =1 ai mod N Define h r N,g, a to be the restriction of h N,g, a to the set of all k-bit strings except 1 k (i.e., the restriction of h N,g, a to {0, 1} k \ {1 k }). Definition 2.3 (ϵ-solving the GDH k -Problem) Let A be a probabilistic oracle machine, k = k(n) an integer-valued function such that n, k(n) 2 and ϵ = ϵ(n) a real-valued function. A ϵ-solves the GDH k -Problem if for infinitely many n s Pr[A hr N,g, a(n, g) = h N,g, a (1 n )] > ϵ(n) where the probability is taken over the random bits of A, the choice of N according to the distribution F IG(1 n ), the choice of g uniformly at random in the set of quadratic-residues in Z N and the choice of each of the values in a = a 1, a 2,..., a k(n) uniformly at random in [N]. Informally, the GDH-Assumption is that there is no efficient oracle machine A that ϵ-solves the GDH k -Problem for non-negligible ϵ. We formalize this in the standard way of interpreting efficient as probabilistic polynomial-time and non-negligible as larger than 1/poly. However, our reduction (Theorem 3.1) is more quantitative. Assumption 2.1 (The GDH-Assumption Modulo a Blum-Integer) Let A be any probabilistic polynomial-time oracle machine and k = k(n) 2 any integer-valued function that is bounded by a polynomial (and is efficiently-constructible). There is no positive constant α such that A 1 n -solves the GDH α k -Problem. 2.2 The Factoring-Assumption We formalize the assumption that factoring Blum-integers is hard in an analogous way: Definition 2.4 (ϵ-factoring) Let A be a probabilistic Turing-machine and ϵ = ϵ(n) a real-valued function. A ϵ-factors if for infinitely many n s Pr[A(P Q) {P, Q}] > ϵ(n) where the distribution of N = P Q is F IG(1 n ). Assumption 2.2 (Factoring Blum-Integers) Let A be any probabilistic polynomial-time oracle machine. There is no positive constant α such that A 1 n α -factors. 2

4 3 Reducing Factoring to the GDH-Problem Theorem 3.1 Assumption 2.1 (the GDH-Assumption) is implied by Assumption 2.2 (Factoring). Furthermore, assume that A is a probabilistic oracle machine with running-time t = t(n) such that A ϵ-solves the GDH k -Problem (where k = k(n) 2, is an integer-valued function that is efficiently-constructible and ϵ = ϵ(n) a real-valued function). Then there exists a probabilistic Turing-machine A with running time t (n) = poly(n, k(n)) t(n) that ϵ -factors, where ϵ (n) = ϵ(n)/2 O(k(n) 2 n ). As an intuition to the proof, let us first describe it under the assumption that A computes h N,g, a (1 k ) for any sequence a = a 1, a 2,..., a k(n). The algorithm A can use A to extract square-roots in Z N and consequently A can factor N (as shown in [5]). This is done as follows: A first samples v uniformly at random in Z N and computes g = v2k mod N. Let l be the order of g in Z N (note that l is not known to A ). Since N is a Blum-integer and g is a quadratic-residue we have that l is odd. This implies that 2 Z l and therefore 2 1 mod l exists (and is simply l+1 2 ). For simplicity of exposition, denote by g2 1 mod N the value g 2 1modl mod N. Hence, g 2 1 mod N is not any square-root of g in Z N but is rather precisely equal to g l+1 2 mod N. In the same way denote by g 2 i mod N the value g 2 imodl mod N. Under this notation we have for every 0 < i < k that g 2 i = v 2k i mod N. Let a = a 1,..., a k be the vector, where for all i, a i = 2 1 mod l. It follows that algorithm A can easily compute h N,g, a (x) for any x 1 k (if exactly i < k bits of x are 1 we have that h N,g, a (x) = g 2 i mod N = v 2k i mod N). Hence, A can invoke A with input N, g and answer every query, q, of A with h r N,g, a (q). Eventually, A outputs the value u = h N,g, a (1 n ) = g 2 k mod N. We now have that u 2 = v 2 mod N and that Pr[u = ±v] = 1/2. This implies that Pr[gcd(u v, N) {P, Q}] = 1/2 which enables A to factor N. The complete proof follows the same lines along with additional randomization of the a i s (achieved by taking a i = 2 1 +r i ) which eliminates the assumption that A always succeeds. Proof: Assume that A is as in Theorem 3.1, we define the algorithm A that is guaranteed to exist by the theorem. Let N = P Q be any 2n-bit Blum-integer. Given N as its input, A performs the following basic steps (we later describe how these steps can be carried out in the required running time): 1. Sample v uniformly at random in Z N. Compute k = k(n) and g = v2k mod N. Denote by l the order of g in Z N (note that l is not known to A ). As mentioned above, since N is a Blum-integer and g is a quadratic-residue we have that l is odd. This implies that 2 Z l and therefore 2 1 mod l exists (and is simply l+1 2 ). 2. Sample each one of the values in r 1, r 2,..., r k uniformly at random in [N]. For 1 i k, denote by a i the value r i mod l (again, note that a i is not known to A ). Denote by a the sequence a 1, a 2,..., a k. 3. Invoke A with input N, g and answer each query, q, of A with the value h r N,g, a (q). 3

5 4. Given that A outputs the correct value h N,g, a (1 n ), compute u = g 2 k mod N. As will be noted below, u 2 = v 2 mod N. If u ±v mod N, output gcd(u v, N) which is indeed in {P, Q}. Otherwise, output failed. The Running-Time of A : Steps (1) and (2) can easily be carried out in time poly(n, k(n)). For steps (3) and (4) to be carried out in time t (n) = poly(n, k(n)) t(n) it is enough to show that: a. For every query q {0, 1} k \ {1 k } the value h N,g, a (q) can be computed in time poly(n, k(n)). b. Given h N,g, a (1 n ), the value g 2 k mod N can be computed in time poly(n, k(n)). Recall that whenever 2 1 appears in the exponent it denotes the value 2 1 mod l = l+1 ) 2. i Similarly, 2 i in the exponent denotes the value 2 i mod l = mod l. Therefore, under this notation, for every i the value g 2 i mod N is a quadratic-residue (since g is a quadratic-residue). The key-observation for proving (a) and (b) is that for all 0 < i < k, we have that g 2 i = v 2k i mod N. For i = 1, this is implied by the fact that both g 2 1 and v 2k 1 are square roots of g and they are both quadratic-residues. Since squaring is a permutation over the set of quadratic-residues in Z N (for any Blum-integer, N) we must have that g2 1 and v 2k 1 are equal. By induction on 0 < i < k, we get that g 2 i = v 2k i mod N in the same way. Therefore, for every q = q 1 q 2... q k 1 k : ( l+1 2 q h N,g, a (q) = g i =1 ai = g qi =1 (r i+2 1 ) k 1 = g j=0 α j2 j k 1 = v j=0 α j2 k j mod N where the values {α j } k 1 j=0 are the integers for which the two polynomials (in the variable x) q i =1 (r i +x) and k 1 j=0 α jx j are identical over Z. Since these values can easily be computed in time poly(n, k(n)), we get that (a) holds. Similarly: h N,g, a (1 k k ) = g i=1 a k i = g i=1 (r i+2 1) k 1 = g 2 k g j=0 β j2 j k 1 = g 2 k v j=0 β j2 k j mod N where the values {β j } k 1 j=0 can easily be computed in time poly(n, k(n)). We now get that (b) holds since: ( ) g 2 k = h N,g, a (1 k k 1 ) v j=0 β j2 k j 1 mod N The Success-Probability of A : It remains to show that A ϵ -factors, where ϵ (n) = ϵ(n)/2 O(k(n) 2 n ). Recall that u denotes the value g 2 k mod N. As shown above v 2 = g 2 (k 1) (= u 2 ) mod N. Therefore, it is not hard to verify that: [ Pr[A (N) {P, Q}] = Pr (u ±v mod N) and ( )] A hr N,g, a(n, g) = h N,g, a (1 n ) Note that A hr N,g, a(n, g) does not depend on v itself but rather on v 2. Therefore, A hr N,g, a(n, g) is equally distributed for any two assignments, w and w, of v as long as w 2 = w 2 mod N. 4

6 This follows from the fact that all the values of h r N,g, a (including g = hr N,g, a (0n )) only depend on v 2 : For every q = q 1 q 2... q k 1 k the value h N,g, a (q) was shown above to be k 1 v j=0 α j2 k j mod N = (v 2) k j=1 α j 12 k j mod N where the α j s only depend on q and the r i s. We therefore get that: Pr[A (N) {P, Q}] = 1/2 Pr[A hr N,g, a(n, g) = h N,g, a (1 n )] Let N be chosen from F IG(1 n ). We need to show that for infinitely many n s Pr[A (N) {P, Q}] > ϵ (n) Which is equivalent to showing that for infinitely many n s Pr[A hr N,g, a(n, g) = h N,g, a (1 n )] > ϵ(n) O(k(n) 2 n ) To do so, we need a couple of simple facts on the distribution of g and of each a i mod l. Let us first recall the definition of statistical distance: Definition 3.1 Let X and Y be two random variables over D. The statistical difference between X and Y is defined to be We now have that: 1 Pr[X = a] Pr[Y = a] 2 a D Fact 1 g is a uniformly distributed quadratic-residue in Z N. Reason: v 2 is a uniformly distributed quadratic-residue in Z N and squaring is a permutation over the set of quadratic-residues in Z N (since N is a Blum-integer). Fact 2 Let r and a be uniformly distributed in [N] and denote by a the value r+2 1 mod l. Then a and a mod l are of statistical distance O(2 n ). Reason: l divides (Q 1)(P 1). Therefore the distribution of a conditioned on the event that r [(Q 1)(P 1)] is the same as the distribution of a mod l conditioned on the event that a [(Q 1)(P 1)] (and in both cases it is simply the uniform distribution over Z l ). It remains to notice that Pr [r [(Q 1)(P 1)]] = Pr [a (Q 1)(P 1) [(Q 1)(P 1)]] = N = 1 P +Q N + 1 N = 1 O(2 n ). Let each value in a = a 1, a 2,..., a k be uniformly distributed in [N]. Since A ϵ-solves the GDH k -Problem and given Fact 1, we have that: Pr[A hr N,g, a (N, g) = h N,g, a (1 n )] > ϵ(n) Given Fact 2, it is easy to verify that the two random variables h N,g, a and h N,g, a statistical distance O(k(n) 2 n ). Therefore, we can conclude that: are of Pr[A hr N,g, a(n, g) = h N,g, a (1 n )] > ϵ(n) O(k(n) 2 n ) which completes the proof of the theorem. 5

7 4 Conclusions We showed that breaking the generalized Diffie-Hellman assumption modulo a Blum-integer is at least as hard as factoring Blum-integers. This implies that the security of the generalized Diffie-Hellman key-exchange protocol (which is mentioned in the introduction) can be based on the assumption that factoring is hard. In addition, as shown in [4], it implies the existence of efficient pseudo-random functions which are at least as secure as factoring. A possible line for further research is the study of the generalized Diffie-Hellman assumption in other groups and the relation between the generalized Diffie-Hellman assumption and the standard Diffie-Hellman assumption. It is interesting to note that the decisional version of the generalized Diffie-Hellman assumption is equivalent to the decisional version of the standard Diffie-Hellman assumption (as shown in [8]). Two examples of results that support the validity of the decisional version of the standard Diffie-Hellman can be found in the work of Boneh and Venkatesan [1] and in the work of Shoup [7]. Boneh and Venkatesan showed that computing the k ( log P ) most significant bits of g a b (given g, g a, g b ) is as hard as computing g a b itself. Shoup showed that the DDH-Problem is hard for what he calls a generic algorithm. Acknowledgments We thank Moni Naor for many helpful discussions and the anonymous referees for many helpful comments. References [1] D. Boneh and R. Venkatesan, Hardness of computing most significant bits in secret keys in Diffie-Hellman and related schemes, Advances in Cryptology - CRYPTO 96, LNCS, vol. 1109, Springer, 1996, pp [2] W. Diffie and M. Hellman, New directions in cryptography, IEEE Trans. Inform. Theory, vol. 22(6), 1976, pp [3] K. McCurley, A key distribution system equivalent to factoring, J. of Cryptology, vol 1, 1988, pp [4] M. Naor and O. Reingold, Number-Theoretic constructions of efficient pseudo-random functions, Proc. 38th IEEE Symp. on Foundations of Computer Science, [5] M. O. Rabin, Digitalized signatures and public-key functions as intractable as factorization, Technical Report, TR-212, MIT Laboratory for Computer Science, [6] Z. Shmuely, Composite Diffie-Hellman public-key generating systems are hard to break, Technical Report No. 356, Computer Science Department, Technion, Israel, [7] V. Shoup, Lower bounds for discrete logarithms and related problems, Proc. Advances in Cryptology - EUROCRYPT 97, LNCS, Springer-Verlag, 1997, pp [8] M. Steiner, G. Tsudik and M. Waidner, Diffie-Hellman key distribution extended to group communication, Proceedings 3rd ACM Conference on Computer and Communications Security, 1996, pp

### International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

FACTORING CRYPTOSYSTEM MODULI WHEN THE CO-FACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II Mohammedia-Casablanca,

### Improved Online/Offline Signature Schemes

Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion

### On-Line/Off-Line Digital Signatures

J. Cryptology (996) 9: 35 67 996 International Association for Cryptologic Research On-Line/Off-Line Digital Signatures Shimon Even Computer Science Department, Technion Israel Institute of Technology,

### A Factoring and Discrete Logarithm based Cryptosystem

Int. J. Contemp. Math. Sciences, Vol. 8, 2013, no. 11, 511-517 HIKARI Ltd, www.m-hikari.com A Factoring and Discrete Logarithm based Cryptosystem Abdoul Aziz Ciss and Ahmed Youssef Ecole doctorale de Mathematiques

### 2.1 Complexity Classes

15-859(M): Randomized Algorithms Lecturer: Shuchi Chawla Topic: Complexity classes, Identity checking Date: September 15, 2004 Scribe: Andrew Gilpin 2.1 Complexity Classes In this lecture we will look

### Concrete Security of the Blum-Blum-Shub Pseudorandom Generator

Appears in Cryptography and Coding: 10th IMA International Conference, Lecture Notes in Computer Science 3796 (2005) 355 375. Springer-Verlag. Concrete Security of the Blum-Blum-Shub Pseudorandom Generator

### On Factoring Integers and Evaluating Discrete Logarithms

On Factoring Integers and Evaluating Discrete Logarithms A thesis presented by JOHN AARON GREGG to the departments of Mathematics and Computer Science in partial fulfillment of the honors requirements

### The Mathematics of the RSA Public-Key Cryptosystem

The Mathematics of the RSA Public-Key Cryptosystem Burt Kaliski RSA Laboratories ABOUT THE AUTHOR: Dr Burt Kaliski is a computer scientist whose involvement with the security industry has been through

### NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES

NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES Ounasser Abid 1, Jaouad Ettanfouhi 2 and Omar Khadir 3 1,2,3 Laboratory of Mathematics, Cryptography and Mechanics, Department of Mathematics, Fstm,

### Introduction. Digital Signature

Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

### Public Key Cryptography. c Eli Biham - March 30, 2011 258 Public Key Cryptography

Public Key Cryptography c Eli Biham - March 30, 2011 258 Public Key Cryptography Key Exchange All the ciphers mentioned previously require keys known a-priori to all the users, before they can encrypt

### Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis

Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography

### Pricing via Processing or Combatting Junk Mail

Pricing via Processing or Combatting Junk Mail Cynthia Dwork Moni Naor Draft of full version Abstract We present a computational technique for combatting junk mail, in particular, and controlling access

### Study of algorithms for factoring integers and computing discrete logarithms

Study of algorithms for factoring integers and computing discrete logarithms First Indo-French Workshop on Cryptography and Related Topics (IFW 2007) June 11 13, 2007 Paris, France Dr. Abhijit Das Department

### Lecture 15 - Digital Signatures

Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.

### Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak

Non-Black-Box Techniques In Crytpography Introduction Thesis for the Ph.D degree Boaz Barak A computer program (or equivalently, an algorithm) is a list of symbols a finite string. When we interpret a

### SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

www.arpapress.com/volumes/vol8issue1/ijrras_8_1_10.pdf SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES Malek Jakob Kakish Amman Arab University, Department of Computer Information Systems, P.O.Box 2234,

### CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

### Breaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and

Breaking The Code Ryan Lowe Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and a minor in Applied Physics. As a sophomore, he took an independent study

### U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009. Notes on Algebra

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009 Notes on Algebra These notes contain as little theory as possible, and most results are stated without proof. Any introductory

### Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical public-key

### A Secure Protocol for the Oblivious Transfer (Extended Abstract) M. J. Fischer. Yale University. S. Micali Massachusetts Institute of Technology

J, Cryptoiogy (1996) 9:191-195 Joumol of CRYPTOLOGY O 1996 International Association for Cryptologic Research A Secure Protocol for the Oblivious Transfer (Extended Abstract) M. J. Fischer Yale University

Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

### 1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

### On Generating the Initial Key in the Bounded-Storage Model

On Generating the Initial Key in the Bounded-Storage Model Stefan Dziembowski Institute of Informatics, Warsaw University Banacha 2, PL-02-097 Warsaw, Poland, std@mimuw.edu.pl Ueli Maurer Department of

### 2 Primality and Compositeness Tests

Int. J. Contemp. Math. Sciences, Vol. 3, 2008, no. 33, 1635-1642 On Factoring R. A. Mollin Department of Mathematics and Statistics University of Calgary, Calgary, Alberta, Canada, T2N 1N4 http://www.math.ucalgary.ca/

### Security Arguments for Digital Signatures and Blind Signatures

Journal of Cryptology, Volume 13, Number 3. Pages 361 396, Springer-Verlag, 2000. 2000 International Association for Cryptologic Research Security Arguments for Digital Signatures and Blind Signatures

### Security in Electronic Payment Systems

Security in Electronic Payment Systems Jan L. Camenisch, Jean-Marc Piveteau, Markus A. Stadler Institute for Theoretical Computer Science, ETH Zurich, CH-8092 Zurich e-mail: {camenisch, stadler}@inf.ethz.ch

### A Secure and Efficient Conference Key Distribution System

********************** COVER PAGE ********************** A Secure and Efficient Conference Key Distribution System (Extended Abstract) Mike Burmester Department of Mathematics Royal Holloway University

### Security Analysis of DRBG Using HMAC in NIST SP 800-90

Security Analysis of DRBG Using MAC in NIST SP 800-90 Shoichi irose Graduate School of Engineering, University of Fukui hrs shch@u-fukui.ac.jp Abstract. MAC DRBG is a deterministic random bit generator

### Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

### Efficient Unlinkable Secret Handshakes for Anonymous Communications

보안공학연구논문지 (Journal of Security Engineering), 제 7권 제 6호 2010년 12월 Efficient Unlinkable Secret Handshakes for Anonymous Communications Eun-Kyung Ryu 1), Kee-Young Yoo 2), Keum-Sook Ha 3) Abstract The technique

### Factoring & Primality

Factoring & Primality Lecturer: Dimitris Papadopoulos In this lecture we will discuss the problem of integer factorization and primality testing, two problems that have been the focus of a great amount

### Secure Computation Without Authentication

Secure Computation Without Authentication Boaz Barak 1, Ran Canetti 2, Yehuda Lindell 3, Rafael Pass 4, and Tal Rabin 2 1 IAS. E:mail: boaz@ias.edu 2 IBM Research. E-mail: {canetti,talr}@watson.ibm.com

### A New and Efficient Signature on Commitment Values

International Journal of Network Security, Vol.7, No., PP.0 06, July 2008 0 A New and Efficient Signature on Commitment Values Fangguo Zhang,3, Xiaofeng Chen 2,3, Yi Mu 4, and Willy Susilo 4 (Corresponding

### LUC: A New Public Key System

LUC: A New Public Key System Peter J. Smith a and Michael J. J. Lennon b a LUC Partners, Auckland UniServices Ltd, The University of Auckland, Private Bag 92019, Auckland, New Zealand. b Department of

### Lecture 25: Pairing-Based Cryptography

6.897 Special Topics in Cryptography Instructors: Ran Canetti and Ron Rivest May 5, 2004 Lecture 25: Pairing-Based Cryptography Scribe: Ben Adida 1 Introduction The field of Pairing-Based Cryptography

### Identity-Based Encryption from the Weil Pairing

Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages

MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and

### Lecture 2: Complexity Theory Review and Interactive Proofs

600.641 Special Topics in Theoretical Cryptography January 23, 2007 Lecture 2: Complexity Theory Review and Interactive Proofs Instructor: Susan Hohenberger Scribe: Karyn Benson 1 Introduction to Cryptography

### Capture Resilient ElGamal Signature Protocols

Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department

### A New Forward-Secure Digital Signature Scheme

The extended abstract of this work appears Advances in Cryptology Asiacrypt 2000, Tatsuaki Okamoto, editor, Lecture Notes in Computer Science vol. 1976, Springer-Verlag, 2000. c IACR A New Forward-Secure

### On the Difficulty of Software Key Escrow

On the Difficulty of Software Key Escrow Lars R. Knudsen and Torben P. Pedersen Katholieke Universiteit Leuven, Belgium, email: knudsen@esat.kuleuven.ac.be Cryptomathic, Denmark, email: tpp@cryptomathic.aau.dk

### On the Fly Authentication and Signature Schemes Based on Groups of Unknown Order

J. Cryptology (2006) 19: 463 487 DOI: 10.1007/s00145-006-0224-0 2006 International Association for Cryptologic Research On the Fly Authentication and Signature Schemes Based on Groups of Unknown Order

### Lecture 13 - Basic Number Theory.

Lecture 13 - Basic Number Theory. Boaz Barak March 22, 2010 Divisibility and primes Unless mentioned otherwise throughout this lecture all numbers are non-negative integers. We say that A divides B, denoted

### Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

### Lecture 5 - CPA security, Pseudorandom functions

Lecture 5 - CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.

### Cryptography and Network Security

Cryptography and Network Security Fifth Edition by William Stallings Chapter 9 Public Key Cryptography and RSA Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared

### RSA Attacks. By Abdulaziz Alrasheed and Fatima

RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.

### 3-6 Toward Realizing Privacy-Preserving IP-Traceback

3-6 Toward Realizing Privacy-Preserving IP-Traceback The IP-traceback technology enables us to trace widely spread illegal users on Internet. However, to deploy this attractive technology, some problems

### A New Generic Digital Signature Algorithm

Groups Complex. Cryptol.? (????), 1 16 DOI 10.1515/GCC.????.??? de Gruyter???? A New Generic Digital Signature Algorithm Jennifer Seberry, Vinhbuu To and Dongvu Tonien Abstract. In this paper, we study

### CUNSHENG DING HKUST, Hong Kong. Computer Security. Computer Security. Cunsheng DING, HKUST COMP4631

Cunsheng DING, HKUST Lecture 08: Key Management for One-key Ciphers Topics of this Lecture 1. The generation and distribution of secret keys. 2. A key distribution protocol with a key distribution center.

### Twin Signatures: an Alternative to the Hash-and-Sign Paradigm

Proceedings of the 8th ACM Conference on Computer and Communications Security. Pages 20 27. (november 5 8, 2001, Philadelphia, Pennsylvania, USA) Twin Signatures: an Alternative to the Hash-and-Sign Paradigm

### FAREY FRACTION BASED VECTOR PROCESSING FOR SECURE DATA TRANSMISSION

FAREY FRACTION BASED VECTOR PROCESSING FOR SECURE DATA TRANSMISSION INTRODUCTION GANESH ESWAR KUMAR. P Dr. M.G.R University, Maduravoyal, Chennai. Email: geswarkumar@gmail.com Every day, millions of people

### Limits of Computational Differential Privacy in the Client/Server Setting

Limits of Computational Differential Privacy in the Client/Server Setting Adam Groce, Jonathan Katz, and Arkady Yerukhimovich Dept. of Computer Science University of Maryland {agroce, jkatz, arkady}@cs.umd.edu

### Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012

Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database

### Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz Abstract We propose simple and efficient CCA-secure public-key encryption schemes (i.e., schemes

### Embedding more security in digital signature system by using combination of public key cryptography and secret sharing scheme

International Journal of Computer Sciences and Engineering Open Access Research Paper Volume-4, Issue-3 E-ISSN: 2347-2693 Embedding more security in digital signature system by using combination of public

### Primality - Factorization

Primality - Factorization Christophe Ritzenthaler November 9, 2009 1 Prime and factorization Definition 1.1. An integer p > 1 is called a prime number (nombre premier) if it has only 1 and p as divisors.

### The Conference Call Search Problem in Wireless Networks

The Conference Call Search Problem in Wireless Networks Leah Epstein 1, and Asaf Levin 2 1 Department of Mathematics, University of Haifa, 31905 Haifa, Israel. lea@math.haifa.ac.il 2 Department of Statistics,

### arxiv:1112.0829v1 [math.pr] 5 Dec 2011

How Not to Win a Million Dollars: A Counterexample to a Conjecture of L. Breiman Thomas P. Hayes arxiv:1112.0829v1 [math.pr] 5 Dec 2011 Abstract Consider a gambling game in which we are allowed to repeatedly

### A New, Publicly Veriable, Secret Sharing Scheme

Scientia Iranica, Vol. 15, No. 2, pp 246{251 c Sharif University of Technology, April 2008 A New, Publicly Veriable, Secret Sharing Scheme A. Behnad 1 and T. Eghlidos A Publicly Veriable Secret Sharing

### Announcements. CS243: Discrete Structures. More on Cryptography and Mathematical Induction. Agenda for Today. Cryptography

Announcements CS43: Discrete Structures More on Cryptography and Mathematical Induction Işıl Dillig Class canceled next Thursday I am out of town Homework 4 due Oct instead of next Thursday (Oct 18) Işıl

### Lecture 11: The Goldreich-Levin Theorem

COM S 687 Introduction to Cryptography September 28, 2006 Lecture 11: The Goldreich-Levin Theorem Instructor: Rafael Pass Scribe: Krishnaprasad Vikram Hard-Core Bits Definition: A predicate b : {0, 1}

### New Efficient Searchable Encryption Schemes from Bilinear Pairings

International Journal of Network Security, Vol.10, No.1, PP.25 31, Jan. 2010 25 New Efficient Searchable Encryption Schemes from Bilinear Pairings Chunxiang Gu and Yuefei Zhu (Corresponding author: Chunxiang

### Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

### 9 Digital Signatures: Definition and First Constructions. Hashing.

Leo Reyzin. Notes for BU CAS CS 538. 1 9 Digital Signatures: Definition and First Constructions. Hashing. 9.1 Definition First note that encryption provides no guarantee that a message is authentic. For

### Modular Security Proofs for Key Agreement Protocols

Modular Security Proofs for Key Agreement Protocols Caroline Kudla and Kenneth G. Paterson Information Security Group Royal Holloway, niversity of London, K {c.j.kudla,kenny.paterson}@rhul.ac.uk Abstract.

### Cryptography and Network Security Chapter 10

Cryptography and Network Security Chapter 10 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 10 Other Public Key Cryptosystems Amongst the tribes of Central

### Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY. Sourav Mukhopadhyay

Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY Sourav Mukhopadhyay Cryptography and Network Security - MA61027 Modern/Public-key cryptography started in 1976 with the publication of the following paper. W. Diffie

### On the representability of the bi-uniform matroid

On the representability of the bi-uniform matroid Simeon Ball, Carles Padró, Zsuzsa Weiner and Chaoping Xing August 3, 2012 Abstract Every bi-uniform matroid is representable over all sufficiently large

### Reusable Anonymous Return Channels

Reusable Anonymous Return Channels Philippe Golle Stanford University Stanford, CA 94305, USA pgolle@cs.stanford.edu Markus Jakobsson RSA Laboratories Bedford, MA 01730, USA mjakobsson@rsasecurity.com

### Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

### Masao KASAHARA. Public Key Cryptosystem, Error-Correcting Code, Reed-Solomon code, CBPKC, McEliece PKC.

A New Class of Public Key Cryptosystems Constructed Based on Reed-Solomon Codes, K(XII)SEPKC. Along with a presentation of K(XII)SEPKC over the extension field F 2 8 extensively used for present day various

### The RSA Algorithm: A Mathematical History of the Ubiquitous Cryptological Algorithm

The RSA Algorithm: A Mathematical History of the Ubiquitous Cryptological Algorithm Maria D. Kelly December 7, 2009 Abstract The RSA algorithm, developed in 1977 by Rivest, Shamir, and Adlemen, is an algorithm

### INTERACTIVE TWO-CHANNEL MESSAGE AUTHENTICATION BASED ON INTERACTIVE-COLLISION RESISTANT HASH FUNCTIONS

INTERACTIVE TWO-CHANNEL MESSAGE AUTHENTICATION BASED ON INTERACTIVE-COLLISION RESISTANT HASH FUNCTIONS ATEFEH MASHATAN 1 AND DOUGLAS R STINSON 2 Abstract We propose an interactive message authentication

### Public Key (asymmetric) Cryptography

Public-Key Cryptography UNIVERSITA DEGLI STUDI DI PARMA Dipartimento di Ingegneria dell Informazione Public Key (asymmetric) Cryptography Luca Veltri (mail.to: luca.veltri@unipr.it) Course of Network Security,

### Quantum Computing Lecture 7. Quantum Factoring. Anuj Dawar

Quantum Computing Lecture 7 Quantum Factoring Anuj Dawar Quantum Factoring A polynomial time quantum algorithm for factoring numbers was published by Peter Shor in 1994. polynomial time here means that

### A New Credit Card Payment Scheme Using Mobile Phones Based on Visual Cryptography

A New Credit Card Payment Scheme Using Mobile Phones Based on Visual Cryptography Chao-Wen Chan and Chih-Hao Lin Graduate School of Computer Science and Information Technology, National Taichung Institute

### A new probabilistic public key algorithm based on elliptic logarithms

A new probabilistic public key algorithm based on elliptic logarithms Afonso Comba de Araujo Neto, Raul Fernando Weber 1 Instituto de Informática Universidade Federal do Rio Grande do Sul (UFRGS) Caixa

### IMPROVED SECURITY MEASURES FOR DATA IN KEY EXCHANGES IN CLOUD ENVIRONMENT

INTERNATIONAL JOURNAL OF RESEARCH IN COMPUTER APPLICATIONS AND ROBOTICS ISSN 2320-7345 IMPROVED SECURITY MEASURES FOR DATA IN KEY EXCHANGES IN CLOUD ENVIRONMENT Merlin Shirly T 1, Margret Johnson 2 1 PG

### Improvement of digital signature with message recovery using self-certified public keys and its variants

Applied Mathematics and Computation 159 (2004) 391 399 www.elsevier.com/locate/amc Improvement of digital signature with message recovery using self-certified public keys and its variants Zuhua Shao Department

### Message Authentication Codes 133

Message Authentication Codes 133 CLAIM 4.8 Pr[Mac-forge A,Π (n) = 1 NewBlock] is negligible. We construct a probabilistic polynomial-time adversary A who attacks the fixed-length MAC Π and succeeds in

### 1 Formulating The Low Degree Testing Problem

6.895 PCP and Hardness of Approximation MIT, Fall 2010 Lecture 5: Linearity Testing Lecturer: Dana Moshkovitz Scribe: Gregory Minton and Dana Moshkovitz In the last lecture, we proved a weak PCP Theorem,

### CS 758: Cryptography / Network Security

CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html

### Development of enhanced Third party Auditing Scheme for Secure Cloud Storage

Development of enhanced Third party Auditing Scheme for Secure Cloud Storage Bhanu Prakash Chamakuri*1, D. Srikar*2, Dr. M.Suresh Babu*3 M.Tech Scholar, Dept of CSE, Grandhi Varalakshmi Institute Of Technology,

### Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures

Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures Department of Computer Science and Information Engineering, Chaoyang University of Technology 朝 陽 科 技 大 學 資 工

### Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels

Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels Ran Canetti 1 and Hugo Krawczyk 2, 1 IBM T.J. Watson Research Center, Yorktown Heights, New York 10598. canetti@watson.ibm.com

### Lecture 13: Factoring Integers

CS 880: Quantum Information Processing 0/4/0 Lecture 3: Factoring Integers Instructor: Dieter van Melkebeek Scribe: Mark Wellons In this lecture, we review order finding and use this to develop a method

### Randomized algorithms

Randomized algorithms March 10, 2005 1 What are randomized algorithms? Algorithms which use random numbers to make decisions during the executions of the algorithm. Why would we want to do this?? Deterministic

### The Complexity of Online Memory Checking

The Complexity of Online Memory Checking Moni Naor Guy N. Rothblum Abstract We consider the problem of storing a large file on a remote and unreliable server. To verify that the file has not been corrupted,

### Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

### MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial

### Cryptanalysis of a Partially Blind Signature Scheme or How to make \$100 bills with \$1 and \$2 ones

Cryptanalysis of a Partially Blind Signature Scheme or How to make \$100 bills with \$1 and \$2 ones Gwenaëlle Martinet 1, Guillaume Poupard 1, and Philippe Sola 2 1 DCSSI Crypto Lab, 51 boulevard de La Tour-Maubourg

### ALGEBRAIC APPROACH TO COMPOSITE INTEGER FACTORIZATION

ALGEBRAIC APPROACH TO COMPOSITE INTEGER FACTORIZATION Aldrin W. Wanambisi 1* School of Pure and Applied Science, Mount Kenya University, P.O box 553-50100, Kakamega, Kenya. Shem Aywa 2 Department of Mathematics,

### Simplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings

Simplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings Ernie Brickell Intel Corporation ernie.brickell@intel.com Liqun Chen HP Laboratories liqun.chen@hp.com March

### Structural properties of oracle classes

Structural properties of oracle classes Stanislav Živný Computing Laboratory, University of Oxford, Wolfson Building, Parks Road, Oxford, OX1 3QD, UK Abstract Denote by C the class of oracles relative