Another look at non-standard discrete log and Diffie-Hellman problems

Koblitz, Neal; Menezes, Alfred

doi:10.1515/jmc.2008.014

Cited by 19 publications

(20 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This result establishes the equivalence of the q-SDH assumption and the security of Boneh-Boyen signatures, thus resolving an open problem posed in [7,17]. Together with Cheon's solution to q-SDH, the reduction algorithm allows us to recover Boneh-Boyen private keys in time O(p 2 5 +ε ) for groups of order p whenever p ± 1 satisfies certain divisibility properties.…”

Section: Resultssupporting

confidence: 58%

“…Although the resulting algorithm remains exponential, a lower exponent is still interesting in the context of a short signature scheme, especially for extremely short signature lengths at the lower margins of security. A further motivation for proving equivalence is given by Koblitz and Menezes [16,17]. They argue that an equivalence result is preferable from a philosophical standpoint, since researchers have more incentive to solve the underlying hard problem (that is, q-SDH) if such solutions lead immediately to cryptanalysis of a concrete scheme.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Boneh-Boyen Signatures and the Strong Diffie-Hellman Problem

Jao

Yoshida

2009

Pairing-Based Cryptography – Pairing 2009

View full text Add to dashboard Cite

Abstract. The Boneh-Boyen signature scheme is a pairing based short signature scheme which is provably secure in the standard model under the q-Strong Diffie-Hellman assumption. In this paper, we prove the converse of this statement, and show that forging Boneh-Boyen signatures is actually equivalent to solving the q-Strong Diffie-Hellman problem. Using this equivalence, we exhibit an algorithm which, on the vast majority of pairing-friendly curves, recovers Boneh-Boyen private keys in O(p 2 5 +ε ) time, using O(p 1 5 +ε ) signature queries. We present implementation results comparing the performance of our algorithm and traditional discrete logarithm algorithms such as Pollard's lambda algorithm and Pollard's rho algorithm. We also discuss some possible countermeasures and strategies for mitigating the impact of these findings.

show abstract

Section: Resultssupporting

confidence: 58%

Section: Introductionmentioning

confidence: 99%

Boneh-Boyen Signatures and the Strong Diffie-Hellman Problem

Jao

Yoshida

2009

Pairing-Based Cryptography – Pairing 2009

View full text Add to dashboard Cite

show abstract

“…× 10.28 sec ≈ 5.5 hr. Even if it is still too slow to seriously threaten the DLP on this IPSEC standard, these experiments show that other non-standard problems like the oracle-assisted static Diffie-Hellman problem [12] are no longer secure on this curve.…”

Section: Examples and Applicationsmentioning

confidence: 97%

Symmetrized Summation Polynomials: Using Small Order Torsion Points to Speed Up Elliptic Curve Index Calculus

Faugère

Huot

Joux

et al. 2014

Advances in Cryptology – EUROCRYPT 2014

View full text Add to dashboard Cite

Abstract. Decomposition-based index calculus methods are currently efficient only for elliptic curves E defined over non-prime finite fields of very small extension degree n. This corresponds to the fact that the Semaev summation polynomials, which encode the relation search (or "sieving"), grow over-exponentially with n. Actually, even their computation is a first stumbling block and the largest Semaev polynomial ever computed is the 6-th. Following ideas from Faugère, Gaudry, Huot and Renault, our goal is to use the existence of small order torsion points on E to define new summation polynomials whose symmetrized expressions are much more compact and easier to compute. This setting allows to consider smaller factor bases, and the high sparsity of the new summation polynomials provides a very efficient decomposition step. In this paper the focus is on 2-torsion points, as it is the most important case in practice. We obtain records of two kinds: we successfully compute up to the 8-th symmetrized summation polynomial and give new timings for the computation of relations with degree 5 extension fields.

show abstract

“…, a L using at most L−1 queries to the oracle. Such problems are surveyed in several papers by Koblitz and Menezes [83,84], also see Joux, Lercier, Naccache and Thomé [75] and Granger [55]. We do not discuss such problems further in this paper, except briefly in Section 9.3.…”

Section: Computational Problemsmentioning

confidence: 99%