Certificates of Recoverability with Scalable Recovery Agent Security

Verheul, Eric R.

doi:10.1007/978-3-540-46588-1_18

Cited by 18 publications

(12 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Finally, we remark that somewhat similar problem for extensions of finite fields have been considered in [16]. The results of that paper and some of their improvements in [15] have applications to the security of the new cryptosystem designed in [4,10].…”

Section: Remarksmentioning

confidence: 63%

On the Security of Diffie-Hellman Bits

Vasco

Shparlinski

2001

Cryptography and Computational Number Theory

View full text Add to dashboard Cite

Abstract. Boneh and Venkatesan have recently proposed a polynomial time algorithm for recovering a "hidden" element α of a finite field IFp of p elements from rather short strings of the most significant bits of the remainder modulo p of αt for several values of t selected uniformly at random from IF * p . We use some recent bounds of exponential sums to generalize this algorithm to the case when t is selected from a quite small subgroup of IF * p . Namely, our results apply to subgroups of size at least p 1/3+ε for all primes p and to subgroups of size at least p ε for almost all primes p, for any fixed ε > 0. We also use this generalization to improve (and correct) one of the statements of the aforementioned work about the computational security of the most significant bits of the Diffie-Hellman key.

show abstract

Section: Remarksmentioning

confidence: 63%

On the Security of Diffie-Hellman Bits

Vasco

Shparlinski

2001

Cryptography and Computational Number Theory

View full text Add to dashboard Cite

show abstract

“…It is shown in [16] that Lemma 3.1 is a consequence of a much broader result. To this end, let t > 1 be an integer (t = 6 in the current setting).…”

Section: As Least As Difficult As Solving the Diffie-hellman Problem mentioning

confidence: 97%

Doing More with Fewer Bits

Brouwer

Pellikaan

Verheul

1999

Advances in Cryptology - ASIACRYPT’99

View full text Add to dashboard Cite

show abstract

“…21.ii states that determining the (small) XTR-DH key is as hard as determining the whole DH key in the representation group g . From the results in [24] it actually follows that determining the image of the XTR-DH key under any non-trivial GF(p)-linear function is also as hard as the whole DH key. This means that, for example, finding the α or the α 2 coefficient of the XTR-DH key is as hard as finding the whole DH key, implying that cryptographic applications may be based on just one of the coefficients.…”

Section: Remark 522mentioning

confidence: 99%

“…In particular the choice p = 2 is an option, which has the property (cf. [24]) that bits of the XTR-DH exchanged key are as hard as the whole key. However, for such very small p one should take into account that they make computation of discrete logarithms easier (cf.…”

Section: Extensionsmentioning

confidence: 99%