A hierarchy of polynomial time lattice basis reduction algorithms
Theoretical Computer Science
An interactive identification scheme based on discrete logarithms and factoring
Journal of Cryptology - Eurocrypt '90
Improved low-density subset sum algorithms
Computational Complexity
Generating hard instances of lattice problems (extended abstract)
STOC '96 Proceedings of the twenty-eighth annual ACM symposium on Theory of computing
Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC '97
SAC '98 Proceedings of the Selected Areas in Cryptography
Efficient Identification and Signatures for Smart Cards
CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
More Flexible Exponentiation with Precomputation
CRYPTO '94 Proceedings of the 14th Annual International Cryptology Conference on Advances in Cryptology
CRYPTO '97 Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology
The Béguin-Quisquater Server-Aided RSA Protocol from Crypto '95 is not Secure
ASIACRYPT '98 Proceedings of the International Conference on the Theory and Applications of Cryptology and Information Security: Advances in Cryptology
On the security of the Schnorr scheme using preprocessing
EUROCRYPT'91 Proceedings of the 10th annual international conference on Theory and application of cryptographic techniques
Fast exponentiation with precomputation
EUROCRYPT'92 Proceedings of the 11th annual international conference on Theory and application of cryptographic techniques
Attacking the Chor-Rivest cryptosystem by improved lattice reduction
EUROCRYPT'95 Proceedings of the 14th annual international conference on Theory and application of cryptographic techniques
Secure Server-Aided Signature Generation
PKC '01 Proceedings of the 4th International Workshop on Practice and Theory in Public Key Cryptography: Public Key Cryptography
Compact Encoding of Non-adjacent Forms with Applications to Elliptic Curve Cryptography
PKC '01 Proceedings of the 4th International Workshop on Practice and Theory in Public Key Cryptography: Public Key Cryptography
On the Security of Lenstra's Variant of DSA without Long Inversions
PKC '01 Proceedings of the 4th International Workshop on Practice and Theory in Public Key Cryptography: Public Key Cryptography
The Two Faces of Lattices in Cryptology
CaLC '01 Revised Papers from the International Conference on Cryptography and Lattices
The Insecurity of Nyberg-Rueppel and Other DSA-Like Signature Schemes with Partially Known Nonces
CaLC '01 Revised Papers from the International Conference on Cryptography and Lattices
Towards a provably secure DoS-resilient key exchange protocol with perfect forward secrecy
INDOCRYPT'11 Proceedings of the 12th international conference on Cryptology in India
Finite Fields and Their Applications
On the Distribution of the Diffie-Hellman Pairs
Finite Fields and Their Applications
At Eurocrypt '98, Boyko, Peinado and Venkatesan presented simple and very fast methods for generating randomly distributed pairs of the form (x, g^x mod p) using precomputation. The security of these methods relied on the potential hardness of a new problem, the so-called hidden subset sum problem. Surprisingly, apart from exhaustive search, no algorithm for solving this problem was known. In this paper, we exhibit a security criterion for the hidden subset sum problem and discuss its implications for the practicality of the precomputation schemes. Our results are twofold. On the one hand, we present an efficient lattice-based attack which is expected to succeed if and only if the parameters satisfy a particular condition that we make explicit. Experiments have validated the theoretical analysis and show the limitations of the precomputation methods. For instance, any realistic smart-card implementation of Schnorr's identification scheme using these precomputation methods is either vulnerable to the attack or less efficient than with traditional precomputation methods. On the other hand, we show that, when another condition is satisfied, the pseudo-random generator based on the hidden subset sum problem is strong in a precise sense that includes attacks via lattice reduction. Namely, using the discrete Fourier transform, we prove that the distribution of the generator's output is indistinguishable from the uniform distribution. The two conditions complement each other quite well, and therefore form a convincing picture of the security level.
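The following Python block is an added illustration, not code from the paper or from this listing. It implements a toy version of the precomputation generator the abstract describes (a hidden table of exponents whose random k-subsets are summed and multiplied to yield fresh (x, g^x mod p) pairs) and then uses one such pair as the prover's commitment in a Schnorr identification round. The group parameters p = 2039, q = 1019, g = 4, the table sizes, and all class and function names are constructed for this example and are far too small to be secure; the lattice attack from the paper is not implemented, the code only makes visible that every output exponent is a subset sum of the hidden table, which is the structure the hidden subset sum problem is about.

```python
import secrets

# Constructed toy group (illustration only, far too small to be secure):
# p = 2q + 1 with p and q prime, and g = 4 generates the order-q subgroup of Z_p^*.
P = 2039
Q = 1019
G = 4


def check_group(p=P, q=Q, g=G):
    """Sanity-check that g generates a subgroup of prime order q inside Z_p^*."""
    return (p - 1) % q == 0 and g != 1 and pow(g, q, p) == 1


class BPVGenerator:
    """Precomputation generator in the style of Boyko, Peinado and Venkatesan (toy).

    A hidden table of n exponents alpha_i (with beta_i = g^alpha_i mod p) is built
    once; each fresh pair is the sum (exponent side) and product (group side) of a
    random k-subset of that table, costing k-1 multiplications instead of a full
    exponentiation.  Every output exponent is therefore a subset sum of the hidden
    alpha_i, which is exactly the structure the hidden subset sum problem captures.
    """

    def __init__(self, n, k, p=P, q=Q, g=G, rng=secrets.randbelow):
        if not 1 <= k <= n:
            raise ValueError("need 1 <= k <= n")
        self.n, self.k, self.p, self.q, self.g, self.rng = n, k, p, q, g, rng
        self.alpha = [1 + rng(q - 1) for _ in range(n)]  # hidden exponents in [1, q-1]
        self.beta = [pow(g, a, p) for a in self.alpha]    # matching group elements

    def pick_subset(self):
        """Choose k distinct table indices uniformly at random (partial Fisher-Yates)."""
        remaining = list(range(self.n))
        chosen = []
        for _ in range(self.k):
            chosen.append(remaining.pop(self.rng(len(remaining))))
        return sorted(chosen)

    def pair_from_subset(self, subset):
        """Combine the chosen table entries into (x, g^x mod p)."""
        x = sum(self.alpha[i] for i in subset) % self.q
        gx = 1
        for i in subset:
            gx = gx * self.beta[i] % self.p
        return x, gx

    def next_pair(self):
        """Return a fresh pair (x, g^x mod p); x is a random k-subset sum of the table."""
        return self.pair_from_subset(self.pick_subset())


def pair_is_consistent(x, gx, p=P, g=G):
    """Check the relation the generator promises: gx == g^x mod p."""
    return pow(g, x, p) == gx


def schnorr_verify(pub, commit, e, y, p=P, g=G):
    """Verifier side of Schnorr identification with pub = g^s: accept iff g^y == commit * pub^e."""
    return pow(g, y, p) == commit * pow(pub, e, p) % p


def schnorr_round(gen, s, challenge_bits=8):
    """One Schnorr identification round; the prover's commitment (r, g^r) comes from the generator."""
    pub = pow(gen.g, s, gen.p)        # prover's public key, s is the secret
    r, commit = gen.next_pair()       # prover: commitment without a fresh exponentiation
    e = gen.rng(1 << challenge_bits)  # verifier: random challenge
    y = (r + s * e) % gen.q           # prover: response
    return {"commit": commit, "challenge": e, "response": y,
            "accepted": schnorr_verify(pub, commit, e, y, gen.p, gen.g)}


if __name__ == "__main__":
    gen = BPVGenerator(n=32, k=8)
    x, gx = gen.next_pair()
    print("pair consistent:", pair_is_consistent(x, gx))
    print("Schnorr round:", schnorr_round(gen, s=1234))
```

The table size n and subset size k are the knobs the abstract refers to: larger k buys more randomness in the subset sums at the price of more multiplications per pair, and the paper's condition on the parameters decides whether the observed subset sums leak the hidden table to a lattice-reduction attacker or remain indistinguishable from uniform.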