Maria Isabel Gonzalez Vasco

On the Security of Diffie-Hellman Bits

Boneh and Venkatesan have recently proposed a polynomial time algorithm for recovering a “hidden” element α of a finite field \(\mathbb{F}_p \) of p elements from rather short strings of the most significant bits of the remainder modulo p of αt for several values of t selected uniformly at random from \(\mathbb{F}_p^* \) We use some recent bounds of exponential sums to generalize this algorithm to the case when t is selected from a quite small subgroup of \(\mathbb{F}_p^* \). Namely, our results apply to subgroups of size at least p 1/3+ɛ for all primes p and to subgroups of size at least p ɛ for almost all primes p, for any fixed ɛ > 0. We also use this generalization to improve (and correct) one of the statements of the aforementioned work about the computational security of the most significant bits of the Diffie-Hellman key.

(Password) authenticated key establishment: from 2-party to group

A protocol compiler is described, that transforms any provably secure authenticated 2-party key establishment into a provably secure authenticated group key establishment with 2 more rounds of communication. The compiler introduces neither idealizing assumptions nor high-entropy secrets, e. g., for signing. In particular, applying the compiler to a password-authenticated 2-party key establishment without random oracle assumption, yields a password-authenticated group key establishment without random oracle assumption. Our main technical tools are non-interactive and non-malleable commitment schemes that can be implemented in the common reference string (CRS) model.

A Survey of Hard Core Functions

The security of public key protocols relies nowadays on the use of one-way functions. However, even assuming a certain function f(x) is hard enough to invert, we should always keep in mind the fact that some information may leak through. A function b(x) that does not leak in this way is said to be a hard core for f; given f(x), b(x) cannot even be computationally distinguished from a random string. In this survey, we review what is known in this area, both from a more theoretical point of view and also for ‘practical’ choices of f such as RSA.

On Minimal Length Factorizations of Finite Groups

Logarithmic signaturesare a special type of group factorizations, introduced as basic components of certain cryptographic keys. Thus, short logarithmic signatures are of special interest. We deal with the question of finding logarithmic signatures of minimal length in finite groups. In particular, such factorizations exist for solvable, symmetric, and alternating groups. We show how to use the known examples to derive minimal length logarithmic signatures for other groups. Namely, we prove the existence of such factorizations for several classical groups and—in parts by direct computation—for all groups of order <175560 (= ord(J 1), where J 1 is Jankos first sporadic simple group). Whether there exists a minimal length logarithmic signature for each finite group still remains an open question.

Weak Keys in MST1

The public key cryptosystem MST1 has been introduced by Magliveras et al. [12] (Public Key Cryptosystems from Group Factorizations. Jatra Mountain Mathematical Publications). Its security relies on the hardness of factoring with respect to wild logarithmic signatures. To identify ‘wild-like’ logarithmic signatures, the criterion of being totally-non-transversal has been proposed. We present tame totally-non-transversal logarithmic signatures for the alternating and symmetric groups of degree ≥ 5. Hence, basing a key generation procedure on the assumption that totally-non-transversal logarithmic signatures are ‘wild like’ seems critical. We also discuss the problem of recognizing ‘weak’ totally-non-transversal logarithmic signatures, and demonstrate that another proposed key generation procedure based on permutably transversal logarithmic signatures may produce weak keys.

A Reaction Attack on a Public Key Cryptosystem Based on the Word Problem

Abstract.Wagner and Magyarik outlined a conceptual public key cryptosystem based on the hardness of the word problem for finitely presented groups. At the same time, they gave a specific example of such a system. We prove that in the present form their approach is vulnerable to so-called reaction attacks. In particular, for the proposed instance it is possible to retrieve the private key just by watching the performance of a legitimate recipient.

New Results on the Hardness of Diffie-Hellman Bits

We generalize and extend results obtained by Boneh and Venkatesan in 1996 and by Gonzalez Vasco and Shparlinski in 2000 on the hardness of computing bits of the Diffie-Hellman key, given the public values. Specifically, while these results could only exclude (essentially) error-free predictions, we here exclude any non-negligible advantage, though for larger fractions of the bits. We can also demonstrate a trade-off between the tolerated error rate and the number of unpredictable bits.

A note on the security of MST3

In this paper, we study the recently proposed encryption scheme MST3, focusing on a concrete instantiation using Suzuki-2-groups. In a passive scenario, we argue that the one wayness of this scheme may not, as claimed, be proven without the assumption that factoring group elements with respect to random covers for a subset of the group is hard. As a result, we conclude that for the proposed Suzuki 2-groups instantiation, impractical key sizes should be used in order to prevent more or less straightforward factorization attacks.

Cryptanalysis of a key exchange scheme based on block matrices

In this paper we describe a cryptanalysis of a key exchange scheme recently proposed by Alvarez, Tortosa, Vicent and Zamora. The scheme is based on exponentiation of block matrices over a finite field of prime order, and its security is claimed to rely in the hardness of a discrete logarithm problem in a subgroup of GL n ( ? p ) . However, the proposals design allows for a clean attack strategy which exploits the fact that exponents are at some point added instead of multiplied as in a standard Diffie-Hellman construction. This strategy is moreover successful for a much more general choice of parameters than that put forward by Alvarez et al.

Towards a Uniform Description of Several Group Based Cryptographic Primitives

The public key cryptosystems MST1 and MST2 make use of certain kinds of factorizations of finite groups. We show that generalizing such factorizations to infinite groups allows a uniform description of several proposed cryptographic primitives. In particular, a generalization of MST2 can be regarded as a unifying framework for several suggested cryptosystems including the ElGamal public key system, a public key system based on braid groups, and the MOR cryptosystem.