17 research outputs found

    Fast generators for the Diffie-Hellman key agreement protocol and malicious standards

    The Diffie-Hellman key agreement protocol is based on taking large powers of a generator of a prime-order cyclic group. Some generators allow faster exponentiation. We show that to a large extent, using the fast generators is as secure as using a randomly chosen generator. On the other hand, we show that if there is some case in which fast generators are less secure, then this could be used by a malicious authority to generate a standard for the Diffie-Hellman key agreement protocol which has a hidden trapdoor.
    Comment: Small update

    PLUME: An ECDSA Nullifier Scheme for Unique Pseudonymity within Zero Knowledge Proofs

    ZK-SNARKs (Zero Knowledge Succinct Noninteractive ARguments of Knowledge) are one of the most promising new applied cryptography tools: proofs allow anyone to prove a property about some data, without revealing that data. Largely spurred by the adoption of cryptographic primitives in blockchain systems, ZK-SNARKs are rapidly becoming computationally practical in real-world settings, as shown by e.g. tornado.cash and rollups. These have enabled ideation for new identity applications based on anonymous proof-of-ownership. One of the primary technologies that would enable the jump from existing apps to such systems is the development of deterministic nullifiers. Nullifiers are used as a public commitment to a specific anonymous account, to forbid actions like double spending, or to allow a consistent identity between anonymous actions. We identify a new deterministic signature algorithm that both uniquely identifies the keypair and keeps the account identity secret. In this work, we will define the full DDH-VRF construction, and prove uniqueness, secrecy, and existential unforgeability. We will also demonstrate a proof of concept of our Pseudonymously Linked Unique Message Entity (PLUME) scheme

    Two remarks on the vectorization problem

    We share two small but general observations on the vectorization problem for group actions, which appear to have been missed by the existing literature. The first observation is pre-quantum: explicit examples show that, for classical adversaries, the vectorization problem cannot in general be reduced to the parallelization problem. The second observation is post-quantum: by combining a method for solving systems of linear disequations due to Ivanyos with a Kuperberg-style sieve, one can solve the hidden shift problem, and therefore the vectorization problem, for any finite abelian $2^t p^k$-torsion group in polynomial time and using mostly classical work; here $t, k$ are any fixed non-negative integers and $p$ is any fixed prime number

    The Relationship Between Breaking the Diffie-Hellman Protocol and Computing Discrete Logarithms

    Both uniform and non-uniform results concerning the security of the Diffie-Hellman key-exchange protocol are proved. First, it is shown that in a cyclic group $G$ of order $|G| = \prod_i p_i^{e_i}$, where all the multiple prime factors of $|G|$ are polynomial in $\log |G|$, there exists an algorithm that reduces the computation of discrete logarithms in $G$ to breaking the Diffie-Hellman protocol in $G$ and has complexity $\sqrt{\max\{(p_i)\}} \cdot (\log |G|)^{O(1)}$, where $(p)$ stands for the minimum of the set of largest prime factors of all the numbers $d$ in the interval $[p - 2\sqrt{p} + 1,\; p + 2\sqrt{p} + 1]$. Under the unproven but plausible assumption that $(p)$ is polynomial in $\log p$, this reduction implies that the Diffie-Hellman problem and the discrete logarithm problem are polynomial-time equivalent in $G$. Second, it is proved that the Diffie-Hellman problem and the discrete logarithm problem are equivalent in a uniform sense for groups whose orders belong to certain classes: there exists a p..

    Counting (quickly) the number of solutions of equations over finite fields

    The number of solutions in finite fields of a system of polynomial equations obeys a very strong regularity, reflected for example by the rationality of the zeta function of an algebraic variety defined over a finite field, or the modularity of the Hasse-Weil $L$-function of an elliptic curve over $\mathbb{Q}$. For two decades, efficient methods have been invented to compute this number of solutions effectively, notably in view of cryptographic applications. This exposé presents some of these methods, generally relying on the use of Lefschetz's trace formula in an adequate cohomology theory, and discusses their respective advantages.
    Comment: Séminaire Bourbaki, 50th year, exposé 968, November 2006. 48 pages, in French. Final version to appear in Astérisqu

    Some Facets of Complexity Theory and Cryptography: A Five-Lectures Tutorial

    In this tutorial, selected topics of cryptology and of computational complexity theory are presented. We give a brief overview of the history and the foundations of classical cryptography, and then move on to modern public-key cryptography. Particular attention is paid to cryptographic protocols and the problem of constructing the key components of such protocols, such as one-way functions. A function is one-way if it is easy to compute, but hard to invert. We discuss the notion of one-way functions both in a cryptographic and in a complexity-theoretic setting. We also consider interactive proof systems and present some interesting zero-knowledge protocols. In a zero-knowledge protocol one party can convince the other party of knowing some secret information without disclosing any bit of this information. Motivated by these protocols, we survey some complexity-theoretic results on interactive proof systems and related complexity classes.
    Comment: 57 pages, 17 figures, Lecture Notes for the 11th Jyvaskyla Summer Schoo

    Boneh-Boyen Signatures and the Strong Diffie-Hellman Problem

    The Boneh-Boyen signature scheme is a short signature scheme which is provably secure in the standard model under the q-Strong Diffie-Hellman (SDH) assumption. The primary objective of this thesis is to examine the relationship between the Boneh-Boyen signature scheme and SDH. The secondary objective is to survey surrounding topics such as the generic group model, related signature schemes, intractability assumptions, and the relationship to identity-based encryption (IBE) schemes. Along these lines, we analyze the plausibility of the SDH assumption using the generic bilinear group model. We present the security proofs for the Boneh-Boyen signature scheme, with the addition of a small improvement in one of the probability bounds. Our main contribution is to give the reduction in the reverse direction; that is, to show that if the SDH problem can be solved then the Boneh-Boyen signature scheme can be forged. This contribution represents the first known proof of equivalence between the SDH problem and Boneh-Boyen signatures. We also discuss the algorithm of Cheon for solving the SDH problem. We analyze the implications of Cheon's algorithm for the security of the Boneh-Boyen signature scheme, accompanied by a brief discussion on how to counter the attack