Search CORE

6 research outputs found

A kilobit hidden SNFS discrete logarithm computation

Author: A Commeine
A Enge
A Joux
A Joux
A Young
AJ Menezes
B Beckerman
C Pomerance
D Coppersmith
D Coppersmith
DJ Bernstein
DM Gordon
DM Gordon
DV Matyukhin
E Kaltofen
E Thomé
IA Semaev
K Aoki
ME Smid
O Schirokauer
R Rivest
T Kleinjung
Y Desmedt
Publication venue: 'Springer Science and Business Media LLC'
Publication date: 01/09/2016
Field of study

We perform a special number field sieve discrete logarithm computation in a 1024-bit prime field. To our knowledge, this is the first kilobit-sized discrete logarithm computation ever reported for prime fields. This computation took a little over two months of calendar time on an academic cluster using the open-source CADO-NFS software. Our chosen prime

p

looks random, and

p--1

has a 160-bit prime factor, in line with recommended parameters for the Digital Signature Algorithm. However, our p has been trapdoored in such a way that the special number field sieve can be used to compute discrete logarithms in

\mathbb{F}\_p^*

, yet detecting that p has this trapdoor seems out of reach. Twenty-five years ago, there was considerable controversy around the possibility of back-doored parameters for DSA. Our computations show that trapdoored primes are entirely feasible with current computing technology. We also describe special number field sieve discrete log computations carried out for multiple weak primes found in use in the wild. As can be expected from a trapdoor mechanism which we say is hard to detect, our research did not reveal any trapdoored prime in wide use. The only way for a user to defend against a hypothetical trapdoor of this kind is to require verifiably random primes

arXiv.org e-Print Archive

Crossref

INRIA a CCSD electronic archive server

Cryptology ePrint Archive

Efficient Ephemeral Elliptic Curve Cryptographic Keys

Author: A Weng
AK Lenstra
AK Lenstra
AOL Atkin
AR Rajwade
D Coppersmith
DJ Bernstein
DJ Bernstein
E Brier
H Stark
HW Lenstra Jr.
I Biehl
IA Semaev
IM Duursma
J Fan
JH Cheon
JH Silverman
JW Bos
JW Bos
K Rubin
MJ Wiener
N Ishii
N Koblitz
N Koblitz
NP Smart
P-A Fouque
PB Wamelen van
PL Montgomery
PSLM Barreto
R Crandall
RM Avanzi
RP Gallant
T Izu
T Satoh
TC Hales
VS Miller
Publication venue: 'Springer Science and Business Media LLC'
Publication date: 01/07/2015
Field of study

We show how any pair of authenticated users can on-the-fly agree on an elliptic curve group that is unique to their communication session, unpredictable to outside observers, and secure against known attacks. Our proposal is suitable for deployment on constrained devices such as smartphones, allowing them to efficiently generate ephemeral parameters that are unique to any single cryptographic application such as symmetric key agreement. For such applications it thus offers an alternative to long term usage of standardized or otherwise pre-generated elliptic curve parameters, obtaining security against cryptographic attacks aimed at other users, and eliminating the need to trust elliptic curves generated by third parties

Infoscience - École polytechnique fédérale de Lausanne

CiteSeerX

Crossref

Cryptology ePrint Archive