A Public-Key Encryption Scheme with Pseudo-random Ciphertexts

Möller, Bodo

doi:10.1007/978-3-540-30108-0_21

Cited by 38 publications

(24 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Even thought quadratic twists were previously introduced in the literature, their practical aspects were not fully studied [11,12]. We thus also show that appropriate curves can be easily generated.…”

Section: Contribution and Organizationmentioning

confidence: 88%

See 1 more Smart Citation

The Twist-AUgmented Technique for Key Exchange

Chevassut

Fouque

Gaudry

et al. 2006

Public Key Cryptography - PKC 2006

View full text Add to dashboard Cite

Abstract. Key derivation refers to the process by which an agreed upon large random number, often named master secret, is used to derive keys to encrypt and authenticate data. Practitioners and standardization bodies have usually used the random oracle model to get key material from a Diffie-Hellman key exchange. However, formal proofs in the standard model require randomness extractors to formally extract the entropy of the random master secret into a seed prior to derive other keys. Whereas this is a quite simple tool, it is not easy to use in practice -or it is easy to misuse it-. In addition, in many standards, the acronym PRF (Pseudo-Random Functions) is used for several tasks, and namely the randomness extraction. While randomness extractors and pseudo-random functions are a priori distinct tools, we first study whether such an application is correct or not. We thereafter study DH-key exchange, in the cases of prime subgroups of Z p (and namely where p is a safe-prime) and of elliptic curves, since in IPSec, for example, only these groups are considered. We present very efficient and provable randomness extraction techniques for these groups under the DDH assumption. In the special case of elliptic curves, we present a new technique -the so-called 'Twist-AUgmented' technique-an alternative to randomness extractors which exploits specific properties of some elliptic curves. We finally compare the efficiency of this method with other solutions.

show abstract

Section: Contribution and Organizationmentioning

confidence: 88%

“…The goal was to make the Bellovin et al's encrypted key exchange protocol [4] immune to partition attacks but did not explain how to specify the key-derivation function. It has also been applied to the context of public-key encryption [11].…”

Section: The 'Twist-augmented' Techniquementioning

confidence: 99%

The Twist-AUgmented Technique for Key Exchange

Chevassut

Fouque

Gaudry

et al. 2006

Public Key Cryptography - PKC 2006

View full text Add to dashboard Cite

show abstract

“…Such a scheme was for instance proposed by Kaliski in 1991 for getting a random permutation from a random function [14]. More recently, Boyd et al applies this idea to the field of passwordauthenticated exchange [4] to avoid partition attack, Möller to the field of public key encryption [16] and Chevassut et al to the field of randomness extraction for the Internet Key Exchange protocol [6]. Of course, real implementations of these protocols must resist to side-channel attacks and in this context, one especially must take care how the switch between a curve and its quadratic twist is implemented.…”

Section: The Twist Of An Elliptic Curvementioning

confidence: 99%

Fault Attack on Elliptic Curve Montgomery Ladder Implementation

Fouque

Lercier

Réal

et al. 2008

2008 5th Workshop on Fault Diagnosis and Tolerance in Cryptography

View full text Add to dashboard Cite

In this paper, we present a new fault attack on elliptic curve scalar product algorithms. This attack is tailored to work on the classical Montgomery ladder method when the y-coordinate is not used. No weakness has been reported so far on such implementations, which are very efficient and were promoted by several authors. But taking into account the twist of the elliptic curves, we show how, with few faults (around one or two faults), we can retrieve the full secret exponent even if classical countermeasures are employed to prevent fault attacks. It turns out that this attack has not been anticipated as the security of the elliptic curve parameters in most standards can be strongly reduced. Especially, the attack is meaningful on some NIST or SECG parameters.

show abstract

“…One possible approach is to modify protocols so that transmitted points randomly lie either on the given elliptic curve or on its quadratic twist (and the curve parameters must therefore be chosen to be twist-secure). This is the approach taken by Möller [21], who constructed a CCA-secure KEM and a corresponding hybrid public-key encryption scheme based on elliptic curves, using a binary (to avoid modulus based distinguishers like in RSA) elliptic curve and its twist. Similarly, Young and Yung constructed secure key exchange [26] and encryption [27] without random oracles based on the hardness of DDH in an elliptic curve and its twist.…”

Section: Introductionmentioning

confidence: 99%

Elligator Squared: Uniform Points on Elliptic Curves of Prime Order as Uniform Random Strings

Tibouchi

2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. When represented as a bit string in a standard way, even using point compression, an elliptic curve point is easily distinguished from a random bit string. This property potentially allows an adversary to tell apart network traffic that makes use of elliptic curve cryptography from random traffic, and then intercept, block or otherwise tamper with such traffic.Recently, Bernstein, Hamburg, Krasnova and Lange proposed a partial solution to this problem in the form of Elligator: an algorithm for representing around half of the points on a large class of elliptic curves as close to uniform random strings. Their proposal has the advantage of being very efficient, but suffers from several limitations:-Since only a subset of all elliptic curve points can be encoded as a string, their approach only applies to cryptographic protocols transmitting points that are rerandomizable in some sense. -Supported curves all have non-trivial 2-torsion, so that Elligator cannot be used with prime-order curves, ruling out standard ECC parameters and many other cryptographically interesting curves such as BN curves. -For indistinguishability to hold, transmitted points have to be uniform in the whole set of representable points; in particular, they cannot be taken from a prime order subgroup, which, in conjunction with the non-trivial 2-torsion, rules out protocols that require groups of prime order.

show abstract

A Public-Key Encryption Scheme with Pseudo-random Ciphertexts

Cited by 38 publications

References 28 publications

The Twist-AUgmented Technique for Key Exchange

The Twist-AUgmented Technique for Key Exchange

Fault Attack on Elliptic Curve Montgomery Ladder Implementation

Elligator Squared: Uniform Points on Elliptic Curves of Prime Order as Uniform Random Strings

Contact Info

Product

Resources

About