A Key Recovery Attack on Discrete Log-based Schemes Using a Prime Order Subgroup
Authors
Abstract
Consider the well-known oracle attack: somehow one gets a certain computation result as a function of a secret key from the secret key owner and tries to extract some information on the secret key. This attacking scenario is well understood in the cryptographic community. However, there are many protocols based on the discrete logarithm problem that turn out to leak many of the secret key bits from this oracle attack, unless suitable checks are carried out. In this paper we present a key recovery attack on various discrete log-based schemes working in a prime order subgroup. Our attack can disclose part of, or the whole, secret key in most Diffie-Hellman-type key exchange protocols and some applications of ElGamal encryption and signature schemes.
Similar resources
A Key Recovery Attack on Discrete Log-based Schemes Using a Prime Order Subgroup ? Chae
Consider the well-known oracle attack: somehow one gets a certain computation result as a function of a secret key from the secret key owner and tries to extract some information on the secret key. This attacking scenario is well understood in the cryptographic community. However, there are many protocols based on the discrete logarithm problem that turn out to leak many of the secret key bits ...
A Secure Signature Scheme from Bilinear Maps
We present a new class of signature schemes based on properties of certain bilinear algebraic maps. These signatures are secure against existential forgery under a chosen message attack in the standard model (without using the random oracle model). Security is based on the computational Diffie-Hellman problem. The concrete schemes that we get are the most efficient provable discrete-log type si...
A New Method for Computing DLP Based on Extending Smooth Numbers to Finite Field for Ephemeral Key Recovery
In this paper, new algorithms to solve certain special instances of the Discrete Logarithm Problem (DLP) are presented. These instances are generally considered hard in the literature. If a cryptosystem is based on a prime p such that p − 1 is either 2q with q a prime; or 2ρ where ρ = γ1γ2 . . . γkq with γs being small prime factors and q a large prime factor, and the exponent is chosen in the middl...
Notes in Computer Science 4004
Let $g$ be an element of prime order $p$ in an abelian group and $\alpha \in \mathbb{Z}_p$. We show that if $g$, $g^{\alpha}$, and $g^{\alpha^d}$ are given for a positive divisor $d$ of $p - 1$, we can compute the secret $\alpha$ in $O(\log p \cdot (\sqrt{p/d} + \sqrt{d}))$ group operations using $O(\max\{\sqrt{p/d}, \sqrt{d}\})$ memory. If $g^{\alpha^i}$ ($i = 0, 1, 2, \ldots, d$) are provided for a positive divisor $d$ of $p + 1$, $\alpha$ can be computed in $O(\log p \cdot (\sqrt{p/d} + d))$ group operations using O(ma...
Security Analysis of the Strong Diffie-Hellman Problem
Let $g$ be an element of prime order $p$ in an abelian group and $\alpha \in \mathbb{Z}_p$. We show that if $g$, $g^{\alpha}$, and $g^{\alpha^d}$ are given for a positive divisor $d$ of $p - 1$, we can compute the secret $\alpha$ in $O(\log p \cdot (\sqrt{p/d} + \sqrt{d}))$ group operations using $O(\max\{\sqrt{p/d}, \sqrt{d}\})$ memory. If $g^{\alpha^i}$ ($i = 0, 1, 2, \ldots, d$) are provided for a positive divisor $d$ of $p + 1$, $\alpha$ can be computed in $O(\log p \cdot (\sqrt{p/d} + d))$ group operations using O(...