#### Filter Results:

#### Publication Year

2007

2016

#### Co-author

#### Key Phrase

#### Publication Venue

Learn More

We prove that if one can predict any of the bits of the input to an elliptic curve based one-way function over a finite field, then we can invert the function. In particular, our result implies that if one can predict any of the bits of the input to a classical pairing-based one-way function with non-negligible advantage over a random guess then one can… (More)

Consider a joint distribution (X, A) on a set X × {0, 1} ℓ. We show that for any family F of distinguishers f : X × {0, 1} ℓ → {0, 1}, there exists a simulator h : X → {0, 1} ℓ such that 1. no function in F can distinguish (X, A) from (X, h(X)) with advantage ǫ, 2. h is only O(2 3ℓ ǫ −2) times less efficient than the functions in F. For the most interesting… (More)

Dimitar Jetchev (joint with Onur¨Ozen and Martijn Stam)

We show that the least significant bits (LSB) of the elliptic curve Diffie–Hellman secret keys are hardcore. More precisely, we prove that if one can efficiently predict the LSB with non-negligible advantage on a polynomial fraction of all the curves defined over a given finite field Fp, then with polynomial factor overhead, one can compute the entire… (More)

We study the security of elliptic curve Diffie-Hellman secret keys in the presence of oracles that provide partial information on the value of the key. Unlike the corresponding problem for finite fields, little is known about this problem, and in the case of elliptic curves the difficulty of representing large point multiplications in an algebraic manner… (More)

We prove collision bounds for the Pollard rho algorithm to solve the discrete logarithm problem in a general cyclic group G. Unlike the setting studied by Kim et al. we consider additive walks: the setting used in practice to solve the elliptic curve discrete logarithm problem. Our bounds differ from the birthday bound O(|G|) by a factor of log |G| and are… (More)

We present a new construction of a compression function H : {0, 1} 3n → {0, 1} 2n that uses two parallel calls to an ideal primitive (an ideal blockcipher or a public random function) from 2n to n bits. This is similar to the well-known MDC-2 or the recently proposed MJH by Lee and Stam (CT-RSA'11). However, unlike these constructions, we show already in… (More)

We construct certain isogeny graphs of principally polarized ordinary abelian surfaces over finite fields and prove (under the Generalized Riemann Hypothesis) rapid mixing properties for these graphs. We use these graphs, together with a recent algorithm of Dudeanu, Jetchev and Robert for computing explicit isogenies in genus 2, to prove random… (More)