Cryptanalysis of the NTRU Signature Scheme (NSS) from Eurocrypt 2001
In 1996, a new cryptosystem called NTRU was introduced, related to the hardness of finding short vectors in specific lattices. At Eurocrypt 2001, the NTRU Signature Scheme (NSS), a signature scheme apparently related to the same hard problem, was ...
On the Insecurity of a Server-Aided RSA Protocol
At Crypto '88, Matsumoto, Kato and Imai proposed a protocol, known as RSA-S1, in which a smart card computes an RSA signature, with the help of an untrusted powerful server. There exist two kinds of attacks against such protocols: passive attacks (where ...
The Modular Inversion Hidden Number Problem
We study a class of problems called Modular Inverse Hidden Number Problems (MIHNPs). The basic problem in this class is the following: Given many pairs 〈x_i, MSB_k((α + x_i)^{-1} mod p)〉 for random x_i ∈ Z_p the problem is to find α ∈ Z_p (here MSB_k(x) refers to ...
Secure Human Identification Protocols
One interesting and important challenge for the cryptologic community is that of providing secure authentication and identification for unassisted humans. There are a range of protocols for secure identification which require various forms of trusted ...
Unbelievable Security. Matching AES Security Using Public Key Systems
The Advanced Encryption Standard (AES) provides three levels of security: 128, 192, and 256 bits. Given a desired level of security for the AES, this paper discusses matching public key sizes for RSA and the ElGamal family of protocols. For the latter ...
A Probable Prime Test with Very High Confidence for n ≡ 1 mod 4
Although the Miller-Rabin test is very fast in practice, there exist composite integers n for which this test fails for 1/4 of all bases coprime to n. In 1998 Grantham developed a probable prime test with failure probability of only 1/7710 and ...
Computation of Discrete Logarithms in F_{2^607}
We describe in this article how we have been able to extend the record for computations of discrete logarithms in characteristic 2 from the previous record over F_{2^503} to a newer mark of F_{2^607}, using Coppersmith's algorithm. This has been made possible by ...
Speeding Up XTR
This paper describes several speedups and simplifications for XTR. The most important results are new XTR double and single exponentiation methods where the latter requires a cheap precomputation. Both methods are on average more than 60% faster than ...
An Efficient Implementation of Braid Groups
We implement various computations in the braid groups via practically efficient and theoretically optimized algorithms whose pseudo-codes are provided. The performance of an actual implementation under various choices of parameters is listed.
How to Achieve a McEliece-Based Digital Signature Scheme
McEliece is one of the oldest known public key cryptosystems. Though it was less widely studied than RSA, it is remarkable that all known attacks are still exponential. It is widely believed that code-based cryptosystems like McEliece do not allow ...
Efficient Traitor Tracing Algorithms Using List Decoding
We use powerful new techniques for list decoding error-correcting codes to efficiently trace traitors. Although much work has focused on constructing traceability schemes, the complexity of the tracing algorithm has received little attention. Because the ...
Security of Reduced Version of the Block Cipher Camellia against Truncated and Impossible Differential Cryptanalysis
This paper describes truncated and impossible differential cryptanalysis of the 128-bit block cipher Camellia, which was proposed by NTT and Mitsubishi Electric Corporation. Our work improves on the best known truncated and impossible differential ...
Known-IV Attacks on Triple Modes of Operation of Block Ciphers
With chosen-IV chosen texts, David Wagner has analyzed the multiple modes of operation proposed by Eli Biham in FSE'98. However, his method is too unrealistic. We use only known-IV chosen texts to attack many triple modes of operation which are combined ...
Generic Attacks on Feistel Schemes
Let A be a Feistel scheme with 5 rounds from 2n bits to 2n bits. In the present paper we show that for most such schemes A: 1. It is possible to distinguish A from a random permutation from 2n bits to 2n bits after doing at most O(2^(7n/4)) computations ...
A Compact Rijndael Hardware Architecture with S-Box Optimization
Compact and high-speed hardware architectures and logic optimization methods for the AES algorithm Rijndael are described. Encryption and decryption data paths are combined and all arithmetic components are reused. By introducing a new composite field, ...
Provable Security of KASUMI and 3GPP Encryption Mode f8
Within the security architecture of the 3GPP system there is a standardised encryption mode f8 based on the block cipher KASUMI. In this work we examine the pseudorandomness of the block cipher KASUMI and the provable security of f8. First we show that ...
Efficient and Mutually Authenticated Key Exchange for Low Power Computing Devices
In this paper, we consider the problem of mutually authenticated key exchanges between a low-power client and a powerful server. We show how the Jakobsson-Pointcheval scheme proposed recently [15] can be compromised using a variant of interleaving ...
Provably Authenticated Group Diffie-Hellman Key Exchange - The Dynamic Case
Dynamic group Diffie-Hellman protocols for Authenticated Key Exchange (AKE) are designed to work in a scenario in which the group membership is not known in advance but where parties may join and may also leave the multicast group at any given time. ...
Fully Distributed Threshold RSA under Standard Assumptions
The aim of this article is to propose a fully distributed environment for the RSA scheme. What we have in mind is highly sensitive applications and even if we are ready to pay a price in terms of efficiency, we do not want any compromise of the security ...
Adaptive Security in the Threshold Setting: From Cryptosystems to Signature Schemes
Threshold cryptosystems and signature schemes give ways to distribute trust throughout a group and increase the availability of cryptographic systems. A standard approach in designing these protocols is to base them upon existing single-server systems ...
Threshold Cryptosystems Secure against Chosen-Ciphertext Attacks
Semantic security against chosen-ciphertext attacks (IND-CCA) is widely believed to be the correct security level for public-key encryption schemes. On the other hand, it is often dangerous to give only one person the power of decryption. Therefore, ...
Oblivious Polynomial Evaluation and Oblivious Neural Learning
We study the problem of Oblivious Polynomial Evaluation (OPE). There are two parties, Alice who has a polynomial P, and Bob who has an input x. The goal is for Bob to compute P(x) in such way that Alice learns nothing about x and Bob learns only what ...
Mutually Independent Commitments
We study the two-party commitment problem, where two players have secret values they wish to commit to each other. Traditional commitment schemes cannot be used here because they do not guarantee independence of the committed values. We present three ...
Efficient Zero-Knowledge Authentication Based on a Linear Algebra Problem MinRank
A Zero-knowledge protocol provides provably secure entity authentication based on a hard computational problem. Among many schemes proposed since 1984, the most practical rely on factoring and discrete log, but still they are practical schemes based on ...
Responsive Round Complexity and Concurrent Zero-Knowledge
The number of communication rounds is a classic complexity measure for protocols; reducing round complexity is a major goal in protocol design. However, when the communication time is inconstant, and in particular, when one of the parties intentionally ...
Practical Construction and Analysis of Pseudo-Randomness Primitives
We give a careful, fixed-size parameter analysis of a standard [1,4] way to form a pseudorandom generator by iterating a one-way function and then pseudo-random functions from said generator, [3]. We improve known bounds also asymptotically when many ...
Autocorrelation Coefficients and Correlation Immunity of Boolean Functions
We apply autocorrelation and Walsh coefficients for the investigation of correlation immune and resilient Boolean functions. We prove a new lower bound for the absolute indicator of resilient functions that improves significantly (for m > (n - 3)/2) the ...
An Extension of Kedlaya's Point-Counting Algorithm to Superelliptic Curves
We present an algorithm for counting points on superelliptic curves y^r = f(x) over a finite field F_q of small characteristic different from r. This is an extension of an algorithm for hyperelliptic curves due to Kedlaya. In this extension, the ...
Supersingular Curves in Cryptography
Frey and Rück gave a method to transform the discrete logarithm problem in the divisor class group of a curve over F_q into a discrete logarithm problem in some finite field extension F_{q^k}. The discrete logarithm problem can therefore be solved using ...
Short Signatures from the Weil Pairing
We introduce a short signature scheme based on the Computational Diffie-Hellman assumption on certain elliptic and hyperelliptic curves. The signature length is half the size of a DSA signature for a similar level of security. Our short signature scheme ...
Cited By
- Cortier V, Galindo D, Glondu S and Izabachène M Distributed ElGamal à la Pedersen Proceedings of the 12th ACM workshop on Workshop on privacy in the electronic society, (131-142)
- Bernstein D and Lange T Never trust a bunny Proceedings of the 8th international conference on Radio Frequency Identification: security and privacy issues, (137-148)
- Bernstein D, Lange T and Peters C Wild McEliece Proceedings of the 17th international conference on Selected areas in cryptography, (143-158)