DOI: 10.5555/647097
ASIACRYPT '01: Proceedings of the 7th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
2001 Proceeding
Publisher:
  • Springer-Verlag
  • Berlin, Heidelberg
Conference:
December 9 - 13, 2001
ISBN:
978-3-540-42987-6
Published:
09 December 2001


Article
Cryptanalysis of the NTRU Signature Scheme (NSS) from Eurocrypt 2001
pp 1–20

In 1996, a new cryptosystem called NTRU was introduced, related to the hardness of finding short vectors in specific lattices. At Eurocrypt 2001, the NTRU Signature Scheme (NSS), a signature scheme apparently related to the same hard problem, was ...

Article
On the Insecurity of a Server-Aided RSA Protocol
pp 21–35

At Crypto '88, Matsumoto, Kato and Imai proposed a protocol, known as RSA-S1, in which a smart card computes an RSA signature, with the help of an untrusted powerful server. There exist two kinds of attacks against such protocols: passive attacks (where ...

Article
The Modular Inversion Hidden Number Problem
pp 36–51

We study a class of problems called Modular Inverse Hidden Number Problems (MIHNPs). The basic problem in this class is the following: Given many pairs ⟨x_i, MSB_k((α + x_i)^{-1} mod p)⟩ for random x_i ∈ Z_p, the problem is to find α ∈ Z_p (here MSB_k(x) refers to ...
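The problem statement above is compact enough to simulate. The Python below is an added example, not code from the paper: it builds a toy MIHNP instance over a small prime and brute-forces α. The prime p = 1009, the secret α = 123, the convention that MSB_k(x) means the top k bits of x written with bit_length(p) bits (the paper's own definition is cut off on this page), and skipping any x with α + x ≡ 0 mod p are all assumptions of this example. Brute force works only because p is tiny; the paper's subject is recovering α from such leakage at cryptographic sizes, which this toy does not attempt.

```python
import random

# Added example (not from the paper): a toy Modular Inversion Hidden Number
# Problem instance over a small prime p, plus a brute-force solver.
# ASSUMPTION: MSB_k(x) is taken to be the top k bits of x written with
# bit_length(p) bits; the paper's exact definition is cut off on this page.


def msb_k(x, p, k):
    """Top k bits of x in [0, p), using bit_length(p) as the word size."""
    return x >> (p.bit_length() - k)


def make_instance(p, alpha, k, n_samples, rng):
    """Constructed oracle: pairs (x_i, MSB_k((alpha + x_i)^-1 mod p))."""
    samples = []
    while len(samples) < n_samples:
        x = rng.randrange(p)
        s = (alpha + x) % p
        if s == 0:
            continue  # alpha + x has no inverse mod p; this oracle skips it
        samples.append((x, msb_k(pow(s, -1, p), p, k)))
    return samples


def consistent(candidate, samples, p, k):
    """Does a candidate alpha reproduce every leaked MSB_k value?"""
    for x, leaked in samples:
        s = (candidate + x) % p
        if s == 0 or msb_k(pow(s, -1, p), p, k) != leaked:
            return False
    return True


def recover(p, alpha, k, n_samples, seed=0):
    """Return every alpha in Z_p consistent with a seeded toy instance.

    The true alpha is always in the list; any extra entries show that the
    leak (k bits per sample, n_samples samples) does not yet pin it down.
    """
    rng = random.Random(seed)
    samples = make_instance(p, alpha, k, n_samples, rng)
    return [a for a in range(p) if consistent(a, samples, p, k)]


if __name__ == "__main__":
    p, alpha = 1009, 123  # constructed toy parameters
    for k, n in [(1, 2), (4, 5), (4, 40)]:
        cands = recover(p, alpha, k, n, seed=1)
        print(f"k={k} samples={n}: {len(cands)} consistent alpha(s)")
```

Varying k and the number of samples shows the information-theoretic side of the problem: with k = 1 and two samples hundreds of candidates survive, while a few dozen 4-bit leaks leave only the true α. The paper's contribution is an efficient solver, not this exhaustive search.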

Article
Secure Human Identification Protocols
pp 52–66

One interesting and important challenge for the cryptologic community is that of providing secure authentication and identification for unassisted humans. There are a range of protocols for secure identification which require various forms of trusted ...

Article
Unbelievable Security. Matching AES Security Using Public Key Systems
pp 67–86

The Advanced Encryption Standard (AES) provides three levels of security: 128, 192, and 256 bits. Given a desired level of security for the AES, this paper discusses matching public key sizes for RSA and the ElGamal family of protocols. For the latter ...

Article
A Probable Prime Test with Very High Confidence for n ≡ 1 mod 4
pp 87–106

Although the Miller-Rabin test is very fast in practice, there exist composite integers n for which this test fails for 1/4 of all bases coprime to n. In 1998 Grantham developed a probable prime test with failure probability of only 1/7710 and ...
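The abstract's opening claim can be checked directly. The Python below is an added example rather than code from the paper: it implements one Miller-Rabin round and counts the strong liars of a composite n. The moduli n = 91 and n = 703 are chosen here because both reach the 1/4 bound exactly, which is the weakness the abstract motivates a stronger test against; n = 221 is included as a case well below the bound. Grantham's test and its 1/7710 bound are not reproduced, since the page gives no details of them.

```python
import math
from fractions import Fraction

# Added example (not from the paper): one Miller-Rabin round, and a count of
# the bases that fool it for a given odd composite n.


def strong_probable_prime(n, a):
    """One Miller-Rabin round: True if n passes to base a (n is a strong
    probable prime to base a), False if a witnesses that n is composite."""
    d, s = n - 1, 0
    while d % 2 == 0:  # write n - 1 = 2^s * d with d odd
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):  # repeated squaring, looking for -1 mod n
        x = x * x % n
        if x == n - 1:
            return True
    return False


def strong_liars(n):
    """Bases 1 <= a < n, coprime to n, for which n passes the round."""
    return [a for a in range(1, n)
            if math.gcd(a, n) == 1 and strong_probable_prime(n, a)]


def liar_fraction(n):
    """Fraction of coprime bases that are strong liars for n."""
    coprime = sum(1 for a in range(1, n) if math.gcd(a, n) == 1)
    return Fraction(len(strong_liars(n)), coprime)


if __name__ == "__main__":
    for n in (91, 703, 221, 1009):  # 91 = 7*13, 703 = 19*37, 221 = 13*17, 1009 prime
        print(n, liar_fraction(n))
```

For a prime n every coprime base passes, so the fraction is 1; for 91 and 703 it is exactly 1/4, the worst case the abstract refers to. A single random-base round therefore gives no better than a 1/4 error bound in the worst case, which is why rounds are repeated or a stronger test is used.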

Article
Computation of Discrete Logarithms in F_{2^607}
pp 107–124

We describe in this article how we have been able to extend the record for computations of discrete logarithms in characteristic 2 from the previous record over F_{2^503} to a newer mark of F_{2^607}, using Coppersmith's algorithm. This has been made possible by ...

Article
Speeding Up XTR
pp 125–143

This paper describes several speedups and simplifications for XTR. The most important results are new XTR double and single exponentiation methods where the latter requires a cheap precomputation. Both methods are on average more than 60% faster than ...

Article
An Efficient Implementation of Braid Groups
pp 144–156

We implement various computations in the braid groups via practically efficient and theoretically optimized algorithms whose pseudo-codes are provided. The performance of an actual implementation under various choices of parameters is listed.

Article
How to Achieve a McEliece-Based Digital Signature Scheme
pp 157–174

McEliece is one of the oldest known public key cryptosystems. Though it was less widely studied than RSA, it is remarkable that all known attacks are still exponential. It is widely believed that code-based cryptosystems like McEliece do not allow ...

Article
Efficient Traitor Tracing Algorithms Using List Decoding
pp 175–192

We use powerful new techniques for list decoding error-correcting codes to efficiently trace traitors. Although much work has focused on constructing traceability schemes, the complexity of the tracing algorithm has received little attention. Because the ...

Article
Security of Reduced Version of the Block Cipher Camellia against Truncated and Impossible Differential Cryptanalysis
pp 193–207

This paper describes truncated and impossible differential cryptanalysis of the 128-bit block cipher Camellia, which was proposed by NTT and Mitsubishi Electric Corporation. Our work improves on the best known truncated and impossible differential ...

Article
Known-IV Attacks on Triple Modes of Operation of Block Ciphers
pp 208–221

With chosen-IV chosen texts, David Wagner has analyzed the multiple modes of operation proposed by Eli Biham in FSE'98. However, his method is too unrealistic. We use only known-IV chosen texts to attack many triple modes of operation which are combined ...

Article
Generic Attacks on Feistel Schemes
pp 222–238

Let A be a Feistel scheme with 5 rounds from 2n bits to 2n bits. In the present paper we show that for most such schemes A: 1. It is possible to distinguish A from a random permutation from 2n bits to 2n bits after doing at most O(2^{7n/4}) computations ...

Article
A Compact Rijndael Hardware Architecture with S-Box Optimization
pp 239–254

Compact and high-speed hardware architectures and logic optimization methods for the AES algorithm Rijndael are described. Encryption and decryption data paths are combined and all arithmetic components are reused. By introducing a new composite field, ...

Article
Provable Security of KASUMI and 3GPP Encryption Mode f8
pp 255–271

Within the security architecture of the 3GPP system there is a standardised encryption mode f8 based on the block cipher KASUMI. In this work we examine the pseudorandomness of the block cipher KASUMI and the provable security of f8. First we show that ...

Article
Efficient and Mutually Authenticated Key Exchange for Low Power Computing Devices
pp 272–289

In this paper, we consider the problem of mutually authenticated key exchanges between a low-power client and a powerful server. We show how the Jakobsson-Pointcheval scheme proposed recently [15] can be compromised using a variant of interleaving ...

Article
Provably Authenticated Group Diffie-Hellman Key Exchange - The Dynamic Case
pp 290–309

Dynamic group Diffie-Hellman protocols for Authenticated Key Exchange (AKE) are designed to work in a scenario in which the group membership is not known in advance but where parties may join and may also leave the multicast group at any given time. ...

Article
Fully Distributed Threshold RSA under Standard Assumptions
pp 310–330

The aim of this article is to propose a fully distributed environment for the RSA scheme. What we have in mind is highly sensitive applications and even if we are ready to pay a price in terms of efficiency, we do not want any compromise of the security ...

Article
Adaptive Security in the Threshold Setting: From Cryptosystems to Signature Schemes
pp 331–350

Threshold cryptosystems and signature schemes give ways to distribute trust throughout a group and increase the availability of cryptographic systems. A standard approach in designing these protocols is to base them upon existing single-server systems ...

Article
Threshold Cryptosystems Secure against Chosen-Ciphertext Attacks
pp 351–368

Semantic security against chosen-ciphertext attacks (IND-CCA) is widely believed to be the correct security level for public-key encryption schemes. On the other hand, it is often dangerous to give only one person the power of decryption. Therefore, ...

Article
Oblivious Polynomial Evaluation and Oblivious Neural Learning
pp 369–384

We study the problem of Oblivious Polynomial Evaluation (OPE). There are two parties, Alice who has a polynomial P, and Bob who has an input x. The goal is for Bob to compute P(x) in such a way that Alice learns nothing about x and Bob learns only what ...

Article
Mutually Independent Commitments
pp 385–401

We study the two-party commitment problem, where two players have secret values they wish to commit to each other. Traditional commitment schemes cannot be used here because they do not guarantee independence of the committed values. We present three ...

Article
Efficient Zero-Knowledge Authentication Based on a Linear Algebra Problem MinRank
pp 402–421

A zero-knowledge protocol provides provably secure entity authentication based on a hard computational problem. Among many schemes proposed since 1984, the most practical rely on factoring and discrete log, but still they are practical schemes based on ...

Article
Responsive Round Complexity and Concurrent Zero-Knowledge
pp 422–441

The number of communication rounds is a classic complexity measure for protocols; reducing round complexity is a major goal in protocol design. However, when the communication time is inconstant, and in particular, when one of the parties intentionally ...

Article
Practical Construction and Analysis of Pseudo-Randomness Primitives
pp 442–459

We give a careful, fixed-size parameter analysis of a standard [1,4] way to form a pseudorandom generator by iterating a one-way function and then pseudo-random functions from said generator, [3]. We improve known bounds also asymptotically when many ...

Article
Autocorrelation Coefficients and Correlation Immunity of Boolean Functions
pp 460–479

We apply autocorrelation and Walsh coefficients for the investigation of correlation immune and resilient Boolean functions. We prove a new lower bound for the absolute indicator of resilient functions that improves significantly (for m > (n − 3)/2) the ...

Article
An Extension of Kedlaya's Point-Counting Algorithm to Superelliptic Curves
pp 480–494

We present an algorithm for counting points on superelliptic curves y^r = f(x) over a finite field F_q of small characteristic different from r. This is an extension of an algorithm for hyperelliptic curves due to Kedlaya. In this extension, the ...

Article
Supersingular Curves in Cryptography
pp 495–513

Frey and Rück gave a method to transform the discrete logarithm problem in the divisor class group of a curve over F_q into a discrete logarithm problem in some finite field extension F_{q^k}. The discrete logarithm problem can therefore be solved using ...

Article
Short Signatures from the Weil Pairing
pp 514–532

We introduce a short signature scheme based on the Computational Diffie-Hellman assumption on certain elliptic and hyperelliptic curves. The signature length is half the size of a DSA signature for a similar level of security. Our short signature scheme ...
