Routing is one of the most basic networking functions in mobile ad hoc networks. Hence, an adversary can easily paralyze the operation of the network by attacking the routing protocol. This has been realized by many researchers, and several ``secure'' routing protocols have been proposed for ad hoc networks. However, the security of those protocols have mainly been analyzed by informal means only. In this paper, we argue that flaws in ad hoc routing protocols can be very subtle, and we advocate a more systematic way of analysis. We propose a mathematical framework in which security can be precisely defined, and routing protocols for mobile ad hoc networks can be analyzed rigorously. Our framework is tailored for on-demand source routing protocols, but the general principles are applicable to other types of protocols too. Our approach is based on the simulation paradigm, which has already been used extensively for the analysis of key establishment protocols, but to the best of our knowledge, it has not been applied in the context of ad hoc routing so far. We also propose a new on-demand source routing protocol, called endairA, and we demonstrate the usage of our framework by proving that it is secure in our model.

The miniaturization of electronics and recent developments in biometric and screen technologies will permit a pervasive presence of embedded systems. This - and the inclusion of networking capabilities and IP addresses in many handheld devices - will foster the widespread deployment of personal mobile equipment.\smallskip This work attempts to overview these diverse aspects of mobile device security. We will describe mobile networks' security (WLAN and WPAN security, GSM and 3GPP security) and address platform security issues such as bytecode verification for mobile equipment and protection against viruses and Trojan horses in mobile environment - with a concrete J2ME implementation example. Finally we will turn to hardware attacks and briefly survey the physical weaknesses that can be exploited to compromise mobile equipment.\smallskip

Although identity based cryptography offers a number of functional advantages over conventional public key methods, the computational costs are significantly greater. The dominant part of this cost is the Tate pairing which, in characteristic three, is best computed using the algorithm of Duursma and Lee. However, in hardware and constrained environments this algorithm is unattractive since it requires online computation of cube roots or enough storage space to pre-compute required results. We examine the use of normal basis arithmetic in characteristic three in an attempt to get the best of both worlds: an efficient method for computing the Tate pairing that requires no pre-computation and that may also be implemented in hardware to accelerate devices such as smart-cards. Since normal basis arithmetic in characteristic three has not received much attention before, we also discuss the construction of suitable bases and associated curve parameterisations.

Quantum Key Exchange (QKE, also known as Quantum Key Distribution or QKD) allows communicating parties to securely establish cryptographic keys. It is a well-established fact that all QKE protocols require that the parties have access to an authentic channel. Without this authenticated link, QKE is vulnerable to man-in-the-middle attacks. Overlooking this fact results in exaggerated claims and/or false expectations about the potential impact of QKE. In this paper we present a systematic comparison of QKE with traditional key establishment protocols in realistic secure communication systems.

In spite of the use of standard web security measures (SSL/TLS), users enter sensitive information such as passwords into scam web sites. Such scam sites cause substantial damages to individuals and corporations. In this work, we analyze these attacks, and find they often exploit usability failures of browsers. We developed and describe TrustBar, a browser extension for improved secure identification indicators. Users can assign a name/logo to a secure site, presented by TrustBar when the browser presents that secure site; otherwise, TrustBar presents the certified site's owner name, and the name/logo of the Certificate Authority (CA) who identified the owner. Some of these ideas are already adopted by browsers, following our work. We describe usability experiments, which measure, and prove the effectiveness, of TrustBar's improved security and identification indicators. We derive general secure-usability principles from our experiments and experience with TrustBar

Unsolicited and undesirable e-mail (spam) is a growing problem for Internet users and service providers. We present the Secure Internet Content Selection (SICS) protocol, an efficient cryptographic mechanism for spam-control, based on allocation of responsibility (liability). With SICS, e-mail is sent with a content label, and a cryptographic protocol ensures labels are authentic and penalizes falsely labeled e-mail (spam). The protocol supports trusted senders (penalized by loss of trust) and unknown senders (penalized financially). The recipient can determine the compensation amount for falsely labeled e-mail (spam)). SICS is practical, with negligible overhead, gradual adoption path, and use of existing relationships; it is also flexible and appropriate for most scenarios, including deployment by end users and/or ISPs and support for privacy and legitimate, properly labeled commercial e-mail. SICS improves on other crypto-based proposals for spam controls, and complements non-cryptographic spam controls

In this article, we examine how the index calculus approach for computing discrete logarithms in small genus hyperelliptic curves can be improved by introducing a double large prime variation. Two algorithms are presented. The first algorithm is a rather natural adaptation of the double large prime variation to the intended context. On heuristic and experimental grounds, it seems to perform quite well but lacks a complete and precise analysis. Our second algorithm is a considerably simplified variant, which can be analyzed easily. The resulting complexity improves on the fastest known algorithms. Computer experiments show that for hyperelliptic curves of genus three, our first algorithm surpasses Pollard's Rho method even for rather small field sizes.

We give an informal analysis and critique of several typical ``provable security'' results. In some cases there are intuitive but convincing arguments for rejecting the conclusions suggested by the formal terminology and ``proofs,'' whereas in other cases the formalism seems to be consistent with common sense. We discuss the reasons why the search for mathematically convincing theoretical evidence to support the security of public-key systems has been an important theme of researchers. But we argue that the theorem-proof paradigm of theoretical mathematics is of limited relevance here and often leads to papers that are confusing and misleading. Because our paper is aimed at the general mathematical public, it is self-contained and as jargon-free as possible.

Computing the order of the Jacobian group of a hyperelliptic curve over a finite field is very important to construct a hyperelliptic curve cryptosystem (HCC), because to construct secure HCC, we need Jacobian groups of order in the form $l(J\(Bcdot c$ where $l$ is a prime greater than about $2^{160}$ and $c$ is a very small integer. But even in the case of genus two, known algorithms to compute the order of a Jacobian group for a general curve need a very long running time over a large prime field. In the case of genus three, only a few examples of suitable curves for HCC are known. In the case of genus four, no example has been known over a large prime field. In this article, we give explicit formulae of the order of Jacobian groups for hyperelliptic curves over a finite prime field of type $y^2=x^{2k+1}+a x$, which allows us to search suitable curves for HCC. By using these formulae, we can find many suitable curves for genus-4 HCC and show some examples.

In 2003, Al-Riyami and Paterson \cite{AP} proposed the certificateless public key cryptography(CL-PKC) which is intermediate between traditional certificated PKC and identity-based PKC. In this paper, we propose an authenticated certificateless public key encryption scheme. Our result improves their public key encryption scheme in efficiency and security. The security of the protocol is based on the hardness of two problems; the computational Diffie-Hellman problem(CDHP) and the bilinear Diffie-Hellman problem(BDHP). We also give a formal security model for both confidentiality and unforgeability, and then show that our scheme is provably secure in the random oracle model.

In implementing cryptographic algorithms on limited devices such as smart cards, speed and memory requirements had always presented a challenge. With the advent of side channel attacks, this task became even more difficult because a programmer must take into account countermeasures against such attacks, which often increases computational time, or memory requirements, or both. In this paper we describe a new method for secure implementation of the Advanced Encryption Standard algorithm. The method is based on a data masking technique, which is the most widely used countermeasure against power analysis and timing attacks at a software level. The change of element representation allows us to replace all multiplications in the field with table lookups using masked log/alog tables, and achieve an efficient solution that combines low memory requirements with high speed and resistance to attacks.

In this paper, we first show that previous proxy signature schemes by delegation with certificate are not provably secure under adaptive-chosen message attacks and adaptive-chosen warrant attacks. The schemes do not provide the strong undeniability. Then we construct a proxy signature scheme by delegation with certificate based on Co-GDH group from bilinear map. Our proxy signature scheme is existentially unforgeable against adaptive-chosen message attacks and adaptive-chosen warrant attacks in random oracle model. We adopt a straight method of security reduction in which our scheme's security is reduced to hardness of the computational co-Diffie-Hellem problem. The proposed signature scheme is the first secure delegation-by-certificate proxy signature based on co-GDH groups from bilinear maps under the formal security model in random oracle model.

This paper analyzes a key recovery method for RSA signature generation or decryption implementations using the Chinese Remainder Theorem (CRT) speed up. The CRT-based RSA implementation is common in both low computing power devices and high speed cryptographic acceleration cards. This recovery method is designed to work in conjunction with a side-channel attack where the CRT exponents are discovered from a message decryption or signature generation operation, the public exponent is assumed small and the public modulus is unknown. Since many RSA implementations use the small, low hamming weight public exponent 65537 this turns out to be a realistic method. An algorithm for recovering the private key, modulus and prime factorization candidates is presented with a proof of correctness. Runtime estimates and sample source code is given.

In this paper we find two near-collisions of the full compression function of SHA-0, in which up to 142 of the 160 bits of the output are equal. We also find many full collisions of 65-round reduced SHA-0, which is a large improvement to the best previous result of 35 rounds. We use the very surprising fact that the messages have many neutral bits, some of which do not affect the differences for about 15--20 rounds. We also show that 82-round SHA-0 is much weaker than the (80-round) SHA-0, although it has more rounds. This fact demonstrates that the strength of SHA-0 is not monotonous in the number of rounds.

We show how to attack an FPGA implementation of AES where all bytes are processed in parallel using differential electromagnetic analysis. We first focus on exploiting local side channels to isolate the behaviour of our targeted byte. Then, generalizing the Square attack, we describe a new way of retrieving information, mixing algebraic properties and physical observations.

The class of Rotation Symmetric Boolean Functions (RSBFs) has received serious attention recently in searching functions of cryptographic significance. These functions are invariant under circular translation of indices. In this paper we study such functions on odd number of variables and interesting combinatorial properties related to Walsh spectra of such functions are revealed. In particular we concentrate on plateaued functions (functions with three valued Walsh spectra) in this class and derive necessary conditions for existence of balanced rotation symmetric plateaued functions. As application of our result we show the non existence of 9-variable, 3-resilient RSBF with nonlinearity 240 that has been posed as an open question in FSE 2004. Further we show how one can make efficient search in the space of RSBFs based on our theoretical results and as example we complete the search for unbalanced 9-variable, 3rd order correlation immune plateaued RSBFs with nonlinearity 240.

This paper should be considered as a draft. Part of it is an extended version of the paper Generic Attacks and the Security of Quartz presented at PKC 2003 and at the second Nessie workshop. It also contains a lot of new material that is not published elsewhere: -(yet another) discussion about what is and what isn't a secure signature scheme -up-to-date security results fo Sflash and Quartz -new results on computational security of Sflash w.r.t algebraic relation attacks in the light of Faugère-Joux Crypto 2003 paper. -and more... Comments are welcome !

Signcryption is a novel public key primitive to achieve the combined functionality of authentication and confidentiality in an efficient manner. A new Elliptic Curve Cryptosystems based Signcryption which combines ECDSA and PSCE-1 is presented in the paper. The signcryption scheme is a publicly verifiable scheme which can be verified by the third party after the specific recipient removes his key information. Analysis shows that the proposed scheme is secure against the adaptive chosen ciphertext attack. The signcryption saves the communication cost at least 1.25 times and enhances computation cost 1.19 times over ECDSA-then-PSCE-1. Compared with other signcryption schemes, such as Y.Zheng¡¯s ECSCS, the new signcryption uses a uniform elliptic curve cryptosystem platform instead of four kinds of cryptosystem components: hash function, keyed hash function, symmetric cipher and elliptic curve. While keeping high security and efficiency, the scheme can be implemented in software and hardware at low price because of above advantages. Base on the signcryption, a broadcast scheme for multiple recipients and a threshold scheme with key distributed generation for multiple senders are also proposed.

Recently an algorithmic schema was proposed for converting any existing block cipher into one which excepts variable length inputs with the computational workload increasing in proportion to the block size. The resulting cipher is referred to as an elastic block cipher. The initial work presented immunity to certain key recovery attacks, and left open further analysis of the method and its possible instantiations. In order to provide a concrete example of an elastic block cipher, we design and implement an elastic version of the Advanced Encryption Standard (AES) cipher which accepts all block sizes in the range 128 to 255 bits. To validate the design we perform differential cryptanalysis on elastic AES which confirms that the cipher does not introduce potential differential attacks as a result of a subset of bits being omitted from each round (which is at the heart of the elastic design). We also compare the performance of software implementations of elastic AES and regular AES on variable size inputs, as a step in determining the practicality of the elastic version.

Two alternative architectures and VLSI implementations of the 64-bit NESSIE proposal, MISTY1 block cipher, are presented in this paper. For these implementations, FPGA devices were used. The first architecture is suitable for applications with high throughput requirements. A throughput of up to 7.2 Gbps can be achieved at a clock frequency of 96 MHz. The main characteristic of this implementation is that uses RAM blocks that are embedded in the FPGA device in order to implement the necessary by the algorithm S-boxes. The second architecture can be used in applications with constrained hardware resources. It uses feedback logic and inner pipeline with negative edge-triggered register. So, it causes the critical path to be shorter, without increasing the latency of the cipher execution. Compared with an implementation without inner pipeline, performance improvement of 97% is achieved. The measured throughput of the second architecture implementation is 561 Mbps at 79 MHz.

We propose a modification to the framework of Universally Composable (UC) security [Canetti'01]. Our new notion, involves comparing the protocol executions with an ideal execution involving ideal functionalities (just as in UC-security), but allowing the environment and adversary access to some super-polynomial computational power. We argue the meaningfulness of the new notion, which in particular subsumes many of the traditional notions of security. We generalize the Universal Composition theorem of [Canetti'01] to the new setting. Then under new computational assumptions, we realize secure multi-party computation (for static adversaries) without a common reference string or any other set-up assumptions, in the new framework. This is known to be impossible under the UC framework.

This paper presents the theoretical blueprint of a new secure token called the Externalized Microprocessor (XmP). Unlike a smart-card, the XmP contains no ROM at all. While exporting all the device's executable code to potentially untrustworthy terminals poses formidable security problems, the advantages of ROM-less secure tokens are numerous: chip masking time disappears, bug patching becomes a mere terminal update and hence does not imply any roll-out of cards in the field. Most importantly, code size ceases to be a limiting factor. This is particularly significant given the steady increase in on-board software complexity. After describing the machine's instruction-set we will introduce two XmP variants. The first design is a public-key oriented architecture which relies on a new RSA screening scheme and features a relatively low communication overhead at the cost of computational complexity, whereas the second variant is secret-key oriented and relies on simple MACs and hash functions but requires more communication. For each of these two designs, we propose two protocols that execute and dynamically authenticate arbitrary programs. We also provide a strong security model for these protocols and prove their security under appropriate complexity assumptions.

A new GF(2n) redundant representation is presented. Squaring in the representation is almost cost-free. Based on the representation, two multipliers are proposed. The XOR gate complexity of the first multiplier is lower than a recently proposed normal basis multiplier when CN (the complexity of the basis) is larger than 3n-1.

Even though passwords are the most convenient means of authentication, they bring along themselves the threat of dictionary attacks. Dictionary attacks may be of two kinds: online and offline. While offline dictionary attacks are possible only if the adversary is able to collect data for a successful protocol execution by eavesdropping on the communication channel and can be successfully countered using public key cryptography, online dictionary attacks can be performed by anyone and there is no satisfactory solution to counter them. This paper presents a new authentication protocol which is called CompChall (computational challenge). The proposed protocol uses only one way hash functions as the building blocks and attempts to eliminate online dictionary attacks by implementing a challenge-response system. This challenge-response system is designed in a fashion that it does not pose any difficulty to a genuine user but is time consuming and computationally intensive for an adversary trying to launch a large number of login requests per unit time as in the case of an online dictionary attack. The protocol is stateless and thus less vulnerable to DoS (Denial of Service) attacks.

Server assisted one time signature scheme was recently presented as a non-repudiation service for mobile and constrained devices. However, the scheme suffered with high storage requirements for the virtual server and high memory requirements for the mobile client. We improve the scheme by significantly reducing virtual server storage requirements as well as mobile client memory requirements. More precisely, the virtual server storage requirements in our scheme are reduced by a factor of more than 80 compared to the original scheme. Further, memory requirements for the mobile client are reduced by a factor of more than 130. This is done by generating various quantities pseudorandomly and storing just their cryptographic hash (instead of storing them fully) wherever possible, while still being able to perform dispute resolution.

This document discusses masking approaches with a special focus on the AES S-box. Firstly, we discuss previously presented masking schemes with respect to their security and implementation. We conclude that algorithmic countermeasures to secure the AES algorithm against side-channel attacks have not been resistant against all first-order side-channel attacks. Secondly, we introduce a new masking countermeasure which is not only secure against first-order side-channel attacks, but which also leads to relatively small implementations compared to other masking schemes when implemented in dedicated hardware.

Secret handshake protocols were recently introduced by Balfanz et al. [IEEE, Oakland 2003] to allow members of the same group to authenticate each other *secretly*, in the sense that someone who is not a group member cannot tell, by engaging some party in the handshake protocol, whether that party is a member of the group. On the other hand, any two parties who are members of the same group will recognize each other as members. Thus, secret handshakes can be used in any scenario where group members need to identify each other without revealing their group affiliations to outsiders. The secret handshake protocol of Balfanz et al. relies on a Bilinear Diffie-Hellman assumption (in ROM) on certain elliptic curves. We show how to build secret handshake protocols secure under more standard cryptographic assumption of Computational Diffie Hellman(CDH), using a novel tool of CA-oblivious public key encryption, which is an encryption scheme s.t. neither the public key nor the ciphertext reveal any information about the Certification Authority (CA) which certified the public key. We construct such CA-oblivious encryption, and hence a handshake scheme, based on CDH (in ROM). The new scheme takes 3 communication rounds like the scheme of Balfanz et al., but it is about twice cheaper computationally, and it relies on a weaker computational assumption.

The output of the Tate pairing on an elliptic curve over a finite field may be viewed as an element of an algebraic torus. Using this simple observation, we transfer techniques recently developed for torus-based cryptography to pairing-based cryptography, resulting in more efficient computations, and lower bandwidth requirements. To illustrate the efficacy of this approach, we apply the method to pairings on supersingular elliptic curves in characteristic three.

An identity (ID)-based signature scheme allows any pair of users to communicate securely and to verify each other's signatures without exchanging public key certificates. We have several ID-based signatures based on the discrete logarithm problem. While they have an advantage that the system secret can be shared by several parties through threshold schemes, they have a critical disadvantage in efficiency. To enhance the efficiency of verification, we propose a new ID-based signature scheme that allows batch verification of multiple signatures. The verification cost of the proposed signature scheme for $k$ signatures is almost constant with minimal security loss and when a new signature by a different signer is added to the batch verification, the additional cost is almost a half of that of a single signature. We prove that the proposed signature scheme is secure against existential forgery under adaptively chosen message and ID attack in the random oracle model and show why other ID-based signature schemes are hard to achieve these properties.

Access control can be used to ensure that database queries pertaining to sensitive information are not answered. This is not enough to prevent users from learning sensitive information though, because users can combine non-sensitive information to discover something sensitive. Inference control prevents users from obtaining sensitive information via such ``inference channels'', however, existing inference control techniques are not private - that is, they require the server to learn what queries the user is making in order to deny inference-enabling queries. We propose a new primitive - private inference control (PIC) - which is a means for the server to provide inference control without learning what information is being retrieved. PIC is a generalization of private information retrieval (PIR) and symmetrically-private information retrieval (SPIR). While it is straightforward to implement access control using PIR (simply omit sensitive information from the database), it is nontrivial to implement inference control efficiently. We measure the efficiency of a PIC protocol in terms of its communication complexity, its round complexity, and the work the server performs per query. Under existing cryptographic assumptions, we give a PIC scheme which is simultaneously optimal, up to logarithmic factors, in the work the server performs per query, the total communication complexity, and the number of rounds of interaction. We also present a scheme requiring more communication but sufficient storage of state by the server to facilitate private user revocation. Finally, we present a generic reduction which shows that one can focus on designing PIC schemes for which the inference channels take a particularly simple threshold form.

K. Kedlaya proposed an method to count the number of ${\mathbb F}_q$-rational points in a hyper-elliptic curve, using the Leschetz fixed points formula in Monsky-Washinitzer Cohomology. The method has been extended to super-elliptic curves (Gaudry and Gürel) immediately, to characteristic two hyper-elliptic curves, and to $C_{ab}$ curves (J. Denef, F. Vercauteren). Based on Miura theory, which is associated with how a curve is expressed as an affine variety, this paper applies Kedlaya's method to so-called strongly telescopic curves which are no longer plane curves and contain super-elliptic curves as special cases.

We introduce the new concept of elastic block ciphers, symmetric-key encryption algorithms that (1) for a variable-size input do not expand the plaintext (i.e., do not require plaintext padding) and (2) adjust their computational load proportionally to the size increase. Contrary to stream ciphers, elastic block ciphers maintain the diffusion property and non-synchronicity of traditional block ciphers. Elastic block ciphers are ideal (when combined with encryption modes) for applications where length-preserving encryption is most beneficial, such as protecting variable-length database fields or network packets. We present a general algorithm for converting a traditional block cipher, such as AES, to its elastic version, and analyze the security of the resulting cipher against key recovery attacks. Our approach allows us to ``stretch'' the supported block size of a block cipher up to twice the original length, while increasing the computational load proportionally to the expanded block size. Our approach does not allow us to use the original cipher as a ``black box'' (i.e., as an ideal cipher or a pseudorandom permutation as is used in constructing modes of encryption). Nevertheless, under some reasonable conditions on the cipher's structure and its key schedule, we reduce certain key recovery attacks of the elastic version to such attacks on the fixed-size block cipher. This schema and the security reduction enable us to capitalize on secure ciphers and their already established security properties in developing elastic designs. We note that we are not aware of previous ``reduction type'' proofs of security in the area of concrete (i.e., non ``black-box'') block cipher design. Our work puts forth the notion of elasticity in block cipher design.

A group key agreement protocol is designed to efficiently implement secure multicast channels for a group of parties communicating over an untrusted, open network by allowing them to agree on a common secret key. In the past decade many problems related to group key agreement have been tackled and solved (diminished if not solved), and recently some constant-round protocols have been proven secure in concrete, realistic setting. However, all forward-secure protocols so far are still too expensive for small mobile devices. In this paper we propose a new constant-round protocol well suited for a mobile environment and prove its security under the Decisional Diffie-Hellman assumption. The protocol meets simplicity, efficiency, and all the desired security properties.

In this paper, two different normal basis multiplication algorithms for software implementation are proposed over GF(2n). The first algorithm is suitable for high complexity normal bases and the second algorithm is fast for type-I optimal normal bases and low complexity normal bases. The ANSI C source program is also included in this paper.

This work describes a mode of operation, EME*, that turns a regular block cipher into a length-preserving enciphering scheme for messages of (almost) arbitrary length. Specifically, the resulting scheme can handle any bit-length, not shorter than the block size of the underlying cipher, and it also handles associated data of arbitrary bit-length. Such a scheme can either be used directly in applications that need encryption but cannot afford length expansion, or serve as a convenient building block for higher-level modes. The mode EME* is a refinement of the EME mode of Halevi and Rogaway, and it inherits the efficiency and parallelism from the original EME.

Many problems have been solved by protocols using discrete-logarithm based threshold cryptosystems. Such protocols require a random joint public key for which the secret key is shared among the parties. A multiparty protocol that generates such a key is called a DKG protocol. Until now no DKG protocol is known to be universally composable. We extend Feldman's original verifiable secret sharing scheme to construct a DKG protocol, and prove that it is universally composable. Our result holds in a common random string model under the Decision Diffie-Hellman assumption. We stress that we do not need any trapdoor for the common random string. Our protocol is optimistic. If all parties behave honestly, each party computes only $O(3k)$ exponentiations, where $k$ is the number of parties. In the worst case each party computes $O(k^2)$ exponentiations. This should be contrasted with previous constructions in which each party computes $\Omega(k^2)$ exponentiations regardless of if they behave honestly or not. In the optimistic case the number of bits sent in our protocol is essentially equal to the number of bits sent in $k$ independent copies of Feldman's original protocol.

The XTR public key system was introduced at Crypto 2000. Application of XTR in cryptographic protocols leads to substantial savings both in communication and computational overhead without compromising security. It is regarded that XTR is suitable for a variety of environments, including low-end smart cards, and XTR is the excellent alternative to either RSA or ECC. In \cite{LV00a,SL01}, authors remarked that XTR single exponentiation (XTR-SE) is less susceptible than usual exponentiation routines to environmental attacks such as timing attacks and Differential Power Analysis (DPA). In this paper, however, we investigate the security of side channel attack (SCA) on XTR. This paper shows that XTR-SE is immune against simple power analysis (SPA) under assumption that the order of the computation of XTR-SE is carefully considered. However we show that XTR-SE is vulnerable to Data-bit DPA (DDPA)\cite{Cor99}, Address-bit DPA (ADPA)\cite{IIT02}, and doubling attack \cite{FV03}. Moreover, we propose two countermeasures that prevent from DDPA and a countermeasure against ADPA. One of the countermeasures using randomization of the base element proposed to defeat DDPA, i.e., randomization of the base element using field isomorphism, could be used to break doubling attack. Thus if we only deal with SPA, DDPA, ADPA, and doubling attack as the attack algorithm for XTR-SE, XTR-SE should be added following countermeasures: randomization of the base element using field isomorphism (DDPA and doubling attack) + randomized addressing (ADPA). But the proposed countermeasure against doubling attack is very inefficient. So to maintain the advantage of efficiency of XTR a good countermeasure against doubling attack is actually necessary.

We present a new two-party identity-based key agreement that is more efficient than previously proposed schemes. It is inspired on a new identity-based key pair derivation algorithm first proposed by Sakai and Kasahara. We show how this key agreement can be used in either escrowed or escrowless mode. We also describe conditions under which users of different Key Generation Centres can agree on a shared secret key. We give an overview of existing two-party key agreement protocols, and compare our new scheme with existing ones in terms of computational cost and storage requirements.

We present the first blind identity-based signcryption (BIBSC). We formulate its security model and define the security notions of blindness and parallel one-more unforgeability (p1m-uf). We present an efficient construction from pairings, then prove a security theorem that reduces its p1m-uf to Schnorr¡¦s ROS Problem in the random oracle model plus the generic group and pairing model. The latter model is an extension of the generic group model to add support for pairings, which we introduce in this paper. In the process, we also introduce a new security model for (non-blind) identity-based signcryption (IBSC) which is a strengthening of Boyen¡¦s. We construct the first IBSC scheme proven secure in the strenghened model which is also the fastest (resp. shortest) IBSC in this model or Boyen¡¦s model. The shortcomings of several existing IBSC schemes in the strenghened model are shown.

We analyse the consequences of specific properties of the key-setup phase in symmetric encryption schemes for their security. We find that key-setup routines satisfying IND-CNA and one-wayness allow to construct schemes which are provably secure against key-recovery attacks. We propose a specific cryptosystem based on a stream cipher with a one-way IND-CNA key-setup, for which we present a proof, based on a set of scheme-specific assumptions, that it remains secure even if a successful key-recovery attack against the underlying cipher is found.

We propose the first distributed discrete-log key generation (DLKG) protocol from scratch which is adaptively-secure in the non-erasure model, and at the same time completely avoids the use of interactive zero-knowledge proofs. As a consequence, the protocol can be proven secure in a universally-composable (UC) like framework which prohibits rewinding. We prove the security in what we call the single-inconsistent-player (SIP) UC model, which guarantees arbitrary composition as long as all protocols are executed by the same players. As applications, we propose a fully UC threshold Schnorr signature scheme, a fully UC threshold DSS signature scheme, and a SIP UC threshold Cramer-Shoup cryptosystem. Our results are based on a new adaptively-secure Feldman VSS scheme. Although adaptive security was already addressed by Feldman in the original paper, the scheme requires secure communication, secure erasure, and either a linear number of rounds or digital signatures to resolve disputes. Our scheme overcomes all of these shortcomings, but on the other hand requires some restriction on the corruption behavior of the adversary, which however disappears in some applications including our new DLKG protocol. We also propose several new adaptively-secure protocols, which may find other applications, like a distributed trapdoor-key generation protocol for Pedersen's commitment scheme, an adaptively-secure Pedersen VSS scheme (as a {\em committed} VSS), or distributed-verifier proofs for proving relations among commitments or even any NP relations in general.

We present a fast addition algorithm in the Jacobian of a genus $3$ non-hyperelliptic curve over a field of any characteristic. When the curve has a rational flex and $\textrm{char}(k) > 5$, the computational cost for addition is $148M+15SQ+2I$ and $165M+20SQ+2I$ for doubling. An appendix focuses on the computation of flexes in all characteristics. For large odd $q$, we also show that the set of rational points of a non-hyperelliptic curve of genus $3$ can not be an arc.

Several signcryption schemes proposed in the literature are known to lack semantic security, and semantically secure signcryption schemes tend to be more computationally expensive. In fact, devising an efficient signcryption scheme providing both public verifiability and forward security was until now an open problem. In this paper, we show how a particular kind of signcryption scheme may become completely insecure when implemented with certain efficient instantiations of the Tate or Weil pairing. We also address the drawbacks of the secure schemes by proposing efficient, semantically and forward-secure signcryption schemes, in both transferable and non-transferable form, that can be realised on top of any pairing instantiation. As a bonus, we also derive from them a new, efficient identity-based signature scheme.

The recently proposed {\em universally composable {\em (UC)} security} framework for analyzing security of cryptographic protocols provides very strong security guarantees. In particular, a protocol proven secure in this framework is guaranteed to maintain its security even when run concurrently with arbitrary other protocols. It has been shown that if a majority of the parties are honest, then universally composable protocols exist for essentially any cryptographic task in the {\em plain model} (i.e., with no setup assumptions beyond that of authenticated communication). When honest majority is not guaranteed, general feasibility results are known only given trusted set-up, such as in the common reference string model. Only little was known regarding the existence of universally composable protocols in the plain model without honest majority, and in particular regarding the important special case of two-party protocols. We study the feasibility of universally composable two-party {\em function evaluation} in the plain model. Our results show that in this setting, very few functions can be securely computed in the framework of universal composability. We demonstrate this by providing broad impossibility results that apply to large classes of deterministic and probabilistic functions. For some of these classes, we also present full characterizations of what can and cannot be securely realized in the framework of universal composability. Specifically, our characterizations are for the classes of deterministic functions in which (a) both parties receive the same output, (b) only one party receives output, and (c) only one party has input.

Group key agreement protocols are designed to solve the fundamental problem of securely establishing a session key among a group of parties communicating over a public channel. Although a number of protocols have been proposed to solve this problem over the years, they are not well suited for a high-delay wide area network; their communication overhead is significant in terms of the number of communication rounds or the number of exchanged messages, both of which are recognized as the dominant factors that slow down group key agreement over a networking environment with high communication latency. In this paper we present a communication-efficient group key agreement protocol and prove its security in the random oracle model under the factoring assumption. The proposed protocol provides perfect forward secrecy and requires only a constant number of communication rounds for any of group rekeying operations, while achieving optimal message complexity.

We present an identity-based signcryption scheme that we believe is the most efficient proposed to date. We provide random oracle model~\cite{ROP} proofs of security under the definitions proposed in~\cite{MIBS}

Recent experimental results in quantum cryptography have renewed the interest in information-theoretically secure ciphers. In April 2004, in Vienna a bank transfer was secured by means of a one time pad encryption, with the key material being derived from a quantum key exchange. However, in this experiment the integrity of the transmitted message remained unprotected. This can have severe consequences, if the bank transfer form itself contains no authentication mechanism and there is a known position where the amount of money or the recipient is specified. Through flipping bits at the corresponding positions in the ciphertext, the amount of transfered money or the recipient of the money can be changed. This concrete example illustrates the necessity for a thorough theoretical analysis of information-theoretically secure cryptographic techniques that are to be deployed in practice. In this work we show how to implement a statistically secure and composable system for message passing, that is, a channel with negligible failure rate secure against unbounded adversaries, using a one time pad based cryptosystem. We prove the security of our system in an asynchronous adversarially-controlled network using the framework put forward by Backes, Pfitzmann, and Waidner. The composition theorem offered by this framework enables the use of our scheme as a building block of more complex protocols as needed in practical applications.

We clarify a relation between the XL algorithm and Groebner bases algorithms. The XL algorithm was proposed to be a more efficient algorithm to solve a system of equations with a special assumption without trying to calculate a whole Groebner basis. But in our result, it is shown that the XL algorithm is also a Groebner bases algorithm which can be represented as a redundant version of a Groebner bases algorithm F4 under the assumption in XL.

The Secure Sockets Layer (SSL) protocol is widely used for securing communication over the Internet. When utilizing block ciphers for encryption, the SSL standard mandates the use of the cipher block chaining (CBC) mode of encryption which requires an initialization vector (IV) in order to encrypt. Although the initial IV used by SSL is a (pseudo)random string which is generated and shared during the initial handshake phase, subsequent IVs used by SSL are chosen in a deterministic, predictable pattern; in particular, the IV of a message is taken to be the final ciphertext block of the immediately-preceding message. We show that this introduces a vulnerability in SSL which (potentially) enables easy recovery of low-entropy strings such as passwords or PINs that have been encrypted. Moreover, we argue that the open nature of web browsers provides a feasible ``point of entry'' for this attack via a corrupted plug-in; thus, implementing the attack is likely to be much easier than, say, installing a Trojan Horse for ``keyboard sniffing''. Finally, we suggest a number of modifications to the SSL standard which will prevent this attack.

Recently, Courtois and Pieprzyk proposed an attack on symmetric ciphers that takes advantage of a previously-unexploited property of substitution boxes, or s-boxes, in the round function. This paper gives a brief overview of this ``overdefined system of equations'' attack and shows how the attack may be avoided through the use of round functions that contain a variety of protection mechanisms, including combinations of operators from different algebraic groups, a circular rotation step, and substitution boxes (s-boxes) of large dimension.

Hidden credentials are useful in protecting sensitive resource requests, resources, policies and credentials. We propose a significant improvement in decryption performance when implementing hidden credentials using the Franklin/Boneh IBE. We also propose a substantially improved secret splitting scheme for enforcing complex policies, and show how it improves concealment of policies from nonsatisfying recipients.

A blind signature scheme is a protocol for obtaining a digital signature from a signer, but the signer can neither learn the messages he/she sign nor the signatures the recipients obtain afterwards. Partially blind signature is a variant such that part of the message contains pre-agreed information (agreed by the signer and the signature requester) in unblinded form, while threshold blind signature distributes the signing power to a group of signers such that a signature can only be produced by interacting with a predetermined numbers of signers. In this paper, we propose a threshold partially blind signature scheme from bilinear pairings and an ID-based partially blind signature scheme, which are provably secure in the random oracle model. To the best of authors' knowledge, we give the first discussion on these two notions.

To obtain efficient cryptosystems based on hyperelliptic curves, we studied genus 2 isomorphism classes of hyperelliptic curves in characteristic 2. We found general and optimal form for these curves, just as the short Weierstrass form for elliptic curves. We studied the security and the arithmetic on their jacobian. We also rewrote and optimized the formulas of Lange in characteristic 2, and we introduced a new system of coordinate. Therefore, we deduced the best form of hyperelliptic curves of genus 2 in characteristic 2 to use in cryptography.

In this paper, we formulate precisely the requirements for privacy protecting biometric authentication systems. The secrecy capacity $\Cs$ is investigated for the discrete and the continuous case. We present, furthermore, a general algorithm that meets the requirements and achieves $\Cs$ as well as $\Cid$ (the identification capacity). Finally, we present some practical constructions of the general algorithm and analyze their properties.

We present a voting protocol that protects voters' privacy and achieves universal verifiability, receipt-freeness, and uncoercibility without ad hoc physical assumptions or procedural constraints (such as untappable channels, voting booths, smart cards, third-party randomizers, and so on). We discuss under which conditions the scheme allows voters to cast write-in ballots, and we show how it can be practically implemented through voter-verified (paper) ballots. The scheme allows voters to combine voting credentials with their chosen votes applying the homomorphic properties of certain probabilistic cryptosystems.

Group signature schemes are cryptographic systems that provide revocable anonymity for signers. We propose a group signature scheme with constant-size public key and signature length that does not require trapdoor. So system parameters can be shared by multiple groups belonging to different organizations. The scheme is provably secure in the formal model recently proposed by Bellare, Shi and Zhang (BSZ04), using random oracle model, Decisional Bilinear Diffie-Hellman and Strong Diffie-Hellman assumptions. We give a more efficient variant scheme and prove its security in a formal model which is a modification of BSZ04 model and has a weaker anonymity requirement. Both schemes are very efficient and the sizes of signatures are approximately one half and one third, respectively, of the sizes of the well-known ACJT00 scheme. We will show that the schemes can be used to construct a traceable signature scheme and identity escrow schemes. They can also be extended to provide membership revocation.

Sflash is a fast multivariate signature scheme. Though the first version Sflash-v1 was flawed, a second version, Sflash-v2 was selected by the Nessie Consortium and was recommended for implementation of low-end smart cards. Very recently, due to the security concern, the designer of Sflash recommended that Sflash-v2 should not be used, instead a new version Sflash-v3 is proposed, which essentially only increases the length of the signature. The Sflash family of signature schemes is a variant of the Matsumoto and Imai public key cryptosystem. The modification is through the Minus method, namely given a set of polynomial equations, one takes out a few of them to make them much more difficult to solve. In this paper, we attack the Sflash-v3 scheme by combining an idea from the relinearization method by Kipnis and Shamir, which was used to attack the Hidden Field Equation schemes, and the linearization method by Patarin. We show that the attack complexity is less than 2^80, the security standard required by the Nessie Consortium.

This paper first positively answers the previously open question of whether it was possible to obtain an optimal security reduction for an identity based signature (IBS) under a reasonable computational assumption. We revisit the Sakai-Ogishi-Kasahara IBS that was recently proven secure by Bellare, Namprempre and Neven through a general framework applying to a large family of schemes. We show that their modified SOK-IBS scheme can be viewed as a one-level instantiation of Gentry and Silverberg's alternative hierarchical IBS the exact security of which was never considered before. We also show that this signature is as secure as the one-more Diffie-Hellman problem. As an application, we propose a modification of Boyen's "Swiss Army Knife" identity based signature encryption (IBSE) that presents better security reductions and satisfies the same strong security requirements with a similar efficiency.

A general method to secure cryptographic algorithm implementations against side-channel attacks is the use of randomization techniques and, in particular, masking. Roughly speaking, using random values unknown to an adversary one masks the input to a cryptographic algorithm. As a result, the intermediate results in the algorithm computation are uncorrelated to the input and the adversary cannot obtain any useful information from the side-channel. Unfortunately, previous AES randomization techniques have based their security on heuristics and experiments. Thus, flaws have been found which make AES randomized implementations still vulnerable to side-channel cryptanalysis. In this paper, we provide a formal notion of security for randomized maskings of arbitrary cryptographic algorithms. Furthermore, we present an AES randomization technique that is provably secure against side-channel attacks if the adversary is able to access a single intermediate result. Our randomized masking technique is quite general and it can be applied to arbitrary algorithms using only arithmetic operations over some even characteristic finite field. We notice that to our knowledge this is the first time that a randomization technique for the AES has been proven secure in a formal model.

The effect of faults on electronic systems has been studied since the 1970s when it was noticed that radioactive particles caused errors in chips. This led to further research on the effect of charged particles on silicon, motivated by the aerospace industry who was becoming concerned about the effect of faults in airborn electronic systems. Since then various mechanisms for fault creation and propagation have been discovered and researched. This paper covers the various methods that can be used to induce faults in semiconductors and exploit such errors maliciously. Several examples of attacks stemming from the exploiting of faults are explained. Finally a series of countermeasures to thwart these attacks are described.

We show that in applications that use the Diffie-Hellman (DH) transform but take care of hashing the DH output (as required, for example, for secure DH-based encryption and key exchange) the usual requirement to work over a DDH group (i.e., a group in which the Decisional Diffie-Hellman assumption holds) can be relaxed to only requiring that the DH group contains a large enough DDH subgroup. In particular, this implies the security of (hashed) Diffie-Hellman over non-prime order groups such as $Z_p^*$. Moreover, our results show that one can work directly over $Z_p^*$ without requiring any knowledge of the prime factorization of $p-1$ and without even having to find a generator of $Z_p^*$. These results are obtained via a general characterization of DDH groups in terms of their DDH subgroups, and a relaxation (called $t$-DDH) of the DDH assumption via computational entropy. We also show that, under the short-exponent discrete-log assumption, the security of the hashed Diffie-Hellman transform is preserved when replacing full exponents with short exponents.

We point out several security flaws in the cryptosystem based on tree replacement systems proposed by Samuel, Thomas, Abisha and Subramanian at INDOCRYPT 2002. Due to the success of (among others) very simple ciphertext-only attacks, we evidence that this system does not, in its present form, offer acceptable security guarantees for cryptographic applications.

Hash Chains are used extensively in various cryptographic systems such as one-time passwords, server supported signatures, secure address resolution, certificate revocation, micropayments etc. However, currently they suffer from the limitation that they have a finite number of links which when exhausted requires the system to be re-initialized. In this paper, we present a new kind of hash chain which we call a Re-initializable Hash Chain (RHC). A RHC has the property that if its links are exhausted, it can be securely re-initialized in a non-repudiable manner to result in another RHC. This process can be continued indefinitely to give rise to an infinite length hash chain, or more precisely, an infinite number of finite length hash chains tied together. Finally we illustrate how a conventional hash chain (CHC) may be profitable replaced with a RHC in cryptographic systems.

We point out that the notion of {\em ambiguity} introduced in the concurrent signatures proposed by Chen, Kudla, and Paterson in Eurocrypt 2004 is incorrect. Any third party who observed two signatures can differentiate who has/have produced the signatures by performing the verification algorithm. We note that the model proposed in the paper is sound, but the concrete scheme does not really provide what is required in the model.

GNFS (general number field sieve) algorithm is currently the fastest known algorithm for factoring large integers. Up to the present, several running time estimates for GNFS are announced. These estimates are usually based on the previous factoring results. However, since the previous factoring results were done by various programs and/or computers, it is difficult to compare those running time. We implemented GNFS and factored 100- to 150-digits number on the same environment. This manuscript describes the statistics of these factorings.

In these lecture notes we survey the state of the art in symmetric key encryption, in particular in the block ciphers and stream ciphers area. The area of symmetric key encryption has been very active in the last five years due to growing interest from academic and industry research, standardization efforts like AES, NESSIE and CRYPTREC, as well as due to ease of government control over export of cryptography.

This paper analyzes the modified Nyberg-Rueppel signature scheme (mNR), proving it secure in the Generic Group Model (GM). We also show that the security of the mNR signature is equivalent (in the standard model) to that of a twin signature, while achieving computational and bandwidth improvements. As a provably secure signature scheme, mNR is very efficient. We demonstrate its practical relevance by providing an application to the construction of a provably secure, self-certified, identity-based scheme (SCID). SCID schemes combine some of the best features of both PKI-based schemes (functionally trusted authorities, public keys revocable without the need to change identifier strings) and ID-based ones (lower bandwidth requirements). The new SCID scheme matches the performance achieved by the most efficient ones based on the discrete logarithm, while requiring only standard security assumptions in the Generic Group Model.

HC-256 is a software-efficient stream cipher. It generates keystream from a 256-bit secret key and a 256-bit initialization vector. The encryption speed of the C implementation of HC-256 is about 1.9 bits per clock cycle (4.2 cycle/byte) on the Intel Pentium 4 processor. A variant of HC-256 is also introduced in this paper.

Database outsourcing is a popular industry trend which involves organizations delegating their data management needs to an external service provider. In this model, a service provider hosts its clients’ databases and offers mechanisms for clients to create, store, update and access (query) their databases. Since a service provider is almost never fully trusted, security and privacy of outsourced data are important concerns. This paper focuses on integrity and authenticity issues in outsourced databases. Whenever someone queries a hosted database, the returned results must be demonstrably authentic: the querier needs to establish – in an efficient manner – that both integrity and authenticity (with respect to the actual data owner) are assured. To this end, some recent work examined two relevant signature schemes: one based on a condensed variant of batch RSA and the other – on aggregated signature scheme by Boneh, et al. In this paper, we introduce the notion of immutability for aggregated signature schemes. Immutability refers to the difficulty of computing new valid aggregated signatures from a set of other aggregated signatures. This is an important feature, particularly for outsourced databases, as lack thereof would enable a frequent querier to eventually amass enough aggregated signatures to answer other (un-posed) queries, thus becoming a de facto service provider. Since the schemes considered in [19] do not offer immutability, we propose several practical methods to achieve it.

We present a provably secure authenticated tree based key agreement protocol. The protocol is obtained by combining Boldyreva's multi-signature with an unauthenticated ternary tree based multi-party extension of Joux's key agreement protocol. The securiry is in the standard model as formalized by Bresson et al. The proof is based on the techniques used by Katz and Yung in proving the security of their key agreement protocol.

Key pre-distribution (KPD) schemes, are inherently trade-offs between security and complexity, and are perhaps well suited for securing large-scale deployments of resource constrained nodes without persistent access to a trusted authority (TA). However, the need to offset their inherent security limitations, calls for some degree of tamper - resistance of nodes. Obviously, if absolute tamper-resistance is guaranteed, KPD schemes are rendered secure. In practice, however, tamper-resistance will have some limitations which will be exploited by attackers. In this paper, we analyze the security of deployments of random key pre-distribution schemes based on some assumptions on the "extent of tamper-resistance." We argue that a "limited extent of tamper resistance" when used in conjunction with a mechanism for "periodic key updates," drastically improves the security of (especially random) KPD schemes.

In this paper we present batch signature verification schemes for identity and non-identity signatures schemes based on bilinear maps. We examine some signature schemes and exploit their properties so that we can batch process the verification of these signatures in an efficient manner. Batch verification of message signatures is useful in real world applications. Most email clients are predominantly offline and so do not download emails one at a time. Instead the mails arrive at an online mail server individually, where they are collected together and stored. It is only after some period of time that any mails on the server are downloaded in bulk. It is not unreasonable to have 5 - 10 emails download into your inbox in any one transaction with the mail server. Say these mails were all signed, then this would be an ideal time to do batch signature verification. We show that we can make substantial savings over the naïve approach of verifying one message signature at a time.

This paper gives a survey of some ways to improve the efficiency of discrete log-based cryptography by using the restriction of scalars and the geometry and arithmetic of algebraic tori and abelian varieties.

We introduce a new type of Identity-Based Encryption (IBE) scheme that we call Fuzzy Identity-Based Encryption. In Fuzzy IBE we view an identity as set of descriptive attributes. A Fuzzy IBE scheme allows for a private key for an identity, $\omega$, to decrypt a ciphertext encrypted with an identity, $\omega'$, if and only if the identities $\omega$ and $\omega'$ are close to each other as measured by the ``set overlap'' distance metric. A Fuzzy IBE scheme can be applied to enable encryption using biometric inputs as identities; the error-tolerance property of a Fuzzy IBE scheme is precisely what allows for the use of biometric identities, which inherently will have some noise each time they are sampled. Additionally, we show that Fuzzy-IBE can be used for a type of application that we term ``attribute-based encryption''. In this paper we present two constructions of Fuzzy IBE schemes. Our constructions can be viewed as an Identity-Based Encryption of a message under several attributes that compose a (fuzzy) identity. Our IBE schemes are both error-tolerant and secure against collusion attacks. Additionally, our basic construction does not use random oracles. We prove the security of our schemes under the Selective-ID security model.

In this paper we describe our new CS$^2$ block cipher which is an extension of the original CS-Cipher. Our new design inherits the efficiency of the original design while being upgraded to support a larger block size as well as use a slightly improved substitution box. We prove that our design is immune to differential and linear cryptanalysis as well as argue it resists several other known attacks.

Several efforts have been made recently to put forward a set of cryptographic primitives for public key encryption, suitable to be standardized. In two of them (in the first place the NESSIE european evaluation project, already finished, and in the second place the standardisation bodies ISO/IEC), the methodology by Victor Shoup for hybrid encryption, known as {\em Key Encapsulation Method-Data Encapsulation Mechanism} (KEM-DEM), has been accepted. In this work we re-evaluate the elliptic curve based KEMs studied to become standards, which are called ACE-KEM, ECIES-KEM and PSEC-KEM. Their security is based on different assumptions related to the elliptic curve discrete logarithm (ECDL) problem on a random elliptic curve. First of all, we fix some inexact results claimed in the previous literature. As a consequence, the performance features of PSEC-KEM are dramatically affected. In second place, we analyse both their security properties and performance when elliptic curves with computable bilinear maps ({\em pairing curves} for short) are used. It turns out that these KEMs present a very tight security reduction to the same problem, namely the ECDH problem on such curves; moreover, one can even relate their security to the ECDL problem in certain curves with a small security loss. It is also argued that ECIES-KEM arises as the best option among these KEMs when pairing curves are used. This is remarkable, since NESSIE did not include ECIES-KEM over a random curve in its portfolio of recommended cryptographic primitives. It is concluded that for medium security level applications, which is likely the case for many embedded systems (e.g. smart cards), implementing these KEMs over pairing curves should be considered a very reasonable option.

Scan based test is a double edged sword. On one hand, it is a powerful test technique. On the other hand, it is an equally powerful attack tool. In this paper we show that scan chains can be used as a side channel to recover secret keys from a hardware implementation of the Data Encryption Standard (DES). By loading pairs of known plaintexts with one-bit difference in the normal mode and then scanning out the internal state in the test mode, we first determine the position of all scan elements in the scan chain. Then, based on a systematic analysis of the structure of the non-linear substitution boxes, and using three additional plaintexts we discover the DES secret key. Finally, some assumptions in the attack are discussed.

We define \emph{reactive simulatability} for general asynchronous systems. Roughly, simulatability means that a real system implements an ideal system (specification) in a way that preserves security in a general cryptographic sense. Reactive means that the system can interact with its users multiple times, e.g., in many concurrent protocol runs or a multi-round game. In terms of distributed systems, reactive simulatability is a type of refinement that preserves particularly strong properties, in particular confidentiality. A core feature of reactive simulatability is \emph{composability}, i.e., the real system can be plugged in instead of the ideal system within arbitrary larger systems; this is shown in follow-up papers, and so is the preservation of many classes of individual security properties from the ideal to the real systems. A large part of this paper defines a suitable system model. It is based on probabilistic IO automata (PIOA) with two main new features: One is \emph{generic distributed scheduling}. Important special cases are realistic adversarial scheduling, procedure-call-type scheduling among colocated system parts, and special schedulers such as for fairness, also in combinations. The other is the definition of the \emph{reactive runtime} via a realization by Turing machines such that notions like polynomial-time are composable. The simple complexity of the transition functions of the automata is not composable. As specializations of this model we define security-specific concepts, in particular a separation beween honest users and adversaries and several trust models. The benefit of IO automata as the main model, instead of only interactive Turing machines as usual in cryptographic multi-party computation, is that many cryptographic systems can be specified with an ideal system consisting of only one simple, deterministic IO automaton without any cryptographic objects, as many follow-up papers show. This enables the use of classic formal methods and automatic proof tools for proving larger distributed protocols and systems that use these cryptographic systems.

Recently proposed algebraic attacks [AK03,CM03] and fast algebraic attacks [A04,C03] have provided the best analyses against some deployed LFSR-based ciphers. The process complexity is exponential in the degree of the equations. Fast algebraic attacks were introduced [C03] as a way of reducing run-time complexity by reducing the degree of the system of equations. Previous reports on fast algebraic attacks [A04,C03] have underestimated the complexity of substituting the keystream into the system of equations, which in some cases dominates the attack. We also show how the Fast Fourier Transform (FFT) [CT65] can be applied to decrease the complexity of the substitution step, although in one case this step still dominates the attack complexity. Finally, we show that all functions of degree d satisfy a common, function-independent linear combination that may be used in the pre-computation step of the fast algebraic attack and provide an explicit factorization of the corresponding characteristic polynomial. This yields the fastest known method for performing the pre-computation step.

The purpose of this paper is to revise the HENKOS Stream Cipher paper present in the archive at 2004/080 and to provide a clear description of the proposed HENKOS cryptographic algorithm.

Since Joux published the first pairing-based one-round tripartite key agreement protocol [13], many authenticated protocols have been proposed. However most of them were soon broken or demonstrated not to achieve some desirable security attributes. In this paper we present a protocol variant based on Shim's work [20]. As the formalized model of this type of AK protocols is not mature, the security properties of the protocol are heuristically investigated by attempting a list of attacks. The attack list presented in the paper has both the importance in theory and the meaning in practice and can be used to evaluate other tripartite and group key agreement protocols.

WinZip is a popular compression utility for Microsoft Windows computers, the latest version of which is advertised as having "easy-to-use AES encryption to protect your sensitive data." We exhibit several attacks against WinZip's new encryption method, dubbed "AE-2" or "Advanced Encryption, version two." We then discuss secure alternatives. Since at a high level the underlying WinZip encryption method appears secure (the core is exactly Encrypt-then-Authenticate using AES-CTR and HMAC-SHA1), and since one of our attacks was made possible because of the way that WinZip Computing, Inc.~decided to fix a different security problem with its previous encryption method AE-1, our attacks further underscore the subtlety of designing cryptographically secure software.

A first step toward establishing foundations for group signatures was taken by Bellare, Micciancio and Warinschi (Eurocrypt 2003) with a treatment of the case where the group is static. However the bulk of existing practical schemes and applications are for dynamic groups, and these involve important new elements and security issues. This paper treats this case, providing foundations for dynamic group signatures, in the form of a model, strong formal definitions of security, and a construction proven secure under general assumptions. We believe this is an important and useful step because it helps bridge the gap between Bellare Micciancio and Warinschi and the previous practical work, and delivers a basis on which existing practical schemes may in future be evaluated or proven secure.

To date, a group signature construction which is efficient, scalable, allows dynamic adversarial joins, and proven secure in a formal model has not been suggested. In this work we give the first such construction in the random oracle model. The demonstration of an efficient construction proven secure in a formal model that captures all intuitive security properties of a certain primitive is a basic goal in cryptographic design. To this end we adapt a formal model for group signatures capturing all the basic requirements that have been identified as desirable in the area and we construct an efficient scheme and prove its security. Our construction is based on the Strong-RSA assumption (as in the work of Ateniese et al.). In our system, due to the requirements of provable security in a formal model, we give novel constructions as well as innovative extensions of the underlying mathematical requirements and properties. Our task, in fact, requires the investigation of some basic number-theoretic techniques for arguing security over the group of quadratic residues modulo a composite when its factorization is known. Along the way we discover that in the basic construction, anonymity does not depend on factoring-based assumptions, which, in turn, allows the natural separation of user join management and anonymity revocation authorities. Anonymity can, in turn, be shown even against an adversary controlling the join manager.

In this paper I propose a tweakable block cipher construction with a mode of operation that combines counter and chaining methods. Using a single key, the direct application of this mode produces unrepeatable message authentication tags.

This report presents the results from the completed computation of an algorithm introduced by the authors in [11] for evaluating the provable security of the AES (Rijndael) against linear cryptanalysis. This algorithm, later named KMT2, can in fact be applied to any SPN [8]. Preliminary results in [11] were based on 43\% of total computation, estimated at 200,000 hours on our benchmark machine at the time, a Sun Ultra 5. After some delay, we obtained access to the necessary computational resources, and were able to run the algorithm to completion. In addition to the above, this report presents the results from the dual version of our algorithm (KMT2-DC) as applied to the AES.

We propose an index calculus algorithm for the discrete logarithm problem on general abelian varieties. The main difference with the previous approaches is that we do not make use of any embedding into the Jacobian of a well-suited curve. We apply this algorithm to the Weil restriction of elliptic curves and hyperelliptic curves over small degree extension fields. In particular, our attack can solve all elliptic curve discrete logarithm problems defined over $GF(q^3)$ in time $O(q^{10/7})$, with a reasonably small constant; and an elliptic problem over $GF(q^4)$ or a genus 2 problem over $GF(p^2)$ in time $O(q^{14/9})$ with a larger constant.

The most popular public key cryptosystems rely on assumptions from algebraic number theory, e.g., the difficulty of factorisation or the discrete logarithm. The set of problems on which secure public key systems can be based is therefore very small: e.g., a breakthrough in factorisation would make RSA insecure and hence affect our digital economy quite dramatically. This would be the case if quantum-computer with a large number of qbits were available. Therefore, a wider range of candidate hard problems is needed. In 1996, Patarin proposed the ``Hidden Field Equations" (HFE) as a base for public key cryptosystems. In a nutshell, they use polynomials over finite fields of different size to disguise the relationship between the private key and the public key. In these systems, the public key consists of multivariate polynomials over finite fields with up to 256 elements for practical implementations. Over finite fields, solving these equations has been shown to be an NP-complete problem. In addition, empirical results show that this problem is also hard on average, i.e., it can be used for a secure public key signature or encryption scheme. In this article, we outline HFE, and its the variations HFE-, HFEv. Moreover, we describe the signature scheme Quartz, which is based on Hidden Field Equations. In addition, we describe the most recent attacks against HFE and sketch two versions of Quartz which are immune against these attacks.

We present a variant of the Boneh \& Franklin Identiy-based Encryption {\sc ibe} scheme to derive an authenticated symmetric key-exchange protocol, when combined with a signature scheme. Our protocol uses {\sc ibe} as a secure channel to establish a symmetric key between two users and, after that, further communication can be done by symmetric cryptography, much faster than pairing-based cryptography.

It is already known that the Weil and Tate pairings can be used to solve many decision-Diffie-Hellman (DDH) problems on elliptic curves. A natural question is whether all DDH problems are easy on supersingular curves. To answer this question it is necessary to have suitable distortion maps. Verheul states that such maps exist, and this paper gives methods to construct them. The paper therefore shows that all DDH problems on supersingular elliptic curves are easy. We also discuss the issue of which DDH problems on ordinary curves are easy. A related contribution is a discussion of distortion maps which are not isomorphisms. We give explicit distortion maps for elliptic curves with complex multiplication of discriminants $D=-7$ and $D=-8$.

In~\cite{B02} it was proved that 20 out of 64 PGV-hash functions~\cite{P94} based on block cipher are collision resistant and one-way-secure in black-box model of the underlying block cipher. Here, we generalize the definition of PGV-hash function into a hash family and we will prove that besides the previous 20 hash functions we have 22 more collision resistant and one-way secure hash families. As all these 42 families are keyed hash family, these become target collision resistant also. All these 42 hash families have tight upper and lower bounds on (target) collision resistant and one-way-ness.

This paper describes the synthesis of Dynamic Differential Logic to increase the resistance of FPGA implementations against Differential Power Analysis. The synthesis procedure is developed and a detailed description is given of how EDA tools should be used appropriately to implement a secure digital design flow. Compared with an existing technique to implement Dynamic Differential Logic on FPGA, the technique saves a factor 2 in slice utilization. Experimental results also indicate that a secure version of the AES encryption algorithm can now be implemented with a mere 50% increase in time delay and 90% increase in slice utilization when compared with a normal non-secure single ended implementation.

Charge Recycling Sense Amplifier Based Logic is presented. This logic is derived from Sense Amplifier Based Logic, which is a logic style with signal independent power consumption that is capable to protect security devices such as Smart Cards against power attacks. Experimental results show that utilization of advanced circuit techniques save 20% in power consumption and 63% in peak supply current and that the logic style preserves the energy masking behavior.

We present a dynamic and differential CMOS logic style, which has a signal independent switching behavior. It is shown that during each clock cycle, power consumption and all circuit characteristics, such as leakage current, instantaneous current and input-output delay are identical and independent of the logic value and the sequence of the input data. Implementing the encryption module in this logic will protect it against any Side Channel Attack that takes advantage of power, timing and leakage information. We have built a set of logic gates and a flip-flop needed for cryptographic functions and implemented a larger module, for which area, total power consumption and variation on the power consumption have been compared with implementations in Static Complementary CMOS logic, genuine Dynamic and Differential Logic and Current Mode Logic.

In this paper we propose three refinements to Miller's algorithm for computing Weil/Tate Pairing.The first one is an overall improvement and achieves its optimal behavior if the binary expansion of the involved integer has more zeros. If more ones are presented in the binary expansion, second improvement is suggested. The third one is especially efficient in the case base three. We also have some performance analysis.

The bilinear pairing such as Weil pairing or Tate pairing on elliptic and hyperelliptic curves have recently been found applications in design of cryptographic protocols. In this survey, we have tried to cover different cryptographic protocols based on bilinear pairings which possess, to the best of our knowledge, proper security proofs in the existing security models.

We propose a one-round $1$-out-of-$n$ computationally-private information retrieval protocol for $\ell$-bit strings with low-degree polylogarithmic receiver-computation, linear sender-computation and communication $\Theta(k\cdot\log^2{n}+\ell\cdot\log{n})$, where $k$ is a possibly non-constant security parameter. The new protocol is receiver-private if the underlying length-flexible additively homomorphic public-key cryptosystem is IND-CPA secure. It can be transformed to a one-round computationally receiver-private and information-theoretically sender-private $1$-out-of-$n$ oblivious-transfer protocol for $\ell$-bit strings, that has the same asymptotic communication and is private in the standard complexity-theoretic model.

Fix a small, non-empty set of blockcipher keys K. We say a blockcipher-based hash function is "highly-efficient" if it makes exactly one blockcipher call for each message block hashed, and all blockcipher calls use a key from K. Although a few highly-efficient constructions have been proposed, no one has been able to prove their security. In this paper we prove, in the ideal-cipher model, that it is impossible to construct a highly-efficient iterated blockcipher-based hash function that is provably secure. Our result implies, in particular, that the Tweakable Chain Hash (TCH) construction suggested by Liskov, Rivest, and Wagner is not correct under an instantiation suggested for this construction, nor can TCH be correctly instantiated by any other efficient means.

We herein discuss two modes of attack on multivariate public-key cryptosystems. A 2000 Goubin-Courtois article applied these techniques against a special class of multivariate PKC's called ``Triangular-Plus-Minus'' (TPM), and may explain in part the present dearth of research on ``true'' multivariates -- multivariate PKC's in which the middle map is not really taken in a much larger field. These attacks operate by finding linear combinations of matrices with a given rank. Indeed, we can describe the two attacks very aptly as ``high-rank'' and ``low-rank''. However, TPM was not general enough to cover all pertinent true multivariate PKC's. \emph{Tame-like} PKC's, multivariates with relatively few terms per equation in the central map and an easy inverse, is a superset of TPM that can enjoy both fast private maps and short set-up times. However, inattention can still let rank attacks succeed in tame-like PKCs. The TTS (Tame Transformation Signatures) family of digital signature schemes lies at this cusp of contention. Previous TTS instances (proposed at ICISC '03) claim good resistance to other known attacks. But we show how careless construction in current TTS instances (TTS/4 and TTS/$2'$) exacerbates the security concern of rank, and show two different cryptanalysis in under $2^{57}$ AES units. TTS is not the only tame-like PKC with these liabilities -- they are shared by a few other misconstructed schemes. A suitable equilibrium between speed and security must be struck. We suggest a generic way to craft tame-like PKC's more resistant to rank attacks. A demonstrative TTS variant with similar dimensions is built for which rank attack takes $>2^{80}$ AES units, while remaining very fast and as resistant to other attacks. The proposed TTS variants can scale up. In short: We show that rank attacks apply to the wider class of tame-like PKC's, sometimes even better than previously described. However, this is relativized by the realization that we can build adequately resistant tame-like multivariate PKC's, so the general theme still seem viable compared to more traditional or large-field multivariate alternatives.

Informally, an obfuscator $\Obf$ is an efficient, probabilistic ``compiler'' that transforms a program $P$ into a new program $\Obf(P)$ with the same functionality as $P$, but such that $\Obf(P)$ protects any secrets that may be built into and used by $P$. Program obfuscation, if possible, would have numerous important cryptographic applications, including: (1) ``Intellectual property'' protection of secret algorithms and keys in software, (2) Solving the long-standing open problem of homomorphic public-key encryption, (3) Controlled delegation of authority and access, (4) Transforming Private-Key Encryption into Public-Key Encryption, and (5) Access Control Systems. Unfortunately however, program obfuscators that work on arbitrary programs cannot exist [Barak et al]. No positive results for program obfuscation were known prior to this work. In this paper, we provide the first positive results in program obfuscation. We focus on the goal of access control, and give several provable obfuscations for complex access control functionalities, in the random oracle model. Our results are obtained through non-trivial compositions of obfuscations; we note that general composition of obfuscations is impossible, and so developing techniques for composing obfuscations is an important goal. Our work can also be seen as making initial progress toward the goal of obfuscating finite automata or regular expressions, an important general class of machines which are not ruled out by the impossibility results of Barak et al. We also note that our work provides the first formal proof techniques for obfuscation, which we expect to be useful in future work in this area.