Recently we solved the long-standing open problem of justifying a Dolev-Yao type model of cryptography as used in virtually all automated protocol provers under active attacks. The justification was done by defining an ideal system handling Dolev-Yao-style terms and a cryptographic realization with the same user interface, and by showing that the realization is as secure as the ideal system in the sense of reactive simulatability. This definition encompasses arbitrary active attacks and enjoys general composition and property-preservation properties. Security holds in the standard model of cryptography and under standard assumptions of adaptively secure primitives. A major primitive missing in that library so far is symmetric encryption. We show why symmetric encryption is harder to idealize in a way that allows general composition than existing primitives in this library. We discuss several approaches to overcome these problems. For our favorite approach we provide a detailed provably secure idealization of symmetric encryption within the given framework for constructing nested terms.

In their seminal paper, Miyaji, Nakabayashi and Takano~\cite{miyaji-nakabayashi-takano} describe a simple method for the creation of elliptic curves of prime order with embedding degree 3, 4, or 6. Such curves are important for the realisation of pairing-based cryptosystems on ordinary (non-supersingular) elliptic curves. We provide an alternative derivation of their results, and extend them to allow for the generation of many more suitable curves.

In this paper we study the long standing problem of information extraction from multiple linear approximations. We develop a formal statistical framework for block cipher attacks based on this technique and derive explicit and compact gain formulas for generalized versions of Matsui's Algorithm 1 and Algorithm 2. The theoretical framework allows both approaches to be treated in a unified way, and predicts significantly improved attack complexities compared to current linear attacks using a single approximation. In order to substantiate the theoretical claims, we benchmarked the attacks against reduced-round versions of DES and observed a clear reduction of the data and time complexities, in almost perfect correspondence with the predictions. The complexities are reduced by several orders of magnitude for Algorithm 1, and the significant improvement in the case of Algorithm 2 suggests that this approach may outperform the currently best attacks on the full DES algorithm.

In this paper we introduce a new way to represent elements of a finite field of characteristic $2$. We describe a new type of polynomial basis, called {\it redundant trinomial basis} and discuss how to implement it efficiently. Redundant trinomial bases are well suited to build $\mathbb{F}_{2^n}$ when no irreducible trinomial of degree $n$ exists. Tests with {\tt NTL} show that improvements for squaring and exponentiation are respectively up to $45$\% and $25$\%. More attention is given to relevant extension degrees for doing elliptic and hyperelliptic curve cryptography. For this range, a scalar multiplication can be speeded up by a factor up to $15$\%.

In a (t, n) proxy signature scheme, the original signer can delegate his/her signing capability to n proxy signers such that any t or more proxy singers can sign messages on behalf of the former, but t-1 or less of them cannot do the same thing. Such schemes have been suggested for use in a number of applications, particularly in distributed computing where delegation of rights is quite common. Based on the RSA cryptosystem, Hwang et al. recently proposed an efficient (t, n) threshold proxy signature scheme. In this paper we identify several security weaknesses in their scheme and show that their scheme is insecure.

Committed Oblivious Transfer (COT) is a useful cryptographic primitive that combines the functionalities of bit commitment and oblivious transfer. In this paper, we introduce an extended version of COT (ECOT) which additionally allows proofs of relations among committed bits, and we construct an efficient protocol that securely realizes an ECOT functionality in the universal-composability (UC) framework in the common reference string (CRS) model. Our construction is more efficient than previous (non-UC) constructions of COT, involving only a constant number of exponentiations and communication rounds. Using the ECOT functionality as a building block, we construct efficient UC protocols for general two-party and multi-party functionalities (in the CRS model), each gate requiring a constant number of ECOT's.

For the last two decades the notion and implementations of proxy signatures have been used to allow transfer of digital signing power within some context (in order to enable flexibility of signers within organizations and among entities). On the other hand, various notions of the key-evolving signature paradigms (forward-secure, key-insulated, and intrusion-resilient signatures) have been suggested in the last few years for protecting the security of signature schemes, localizing the damage of secret key exposure. In this work we relate the various notions via direct and concrete security reductions that are tight. We start by developing the first formal model for fully hierarchical proxy signatures, which, as we point out, also addresses vulnerabilities of previous schemes when self-delegation is used. Next, we prove that proxy signatures are, in fact, equivalent to key-insulated signatures. We then use this fact and other results to establish a tight hierarchy among the key-evolving notions, showing that intrusion-resilient signatures and key-insulated signatures are equivalent, and imply forward-secure signatures. We also introduce other relations among extended notions. Besides the importance of understanding the relationships among the various notions that were originally designed with different goals or with different system configuration in mind, our findings imply new designs of schemes. For example, many proxy signatures have been presented without formal model and proofs, whereas using our results we can employ the work on key-insulated schemes to suggest new provably secure designs of proxy signatures schemes.

We consider the following problem: a user \U\ wants to store his files in an encrypted form on a remote file server \FS. Later the user \U\ wants to efficiently retrieve some of the encrypted files containing (or indexed by) specific keywords, keeping the keywords themselves secret and not jeopardizing the security of the remotely stored files. For example, a user may want to store old e-mail messages encrypted on a server managed by Yahoo or another large vendor, and later retrieve certain messages while traveling with a mobile device. In this paper, we offer solutions for this problem under well-defined security requirements. Our schemes are efficient in the sense that no public-key cryptosystem is involved. Indeed, our approach is independent of the encryption method chosen for the remote files. They are also incremental, in that \U\ can submit new files which are totally secure against previous queries but still searchable against future queries.

In 1988, Harn, Laih and Huang proposed a password authentication scheme based on quadratic residues. However, in 1995, Chang, Wu and Laih pointed out that if the parameters d b a , , and l are known by the intruder, this scheme can be broken. In this paper, we presented another attack on the Harn-Laih-Huang scheme. In our attack, it doesn’t need to know the parameters and it is more efficient than the Chang-Wu-Laih attack.

Side-channel analysis has been recognized for several years as a practical and powerful means to reveal secret keys of [publicly known] cryptographic algorithms. Only very recently this kind of cryptanalysis has been applied to reverse engineer a non-trivial part of the specification of a proprietary (i.e., secret) algorithm. The target here is no longer the value of secret key but the secret specifications of the cryptographic algorithm itself. In a recent paper, Roman Novak (2003) describes how to recover the value of one (out of two) substitution table of a secret instance of the A3/A8 algorithm, the GSM authentication and session-key generation algorithm. His attack presents however two drawbacks from a practical viewpoint. First, in order to retrieve one substitution table ($T_2$), the attacker must know the value of the other substitution table ($T_1$). Second, the attacker must also know the value of secret key $K$. In this paper, we improve Novak's attack and show how to retrieve \emph{both} substitution tables ($T_1$ and $T_2$) \emph{without any prior knowledge about the secret key}. Furthermore, as a side-effect, we also recover the value of the secret key. With this contribution, we intend to present a practical SCARE (Side Channel Analysis for Reverse Engineering) attack, anticipate a growing interest for this new area of side-channel signal exploitation, and remind, if needed, that security cannot be achieved through obscurity alone.

Tail-MAC, A predecessor to the VMPC-MAC, algorithm for computing Message Authentication Codes for stream ciphers is described along with the analysis of its security. The proposed algorithm was designed to employ some of the data already computed by the underlying stream cipher in the purpose of minimizing the computational cost of the operations required by the MAC algorithm. The performed analyses indicate several problems with the security of the scheme and lead to a new design which described in a paper "VMPC-MAC: A Stream Cipher Based Authenticated Encryption Scheme". The new scheme solves all the problems found at a cost of some compromise in the performance.

This paper considers a weak variant on the notion of zero-knowledge. The weak notion is compatible with the chosen ciphertext security. In fact, arguments of knowledge based on IND-CCA encryption schemes are shown to be statistical zero-knowledge in that sense.

We introduce a new public-key cryptosystem with tractable rational maps. As an application of abstract algebra and algebraic geometry to cryptography, TRMC (Tractable Rational Map Cryptosystem) has many superior properties including high complexity, easy implementation and very fast execution. We describe the principles and implementation of TRMC and analyze its properties. Also, we give a brief account of security analysis.

In the setting of concurrent self composition, a single protocol is executed many times concurrently by a single set of parties. In this paper, we prove lower bounds and impossibility results for secure protocols in this setting. First and foremost, we prove that there exist large classes of functionalities that {\em cannot} be securely computed under concurrent self composition, by any protocol. We also prove a {\em communication complexity} lower bound on protocols that securely compute a large class of functionalities in this setting. Specifically, we show that any protocol that computes a functionality from this class and remains secure for $m$ concurrent executions, must have bandwidth of at least $m$ bits. The above results are unconditional and hold for any type of simulation (i.e., even for non-black-box simulation). In addition, we prove a severe lower bound on protocols that are proven secure using black-box simulation. Specifically, we show that any protocol that computes the blind signature or oblivious transfer functionalities and remains secure for $m$ concurrent executions, where security is proven via {\em black-box simulation}, must have at least $m$ rounds of communication. Our results hold for the plain model, where no trusted setup phase is assumed. While proving our impossibility results, we also show that for many functionalities, security under concurrent {\em self} composition (where a single secure protocol is run many times) is actually equivalent to the seemingly more stringent requirement of security under concurrent {\em general} composition (where a secure protocol is run concurrently with other arbitrary protocols). This observation has significance beyond the impossibility results that are derived by it for concurrent self composition.

Transitive signature, motivated by signing vertices and edges of a dynamically growing, transitively closed graph, was first proposed by Micali and Rivest. The general designing paradigm proposed there involved a underlying standard signature scheme, which is required to be existentially unforgeable against adaptive chosen message attacks. We show that the requirement for the underlying signature is not necessarily so strong, instead non-adaptive security is enough to guarantee the transitive signature scheme secure in the strongest sense, i.e, transitively unforgeable under adaptive chosen message attack (defined by Bellare and Neven). We give a general proof of such transitive signature schemes, and also propose a specific transitive signature scheme based on factoring and strong-RSA. Hence the choice of standard signatures that can be employed by transitive signature schemes is enlarged. The efficiency of transitive signature schemes may be improved since efficiency and security are trade-off parameters for standard signature schemes.

Sequences with almost perfect linear complexity profile are defined by H.~Niederreiter[4]. C.P. Xing and K.Y. Lam[5, 6] extended this concept from the case of single sequences to the case of multi-sequences and furthermore proposed the concept of d-perfect. In this paper, based on the technique of m-continued fractions due to Dai et al, we investigate the property of d-perfect multi-sequences and obtain the sufficient and necessary condition on d-perfect property. We show that multi-sequences with d-perfect property are not always strongly d-perfect. In particular, we give one example to disprove the conjecture on d-perfect property of multi-sequences proposed by C.P. Xing in [6].

We present an algebraic cryptanalysis of Bresson, et al.'s spontaneous anonymous threshold signature for ad hoc groups. The technique is to reduce a degenerate condition in Lagrange interpolation to an algebraically solvable high-density knapsack problem over $GF(2^\ell)$. We repair their protocol by revisiting and updating Cramer, et al.'s result on spontaneous anonymous threshold proof-of-knowledge (partial proof-of-knowledge). We generalize their proof by removing two assumptions, and reduce its security to a new candidate hard problem, PoK-Collision, in the random oracle model. To add to the urgency of our update, we present major versions of major PoK schemes that do not satisfy their special soundness assumption.

In this paper we propose a very efficient two-round k-out-of-n oblivious transfer scheme, in which R sends O(k) messages to S, and S sends O(n) messages back to R. The computation cost of R and S is reasonable as R needs O(k) operations and S needs O(n)operations. The choices of R are unconditionally secure and the secrecy of unchosen messages is guaranteed as well if the decisional bilinear Diffie-Hellman problem is hard. When k=1, our scheme is as efficient as the most efficient 1-out-of-n oblivious transfer scheme up to now. Our scheme has the nice property of universal parameters. That is, each pair of R and S need neither hold any secret key nor perform any prior setup. The system parameters can be used by all senders and receivers without any trapdoor specification. Our k-out-of-n oblivious transfer scheme is the most efficient one in terms of the communication cost, in both rounds and the number of messages. Moreover, our scheme can be extended in a straightforward way to an adaptive k-out-of-n oblivious transfer scheme, which allows the receiver R to choose the secrets one by one adaptively. In our scheme, S sends O(n) messages to R in one round in the commitment phase. For each query of R, only O(1) messages are exchanged and O(1) operations (in elliptic curves) are performed. In fact, the number k of queries need not be pre-fixed or known beforehand. This makes our scheme highly flexible.

Recently, J.-J. Shen, C.-W. Lin and M.-S. Hwang (Computers & Security, Vol 22, No 7, pp 591-595, 2003) proposed a modified Yang-Shieh scheme to enhance security. They claimed that their modified scheme can withstand the forged login attack and also provide a mutual authentication method to prevent the forged server attack. In this paper, we show that the Shen-Lin-Hwang scheme cannot resist the forged login attack either. The intruder is able to forge a valid forge request of a legitimate user Ui and then successfully impersonate him by intercepting a login request sent by Ui and registering a smart card.

We present an adaptive chosen-plaintext cryptanalysis of Boneh, et al.'s bilinear spontaneous anonymous ad hoc group signature. Then we present a patch, and an extension to a threshold version complete with a security proof in the random oracle model (ROM).

Chameleon signatures are based on well established hash-and-sign paradigm, where a \emph{chameleon hash function} is used to compute the cryptographic message digest. Chameleon signatures simultaneously provide the properties of non-repudiation and non-transferability for the signed message, $i.e.,$ the designated recipient is capable of verifying the validity of the signature, but cannot disclose the contents of the signed information to convince any third party without the signer's consent. One disadvantage of the initial chameleon signature scheme is that signature forgery results in the signer recovering the recipient's trapdoor information, $i.e.,$ private key. Therefore, the signer can use this information to deny \emph{other} signatures given to the recipient. This creates a strong disincentive for the recipient to forge signatures, partially undermining the concept of non-transferability. In this paper, we firstly propose a chameleon hashing scheme in the gap Diffie-Hellman group to solve the problem of key exposure. We can prove that the recipient's trapdoor information will never be compromised under the assumption of Computation Diffie-Hellman Problem (CDHP) is intractable. Moreover, we use the proposed chameleon hashing scheme to design a chameleon signature scheme.

A secure scheme of restrictive partially blind signature was presented. The proposed scheme has several advantages over the previous scheme: 1. The scheme is provable secure against the one-more signature forgery under the adaptively parallel attack. 2. The issued signatures can be of polynomial number whereas the previous work allows only logarithmic number. 3. The scheme is more efficient than previous scheme in both communicational and computational complexities.

In this paper, we study the problem of single database private information retrieval, and present schemes with only logarithmic server-side communication complexity. Previously the best result could only achieve polylogarithmic communication, and was based on certain less well-studied assumptions in number theory \cite{CMS99}. On the contrary, our construction is based on Paillier's cryptosystem \cite{P99}, which along with its variants have drawn extensive studies in recent cryptographic researches \cite{PP99,G00,CGGN01,DJ01,CGG02,CNS02,ST02,GMMV03,KT03}, and have many important applications (e.g., the Cramer-Shoup CCA2 encryption scheme in the standard model \cite{CS02}). Actually, our schemes can be directly used to implement $1$-out-of-$N$ {\em $\ell$-bit string} oblivious transfer with $O(\ell)$ sender-side communication complexity (against semi-honest receivers and malicious senders). Note the sender-side communication complexity is independent of $N$, the constant hidden in the big-$O$ notation is in fact small, and $\ell$ is unrestricted. Moreover, We also show a way to do communication balancing between the sender-side and the receiver-side. In addition, we show how to handle malicious receivers with small communication overheads, which itself is a non-trivial result.

We consider basic notions of security for cryptographic hash functions: collision resistance, preimage resistance, and second-preimage resistance. We give seven different definitions that correspond to these three underlying ideas, and then we work out all of the implications and separations among these seven definitions within the concrete-security, provable-security framework. Because our results are concrete, we can show two types of implications, "conventional" and "provisional", where the strength of the latter depends on the amount of compression achieved by the hash function. We also distinguish two types of separations, "conditional" and "unconditional". When constructing counterexamples for our separations, we are careful to preserve specified hash-function domains and ranges; this rules out some pathological counterexamples and makes the separations more meaningful in practice. Four of our definitions are standard while three appear to be new; some of our relations and separations have appeared, others have not. Here we give a modern treatment that acts to catalog, in one place and with carefully-considered nomenclature, the most basic security notions for cryptographic hash functions.

Every integer n > 0 º N defines an increasing monotonic series of integers: n1, n2, ...nk, such that nk = nk +k(k-1)/2. We define as s(m) the number of such series that an integer m belongs to. We prove that there are infinite number of integers with s=1, all of the form 2^t (they belong only to the series that they generate, not to any series generated by a smaller integer). We designate them as s-prime integers. All integers with a factor other than 2 are not s-prime (s>1), but are s-composite. However, the arithmetic s function shows great variability, lack of apparent pattern, and it is conjectured that s(n) is unbound. Two integers, n and m, are defined as s-congruent if they have a common s-series. Every arithmetic equation can be seen as an expression without explicit unknowns -- provided every integer variable can be replaced by any s-congruent number. To validate the equation one must find a proper match of such members. This defines a special arithmetic, which appears well disposed towards certain cryptographic applications.

We investigate efficient protocols for password-authenticated key exchange based on the RSA public-key cryptosystem. To date, most of the published protocols for password-authenticated key exchange were based on Diffie-Hellman key exchange. It appears inappropriate to design password-authenticated key exchange protocols using RSA and other public-key cryptographic techniques. In fact, many of the proposed protocols for password-authenticated key exchange based on RSA have been shown to be insecure; the only one that remains secure is the SNAPI protocol. Unfortunately, the SNAPI protocol has to use a prime public exponent $e$ larger than the RSA modulus $n$. In this paper, we present a new password-authenticated key exchange protocol, called {\em PEKEP}, which allows using both large and small prime numbers as RSA public exponents. Based on number-theoretic techniques, we show that the new protocol is secure against the $e$-{\em residue attack}, a special type of off-line dictionary attack against RSA-based password-authenticated key exchange protocols. We also provide a formal security analysis of PEKEP under the RSA assumption and the random oracle model. On the basis of PEKEP, we present a computationally-efficient key exchange protocol to mitigate the burden on communication entities.

Pairing-based cryptosystems rely on bilinear non-degenerate maps called pairings, such as the Tate and Weil pairings defined over certain elliptic curve groups. In this paper we show how to compress pairing values, how to couple this technique with that of point compression, and how to benefit from the compressed representation to speed up exponentiations involving pairing values, as required in many pairing based protocols.

The aim of the paper is the construction of the index calculus algorithm for the discrete logarithm problem on elliptic curves. The construction presented here is based on the problem of finding bounded solutions to some explicit modular multivariate polynomial equations. These equations arise from the elliptic curve summation polynomials introduced here and may be computed easily. Roughly speaking, we show that given the algorithm for solving such equations, which works in polynomial or low exponential time in the size of the input, one finds discrete logarithms faster than by means of Pollard's methods.

Hyperelliptic curve cryptography recently received a lot of attention, especially for constrained environments. Since there space is critical, compression techniques are interesting. In this note we propose a new method which avoids factoring the first representing polynomial. In the case of genus two the cost for decompression is, essentially, computing two square roots in $\F_q$, the cost for compression is much less.

Hardware accelerators are often used in cryptographic applications for speeding up the highly arithmetic-intensive public-key primitives, e.g. in high-end smart cards. One of these emerging and very promising public-key scheme is based on HyperElliptic Curve Cryptosystems (HECC). In the open literature only a few considerations deal with hardware implementation issues of HECC. Our contribution appears to be the first one to propose architectures for the latest findings in efficient group arithmetic on HEC. The group operation of HECC allows parallelization at different levels: bit-level parallelization (via different digit-sizes in multipliers) and arithmetic operation-level parallelization (via replicated multipliers). We investigate the trade-offs between both parallelization options and identify speed and time-area optimized configurations. We found that a coprocessor using a single multiplier (D = 8) instead of two or more is best suited. This coprocessor is able to compute group addition and doubling in 479 and 334 clock cycles, respectively. Providing more resources it is possible to achieve 288 and 248 clock cycles, respectively.

In a verifiable encryption, an asymmetrically encrypted ciphertext can be publicly verified to be decipherable by a designated receiver while maintaining the semantic security of the message \cite{AsokanShWa98,CamenischDa00,CamenischSh03}. In this paper, we introduce {\em Custodian-Hiding Verifiable Encryption}, where it can be publicly verified that there exists at least one custodian (user), out of a designated group of $n$ custodians (users), who can decrypt the message, while the semantic security of the message and the anonymity of the actual decryptor are maintained. Our scheme is proven secure in the random oracle model. We also introduce two extensions to decryption by a subset of more than one user.

We present a linkable spontaneously anonymous group (LSAG) signature scheme (alternatively known as linkable ring signature scheme) satisfying the following three properties. (1) Anonymity, or signer indistinguishability. (2) Linkability: That two signatures by the same signer can be linked. (3) Spontaneity: No group secret, therefore no group manager or group secret sharing setup. We reduce the security of our scheme to well-known problems under the random oracle model. Using the scheme, we construct a new efficient one-round e-voting system which does not have a registration phase. We also present a new efficient reduction of famous rewind simulation lemma which only relies on elementary probability theory. Threshold extensions of our scheme are also presented.

In this paper we show how to combine the design concepts of the SQUARE and CS block ciphers to produce a pseudo-random permutation CSQUARE suitable for use in block cipher and hash design with a very high multi-round trail weight. The new design inherits the hardware efficiency of the SQUARE linear transform pattern as well as the efficiency of the fast pseudo-Hadamard transform over a finite field. We demonstrate the DMWT hash function which makes use of our new results.

To ensure the security of software executing on malicious hosts, as in digital rights management (DRM) applications, it is desirable to encrypt or decrypt content using white-box encoded cryptographic algorithms in the manner of Chow et al. Such encoded algorithms must run on an adversary’s machine without revealing the private key information used, despite the adversary’s ability to observe and manipulate the running algorithm. We have implemented obfuscated (white-box) DES and 3DES algorithms along the lines of Chow et al., with alterations that improve the security of the key, eliminating attacks that extract the key from Chow et al.’s obfuscated DES. Our system is secure against two previously published attacks on Chow et al.’s system, as well as a new adaptation of a statistical bucketing attack on their system. During implementation of white-box DES we found that a number of optimizations were needed for practical generation and execution. On a typical laptop we can generate obfuscated DES functions in a Lisp environment in under a minute allocating 11 MB, including the space required for the resulting function. The resulting function occupies 4.5 MB and encrypts or decrypts each block in approximately 30 ms on an 800 MHz G4 processor; slight run-time performance of the obfuscated DES could be traded to further reduce our algorithm’s representation to 2.3 MB. Although it is over an order of magnitude slower than typical DES systems, we believe it is fast enough for application to some DRM problems.

Exponentiation in finite fields of characteristic 2 is proposed to construct large bijective S-boxes of block ciphers. We obtain some properties of the exponential S-boxes that are related to differential, higher order differential, and linear cryptanalysis methods.

As of today no solely software-based solution that a priori protects the computation of any mobile code and/or mobile agent was presented. Furthermore, Algesheimer et al. [1], argue that minimal trust in a third party is essential for the protection of mobile entities. This paper shows that under very mild assumptions, there exists a software-only based solution that can protect any computation of mobile entities in polynomial time bound systems, and without relaying on the minimal trust requirement. A novel Remote Distributed Scheme, called RDS, is described. RDS is based on fault-tolerant and modest cryptographic techniques and supports an a priori protection of any mobile computation that is carried in an honest-but-curious environment (“trusted entities”). We next show, by using on probabilistic techniques, that RDS provides an a priori protection for any mobile computation, in any environment, and for any required level of secrecy. We also prove that RDS equivalents, and by thus, provides the same level of protection that is supports by the traditional client/server scheme.

It is often necessary for two or more or more parties that do not fully trust each other to selectively share data. We propose a search scheme based on Bloom filters and Pohlig-Hellman encryption. A semi-trusted third party can transform one party's search queries to a form suitable for querying the other party's database, in such a way that neither the third party nor the database owner can see the original query. Furthermore, the encryption keys used to construct the Bloom filters are not shared with this third party. Provision can be made for third-party ``warrant servers'', as well as ``censorship sets'' that limit the data to be shared.

The 9/11 tragedy triggered an increased interest in biometric passports. According to several sources \cite{sp2}, the electronic ID market is expected to increase by more than 50\% {\sl per annum} over the three coming years, excluding China. \smallskip To cost-effectively address this foreseen explosion, a very inexpensive memory card (phonecard-like card) capable of performing fingerprint matching is paramount.\smallskip This paper presents such a solution. The proposed protocol is based on the following idea: the card stores the user's fingerprint information to which random minutiae were added at enrolment time (we denote this scrambled template by $t$). The card also stores a binary string $w$ encoding which of the minutiae in $t$ actually belong to the holder. When an identification session starts, the terminal reads $t$ from the card and, based upon the incoming scanner data, determines which of the minutiae in $t$ are genuine. The terminal forms a candidate $w'$ and sends it to the card. All the card needs to do is test that the Hamming weight of $w \oplus w'$ is smaller than a security threshold $d$. \smallskip It follows that the card only needs to embark passive data storage capabilities, one exclusive-or gate, a shift register, a counter and a comparator (less than 40 logical gates).

We build several highly-practical and optimized signcryption constructions directly from trapdoor permutations, in the random oracle model. All our constructions share features such as simplicity, efficiency, generality, near-optimal exact security, flexible and ad-hoc key management, key reuse for sending/receiving data, optimally-low message expansion, "backward" use for plain signature/encryption, long message and associated data support, the strongest-known qualitative security (so-called IND-CCA and sUF-CMA) and, finally, complete compatibility with the PKCS#1 infrastructure. While some of these features are present in previous works to various extents, we believe that our schemes improve on earlier proposals in at least several dimensions, making the overall difference quite noticeable in practice. Concretely, we present three methods generally based on what we call Parallel, Sequential, and eXtended sequential Padding schemes (P-Pad, S-Pad, X-Pad). P-Pad offers parallel "signing" and "encrypting", optimal exact security, and minimum ciphertext length twice as long as the length of a TDP , while still maintaining optimal bandwidth. S-Pad loses parallelism and some exact security, but has minimal ciphertext length equal to that of a TDP. Any S-Pad can also be used as a "universal padding" scheme. X-Pad is similar to S-Pad, but regains optimal exact security at the expense of a marginally-longer minimum ciphertext length. Moreover, to unify various padding options, we construct a single versatile padding scheme PSEP (Probabilistic Signature-Encryption Padding) which, by simply adjusting the lengths of the parameters, can work optimally as either a P-Pad, S-Pad or X-Pad.

This paper analyses the 3GPP confidentiality and integrity schemes adopted by Universal Mobile Telecommunication System, an emerging standard for third generation wireless communications. The schemes, known as $f8$ and $f9$, are based on the block cipher KASUMI. Although previous works claim security proofs for $f8$ and $f9'$, where $f9'$ is a generalized versions of $f9$, it was recently shown that these proofs are incorrect. Moreover, Iwata and Kurosawa (2003) showed that it is \emph{impossible} to prove $f8$ and $f9'$ secure under the standard PRP assumption on the underlying block cipher. We address this issue here, showing that it is possible to prove $f8'$ and $f9'$ secure if we make the assumption that the underlying block cipher is a secure PRP-RKA against a certain class of related-key attacks; here $f8'$ is a generalized version of $f8$. Our results clarify the assumptions necessary in order for $f8$ and $f9$ to be secure and, since no related-key attacks are known against the full eight rounds of KASUMI, lead us to believe that the confidentiality and integrity mechanisms used in real 3GPP applications are secure.

It is well known that the NIST statistical test suite was used for the evaluation of AES candidate algorithms. We have found that the test setting of Discrete Fourier Transform test and Lempel-Ziv test of this test suite are wrong. We give four corrections of mistakes in the test settings. This suggests that re-evaluation of the test results should be needed.

In a paper recently published in the ACM Operating Systems Review, Kim, Lee and Yoo \cite{kim-lee-yoo} describe two ID-based password authentication schemes for logging onto a remote network server using smart cards, passwords and fingerprints. Various claims are made regarding the security of the schemes, but no proof is offered. Here we show how a passive eavesdropper, without access to any smart card, password or fingerprint, and after passively eavesdropping only one legitimate log-on, can subsequently log-on to the server claiming any identity.

This work develops a composable notion of security in a synchronous communication network to analyze cryptographic primitives and protocols in a reliable network with guaranteed delivery. In such a synchronous model the abort of protocols must be handled explicitly. It is shown that a version of *global bit commitment* which allows to identify parties that did not give proper input cannot be securely realized with the primitives *oblivious transfer* and *broadcast*. This proves that the primitives oblivious transfer and broadcast are not complete in our synchronous model of security. In the synchronous model presented ideal functionalities as well as parties can be equipped with a ``shell'' which can delay communication until the adversary allows delivery or the number of rounds since the shell received the message exceeds a specified threshold. This additionally allows asynchronous specification of ideal functionalities and allows to model a network where messages are not necessarily delivered in the right order. If these latency times are chosen to be infinite the network is no more reliable and becomes completely asynchronous. It is shown that secure protocols in the setting of [Canetti01] or [CLOS02] can be transformed to secure realizations in the new model if latency times are chosen to be infinite.

Given an ordinary elliptic curve on Hesse form over a finite field of characteristic three, we give a sequence of elliptic curves which leads to an effective construction of the canonical lift, and obtain an algorithm for computing the number of points. Our methods are based on the study of an explicitly and naturally given $3$-isogeny between elliptic curves on Hesse form.

In this paper we study the additive crosscorrelation spectra between two Boolean functions whose supports are union of certain cosets. These functions on even number of input variables have been introduced by Dillon and we refer to them as Dillon type functions. Our general result shows that the crosscorrelation spectra between any two Dillon type functions are at most $5$-valued. As a consequence we find that the crosscorrelation spectra between two Dillon type bent functions on $n$-variables are at most $3$-valued with maximum possible absolute value at the nonzero points being $\leq 2^{\frac{n}{2}+1}$. Moreover, in the same line, the autocorrelation spectra of Dillon type bent functions at different decimations is studied. Further we demonstrate that these results can be used to show the existence of a class of polynomials for which the absolute value of the Weil sum has a sharper upper bound than the Weil bound. Patterson and Wiedemann extended the idea of Dillon for functions on odd number of variables. We study the crosscorrelation spectra between two such functions and then use the results for the calculating the autocorrelation spectra too.

We present a cryptanalysis of a provably secure cryptographic hash function proposed by Augot, Finiasz and Sendrier on eprint. Our attack is a variant of Wagner's generalized birthday attack. It is significantly faster than the attack considered by the authors, and it is practical for two of the three proposed parameters.

At INDOCRYPT 2003 Abisha, Thomas, and Subramanian proposed two public key schemes based on word problems in free partially commutative monoids and groups. We show that both proposals are vulnerable to chosen ciphertext attacks, and thus in the present form must be considered as insecure.

One of the approaches to deliver real-time video encryption is to apply permutations to the bytes within a frame of a fully encoded MPEG stream as presented in [2]. We demonstrate that this particular algorithm is vulnerable to a known-plaintext attack, and hence its use should be carefully considered. We also discuss modifications that can make the algorithm resistant to our attack.

We prove that the fast pseudo-Hadamard transform (FPHT) over a finite field has a bounded branch number. We shall demonstrate that the transform has an efficient implementation for various platforms compared to an equal dimension MDS code. We prove that when using a CS-Cipher\cite{CSC} like construction the weight of any $2R$ trail is bounded for the case of an $8 \times 8$ transform. We show that the FPHT can also be combined with MDS codes to produce efficient transforms with half of the branch of a comparable sized MDS code. We present the FPHT-HASH one-way hash function which is constructed using a $32 \times 32$ FPHT which produces a $256$-bit digest and processes the input at 24 cycles per byte with ISO C source code on an AMD Athlon XP processor.

We study the problem of constructing secure multi-party computation (MPC) protocols that are {\em completely fair} --- meaning that either all the parties learn the output of the function, or nobody does --- even when a majority of the parties are corrupted. We first propose a framework for fair multi-party computation, within which we formulate a definition of secure and fair protocols. The definition follows the standard simulation paradigm, but is modified to allow the protocol to depend on the runing time of the adversary. In this way, we avoid a well-known impossibility result for fair MPC with corrupted majority; in particular, our definition admits constructions that tolerate up to $(n-1)$ corruptions, where $n$ is the total number of parties. Next, we define a ``commit-prove-fair-open'' functionality and construct an efficient protocol that realizes it, using a new variant of a cryptographic primitive known as ``time-lines.'' With this functionality, we show that some of the existing secure MPC protocols can be easily transformed into fair protocols while preserving their security. Putting these results together, we construct efficient, secure MPC protocols that are completely fair even in the presence of corrupted majorities. Furthermore, these protocols remain secure when arbitrarily composed with any protocols, which means, in particular, that they are concurrently-composable and non-malleable. Finally, as an example of our results, we show a very efficient protocol that fairly and securely solves the socialist millionaires' problem.

Hada and Tanaka showed the existence of 3-round, negligible-error zero-knowledge arguments for NP based on a pair of non-standard assumptions, here called KEA1 and KEA2. In this paper we show that KEA2 is false. This renders vacuous the results of Hada and Tanaka. We recover these results, however, under a suitably modified new assumption called KEA3. What we believe is most interesting is that we show that it is possible to ``falsify'' assumptions like KEA2 that, due to their nature and quantifier-structure, do not lend themselves easily to ``efficient falsification'' (Naor).

We present, implement and apply a new privacy primitive that we call ``Traceable Signatures.'' To this end we develop the underlying mathematical and protocol tools, present the concepts and the underlying security model, and then realize the scheme and its security proof. Traceable signatures support an extended set of fairness mechanisms (mechanisms for anonymity management and revocation) when compared with the traditional group signature mechanism. We demonstrate that this extended function is needed for proper operation and adequate level of privacy in various settings and applications. For example, the new notion allows (distributed) tracing of all signatures by a single (misbehaving) party without opening signatures and revealing identities of any other user in the system. In contrast, if such tracing is implemented by a state of the art group signature system, such wide opening of all signatures of a single user is a (centralized) operation that requires the opening of {\em all} anonymous signatures and revealing the users associated with them, an act that violates the privacy of all users. Our work includes a novel modeling of security in privacy systems that leads to simulation-based proofs. Security notions in privacy systems are typically more complex than the traditional security of cryptographic systems, thus our modeling methodology may find future applications in other settings. To allow efficient implementation of our scheme we develop a number of basic tools, zero-knowledge proofs, protocols, and primitives that we use extensively throughout. These novel mechanisms work directly over a group of unknown order, contributing to the efficiency and modularity of our design, and may be of independent interest. The interactive version of our signature scheme yields the notion of ``traceable (anonymous) identification.''

Universally composable protocols (Canetti, FOCS 2000) are cryptographic protocols that remain secure even when run concurrently with arbitrary other protocols. Thus, universally composable protocols can be run in modern networks, like the Internet, and their security is guaranteed. However, the definition of universal composition actually assumes that each execution of the protocol is assigned a unique session identifier, and furthermore, that this identifier is known to all the participating parties. In addition, all universally composable protocols assume that the set of participating parties and the specification of the protocol to be run are a-priori agreed upon and known to all parties. In a decentralized network like the Internet, this setup information must be securely generated by the parties themselves. In this note we formalize the setup problem and show how to securely realize it with a simple and highly efficient protocol.

In this paper, we provide a new approach to study undeniable signatures by translating secure digital signatures to secure undeniable signatures so that the existing algorithms can be used. Our mechanism is that any verifier without trapdoor information cannot distinguish whether a message is encoded from Diffie-Hellamn resource $D$ or random resource $R$ while a signer with trapdoor information can distinguish efficiently a codeword which is computed from $D$ or $R$. We show how our mechanism can be efficiently achieved and provide proofs of security for our schemes in the standard complexity model. We also provide evidences to show that our approach can be applied to construct designated confirmer signatures, designated verifier signatures as well.

None

Many modern stream ciphers consist of a keystream generator and a key schedule algorithm. In fielded systems, security of the keystream generator is often based on a large inner state rather than an inherently secure design. Note, however, that little theory on the initialisation of large inner states exists, and many practical designs are based on an ad-hoc approach. As a consequence, an increasing number of attacks on stream ciphers exploit the (re-)initialisation of large inner states by a weak key schedule algorithm. In this paper, we propose a strict separation of keystream generator and key schedule algorithm in stream cipher design. A formal definition of inner state size is given, and lower bounds on the necessary inner state size are proposed. After giving a construction for a secure stream cipher from an insecure keystream generator, the limitations of such an approach are discussed. We introduce the notion of inner state size efficiency and compare it for a number of fielded stream ciphers, indicating that a secure cipher can be based on reasonable inner state sizes. Concluding, we ask a number of open questions that may give rise to a new field of research that is concerned with the security of key schedule algorithms.

Coron et al. proposed the ES-based scheme PSS-ES which realizes an encryption scheme and a signature scheme with a unique padding scheme and key pair. The security of PSS-ES as an encryption scheme is based on the \textit{partial-domain one-wayness} of the encryption permutation. In this paper, we propose new ES schemes OAEP-ES, OAEP++-ES, and REACT-ES, and prove their security under the assumption of \textit{only} the \textit{one-wayness} of encryption permutation. OAEP-ES, OAEP++-ES, and REACT-ES suit practical implementation because they use the same padding technique for encryption and for signature, and their security proof guarantees that we can prepare one key pair to realize encryption and signature in the same way as PSS-ES. Since \textit{one-wayness} is a weaker assumption than \textit{partial-domain one-wayness}, the proposed schemes offer tighter security than PSS-ES. Hence, we conclude that OAEP-ES, OAEP++-ES, and REACT-ES are more effective than PSS-ES. OAEP++-ES is the most practical approach in terms of the tightness of security and communication efficiency.

In this work, we investigate concurrent knowledge-extraction (CKE) and concurrent non-malleability (CNM) for concurrent (and stronger, resettable) ZK protocols in the bare public-key model. We formulate, driven by concrete attacks, and achieve CKE for constant-round concurrent/resettable arguments in the BPK model under standard polynomial assumptions. We get both generic and practical implementations. Here, CKE is a new concurrent verifier security that is strictly stronger than concurrent soundness in public-key model. We investigate, driven by concrete attacks, and clarify the subtleties in formulating CNM in the public-key model. We then give a new (augmented) CNM formulation in the public-key model and a construction of CNMZK in the public-key model satisfying the new CNM formulation.

In many crypographic hardware or software packages, a considerable part is devoted to finite field arithmetic. The finite field arithmetic is a very costly operation in comparison to other finite field operations. Taming the complexity of this operation has been a major challenge for researchers and implementers. One approach for the purpose is accumulate all the elements to be inverted and to compute several inversions simultaneously at the cost of one inversion and some multiplictions. One such algorithm is known as Montgomery's trick. However Montgomery's trick does not allow much parallelism. In~\cite{SMB03} an algorithm for computation of inverses of several field elements simultaneously in parallel has been proposed. The algorithm allows ample scope for parallelism and performes well if there is no restriction on the number of processors used. In the current work, we present an algorithm, which is same in complexity as Montgomery's trick but suitable for a parallel implementation. In parallel implementation, it computes inverse of $n$ elements in $2\log n$ parallel rounds. It performs better than both the previous algorithms under the circumstances where the restricted number of multipliers is used.

In this paper, we analyze two proxy signatures scheme [1], [2] proposed by Lal and Awasthi and found that both the schemes suffer with the security flaws. The scheme [1] suffers with proxy signer's forgery attacks and misuse of original signer's delegated information. The other scheme [2] suffers with original signer's forgery attack, proxy signer's undeniability and misuse of delegated information.

Verifiable Pairing and its Applications. In Chae Hoon Lim and Moti Yung, editors, Information Security Applications: 5th International Workshop, WISA 2004, Jeju Island, Korea, August 23-25, 2004, Revised Selected Papers, volume 3325 of Lecture Notes in Computer Science, pp. 170-187. (http://www.springerlink.com/index/C4QB7C13NL0EY5VN) which contains an improved and generalized result of this paper.

Identity-based (ID) cryptosystems avoid the necessity of certificates to authenticate public keys in a digital communications system. This is desirable, specially for these applications which involve a large number of public keys in each execution. For example, any computation and verification of a ring signature scheme, where a user anonymously signs a message on behalf of a set of users including himself, requires to authenticate the public keys of all the members of the set. We use bilinear pairings to design a new ID-based ring signature scheme. We extend to the ID-based scehario some known results about the security of generic ring signature schemes. This allows us to formally prove the security of our scheme, under the assumption that the Computational Diffie-Hellman problem is hard to solve.

Authenticated group key agreement problem is important in many modern collaborative and distributed applications. There are two ID-based authenticated group key agreement schemes have been proposed by Choi et al. and us, which are based on bilinear pairings and BD scheme. Recently, Zhang and Chen propose an impersonation attack on the two schemes, which means the schemes are not fully authenticated. In this paper, we propose an improved ID-based authenticated group key agreement scheme which can resist this attack.

Authenticated group key agreement problem is important in many modern collaborative and distributed applications. Recently, there are two ID-based authenticated group key agreement schemes have been proposed, one is Choi $et\ al.$'s \cite{CHL04} scheme, the other is Du $et\ al.$'s \cite{Du03} scheme. They are all constructed from bilinear pairings based on Burmester and Desmedt scheme \cite{BD94}. In this paper, we propose an impersonation attack on the two schemes. We show that any two malicious users can impersonate an entity to agree some session keys in a new group if these two malicious users have the previous authentication transcripts of this entity. So, the two ID-based authenticated group key agreement schemes can not provide the authenticity as claimed. We propose a proposal to repair these schemes.

Alghoritms: HIEROCRYPT-3, CAMELLIA and ANUBIS, GRAND CRU, NOEKEON, NUSH, Q, RC6, SAFER++128, SC2000, SHACAL were requested for the submission of block ciphers (high level block cipher) to NESSIE (New European Schemes for Signatures, Integrity, and Encryption) project. The main purpose of this project was to put forward a portfolio of strong cryptographic primitives of various types. The NESSIE project was a three year long project and has been divided into two phases. The first was finished in June 2001r. CAMELLIA, RC6, SAFER++128 and SHACAL were accepted for the second phase of the evaluation process. HIEROCRYPT-3 had key schedule problems, and there were attacks for up to 3,5 rounds out of 6, at least hardware implementations of this cipher were extremely slow. HIEROCRYPT-3 was not selected to Phase II. CAMELLIA was selected as an algorithm suggested for future standard. In the paper we present the hardware implementations these two algorithms with 128-bit blocks and 128-bit keys, using ALTERA devices and their comparisons.

Recently, Eisentraeger-Lauter-Montgomery proposed a method for speeding up scalar multiplication on elliptic curves. That method relies on improved formulae for evaluating S = 2P + Q from given points P and Q on an elliptic curve. Compared to the naive approach, the improved formulae save a field multiplication each time the operation is performed. This paper proposes a variant which is faster whenever a field inversion is more expensive than six field multiplications. We also give an improvement when tripling or quadrupling a point, and present a ternary/binary method to perform efficient scalar multiplication.

As a value-added service to deliver important data over the Internet with guaranteed receipt for each successful delivery, certified email has been discussed for years and a number of research papers appeared in the literature. But most of them deal with the two-party scenarios, i.e., there are only one sender and one recipient. In some applications, however, the same certified message may need to be sent to a set of recipients. In ISC'02, Ferrer-Gomila et. al. presented a multi-party certified email protocol~\cite{FPH02}. It has two major features. A sender could notify multiple recipients of the same information while only those recipients who acknowledged are able to get the information. In addition, its exchange protocol is optimized, which has only three steps. In this paper, we demonstrate some flaws and weaknesses in that protocol, and propose an improved version which is robust against the identified attacks while preserving the features of the original protocol.

Golle et al introduced universal re-encryption, defining it as re- encryption by a player who does not know the key used for the original encryption, but which still allows an intended player to recover the plaintext. Universal re-encryption is potentially useful as part of many information-hiding techniques, as it allows any player to make ciphertext unidentifiable without knowing the key used. Golle et al’s techniques for universal re-encryption are reviewed, and improved constructions for both simple and hybrid universal re-encryption systems are presented, including a hybrid construction that permits indefinite re-encryptions with better efficiency and an almost-optimally small increase in file size. Some implementational issues and possible future directions are also discussed.

Encryption is often conceived as a committing process, in the sense that the ciphertext may serve as a commitment to the plaintext. But this does not follow from the standard definitions of secure encryption. We define and construct symmetric and asymmetric committing encryption schemes, enabling publicly verifiable non-repudiation. Committing encryption eliminates key-spoofing attacks and has also the robustness to be signed afterwards. Our constructions are very efficient and practical. In particular, we show that most popular asymmetric encryption schemes, e.g. RSA, are committing encryption schemes; we also have an (efficient) construction given an arbitrary asymmetric encryption scheme. Our construction of symmetric committing encryption retains the efficiency of the symmetric encryption for real-time operations, although it uses few public key signatures in the setup phase. Finally, we investigate how to achieve both confidentiality and non-repudiation, and present a publicly verifiable signcryption scheme. Contrary to previous signcryption schemes, which are not publicly verifiable, our publicly verifiable signcryption supports non-repudiation. We construct a simple and efficient publicly verifiable signcryption scheme based on a new composition method which we call “commit-encrypt-then-sign” (CEtS) that preserves security properties of both committing encryption and digital signature schemes.

This paper presents an implementation of genus 2 and 3 hyperelliptic curves over prime fields, with a comparison with elliptic curves. To allow a fair comparison, we developed an ad-hoc arithmetic library, designed to remove most of the overheads that penalise implementations of curve-based cryptography over prime fields. These overheads get worse for smaller fields, and thus for large genera. We also use techniques such as lazy and incomplete modular reduction, originally developed for performing arithmetic in field extensions, to reduce the number of modular reductions occurring in the formulae for the group operations. The result is that the performance of hyperelliptic curves of genus 2 over prime fields is much closer to the performance of elliptic curves than previously thought. For groups of 192 and 256 bits the difference is about 18% and 15% respectively.

We study the recently introduced notion of a simulation-sound trapdoor commitment (SSTC) scheme. In this paper, we present a new, simpler definition for an SSTC scheme that admits more efficient constructions and can be used in a larger set of applications. Specifically, we show how to construct SSTC schemes from any one-way functions, and how to construct very efficient SSTC schemes based on specific number-theoretic assumptions. We also show how to construct simulation-sound, non-malleable, and universally-composable zero-knowledge protocols using SSTC schemes, yielding, for instance, the most efficient universally-composable zero-knowledge protocols known. Finally, we explore the relation between SSTC schemes and non-malleable commitment schemes by presenting a sequence of implication and separation results, which in particular imply that SSTC schemes are non-malleable.

We give the number of the isomorphism classes of hyperelliptic curves of genus 3 defined over finite fields F_{p^n}, $p \neq 2,7. These results have applications to cryptography.

Whitenoise is a stream cipher with specification given at http://eprint.iacr.org/2003/249. In this paper, we show that Whitenoise is extremely weak. It can be broken by solving about 80,000 linear equations. And only about 80,000 bytes keystream are needed in the attack.

Whitenoise Substitution Stream Cipher is a multi-key-Super key hierarchical cryptographic process. This cryptographic system utilizes a method of encryption that can reasonably be described conceptually as an algorithmic representation of a multi-dimensional encrypting cipher matrix. The Whitenoise algorithm takes several sub keys and then creates a very long non-repeating key stream. This was revised to respond to security concerns brought up in 2003/250.

The optimization of the Harley algorithm is an active area of hyperelliptic curve cryptography. We propose an efficient method for software implementation of genus three Harley algorithm over GF(2^n). Our method is based on fast finite field multiplication using one SIMD operation, SSE2 on Pentium 4, and parallelized Harley algorithm. We demonstrated that software implementation using proposed method is about 11% faster than conventional implementation.

This paper proposes an ID-based authenticated two round multi-party key agreement among n parties. Several ID-based two-party and tripartite key agreement schemes were proposed recently. Our two round multi-party key agreement scheme utilizes the idea of the two-round group key exchange protocol of Burmester and Desmedt. The authenticity of the protocol is assured by a special signature scheme, so the messages carrying the information of ephemeral key can be broadcasted authentically by an entity. Security attributes of our protocol are presented, and computational overhead and band width of the broadcast messages are analyzed as well.

A quantum digital signature scheme based on quantum mechanics is proposed in this paper. The security of the protocol relies on the existence of quantum one-way functions by fundamental quantum principles. Our protocol involves a so-called arbitrator who validates and authenticates the signed message. This scheme uses public quantum keys publicized by the signatory to verify the validity of the signature and uses quantum one-time pad to ensure the security of quantum information on channel. To guarantee the authenticity of the transmitted quantum states, a family of quantum stabilizer code is employed. The proposed scheme presents a novel method to construct secure quantum signature systems for future secure communications.

A practical key substitution attack on SFLASH^{v3} is described: Given a valid (message, signature) pair (m,\sigma) for some public key v_0, one can derive another public key v_1 (along with matching secret data) such that (m,\sigma) is also valid for v_1. The computational effort needed for finding such a `duplicate' key is comparable to the effort needed for ordinary key generation.

We define the notion of adative chosen stegotext security. We then construct \emph{efficient} public key steganographic schemes secure against adaptively chosen stegotext attacks, without resort to any special existence assumption such as unbiased functions. This is the first time such a construction is obtained. Not only our constructions are \emph{secure}, but also are essentially optimal and have \emph{no error} decoding. We achieve this by applying a primitive called $\ch{P}$-codes.

At Crypto'89, Chaum and van Antwerpen first introduced the concept of undeniable signatures, which has a special property such that a signature cannot be verified without the signer's cooperation. In 1996, Jakobsson, Sako, and Impagliazzo proposed a not-interactive undeniable signature scheme by employing a new primitive called designated verifier proofs. However, this paper shows that their scheme is insecure by demonstrating a simple attack that allows a dishonest signer to convince a designated verifier receiving invalid signatures. In addition, two intuitive countermeasures are presented.

We present algorithms for computing the {\it squared} Weil and Tate pairings on an elliptic curve and the {\it squared} Tate pairing for hyperelliptic curves. The squared pairings introduced in this paper have the advantage that our algorithms for evaluating them are deterministic and do not depend on a random choice of points. Our pairings save about 20-30\% over the usual pairings.

A broadcast encryption scheme for stateless receivers is a data distribution method which never updates users' secret information while in order to maintain the security the system efficiency decreases with the number of revoked users. Another method, a rekeying scheme is a data distribution approach where it revokes illegal users in an {\em explicit} and {\em immediate} way whereas it may cause inconvenience for users. A hybrid approach that appropriately combines these two types of mechanisms seems resulting in a good scheme. In this paper, we suggest such a hybrid framework by proposing a rekeying algorithm for subset cover broadcast encryption framework (for stateless receivers) due to Naor et al. Our rekeying algorithm can simultaneously revoke a number of users. A hybrid approach that appropriately combines these two types of mechanisms seems resulting in a good scheme. In this paper, we suggest such a hybrid framework by proposing a rekeying algorithm for subset cover broadcast encryption framework (for stateless receivers) due to Naor et al. Our rekeying algorithm can simultaneously revoke a number of users. As an important contribution, we formally prove that this hybrid framework has a pre-CCA like security, where in addition to pre-CCA power, the adversary is allowed to {\em adaptively} corrupt and revoke users. Finally, we realize the hybrid framework by two secure concrete schemes that are based on complete subtree method and Asano method, respectively.

Canetti and Rabin recently proposed a universally composable ideal functionality F_SIG for digital signatures. We show that this functionality cannot be securely realized by \emph{any} signature scheme, thereby disproving their result that any signature scheme that is existentially unforgeable under adaptive chosen-message attack is a secure realization. Next, an improved signature functionality is presented. We show that our improved functionality can be securely realized by precisely those signature schemes that are secure against existential forgery under adaptive chosen-message attacks.

Recently some efforts were made towards capturing the security requirements from digital signature schemes as an ideal functionality within a composable security framework. This modeling of digital signatures potentially has some significant analytical advantages (such as enabling component-wise analysis of complex systems that use signature schemes, as well as symbolic and automatable analysis of such systems). However, it turns out that formulating ideal functionalities that capture the properties expected from signature schemes in a way that is both sound and enjoys the above advantages is not a trivial task. This work has several contributions. We first correct some flaws in the definition of the ideal signature functionality of Canetti, 2001, andsubsequent formulations. Next we provide a minimal formalization of ``ideal certification authorities'' and show how authenticated communication can be obtained using ideal signatures and an ideal certification authority. This is done while guaranteeing full modularity (i.e., each component is analyzed as stand-alone), and in an unconditional and errorless way. This opens the door to symbolic and automated analysis of protocols for these tasks, in a way that is both modular and cryptographically sound.

Chameleon signatures are non-interactive signatures based on a hash-and-sign paradigm, and similar in efficiency to regular signatures. The distinguishing characteristic of chameleon signatures is that there are non-transferable, with only the designated recipient capable of asserting its validity. In this paper, we introduce a new ID-based chameleon hash function based on bilinear pairing and build the ID-based chameleon signature scheme. Compared with the conventional chameleon hashing functions, the owner of a public hash key in the ID-based chameleon hashing scheme does not necessarily need to retrieve the associated secret key. The scheme enjoys all the attributes in the normal chameleon signature and the added characteristics of ID-based cryptography based on bilinear pairing.

This paper introduces simple methods to convert a cryptographic algorithm into an algorithm protected against simple side-channel attacks. Contrary to previously known solutions, the proposed techniques are not at the expense of the execution time. Moreover, they are generic and apply to virtually any algorithm. In particular, we present several novel exponentiation algorithms, namely a protected square-and-multiply algorithm, its right-to-left counterpart, and several protected sliding-window algorithms. We also illustrate our methodology applied to point multiplication on elliptic curves. All these algorithms share the common feature that the complexity is globally unchanged compared to the corresponding unprotected implementations.

Low power consumption, low gate count and high throughput used to be standard design criteria for cryptographic coprocessors designated for smart cards and related embedded devices. Not anymore. With the advent of side channel attacks, the first and foremost concern is device resistance to such attacks. This paper describes how to to embed data masking technique at a hardware level for an AES coprocessor. We concentrate on inversion in the field since it is the only non-linear operation that was assumed to require complex transformations on masked data and on masks. Our paper demonstares that it is possible to compute inverses directly on masked data, without ever revealing unmasked intermediate results in the process. Our approach consists in transition to composite fields, where inversion can be efficiently implemented in combinational logic using only bitwise XOR and AND operations. A breakthrough idea is to replace these operations on masked data by simple combinational circuits operating on bits of masked data and on bits of a mask in such a manner that a proper "mask correction" is computed on-the fly. Combining these elementary building blocks, we obtain a complete hardware solution for a "masked AES", thus effectively resolving the problem of a secure AES co-processor.

We provide formal definitions and efficient secure techniques for -- turning noisy information into keys usable for any cryptographic application, and, in particular, -- reliably and securely authenticating biometric data. Our techniques apply not just to biometric information, but to any keying material that, unlike traditional cryptographic keys, is (1) not reproducible precisely and (2) not distributed uniformly. We propose two primitives: a fuzzy extractor reliably extracts nearly uniform randomness R from its input; the extraction is error-tolerant in the sense that R will be the same even if the input changes, as long as it remains reasonably close to the original. Thus, R can be used as a key in a cryptographic application. A secure sketch produces public information about its input w that does not reveal w, and yet allows exact recovery of w given another value that is close to w. Thus, it can be used to reliably reproduce error-prone biometric inputs without incurring the security risk inherent in storing them. We define the primitives to be both formally secure and versatile, generalizing much prior work. In addition, we provide nearly optimal constructions of both primitives for various measures of "closeness" of input data, such as Hamming distance, edit distance, and set difference.

Key exposures, known or inconspicuous, are a real security threat. Recovery mechanisms from such exposures are required. For digital signatures such a recovery should ideally ---and when possible--- include invalidation of the signatures issued with the compromised keys. We present new signature schemes with such recovery capabilities. We consider two models for key exposures: full and partial reveal. In the first, a key exposure reveals {\em all} the secrets currently existing in the system. This model is suitable for the pessimistic inconspicuous exposures scenario. The partial reveal model permits the signer to conceal some information under exposure: e.g., under coercive exposures the signer is able to reveal a ``fake'' secret key. We propose a definition of {\em generalized key-evolving signature scheme}, which unifies forward-security and security against the coercive and inconspicuous key exposures (previously considered separately \cite{BM99,NPT02-mono,I02-TE}). The new models help us address repudiation problems inherent in the monotone signatures \cite{NPT02-mono}, and achieve performance improvements.

Informally, a public-key steganography protocol allows two parties, who have never met or exchanged a secret, to send hidden messages over a public channel so that an adversary cannot even detect that these hidden messages are being sent. Unlike previous settings in which provable security has been applied to steganography, public-key steganography is information-theoretically impossible. In this work we introduce computational security conditions for public-key steganography similar to those introduced by Hopper, Langford and von Ahn for the private-key setting. We also give the first protocols for public-key steganography and steganographic key exchange that are provably secure under standard cryptographic assumptions. Additionally, in the random oracle model, we present a protocol that is secure against adversaries that have access to a decoding oracle (the steganographic equivalent of CCA-2 adversaries).

Blum integers (BL), which has extensively been used in the domain of cryptography, are integers with form $p^{k_1}q^{k_2}$, where $p$ and $q$ are different primes both $\equiv 3\hspace{4pt}mod\hspace{4pt}4$ and $k_1$ and $k_2$ are odd integers. These integers can be divided two types: 1) $M=pq$, 2) $M=p^{k_1}q^{k_2}$, where at least one of $k_1$ and $k_2$ is greater than 1.\par In \cite{dbk3}, Bruce Schneier has already proposed an open problem: {\it it is unknown whether there exists a truly practical zero-knowledge proof for $M(=pq)\in BL$}. In this paper, we construct two statistical zero-knowledge proofs based on discrete logarithm, which satisfies the two following properties: 1) the prover can convince the verifier $M\in BL$ ; 2) the prover can convince the verifier $M=pq$ or $M=p^{k_1}q^{k_2}$, where at least one of $k_1$ and $k_2$ is more than 1.\par In addition, we propose a statistical zero-knowledge proof in which the prover proves that a committed integer $a$ is not equal to 0.\par

A complexity-theoretic model for public-key steganography with active attacks is introduced. The notion of steganographic security against adaptive chosen-covertext attacks (SS-CCA) and a relaxation called steganographic security against publicly-detectable replayable adaptive chosen-covertext attacks (SS-PDR-CCA) are formalized. These notions are closely related to CCA-security and PDR-CCA-security for public-key cryptosystems. In particular, it is shown that any SS-(PDR-)CCA stegosystem is a (PDR-)CCA-secure public-key cryptosystem and that an SS-PDR-CCA stegosystem can be realized from any PDR-CCA-secure public-key cryptosystem with pseudorandom ciphertexts.

We propose a family of fast and provably secure cryptographic hash functions. The security of these functions relies directly on the well-known syndrome decoding problem for linear codes. Attacks on this problem are well identified and their complexity is known. This enables us to study precisely the practical security of the hash functions and propose valid parameters for implementation. Furthermore, the design proposed here is fully scalable, with respect to security, hash size and output rate.

We apply the algebraic attacks on stream ciphers with memories to the summation generator. For a summation generator that uses $n$ LFSRs, the algebraic equation relating the key stream bits and LFSR output bits can be made to be of degree less than or equal to $2^{\lceil\log_2 n \rceil}$, using $\lceil\log_2 n \rceil + 1$ consecutive key stream bits. This is much lower than the upper bound given by previous general results.

In this paper, we study the security notions of verifiably committed signatures by introducing privacy and cut-off time, and then we propose the first scheme which is provably secure in the standard complexity model based on the strong RSA assumption. The idea behind the construction is that given any valid partial signature of messages, if a co-signer with its auxiliary input is able to generate variables called the resolution of messages such that the distribution of the variables is indistinguishable from that generated by the primary signer alone from the views of the verifier/arbitrator, a verifiably committed signature can be constructed.

At ICICS 2001, Zou, Ramamurthy, and Magliveras proposed CRTHACS, a chinese remainder theorem based scheme for secure group communication with hierarchical access control. The scheme is designed in such a way that the underlying hierarchy remains hidden from the participating parties/users. This contribution describes several practical attacks on CRTHACS which can reveal significant parts of the hierarchy.

A group signature scheme allows a group member of a given group to sign messages on behalf of the group in an anonymous and unlinkable way. In case of a dispute, however, a designated group manager can reveal the signer of a valid group signature. Based on Song's forward-secure group signature schemes, Zhang, Wu, and Wang proposed a new group signature scheme with forward security at ICICS 2003. Their scheme is very efficient in both communication and computation aspects. Unfortunately, their scheme is insecure. In this paper we present a security analysis to show that their scheme is linkable, untraceable, and forgeable.

We study the class of masking based domain extenders for UOWHFs. Our first contribution is to show that any correct masking based domain extender for UOWHF which invokes the compression UOWHF $s$ times must use at least $\lceil\log s\rceil$ masks. As a consequence we obtain the optimality of Shoup's algorithm among the class of masking based domain extenders. Our second contribution is to present a new parallel domain extender for UOWHF. The new algorithm obtains an asymptotically optimal speed-up over the sequential algorithm and the key expansion is almost everywhere optimal, i.e., it is optimal for almost all possible number of invocations of the compression UOWHF.

In this paper we present two new protocols from the Tate Pairing. The first is a secret handshake, in which we introduce a covert channel into Smarts “An identity based key agreement protocol based on the weil pairing” and the second is an efficient Signcryption scheme for low bandwidth channels.

A public key cryptosystem based on Drinfeld modules has been proposed by Gillard, Leprevost, Panchishkin and Roblot. The paper shows how an adversary can directly recover a private key using only the public key, and so the cryptosystem is insecure.