Publications catalogue - books
Progress in Cryptology: Mycrypt 2005: First International Conference on Cryptology in Malaysia, Kuala Lumpur, Malaysia, September 28-30, 2005, Proceedings
Ed Dawson; Serge Vaudenay (eds.)
Conference: 1st International Conference on Cryptology in Malaysia (Mycrypt). Kuala Lumpur, Malaysia. September 28, 2005 - September 30, 2005
Abstract/Description (provided by the publisher)
Not available.
Keywords (provided by the publisher)
Data Encryption; Coding and Information Theory; Computer Communication Networks; Algorithm Analysis and Problem Complexity; Discrete Mathematics in Computer Science; Management of Computing and Information Systems
Availability

| Institution detected | Publication year | Browse | Download | Request |
|---|---|---|---|---|
| Not detected | 2005 | SpringerLink | | |
Information
Resource type:
books
Print ISBN
978-3-540-28938-8
Electronic ISBN
978-3-540-32066-1
Publisher
Springer Nature
Country of publication
United Kingdom
Publication date
2005
Copyright information
© Springer-Verlag Berlin Heidelberg 2005
Subject coverage
Table of contents
doi: 10.1007/11554868_11
Efficient Secure Group Signatures with Dynamic Joins and Keeping Anonymity Against Group Managers
Aggelos Kiayias; Moti Yung
The demonstration of an efficient construction proven secure in a formal model that captures all intuitive security properties of a certain primitive is an ultimate goal in cryptographic design. This work offers the above for the case of a group signature scheme (with the traditional notion of dynamically joining users and untrusted join manager). To this end we adapt a formal model for group signatures capturing the state-of-the-art requirements in the area and we construct an efficient scheme and prove its security. Our construction is based on the scheme of Ateniese et al., which is modified appropriately so that it becomes provably secure. This task required designing novel cryptographic constructs as well as investigating some basic number-theoretic techniques for arguing security over the group of quadratic residues modulo a composite when its factorization is known. Along the way, we discover that in the basic construction, anonymity does not depend on factoring-based assumptions, which, in turn, allows the natural separation of user join management and anonymity revocation authorities. Anonymity can, in turn, be shown even against an adversary controlling the join manager.
- Invited Talk II | Pp. 151-170
doi: 10.1007/11554868_12
An Analysis of Double Base Number Systems and a Sublinear Scalar Multiplication Algorithm
Mathieu Ciet; Francesco Sica
In this paper we produce a practical and efficient algorithm to find a decomposition of type
It is conjectured that one can take = 2 above. Then this decomposition is refined into an effective scalar multiplication algorithm to compute on some supersingular elliptic curves of characteristic 3 with running time bounded by
and essentially no storage. To our knowledge, this is the first instance of a scalar multiplication algorithm that requires (log ) curve operations on an elliptic curve over with log ≈ log and uses comparable storage as in the standard double-and-add algorithm.
This leads to an efficient algorithm very useful for cryptographic protocols based on supersingular curves. This is for example the case of the well-studied (in the past four years) identity based schemes. The method carries over to any supersingular curve of fixed characteristic.
- Implementation Issues | Pp. 171-182
doi: 10.1007/11554868_13
Power Analysis by Exploiting Chosen Message and Internal Collisions – Vulnerability of Checking Mechanism for RSA-Decryption
Sung-Ming Yen; Wei-Chih Lien; SangJae Moon; JaeCheol Ha
In this paper, we will point out a new side-channel vulnerability of cryptosystem implementations based on the BRIP or square-multiply-always algorithm by exploiting a specially chosen input message of order two. A recently published countermeasure, BRIP, against conventional simple power analysis (SPA) and differential power analysis (DPA) will be shown to be vulnerable to the SPA proposed in this paper. Another well-known SPA countermeasure, the square-multiply-always algorithm, will also be shown to be vulnerable to this new attack. Further extension of the proposed attack is possible to develop more powerful attacks.
- Implementation Issues | Pp. 183-195
doi: 10.1007/11554868_14
Optimization of the MOVA Undeniable Signature Scheme
Jean Monnerat; Yvonne Anne Oswald; Serge Vaudenay
This article presents optimization results on the MOVA undeniable signature scheme presented last year by Monnerat and Vaudenay at PKC ’04 as well as its generalization proposed at Asiacrypt ’04 which is based on a secret group homomorphism. The original MOVA scheme uses characters on and some additional candidate homomorphisms were proposed with its generalization. We give an overview of the expected performance of the MOVA scheme depending on the group homomorphism. Our optimizations focus on the quartic residue symbol and a homomorphism based on the computation of a discrete logarithm in a hidden subgroup of . We demonstrate that the latter provides a signature generation which is three times faster than RSA.
- Implementation Issues | Pp. 196-209
doi: 10.1007/11554868_15
Questionable Encryption and Its Applications
Adam Young; Moti Yung
In this paper we investigate a primitive called a questionable encryption that is related to oblivious transfer. We consider a mobile agent that asymmetrically encrypts plaintext data from the host machine that it resides on and then broadcasts the resulting ciphertext so that it can be obtained by the creator of the agent. We formally define the notion of a scheme that can be used to perform this operation. The user of a questionable encryption scheme chooses to generate a real or fake public key. The choice is conveyed to the key generation algorithm which then outputs a poly-sized witness and either a real or fake key pair. If the public key is ‘real’ then it produces decipherable encryptions and the poly-sized witness proves this. If the key is generated to be ‘fake’ then it produces indecipherable encryptions (even with the private key) and the poly-sized witness proves this. Without knowledge of the witness it is intractable to distinguish between the two types of public keys. We present a construction for a questionable encryption scheme based on the Paillier cryptosystem. We prove the security of the scheme based on the difficulty of deciding degree composite residuosity. When applied to this application, the creator of the agent retains the exclusive ability to reveal whether or not the agent in fact transmits plaintexts. Our results show that agents that appear to compute asymmetric encryptions may in fact not (in a provable sense). We present other applications of questionable encryptions as well.
- Unconventional Cryptography | Pp. 210-221
doi: 10.1007/11554868_16
Twin RSA
Arjen K. Lenstra; Benjamin M. M. de Weger
We introduce , pairs of RSA moduli (,+2), and formulate several questions related to it. Our main questions are: is Twin RSA secure, and what is it good for?
- Unconventional Cryptography | Pp. 222-228
doi: 10.1007/11554868_17
Security of Two-Party Identity-Based Key Agreement
Colin Boyd; Kim-Kwang Raymond Choo
Identity-based cryptography has become extremely fashionable in the last few years. As a consequence many proposals for identity-based key establishment have emerged, the majority in the two party case. We survey the currently proposed protocols of this type, examining their security and efficiency. Problems with some published protocols are noted.
- Invited Talk III | Pp. 229-243
doi: 10.1007/11554868_18
Related-Key Differential Attacks on Cobra-S128, Cobra-F64a, and Cobra-F64b
Changhoon Lee; Jongsung Kim; Seokhie Hong; Jaechul Sung; Sangjin Lee
Data-dependent permutations (DDPs) which are very suitable for cheap hardware implementations have been introduced as a cryptographic primitive. Cobra-S128 and Cobra-F64 (which is a generic name for Cobra-F64a and Cobra-F64b) are 128-bit and 64-bit iterated block ciphers with a 128-bit key size based on such DDPs, respectively. Unlike the predecessor DDP-based ciphers [16,5], Cobra-S128 is a software-oriented cipher and Cobra-F64 is a firmware-suitable cipher. In this paper, we derive several structural properties of Cobra-S128 and Cobra-F64 and then use them to devise key recovery attacks on Cobra-S128 and Cobra-F64. These works are the first known attacks on Cobra-S128 and Cobra-F64.
- Block Cipher Cryptanalysis | Pp. 244-262
doi: 10.1007/11554868_19
Advanced Slide Attacks Revisited: Realigning Slide on DES
Raphael C.-W. Phan
Slide attacks are powerful tools that enable the cryptanalyst to break ciphers with up to 4-round self-similarity. This paper introduces an advanced sliding technique that breaks ciphers with self-similarity more than 4 rounds, and even allows for sliding encryptions with dissimilar rounds in the middle of the slide. In particular, we present the on variants of 14-, 15- and full 16-round DES. We hope our results will spur more effort into ways to extend the slide attacks to apply to larger classes of block ciphers with complex key schedules.
- Block Cipher Cryptanalysis | Pp. 263-276
doi: 10.1007/11554868_20
New Multiset Attacks on Rijndael with Large Blocks
Jorge Nakahara; Daniel Santana de Freitas; Raphael C.-W. Phan
This paper presents the first security evaluation of the . We describe new higher-order multiset distinguishers for such large-block instances of Rijndael. Both Rijndael and the AES were designed to resist differential and linear cryptanalysis, which is indicated by the number of active S-boxes (minimum of 25 for 4-round AES) for the best differential and linear distinguishers, for which the probability and correlation values are estimated as 2 and 2. All of these Rijndael variants have been formally defined by their designers as extensions of the AES. We describe new 5-round distinguishers for Rijndael with 160 up to 256-bit blocks, all holding with certainty, and with many more than 25 active S-boxes.
- Block Cipher Cryptanalysis | Pp. 277-295