Publications catalogue - books



Progress in Cryptology: Mycrypt 2005: First International Conference on Cryptology in Malaysia, Kuala Lumpur, Malaysia, September 28-30, 2005, Proceedings

Ed Dawson; Serge Vaudenay (eds.)

In conference: 1st International Conference on Cryptology in Malaysia (Mycrypt). Kuala Lumpur, Malaysia. September 28, 2005 - September 30, 2005

Abstract/Description – provided by the publisher

Not available.

Keywords – provided by the publisher

Data Encryption; Coding and Information Theory; Computer Communication Networks; Algorithm Analysis and Problem Complexity; Discrete Mathematics in Computer Science; Management of Computing and Information Systems

Availability

Institution detected | Year of publication | Browse | Download | Request
Not detected | 2005 | SpringerLink | |

Information

Resource type:

books

Print ISBN

978-3-540-28938-8

Electronic ISBN

978-3-540-32066-1

Publisher

Springer Nature

Country of publication

United Kingdom

Publication date

Publication rights information

© Springer-Verlag Berlin Heidelberg 2005

Table of contents

Trends and Challenges for Securer Cryptography in Practice

Hideki Imai

As the importance of information security is widely recognized today, development of cryptography in practical use is rapidly taking place. On the other hand, however, many cases have been reported where problems are found in cryptographic systems already in use, or where the cryptographic systems are broken. Causes for a cryptographic system to be compromised can be: defects in cryptographic algorithm designs; defects in implementation; defects in attack models and definitions of security; progress in computers and attack algorithms; inapplicability due to a change of environment. It is to be noted that a cryptographic system created in circumstances where some kind of defect can exist is generally vulnerable to breakdown. In the world of cryptography, we should regard "Anything that can happen, happens."

- Invited Talk I | Pp. 1-1

Distinguishing Attacks on T-Functions

Simon Künzli; Pascal Junod; Willi Meier

Klimov and Shamir proposed a new class of simple cryptographic primitives named T-functions. For two concrete proposals based on the squaring operation, a single word T-function and a previously unbroken multi-word T-function with a 256-bit state, we describe an efficient distinguishing attack having a 2 data complexity. Furthermore, Hong recently proposed two fully specified stream ciphers, consisting of multi-word T-functions with 128-bit states and filtering functions. We describe distinguishing attacks having a 2 and a 2 data complexity, respectively. The attacks have been implemented.

- Stream Ciphers Analysis | Pp. 2-15

Introducing a New Variant of Fast Algebraic Attacks and Minimizing Their Successive Data Complexity

Frederik Armknecht; Gwénolé Ars

Algebraic attacks have established themselves as a powerful method for the cryptanalysis of LFSR-based keystream generators (e.g., used in Bluetooth). The attack is based on solving an overdetermined system of low-degree equations =0, where is an expression in the state of the LFSRs at clock and one or several successive keystream bits ,...,.

In fast algebraic attacks, new equations of a lower degree are constructed in a precomputation step. This is done by computing appropriate linear combinations of successive initial equations =0. The successive data complexity of the attack is the number of successive equations.

We propose a new variant of fast algebraic attacks where the same approach is employed to eliminate some unknowns, making a divide-and-conquer attack possible. In some cases, our variant is applicable whereas the first one is not.

Both variants can have a high successive data complexity (e.g., ≥ 8.822.188 for ). We describe how to keep it to a minimum and introduce suitable efficient algorithms for the precomputation step.

- Stream Ciphers Analysis | Pp. 16-32

Equivalent Keys in HFE, C, and Variations

Christopher Wolf; Bart Preneel

In this article, we investigate the question of equivalent keys for two Multivariate Quadratic public key schemes HFE and C and improve over a previously known result, which appeared at PKC 2005. Moreover, we show a new non-trivial extension of these results to the classes HFE-, HFEv, HFEv-, and C, which are cryptographically stronger variants of the original HFE and C schemes. In particular, we are able to reduce the size of the private — and hence the public — key space by at least one order of magnitude and several orders of magnitude on average. While the results are of independent interest themselves as they broaden our understanding of Multivariate Quadratic schemes, we also see applications both in cryptanalysis and in memory efficient implementations.

- Cryptography Based on Combinatorics | Pp. 33-49

A New Structural Attack for GPT and Variants

Raphael Overbeck

In this paper we look at the Gabidulin version of the McEliece cryptosystem (GPT) and its variants. We propose a new polynomial time attack, which recovers an alternative private key. Our attack is applicable to all variants proposed so far and breaks some of them completely.

- Cryptography Based on Combinatorics | Pp. 50-63

A Family of Fast Syndrome Based Cryptographic Hash Functions

Daniel Augot; Matthieu Finiasz; Nicolas Sendrier

Recently, some collisions have been exposed for a variety of cryptographic hash functions [20,21] including some of the most widely used today. Many other hash functions using similar constructions can however still be considered secure. Nevertheless, this has drawn attention to the need for new hash function designs.

In this article, a family of secure hash functions is presented whose security is directly related to the syndrome decoding problem from the theory of error-correcting codes.

Taking into account the analysis by Coron and Joux [4] based on Wagner's generalized birthday algorithm [19], we study the asymptotic security of our functions. We demonstrate that this attack is always exponential in terms of the length of the hash value.

We also study the work-factor of this attack, along with other attacks from coding theory, in the non-asymptotic range, i.e. for practical values. Accordingly, we propose a few sets of parameters giving good security and either faster hashing or a shorter description for the function.

- Cryptography Based on Combinatorics | Pp. 64-83

Optimization of Electronic First-Bid Sealed-Bid Auction Based on Homomorphic Secret Sharing

Kun Peng; Colin Boyd; Ed Dawson

Although secret sharing techniques have been applied to implement secure electronic sealed-bid auctions for a long time, problems and attacks still exist in secret-sharing-based electronic sealed-bid auction schemes. In this paper, a new secret-sharing-based first-bid e-auction scheme is designed to achieve satisfactory properties and efficiency. Correctness and fairness of the new auction are based on hard computational problems and do not depend on any trust. Complete bid privacy based on threshold trust is achieved in the new scheme. Attacks on existing secret-sharing-based sealed-bid e-auction schemes are prevented.

- Cryptographic Protocols | Pp. 84-98

Identity Based Delegation Network

Sherman S. M. Chow; Richard W. C. Lui; Lucas C. K. Hui; S. M. Yiu

Delegation of authorities is a common practice in various organizations. The way delegation is performed can be quite complicated. To capture possible delegation structures, the concept of is proposed, so that anyone can be convinced of who obtained delegation from whom in order to produce the final proxy signature. In this paper, we consider the delegation network for the identity-based (ID-based) scenario. Since the public key is just a string denoting the user's identity, certificate management is simplified. Proxy signature schemes have been devised to delegate signing authorities. We show that a trivial attempt at extending an existing ID-based proxy signature may result in an insecure scheme. After that we propose a building block of our ID-based delegation network, which is an ID-based proxy signature supporting batch verification. Our proposed ID-based delegation network is flexible in the sense that the whole delegation network does not need to be known in advance. Our proposal is provably secure in the random oracle model.

- Cryptographic Protocols | Pp. 99-115

On Session Key Construction in Provably-Secure Key Establishment Protocols

Kim-Kwang Raymond Choo; Colin Boyd; Yvonne Hitchcock

We examine the role of session key construction in provably-secure key establishment protocols. We revisit an ID-based key establishment protocol due to Chen & Kudla (2003) and an ID-based protocol 2P-IDAKA due to McCullagh & Barreto (2005). Both protocols carry proofs of security in a weaker variant of the Bellare & Rogaway (1993) model where the adversary is not allowed to make any Reveal query. We advocate the importance of such a (Reveal) query as it captures the known-key security requirement. We then demonstrate that a small change to the way that session keys are constructed in both protocols results in these protocols being secure without restricting the adversary from asking the Reveal queries in most situations. We point out some errors in the existing proof for protocol 2P-IDAKA, and provide proof sketches for the improved Chen & Kudla’s protocol. We conclude with a brief discussion on ways to construct session keys in key establishment protocols.

- Cryptographic Protocols | Pp. 116-131

On the Security of Probabilistic Multisignature Schemes and Their Optimality

Yuichi Komano; Kazuo Ohta; Atsushi Shimbo; Shinichi Kawamura

We first prove that the following three probabilistic multisignature schemes based on a trapdoor permutation have tight security: the PFDH (probabilistic full domain hash) based multisignature scheme (PFDH-MSS), the PSS (probabilistic signature scheme) based multisignature scheme (PSS-MSS), and the short signature PSS based multisignature scheme (S-PSS-MSS). Second, we give an optimal proof (general result) for multisignature schemes, which derives the lower bound for the length of the random salt. We also estimate the upper bound for the length in each scheme and derive the optimal length of a random salt. Two of the schemes are promising in terms of security tightness and optimal signature length.

- Cryptographic Protocols | Pp. 132-150