From the Publisher:
A valuable reference for the novice as well as for the expert who needs a wider scope of coverage within the area of cryptography, this book provides easy and rapid access of information and includes more than 200 algorithms and protocols; more than 200 tables and figures; more than 1,000 numbered definitions, facts, examples, notes, and remarks; and over 1,250 significant references, including brief comments on each paper.

Handbook of Applied Cryptography

We present a digital signature scheme based on the computational difficulty of integer factorization. The scheme possesses the novel property of being robust against an adaptive chosen-message attack: an adversary who receives signatures for messages of his choice (where each message may be chosen in a way that depends on the signatures of previously chosen messages) cannot later forge the signature of even a single additional message. This may be somewhat surprising, since in the folklore the properties of having forgery being equivalent to factoring and being invulnerable to an adaptive chosen-message attack were considered to be contradictory. More generally, we show how to construct a signature scheme with such properties based on the existence of a "claw-free" pair of permutations--a potentially weaker assumption than the intractibility of integer factorization. The new scheme is potentially practical: signing and verifying signatures are reasonably fast, and signatures are compact.

/pdf/a-digital-signature-scheme-secure-against-adaptive-chosen-55cza64ufz.pdf

A digital signature scheme secure against adaptive chosen-message attacks

The Data Encryption Standard (DES) is the best known and most widely used cryptosystem for civilian applications. It was developed at IBM and adopted by the National Bureau of Standards in the mid 1970s, and has successfully withstood all the attacks published so far in the open literature. In this paper we develop a new type of cryptanalytic attack which can break the reduced variant of DES with eight rounds in a few minutes on a personal computer and can break any reduced variant of DES (with up to 15 rounds) using less than 256 operations and chosen plaintexts. The new attack can be applied to a variety of DES-like substitution/permutation cryptosystems, and demonstrates the crucial role of the (unpublished) design rules.

/pdf/differential-cryptanalysis-of-des-like-cryptosystems-32wfmjcs4n.pdf

Differential cryptanalysis of DES-like cryptosystems

Usually, a proof of a theorem contains more knowledge than the mere fact that the theorem is true. For instance, to prove that a graph is Hamiltonian it suffices to exhibit a Hamiltonian tour in it; however, this seems to contain more knowledge than the single bit Hamiltonian/non-Hamiltonian.In this paper a computational complexity theory of the “knowledge” contained in a proof is developed. Zero-knowledge proofs are defined as those proofs that convey no additional knowledge other than the correctness of the proposition in question. Examples of zero-knowledge proof systems are given for the languages of quadratic residuosity and 'quadratic nonresiduosity. These are the first examples of zero-knowledge proofs for languages not known to be efficiently recognizable.

/pdf/the-knowledge-complexity-of-interactive-proof-systems-31apre0ecf.pdf

The knowledge complexity of interactive proof-systems

In this paper we present a new type of signature for a group of persons, called a group signature, which has the following properties: (i) only members of the group can sign messages; (ii) the receiver can verify that it is a valid group signature, but cannot discover which group member made it; (iii) if necessary, the signature can be "opened", so that the person who signed the message is revealed.

The group signatures are a "generalization" of the credential/ membership authentication schemes, in which one person proves that he belongs to a certain group.

We present four schemes that satisfy the properties above. Not all these schemes arc based on the same cryptographic assumption. In some of the schemes a trusted centre is only needed during the setup; and in other schemes, each pason can create the group he belongs to.

Group signatures

The best known cryptanalytic attack on McEliece's public-key cryptosystem based on algebraic coding theory is to repeatedly select k bits at random from an n-bit ciphertext vector, which is corrupted by at most t errors, in hope that none of the selected k bits are in error until the cryptanalyst recovers the correct message. The method of determining whether the recovered message is the correct one has not been throughly investigated. In this paper, we suggest a systematic method of checking, and describe a generalized version of the cryptanalytic attack which reduces the work factor sigdicantly (factor of 211 for the commonly used example of n=1024 Goppa code case). Some more improvements are also given. We also note that these cryptanalytic algorithms can be viewed as generalized probabilistic decoding algorithms for any linear error correcting codes.

/pdf/an-observation-on-the-security-of-mceliece-s-public-key-3f30peqlal.pdf

An observation on the security of McEliece's public-key cryptosystem

Protocols are presented allowing someone with a secret discrete logarithm to release it, bit by bit, such that anyone can verify each bit’s correctness as they receive it. This new notion of release of secrets generalizes and extends that of the already known exchange of secrets protocols. Consequently, the protocols presented allow exchange of secret discrete logs between any number of parties.

/pdf/gradual-and-verifiable-release-of-a-secret-extended-abstract-mni6j6ydbt.pdf

GRADUAL AND VERIFIABLE RELEASE OF A SECRET (Extended Abstract)

An additive privacy homomorphism is an encryption function in which the decryption of a sum (or possibly some other operation) of ciphers is the sum of the corresponding messages. Rivest, Adleman, and Dertouzos have proposed four different additive privacy homomorphisms. In this paper, we show that two of them are insecure under a ciphertext only attack and the other two can be broken by a known plaintext attack. We also introduce the notion of an R-additive privacy homomorphism, which is essentially an additive privacy homomorphism in which only at most R messages need to be added together. We give an example of an R-additive privacy homomorphism that appears to be secure against a ciphertext only attack.

On privacy homomorphisms

An additive privacy homomorphism is an encryption function in which the decryption of a sum (or possibly some other operation) of ciphers is the sum of the corresponding messages. Rivest, Adleman, and Dertouzos have proposed four different additive privacy homomorphisms. In this paper, we show that two of them are insecure under a ciphertext only attack and the other two can be broken by a known plaintext attack. We also introduce the notion of an R -additive privacy homomorphism, which is essentially an additive privacy homomorphism in which only at most R messages need to be added together. We give an example of an R -additive privacy homomorphism that appears to be secure against a ciphertext only attack.

/pdf/on-privacy-homomorphisms-extended-abstract-nwbw1phcdd.pdf

On Privacy Homomorphisms (Extended Abstract)

Recently Okamoto and Shiraishi proposed a public key authentication system [1]. The security of the scheme is based on the difficulty of solving quadratic inequalities. This new system is interesting since the amount of computing needed for the proposed scheme is significantly less than that needed for an RSA encryption.This report is an investigation into the security of the proposed digital signature scheme. We demonstrate that if the system is used as it is presented, an opponent could sign messages without factoring the modulus. Further, we suggest a modification which may not have the same flaw as the proposed scheme.

/pdf/an-attack-on-a-signature-scheme-proposed-by-okamoto-and-2hg811d1q2.pdf

Ernest F. Brickell

Papers

An observation on the security of McEliece's public-key cryptosystem

GRADUAL AND VERIFIABLE RELEASE OF A SECRET (Extended Abstract)

On privacy homomorphisms

On Privacy Homomorphisms (Extended Abstract)

An attack on a signature scheme proposed by Okamoto and Shiraishi