This paper investigates a novel computational problem, namely the Composite Residuosity Class Problem, and its applications to public-key cryptography. We propose a new trapdoor mechanism and derive from this technique three encryption schemes : a trapdoor permutation and two homomorphic probabilistic encryption schemes computationally comparable to RSA. Our cryptosystems, based on usual modular arithmetics, are provably secure under appropriate assumptions in the standard model.

/pdf/public-key-cryptosystems-based-on-composite-degree-1zopwb21ba.pdf

Public-key cryptosystems based on composite degree residuosity classes

We introduce a short signature scheme based on the Computational Diffie-Hellman assumption on certain elliptic and hyperelliptic curves. The signature length is half the size of a DSA signature for a similar level of security. Our short signature scheme is designed for systems where signatures are typed in by a human or signatures are sent over a low-bandwidth channel.

/pdf/short-signatures-from-the-weil-pairing-5ajupg0cpi.pdf

Short Signatures from the Weil Pairing

1. The Advanced Encryption Standard Process.- 2. Preliminaries.- 3. Specification of Rijndael.- 4. Implementation Aspects.- 5. Design Philosophy.- 6. The Data Encryption Standard.- 7. Correlation Matrices.- 8. Difference Propagation.- 9. The Wide Trail Strategy.- 10. Cryptanalysis.- 11. Related Block Ciphers.- Appendices.- A. Propagation Analysis in Galois Fields.- A.1.1 Difference Propagation.- A.l.2 Correlation.- A. 1.4 Functions that are Linear over GF(2).- A.2.1 Difference Propagation.- A.2.2 Correlation.- A.2.4 Functions that are Linear over GF(2).- A.3.3 Dual Bases.- A.4.2 Relationship Between Trace Patterns and Selection Patterns.- A.4.4 Illustration.- A.5 Rijndael-GF.- B. Trail Clustering.- B.1 Transformations with Maximum Branch Number.- B.2 Bounds for Two Rounds.- B.2.1 Difference Propagation.- B.2.2 Correlation.- B.3 Bounds for Four Rounds.- B.4 Two Case Studies.- B.4.1 Differential Trails.- B.4.2 Linear Trails.- C. Substitution Tables.- C.1 SRD.- C.2 Other Tables.- C.2.1 xtime.- C.2.2 Round Constants.- D. Test Vectors.- D.1 KeyExpansion.- D.2 Rijndael(128,128).- D.3 Other Block Lengths and Key Lengths.- E. Reference Code.

The Design of Rijndael: AES - The Advanced Encryption Standard

After two decades of research and development, elliptic curve cryptography now has widespread exposure and acceptance. Industry, banking, and government standards are in place to facilitate extensive deployment of this efficient public-key mechanism. Anchored by a comprehensive treatment of the practical aspects of elliptic curve cryptography (ECC), this guide explains the basic mathematics, describes state-of-the-art implementation methods, and presents standardized protocols for public-key encryption, digital signatures, and key establishment. In addition, the book addresses some issues that arise in software and hardware implementation, as well as side-channel attacks and countermeasures. Readers receive the theoretical fundamentals as an underpinning for a wealth of practical and accessible knowledge about efficient application. Features & Benefits: * Breadth of coverage and unified, integrated approach to elliptic curve cryptosystems * Describes important industry and government protocols, such as the FIPS 186-2 standard from the U.S. National Institute for Standards and Technology * Provides full exposition on techniques for efficiently implementing finite-field and elliptic curve arithmetic* Distills complex mathematics and algorithms for easy understanding* Includes useful literature references, a list of algorithms, and appendices on sample parameters, ECC standards, and software toolsThis comprehensive, highly focused reference is a useful and indispensable resource for practitioners, professionals, or researchers in computer science, computer engineering, network design, and network data security.

https://cdn.preterhuman.net/texts/cryptography/Hankerson,%20Menezes,%20Vanstone.%20Guide%20to%20elliptic%20curve%20cryptography%20(Springer,%202004)(ISBN%20038795273X)(332s)_CsCr_.pdf

Guide to Elliptic Curve Cryptography

A classical model is used for the power consumption of cryptographic devices. It is based on the Hamming distance of the data handled with regard to an unknown but constant reference state. Once validated experimentally it allows an optimal attack to be derived called Correlation Power Analysis. It also explains the defects of former approaches such as Differential Power Analysis.

/pdf/correlation-power-analysis-with-a-leakage-model-43r492wcsc.pdf

Correlation Power Analysis with a Leakage Model

Paul Kocher recently developped attacks based on the electric consumption of chips that perform cryptographic computations. Among those attacks, the "Differential Power Analysis" (DPA) is probably one of the most impressive and most difficult to avoid.In this paper, we present several ideas to resist this type of attack, and in particular we develop one of them which leads, interestingly, to rather precise mathematical analysis. Thus we show that it is possible to build an implementation that is provably DPA-resistant, in a "local" and restricted way (i.e. when - given a chip with a fixed key - the attacker only tries to detect predictable local deviations in the differentials of mean curves). We also briefly discuss some more general attacks, that are sometimes efficient whereas the "original" DPA fails. Many measures of consumption have been done on real chips to test the ideas presented in this paper, and some of the obtained curves are printed here.

/pdf/des-and-differential-power-analysis-the-duplication-method-13c5pvbj46.pdf

DES and Differential Power Analysis (The Duplication Method)

In [16], J. Patarin designed a new scheme, called "Oil and Vinegar", for computing asymmetric signatures. It is very simple, can be computed very fast (both in secret and public key) and requires very little RAM in smartcard implementations. The idea consists in hiding quadratic equations in n unknowns called "oil" and v = n unknowns called "vinegar" over a finite field K, with linear secret functions. This original scheme was broken in [10] by A. Kipnis and A. Shamir. In this paper, we study some very simple variations of the original scheme where v > n (instead of v = n). These schemes are called "Unbalanced Oil and Vinegar" (UOV), since we have more "vinegar" unknowns than "oil" unknowns. We show that, when v ≃ n, the attack of [10] can be extended, but when v ≥ 2n for example, the security of the scheme is still an open problem. Moreover, when v ≃ n2/2, the security of the scheme is exactly equivalent (if we accept a very natural but not proved property) to the problem of solving a random set of n quadratic equations in n2/2 unknowns (with no trapdoor). However, we show that (in characteristic 2) when v ≥ n2, finding a solution is generally easy. Then we will see that it is very easy to combine the Oil and Vinegar idea and the HFE schemes of [14]. The resulting scheme, called HFEV, looks at the present also very interesting both from a practical and theoretical point of view. The length of a UOV signature can be as short as 192 bits and for HFEV it can be as short as 80 bits.

/pdf/unbalanced-oil-and-vinegar-signature-schemes-5f66ksdsnc.pdf

Unbalanced oil and vinegar signature schemes

As Elliptic Curve Cryptosystems are becoming more and more popular and are included in many standards, an increasing demand has appeared for secure implementations that are not vulnerable to side-channel attacks. To achieve this goal, several generic countermeasures against Power Analysis have been proposed in recent years.In particular, to protect the basic scalar multiplication - on an elliptic curve - against Differential Power Analysis (DPA), it has often been recommended using "random projective coordinates", "random elliptic curve isomorphisms" or "random field isomorphisms". So far, these countermeasures have been considered by many authors as a cheap and secure way of avoiding the DPA attacks on the "scalar multiplication" primitive. However we show in the present paper that, for many elliptic curves, such a DPA-protection of the "scalar" multiplication is not sufficient. In a chosen message scenario, a Power Analysis attack is still possible even if one of the three aforementioned countermeasures is used. We expose a new Power Analysis strategy that can be successful for a large class of elliptic curves, including most of the sample curves recommended by standard bodies such as ANSI, IEEE, ISO, NIST, SECG or WTLS.This result means that the problem of randomizing the basepoint may be more difficult than expected and that "standard" techniques have still to be improved, which may also have an impact on the performances of the implementations.

/pdf/a-refined-power-analysis-attack-on-elliptic-curve-2ipyq3nw4d.pdf

A Refined Power-Analysis Attack on Elliptic Curve Cryptosystems

In 1985 Fell and Diffie proposed constructing trapdoor functions with multivariate equations [11]. They used several sequentially solved stages that combine into a triangular system we call T. In the present paper, we study a more general family of TPM (for "Triangle Plus Minus") schemes: a triangular construction mixed with some u random polynomials and with some r of the beginning equations removed. We go beyond all previous attacks proposed on such cryptosystems using a low degree component of the inverse function. The cryptanalysis of TPM is reduced to a simple linear algebra problem called MinRank(r): Find a linear combination of given matrices that has a small rank r.

We introduce a new attack for MinRank called 'Kernel Attack' that works for qr small. We explain that TPM schemes can be used in encryption only if qr is small and therefore they are not secure.

As an application, we showed that the TTM cryptosystem proposed by T.T. Moh at CrypTec'99 [15,16] reduces to MinRank(2). Thus, though the cleartext size is 512 bits, we break it in O(252). The particular TTM of [15,16] can be broken in O(228) due additional weaknesses, and we needed only few minutes to solve the challenge TTM 2.1. from the website of the TTM selling company, US Data Security.

We also studied TPM in signature, possible only if qu small. It is equally insecure: the 'Degeneracy Attack' we introduce runs in qu polynomial.

/pdf/cryptanalysis-of-the-ttm-cryptosystem-jadpq5vckj.pdf

Cryptanalysis of the TTM Cryptosystem

For some applications of digital signatures the traditional schemes as RSA, DSA or Elliptic Curve schemes, give signature size that are not short enough (with security 280, the minimal length of these signatures is always ? 320 bits, and even ? 1024 bits for RSA). In this paper we present a first well defined algorithm and signature scheme, with concrete parameter choice, that gives 128-bit signatures while the best known attack to forge a signature is in 280. It is based on the basic HFE scheme proposed on Eurocrypt 1996 along with several modifications, such that each of them gives a scheme that is (quite clearly) strictly more secure. The basic HFE has been attacked recently by Shamir and Kipnis (cf [3]) and independently by Courtois (cf this RSA conference) and both these authors give subexponential algorithms that will be impractical for our parameter choices. Moreover our scheme is a modification of HFE for which there is no known attack other that inversion methods close to exhaustive search in practice. Similarly there is no method known, even in theory to distinguish the public key from a random quadratic multivariate function.QUARTZ is so far the only candidate for a practical signature scheme with length of 128-bits.QUARTZ has been accepted as a submission to NESSIE (New European Schemes for Signatures, Integrity, and Encryption), a project within the Information Societies Technology (IST) Programme of the European Commission.

Louis Goubin

Papers

DES and Differential Power Analysis (The Duplication Method)

Unbalanced oil and vinegar signature schemes

A Refined Power-Analysis Attack on Elliptic Curve Cryptosystems

Cryptanalysis of the TTM Cryptosystem

QUARTZ, 128-Bit Long Digital Signatures