
Showing papers in "Designs, Codes and Cryptography in 2005"


Journal ArticleDOI
TL;DR: A method for generating ordinary elliptic curves over prime fields with arbitrary (small) embedding degree k whose field size is p ≈ ℓ^s with s = 2 − 2/φ(k) or s = 2 − 1/φ(k), improving on the p = O(ℓ²) of the Barreto et al. and Dupont et al. constructions; among the examples are curves whose subgroup order ℓ has small Hamming weight or a short addition chain.
Abstract: For pairing based cryptography we need elliptic curves defined over finite fields $$\mathbb{F}_{q}$$ whose group order is divisible by some prime $$\ell$$ with $$\ell \mid q^{k}-1$$, where the embedding degree k is relatively small. In Barreto et al. and Dupont et al. [Proceedings of the Third Workshop on Security in Communication Networks (SCN 2002), LNCS 2576, 2003; Building curves with arbitrary small MOV degree over finite fields, Preprint, 2002], algorithms for the construction of ordinary elliptic curves over prime fields $$\mathbb{F}_{p}$$ with arbitrary embedding degree k are given. Unfortunately, p is of size $$O(\ell^{2})$$. We give a method to generate ordinary elliptic curves over prime fields with p significantly less than $$\ell^{2}$$ which also works for arbitrary k. For a fixed embedding degree k, the new algorithm yields curves with $$p \approx \ell^{s}$$ where $$s = 2 - 2/\varphi(k)$$ or $$s = 2 - 1/\varphi(k)$$ depending on k. For special values of k even better results are obtained. We present several examples. In particular, we found some curves where $$\ell$$ is a prime of small Hamming weight or, respectively, with a small addition chain.

171 citations
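The quantities the abstract above is about, as an added worked example (this is not code from the paper, and the paper's construction itself is not reproduced here): the embedding degree k as the order of q modulo ℓ, the equivalent cyclotomic test ℓ | Φ_k(q), and the size ratio ρ = log q / log ℓ, which is what the exponent s in p ≈ ℓ^s measures. The toy parameters p = 103, ℓ = 97, k = 12 are an assumption for illustration (they arise from the Barreto–Naehrig polynomial family at x = 1, a construction not discussed on this page); the primality test is trial division and only adequate for such toy sizes.

```python
"""Parameter checks for pairing-friendly curves: embedding degree, cyclotomic
test, and the size ratio rho = log q / log ell. Added example for this listing;
not code from the paper above.
"""
from math import gcd, log


def is_prime(n):
    """Trial division; adequate only for the toy sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def embedding_degree(q, ell):
    """Smallest k >= 1 with ell | q^k - 1, i.e. the order of q modulo ell."""
    if gcd(q, ell) != 1:
        raise ValueError("q and ell must be coprime")
    k, acc = 1, q % ell
    while acc != 1:
        acc = acc * q % ell
        k += 1
    return k


def mobius(n):
    """Moebius function mu(n) by trial factoring."""
    result, p = 1, 2
    while p * p <= n:
        if n % p == 0:
            n //= p
            if n % p == 0:
                return 0
            result = -result
        p += 1
    return -result if n > 1 else result


def cyclotomic_value(k, q):
    """Phi_k(q) from Phi_k(x) = prod_{d | k} (x^d - 1)^{mu(k/d)}.
    For a prime ell not dividing k:  ell | Phi_k(q)  <=>  ord_ell(q) = k."""
    num = den = 1
    for d in range(1, k + 1):
        if k % d == 0:
            m = mobius(k // d)
            if m == 1:
                num *= q ** d - 1
            elif m == -1:
                den *= q ** d - 1
    return num // den


def rho(q, ell):
    """Size ratio log q / log ell; the abstract's p ~ ell^s means rho ~ s."""
    return log(q) / log(ell)


def check_parameters(q, ell, k, rho_max=2.0):
    """True if (q, ell, k) is a usable pairing-friendly setting: q and ell prime,
    ell | Phi_k(q) (so ord_ell(q) = k) and rho within budget. Whether a curve
    over F_q with ell | #E actually exists is the separate question the paper's
    construction answers; this check does not."""
    if not (is_prime(q) and is_prime(ell)):
        return False
    if k % ell == 0 or cyclotomic_value(k, q) % ell != 0:
        return False
    return embedding_degree(q, ell) == k and rho(q, ell) <= rho_max
```

With the toy values, `check_parameters(103, 97, 12)` passes with ρ ≈ 1.01, whereas a p near ℓ² (the O(ℓ²) case the abstract criticises) gives ρ ≈ 2.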


Journal ArticleDOI
TL;DR: This paper investigates threshold visual secret sharing schemes associated with XOR-based VC systems, and shows that n out of n schemes with optimal resolution and contrast exist, and that (2,n) schemes are equivalent to binary codes.
Abstract: A recent publication introduced a Visual Crypto (VC) system, based on the polarisation of light. This VC system has good resolution, contrast and colour properties. Mathematically, the VC system is described by the XOR operation (modulo-two addition). In this paper we investigate Threshold Visual Secret Sharing schemes associated with XOR-based VC systems. Firstly, we show that n out of n schemes with optimal resolution and contrast exist, and that (2,n) schemes are equivalent to binary codes. It turns out that these schemes have much better resolution than their OR-based counterparts. Secondly, we provide two explicit constructions for general k out of n schemes. Finally, we derive bounds on the contrast and resolution of XOR-based schemes. It follows from these bounds that for k

158 citations
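The resolution and contrast gap between OR-based and XOR-based sharing, as an added example (not code from the paper): the classic OR-based (2,2) construction with two subpixels per pixel (Naor and Shamir's; the page does not spell it out) beside the n-out-of-n XOR scheme, which is a one-time pad over the image. The 3×4 secret image is constructed for the example.

```python
"""OR-based versus XOR-based visual secret sharing of a black-and-white image.

Added example for this listing, not code from the paper. Pixels are 0 (white)
and 1 (black); a share is a list of rows of subpixels. The OR scheme is the
two-subpixel (2,2) construction: stacking transparencies ORs them, so a white
pixel comes back half dark and a black one fully dark (contrast 1/2, pixel
expansion 2). The XOR scheme is the n-out-of-n one the abstract refers to:
no expansion, and the secret is recovered exactly.
"""
import secrets

# Constructed 3x4 secret image.
SECRET = [[0, 1, 1, 0],
          [1, 0, 0, 1],
          [0, 1, 1, 0]]


def or_share_2of2(image):
    """(2,2) OR scheme, expansion 2. Share 1 gets a random pattern [1,0] or
    [0,1] per pixel; share 2 gets the same pattern for a white pixel and the
    complementary one for a black pixel."""
    s1, s2 = [], []
    for row in image:
        r1, r2 = [], []
        for px in row:
            pat = [1, 0] if secrets.randbelow(2) else [0, 1]
            r1 += pat
            r2 += pat if px == 0 else [1 - b for b in pat]
        s1.append(r1)
        s2.append(r2)
    return s1, s2


def stack_or(s1, s2):
    """Physically stacking two transparencies: dark if either is dark."""
    return [[a | b for a, b in zip(ra, rb)] for ra, rb in zip(s1, s2)]


def xor_share_nofn(image, n):
    """n-out-of-n XOR scheme, no expansion: n-1 uniformly random shares, the
    last one chosen so that the XOR of all n equals the image."""
    rand = [[[secrets.randbelow(2) for _ in row] for row in image]
            for _ in range(n - 1)]
    last = [[px ^ (sum(sh[i][j] for sh in rand) & 1) for j, px in enumerate(row)]
            for i, row in enumerate(image)]
    return rand + [last]


def stack_xor(shares):
    """Combining polarisation-based shares: XOR of the subpixels."""
    height, width = len(shares[0]), len(shares[0][0])
    return [[sum(sh[i][j] for sh in shares) & 1 for j in range(width)]
            for i in range(height)]


def darkness_by_colour(recon, image, expansion):
    """Fraction of dark subpixels over all white secret pixels and over all
    black ones. A lone share gives equal fractions (it reveals nothing); a
    perfect reconstruction gives {0: 0.0, 1: 1.0}."""
    dark = {0: 0, 1: 0}
    total = {0: 0, 1: 0}
    for i, row in enumerate(image):
        for j, px in enumerate(row):
            block = recon[i][j * expansion:(j + 1) * expansion]
            dark[px] += sum(block)
            total[px] += expansion
    return {c: dark[c] / total[c] for c in (0, 1)}
```

The two darkness figures for each single share are equal, which is the security property; for the stacked OR shares they are 1/2 and 1, for the XORed shares 0 and 1 at the original resolution.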


Journal ArticleDOI
TL;DR: This paper shows how random errors in either coordinate of the point P, in the elliptic curve parameters or in the field representation enable the (partial) recovery of the multiplier d, and explains how this can be turned into a total key recovery.
Abstract: Elliptic curve cryptosystems in the presence of faults were studied by Biehl et al., Advances in Cryptology, CRYPTO 2000, Springer Verlag (2000) pp. 131--146. The first fault model they consider requires that the input point P in the computation of dP is chosen by the adversary. Their second and third fault models only require the knowledge of P. But these two latter models are less 'practical' in the sense that they assume that only a few bits of error are inserted (typically exactly one bit is supposed to be disturbed) either into P just prior to the point multiplication or during the course of the computation in a chosen location. This paper relaxes these assumptions and shows how random (and thus unknown) errors in either coordinate of the point P, in the elliptic curve parameters or in the field representation enable the (partial) recovery of the multiplier d. Then, from multiple point multiplications, we explain how this can be turned into a total key recovery. Simple precautions to prevent the leakage of secrets are also discussed.

154 citations
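The mechanism behind the attack above, as an added example (not code from the paper; the curve, base point, key and fault are constructed toy values): affine short-Weierstrass formulas use the coefficient a but never b, so an input point with a corrupted y-coordinate is multiplied correctly on a different curve y² = x³ + ax + b′ whose group can be small enough to brute-force the discrete logarithm, yielding d mod ord(P′). The `checked_mul` function is the kind of simple precaution the abstract mentions: validate the point on input and on output and refuse to emit a result otherwise.

```python
"""Fault-induced leakage of an ECC scalar, and the on-curve check that stops it.

Added example for this listing; not code from the paper above. Toy curve,
base point and key are constructed; None is the point at infinity.
"""
P_MOD, A, B = 97, 2, 3        # toy curve y^2 = x^3 + 2x + 3 over F_97 (constructed)
G = (3, 6)                    # 6^2 = 36 = 27 + 6 + 3, so G is on the curve


def fault_curve_b(pt):
    """The b' for which pt lies on y^2 = x^3 + A x + b' (same A, different b)."""
    x, y = pt
    return (y * y - x * x * x - A * x) % P_MOD


def on_curve(pt, b=B):
    return pt is None or fault_curve_b(pt) == b % P_MOD


def add(P, Q):
    """Affine point addition. Note that only A appears, never B."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def mul(d, P):
    """Left-to-right double-and-add with no validation (the vulnerable device)."""
    R = None
    for bit in bin(d)[2:]:
        R = add(R, R)
        if bit == "1":
            R = add(R, P)
    return R


def checked_mul(d, P):
    """Hardened version: emit nothing unless input and result are on the
    intended curve. Returns None when a fault is detected."""
    if not on_curve(P):
        return None
    R = mul(d, P)
    return R if on_curve(R) else None


def order(P):
    """Order of P in the group of whichever curve (with coefficient A) it lies on."""
    n, R = 1, P
    while R is not None:
        R = add(R, P)
        n += 1
    return n


def recover_partial(Pf, Q):
    """Attacker's side: given the faulted input Pf and the device output
    Q = d*Pf, brute-force the small group to get (d mod ord(Pf), ord(Pf))."""
    n = order(Pf)
    R = None
    for e in range(n):
        if R == Q:
            return e, n
        R = add(R, Pf)
    return None
```

With the faulted point (3, 7) the device output lands on the curve with b′ = 16; the residue d mod ord(P′) it leaks is exactly what the abstract's "partial recovery" refers to, and repeating with other faults combines the residues into the full key. `checked_mul` returns None for the same input.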


Journal ArticleDOI
TL;DR: Using the bijection between parameter arrays and isomorphism classes of Leonard systems, two characterizations of parameter arrays are obtained; all parameter arrays are listed in parametric form together with their associated orthogonal polynomials.
Abstract: Let $$\mathbb{K}$$ denote a field. Let d denote a nonnegative integer and consider a sequence $$p=(\theta_i, \theta^*_i, i=0,\ldots,d;\ \varphi_j, \phi_j, j=1,\ldots,d)$$ consisting of scalars taken from $$\mathbb{K}$$. We call p a parameter array whenever: (PA1) $$\theta_i \neq \theta_j,\ \theta^*_i \neq \theta^*_j$$ if $$i \neq j$$ $$(0 \leq i, j \leq d)$$; (PA2) $$\varphi_i \neq 0$$, $$\phi_i \neq 0$$ $$(1 \leq i \leq d)$$; (PA3) $$\varphi_i = \phi_1 \sum_{h=0}^{i-1} \frac{\theta_h-\theta_{d-h}}{\theta_0-\theta_d} + (\theta^*_i-\theta^*_0)(\theta_{i-1}-\theta_d)$$ $$(1 \leq i \leq d)$$; (PA4) $$\phi_i = \varphi_1 \sum_{h=0}^{i-1} \frac{\theta_h-\theta_{d-h}}{\theta_0-\theta_d} + (\theta^*_i-\theta^*_0)(\theta_{d-i+1}-\theta_0)$$ $$(1 \leq i \leq d)$$; (PA5) the expressions $$(\theta_{i-2}-\theta_{i+1})(\theta_{i-1}-\theta_i)^{-1}$$ and $$(\theta^*_{i-2}-\theta^*_{i+1})(\theta^*_{i-1}-\theta^*_i)^{-1}$$ are equal and independent of i for $$2 \leq i \leq d-1$$. In Terwilliger [Linear Algebra Appl., Vol. 330 (2001), p. 155] we showed that the parameter arrays are in bijection with the isomorphism classes of Leonard systems. Using this bijection we obtain the following two characterizations of parameter arrays. Assume p satisfies PA1 and PA2. Let $$A, B, A^*, B^*$$ denote the matrices in $$\mathrm{Mat}_{d+1}(\mathbb{K})$$ which have entries $$A_{ii}=\theta_i$$, $$B_{ii}=\theta_{d-i}$$, $$A^*_{ii}=\theta^*_i$$, $$B^*_{ii}=\theta^*_i$$ $$(0 \leq i \leq d)$$, $$A_{i,i-1}=1$$, $$B_{i,i-1}=1$$, $$A^*_{i-1,i}=\varphi_i$$, $$B^*_{i-1,i}=\phi_i$$ $$(1 \leq i \leq d)$$, and all other entries 0.
We show the following are equivalent: (i) p satisfies PA3–PA5; (ii) there exists an invertible $$G \in \mathrm{Mat}_{d+1}(\mathbb{K})$$ such that $$G^{-1}AG=B$$ and $$G^{-1}A^*G=B^*$$; (iii) for $$0 \leq i \leq d$$ the polynomial $$\sum_{n=0}^i \frac{(\lambda-\theta_0)(\lambda-\theta_1)\cdots(\lambda-\theta_{n-1})(\theta^*_i-\theta^*_0)(\theta^*_i-\theta^*_1)\cdots(\theta^*_i-\theta^*_{n-1})}{\varphi_1\varphi_2\cdots\varphi_n}$$ is a scalar multiple of the polynomial $$\sum_{n=0}^i \frac{(\lambda-\theta_d)(\lambda-\theta_{d-1})\cdots(\lambda-\theta_{d-n+1})(\theta^*_i-\theta^*_0)(\theta^*_i-\theta^*_1)\cdots(\theta^*_i-\theta^*_{n-1})}{\phi_1\phi_2\cdots\phi_n}.$$ We display all the parameter arrays in parametric form. For each array we compute the above polynomials. The resulting polynomials form a class consisting of the q-Racah, q-Hahn, dual q-Hahn, q-Krawtchouk, dual q-Krawtchouk, quantum q-Krawtchouk, affine q-Krawtchouk, Racah, Hahn, dual Hahn, Krawtchouk, Bannai/Ito, and Orphan polynomials. The Bannai/Ito polynomials can be obtained from the q-Racah polynomials by letting q tend to −1. The Orphan polynomials have maximal degree 3 and exist for $$\operatorname{char}(\mathbb{K})=2$$ only. For each of the polynomials listed above we give the orthogonality, 3-term recurrence, and difference equation in terms of the parameter array.

137 citations


Journal ArticleDOI
TL;DR: This paper uses properties of subcodes to mask the structure of the codes chosen by the designer of the system, proposes new parameters for the cryptosystems, and gives a modified Niederreiter cryptosystem based on Gabidulin codes with a public key of fewer than 4000 bits.
Abstract: In this paper we show how to strengthen code-based public-key cryptosystems against known attacks while also reducing the public-key size. We use properties of subcodes to mask the structure of the codes chosen by the designer of the system. We propose new parameters for the cryptosystems and even a modified Niederreiter cryptosystem in the case of Gabidulin codes, with a public key of fewer than 4000 bits.

118 citations


Journal ArticleDOI
TL;DR: Sufficient conditions are proved under which the Elliptic Curve Digital Signature Algorithm (ECDSA) is existentially unforgeable under adaptive chosen-message attacks.
Abstract: Proved here is the sufficiency of certain conditions to ensure that the Elliptic Curve Digital Signature Algorithm (ECDSA) is existentially unforgeable under adaptive chosen-message attacks. The sufficient conditions include (i) a uniformity property and collision resistance for the underlying hash function, (ii) pseudorandomness in the private key space for the ephemeral private key generator, (iii) generic treatment of the underlying group, and (iv) a further condition on how the ephemeral public keys are mapped into the private key space. For completeness, a brief survey of necessary security conditions is also given. Some of the necessary conditions are weaker than the corresponding sufficient conditions used in the security proofs here, but others are identical. Despite the similarity between DSA and ECDSA, the main result is not appropriate for DSA, because the fourth condition above seems to fail for DSA. (The corresponding necessary condition is plausible for DSA, but is not proved here, nor is the security of DSA proved assuming this weaker condition.) Brickell et al. [Vol. 1751 of Lecture Notes in Computer Science, pp. 276--292], Jakobsson et al. [Vol. 1976 of Lecture Notes in Computer Science, pp. 73--89] and Pointcheval et al. [Vol. 13 of Journal of Cryptology, pp. 361--396] only consider signature schemes that include the ephemeral public key in the hash input, which ECDSA does not do, and moreover assume a condition on the hash function stronger than the first condition above. This work seems to be the first advance in the provable security of ECDSA.

98 citations


Journal ArticleDOI
TL;DR: This paper generalizes results of Homma and Kim concerning an improvement on the Goppa bound on the minimum distance of certain Goppa codes.
Abstract: We generalize results of Homma and Kim [J. Pure Appl. Algebra Vol. 162, (2001), pp. 273--290] concerning an improvement on the Goppa bound on the minimum distance of certain Goppa codes.

90 citations


Journal ArticleDOI
TL;DR: It is proved that there exists a contrast-optimal scheme that is a member of a special set of schemes, which are called canonical schemes, and that satisfy strong symmetry properties.
Abstract: Visual cryptography schemes allow the encoding of a secret image into n shares which are distributed to the participants. The shares are such that only qualified subsets of participants can "visually" recover the secret image. Usually the secret image consists of black and white pixels. In colored threshold visual cryptography schemes the secret image is composed of pixels taken from a given set of c colors. The pixel expansion and the contrast of a scheme are two measures of the goodness of the scheme. In this paper, we study c-color (k,n)-threshold visual cryptography schemes and provide a characterization of contrast-optimal schemes. More specifically, we prove that there exists a contrast-optimal scheme that is a member of a special set of schemes, which we call canonical schemes, and that satisfy strong symmetry properties. Then we use canonical schemes to provide a constructive proof of optimality, with respect to the pixel expansion, of c-color (n,n)-threshold visual cryptography schemes. Finally, we provide constructions of c-color (2,n)-threshold schemes whose pixel expansion improves on previously proposed schemes.

81 citations


Journal ArticleDOI
TL;DR: A general method that allows one to construct q-analogs of t-(v, k, λ)-designs systematically, and to give complete catalogs (for small parameters) using an implemented software package, is presented.
Abstract: In the present paper we consider a q-analog of t-(v, k, λ)-designs. It is canonical since it arises by replacing sets by vector spaces over GF(q), and their orders by dimensions. These generalizations were introduced by Thomas [Geom. Dedicata vol. 63, pp. 247-253 (1996)]; they are called t-(v, k, λ; q)-designs. A few such q-analogs are known today; they were constructed using sophisticated geometric arguments and case-by-case methods. It is our aim now to present a general method that allows one to construct such designs systematically, and to give complete catalogs (for small parameters, of course) using an implemented software package. In order to attack the (highly complex) construction, we prepare them for an enormous data reduction by embedding their definition into the theory of group actions on posets, so that we can derive and use a generalization of the Kramer-Mesner matrix for their definition, together with an improved version of the LLL algorithm. By doing so we generalize the methods developed in a research project on t-(v, k, λ)-designs on sets, obtaining this way new results on the existence of t-(v, k, λ; q)-designs on spaces for further quintuples (t, v, k, λ; q) of parameters. We present several 2-(6, 3, λ; 2)-designs, 2-(7, 3, λ; 2)-designs and, as far as we know, the very first 3-designs over GF(q).

75 citations


Journal ArticleDOI
TL;DR: Applications include the verification of Lander’s conjecture for all difference sets whose order is a power of a prime >3 and for all McFarland, Spence and Chen/Davis/Jedwab difference sets.
Abstract: We obtain a broadly applicable decomposition of group ring elements into a "subfield part" and a "kernel part". Applications include the verification of Lander's conjecture for all difference sets whose order is a power of a prime >3 and for all McFarland, Spence and Chen/Davis/Jedwab difference sets. We obtain a new general exponent bound for difference sets. We show that there is no circulant Hadamard matrix of order v with 4

61 citations


Journal ArticleDOI
TL;DR: For secret sharing schemes whose access structure has three or four minimal qualified subsets, the ideal case is completely characterized and, for the non-ideal case, bounds on the optimal information rate are given.
Abstract: In this paper we study secret sharing schemes whose access structure has three or four minimal qualified subsets. The ideal case is completely characterized and for the non-ideal case we provide bounds on the optimal information rate.

Journal ArticleDOI
TL;DR: The dimension of such codes is described and the minimum distance of some two-point codes is determined and this is a first step toward the determination of the parameters of two- point codes on a Hermitian curve.
Abstract: This is a first step toward the determination of the parameters of two-point codes on a Hermitian curve. We describe the dimension of such codes and determine the minimum distance of some two-point codes.

Journal ArticleDOI
TL;DR: It is shown that the elliptic curve analogue of the linear congruential generator produces sequences with high linear complexity and good multidimensional distribution.
Abstract: We show that the elliptic curve analogue of the linear congruential generator produces sequences with high linear complexity and good multidimensional distribution.

Journal ArticleDOI
TL;DR: It is proved that there are r-point codes, that is codes of the form $$C_\Omega(D, \alpha_1P_\infty + \alpha_2P_{0b_2} + \cdots + \alpha_rP_{0b_r})$$ where r ≥ 2, with better parameters than any comparable one-point code on the same curve.
Abstract: We consider the quotient of the Hermitian curve defined by the equation $$y^q + y = x^m$$ over $${\mathbb F}_{q^2}$$ where m > 2 is a divisor of q+1. For 2 ≤ r ≤ q+1, we determine the Weierstrass semigroup of any r-tuple of $${\mathbb F}_{q^2}$$-rational points $$(P_\infty, P_{0b_2},\ldots,P_{0b_r})$$ on this curve. Using these semigroups, we construct algebraic geometry codes with minimum distance exceeding the designed distance. In addition, we prove that there are r-point codes, that is codes of the form $$C_\Omega(D, \alpha_1P_\infty + \alpha_2P_{0b_2} + \cdots + \alpha_rP_{0b_r})$$ where r ≥ 2, with better parameters than any comparable one-point code on the same curve. Some of these codes have better parameters than comparable one-point Hermitian codes over the same field. All of our results apply to the Hermitian curve itself, which is obtained by taking m = q+1 in the above equation.

Journal ArticleDOI
TL;DR: A new public-key traitor tracing scheme with revocation capability using dynamic shares and entity revocation techniques; it is conceptually simple and fully k-resilient, that is, it finds all traitors if there are k or fewer of them.
Abstract: We propose a new public-key traitor tracing scheme with revocation capability using dynamic shares and entity revocation techniques. Our scheme's traitor tracing and revocation procedures cohere tightly. The size of the enabling block of our scheme is independent of the number of receivers. Each receiver holds one decryption key only. The distinctive feature of our scheme is that when traitors are found, we can revoke their private keys (up to some threshold z) without updating the private keys of other receivers. In particular, no revocation messages are broadcast and receivers need do nothing. Previously proposed revocation schemes need to update existing keys and entail a large amount of broadcast messages. Our traitor tracing algorithm works in a black-box way. It is conceptually simple and fully k-resilient, that is, it can find all traitors if the number of them is k or less. The encryption algorithm of our scheme is semantically secure assuming that the decisional Diffie-Hellman problem is hard.

Journal ArticleDOI
TL;DR: This paper considers explicit construction methods for IPP codes by means of recursion techniques and proves that the first construction provides an infinite class of IPP codes having the best known asymptotic behavior.
Abstract: Identifiable parent property (IPP) codes are introduced to provide protection against illegal reproduction of copyrighted digital material. In this paper we consider explicit construction methods for IPP codes by means of recursion techniques. The first method directly constructs IPP codes, whereas the second constructs perfect hash families that are then used to derive IPP codes. In fact, the first construction provides an infinite class of IPP codes having the best known asymptotic behavior. We also prove that this class has a traitor tracing algorithm with a runtime of O(M) in general, where M is the number of codewords.
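What the identifiable parent property means operationally, as an added example (this is not the paper's construction or its O(M) tracing algorithm; the three codes are constructed by hand and are tiny so that exhaustive search is instant): a coalition of at most t codewords can forge any word agreeing with some member in every position, and a code is t-IPP when every such word still pins down at least one of its parents.

```python
"""Identifiable parent property (IPP) checked by brute force on tiny codes.

Added example for this listing; not the paper's construction. A coalition of at
most t codewords (the parents) can produce any word that agrees with some member
in every position (a descendant). The code is t-IPP if for every descendant w the
intersection of all coalitions able to produce w is non-empty. Tracing here
enumerates coalitions, which is exponential in t; the paper's point is a class
of codes whose tracing is linear in the number of codewords.
"""
from itertools import combinations, product


def descendants(parents):
    """All words w with w[i] in {c[i] : c in parents} for every position i."""
    n = len(parents[0])
    choices = [{c[i] for c in parents} for i in range(n)]
    return {"".join(w) for w in product(*choices)}


def coalitions(code, t):
    """Every subset of the code with 1..t members, in a fixed order."""
    words = sorted(code)
    for size in range(1, t + 1):
        yield from combinations(words, size)


def identify_parents(code, word, t):
    """Intersection of all coalitions of size <= t that could have produced word.
    An empty set means the pirate word cannot be attributed to anyone."""
    suspects = None
    for coal in coalitions(code, t):
        if word in descendants(coal):
            suspects = set(coal) if suspects is None else suspects & set(coal)
    return set() if suspects is None else suspects


def is_ipp(code, t):
    """(True, None) if the code has the t-IPP, else (False, an untraceable word)."""
    for coal in coalitions(code, t):
        for w in sorted(descendants(coal)):
            if not identify_parents(code, w, t):
                return False, w
    return True, None


# Constructed codes over the alphabet {0, 1, 2}. In C1 every symbol names its
# codeword, so any descendant exposes both parents. C2 is the full binary code
# of length 2: 01 is a descendant of {00, 11} and of {01} alone, so no parent is
# common to all explanations. C3 adds a fourth word to C1 and stays 2-IPP.
C1 = {"000", "111", "222"}
C2 = {"00", "01", "10", "11"}
C3 = {"000", "111", "222", "012"}
```

`identify_parents` is the accusation step: the set it returns is what a tracer may safely blame, and the IPP guarantee is exactly that this set is never empty for any word a coalition of size at most t can produce.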

Journal ArticleDOI
TL;DR: Some relations between the rank and the dimension of the kernel of q-ary 1-perfect codes, over $$\mathbb{F}_{q} = GF(q)$$ as well as over the prime field $$\mathbb{F}_{p}$$, are established.
Abstract: The rank of a q-ary code C is the dimension of the subspace spanned by C. The kernel of a q-ary code C of length n can be defined as the set of all translations leaving C invariant. Some relations between the rank and the dimension of the kernel of q-ary 1-perfect codes, over $$\mathbb{F}_{q} = GF(q)$$ as well as over the prime field $$\mathbb{F}_{p}$$, are established. q-ary 1-perfect codes of length $$n=(q^m - 1)/(q - 1)$$ with different kernel dimensions are constructed using switching constructions, and some upper and lower bounds for the dimension of the kernel, once the rank is given, are established.

Journal ArticleDOI
TL;DR: These codes support non-isomorphic affine 2-(64,16,5) designs that have the same 2-rank as the classical affine design in AG(3,4), hence provide counter-examples to Hamada’s conjecture.
Abstract: The symmetric class-regular (4, 4)-nets having a group of bitranslations G of order four are enumerated up to isomorphism. There are 226 nets with G ≅ Z2 × Z2, and 13 nets with G ≅ Z4. Using a (4, 4)-net with full automorphism group of smallest order, the lower bound on the number of pairwise non-isomorphic affine 2-(64, 16, 5) designs is improved to 21,621,600. The classification of class-regular (4, 4)-nets implies the classification of all generalized Hadamard matrices (or difference matrices) of order 16 over a group of order four up to monomial equivalence. The binary linear codes spanned by the incidence matrices of the nets, as well as the quaternary and Z4-codes spanned by the generalized Hadamard matrices are computed and classified. The binary codes include the affine geometry [64, 16, 16] code spanned by the planes in AG(3, 4) and two other inequivalent codes with the same weight distribution. These codes support non-isomorphic affine 2-(64, 16, 5) designs that have the same 2-rank as the classical affine design in AG(3, 4), hence provide counter-examples to Hamada's conjecture. Many of the F4-codes spanned by generalized Hadamard matrices are self-orthogonal with respect to the Hermitian inner product and yield quantum error-correcting codes, including some codes with optimal parameters.

Journal ArticleDOI
TL;DR: This paper comments on some previous work in this area and proposes a model for shared encryption / decryption of a block cipher, and presents several approaches to enable such systems and will compare them.
Abstract: In threshold cryptography, the goal is to distribute the computation of basic cryptographic primitives across a number of nodes in order to relax trust assumptions on individual nodes, as well as to introduce a level of fault-tolerance against node compromise. Most threshold cryptography has previously looked at the distribution of public key primitives, particularly threshold signatures and threshold decryption mechanisms. In this paper, we look at the application of threshold cryptography to symmetric primitives, and in particular the encryption or decryption of a symmetric key block cipher. We comment on some previous work in this area and then propose a model for shared encryption / decryption of a block cipher. We will present several approaches to enable such systems and will compare them.

Journal ArticleDOI
TL;DR: A model of security for signcryption schemes that offer non-interactive non-repudiation in which the judge settling a repudiation dispute does not have to get involved in an interactive zero-knowledge proof.
Abstract: Signcryption [33] is a public key primitive that achieves the functionality of both an encryption scheme and a signature scheme simultaneously. It does this more efficiently than a composition of public key encryption and public key signature. We present a model of security for signcryption schemes that offer non-interactive non-repudiation. This is non-repudiation in which the judge settling a repudiation dispute does not have to get involved in an interactive zero-knowledge proof. Our model applies to many existing schemes in the literature (Bao and Deng [4], He and Wu [22], Peterson and Michels [28]). We explain why the scheme proposed in Bao and Deng [4] is insecure under any definition of privacy based on the idea of indistinguishable encryptions (Goldwasser and Micali [20]). We describe a modified scheme to overcome the problem. Proofs of security are given for the scheme in the random oracle model (Bellare and Rogaway [10]).

Journal ArticleDOI
TL;DR: It is proved that there exists an RP(v, 4) for v ≡ 0 (mod 4) with 3 exceptions (v = 8, 12 or 20) and 18 possible exceptions, with n = 346 the largest.
Abstract: Let V be a finite set of v elements. A packing of the pairs of V by k-subsets is a family F of k-subsets of V, called blocks, such that each pair in V occurs in at most one member of F. For fixed v and k, the packing problem is to determine the number of blocks in any maximum packing. A maximum packing is resolvable if we can partition the blocks into classes (called parallel classes) such that every element is contained in precisely one block of each class. A resolvable maximum packing of the pairs of V by k-subsets is denoted by RP(v, k). It is well known that an RP(v, 4) is equivalent to a resolvable group divisible design (RGDD) with block size 4 and group size h, where h = 1, 2 or 3. The existence of 4-RGDDs of group type $$h^n$$ for h = 1 or 3 has been settled except for (h, n) = (3, 4) (for which no such design exists) and possibly for (h, n) ∈ {(3, 88), (3, 124)}. In this paper, we first complete the case h = 3 by direct constructions. Then we investigate the existence of 4-RGDDs of type $$2^n$$. We show that the necessary conditions for the existence of a 4-RGDD of type $$2^n$$, namely n ≥ 4 and n ≡ 4 (mod 6), are also sufficient with 2 definite exceptions (n = 4, 10) and 18 possible exceptions, with n = 346 the largest. As a consequence, we have proved that there exists an RP(v, 4) for v ≡ 0 (mod 4) with 3 exceptions (v = 8, 12 or 20) and 18 possible exceptions.

Journal ArticleDOI
TL;DR: The first aim of this work was to generalize the techniques used in MacWilliams’ and Sloane’s presentation of the Kerdock code and develop a theory of piecewise quadratic Boolean functions, which led to large families of potentially new bent and almost optimal functions from Quadratic forms in this piecewise fashion.
Abstract: The first aim of this work was to generalize the techniques used in MacWilliams' and Sloane's presentation of the Kerdock code and develop a theory of piecewise quadratic Boolean functions. This generalization led us to construct large families of potentially new bent and almost optimal functions from quadratic forms in this piecewise fashion. We show how our motivating example, the Kerdock code, fits into this setting. These constructions were further generalized to non-quadratic bent functions. The resulting constructions design n-variable bent (resp. almost optimal) functions from n-variable bent or almost optimal functions.

Journal ArticleDOI
TL;DR: There are four diversities for which ternary linear codes of dimension k ≥ 3 and minimum distance d with gcd(3, d) = 1 are always extendable, and three of them yield double extendability when d ≡ 1 (mod 3).
Abstract: There are four diversities for which ternary linear codes of dimension k ≥ 3 and minimum distance d with gcd(3, d) = 1 are always extendable. Moreover, three of them yield double extendability when d ≡ 1 (mod 3). All the diversities are found for ternary linear codes of dimension 3 ≤ k ≤ 6. An algorithm for finding an extension from a generator matrix is also given.

Journal ArticleDOI
TL;DR: It is proved that a CDCA(4, q+1; q) exists for any even positive integer q, and so does a CDPA(4, q−1; q) or a CDPA(4, q−2; q); the result rests on a theorem on cyclic difference matrices with one hole, which is of interest in its own right.
Abstract: Let n and k be positive integers. Let $$C_q$$ be a cyclic group of order q. A cyclic difference packing (covering) array, or a CDPA(k, n; q) (CDCA(k, n; q)), is a k × n array $$(a_{ij})$$ with entries $$a_{ij}$$ (0 ≤ i ≤ k−1, 0 ≤ j ≤ n−1) from $$C_q$$ such that, for any two rows t and h (0 ≤ t < h ≤ k−1), every element of $$C_q$$ occurs in the difference list $$\Delta_{th} = \{a_{hj} - a_{tj} : j = 0, 1, \dots, n-1\}$$ at most (at least) once. When q is even, then n ≤ q−1 if a CDPA(k, n; q) with k ≥ 3 exists, and n ≥ q+1 if a CDCA(k, n; q) with k ≥ 3 exists. It is proved that a CDCA(4, q+1; q) exists for any even positive integer q, and so does a CDPA(4, q−1; q) or a CDPA(4, q−2; q). The result is established, for the most part, by means of a result on cyclic difference matrices with one hole, which is of interest in its own right.

Journal ArticleDOI
TL;DR: Triple arrays are a class of designs introduced by Agrawal in 1966 for two-way elimination of heterogeneity in experiments and their connection to other classes of designs, including balanced incomplete block designs and balanced grids is investigated.
Abstract: Triple arrays are a class of designs introduced by Agrawal in 1966 for two-way elimination of heterogeneity in experiments. In this paper we investigate their existence and their connection to other classes of designs, including balanced incomplete block designs and balanced grids.

Journal ArticleDOI
TL;DR: A complete classification is given of finite primitive permutation groups that contain a regular subgroup of square-free order; from it, the set of square-free n for which a vertex-primitive non-Cayley graph on n vertices exists is determined.
Abstract: A complete classification is given of finite primitive permutation groups which contain a regular subgroup of square-free order. Then a collection $${\cal P}{\cal N}{\cal C}$$ of square-free numbers n is obtained such that there exists a vertex-primitive non-Cayley graph on n vertices if and only if n is a member of $${\cal P}{\cal N}{\cal C}$$ .

Journal ArticleDOI
TL;DR: A computer assisted proof that every graph Γ with this intersection array is isomorphic to the Perkel graph is described, and it is proved mathematically that there is, up to isomorphism, only a single graph Γ with this property.
Abstract: The Perkel graph is a distance-regular graph of order 57, degree 6 and diameter 3, with intersection array (6, 5, 2; 1, 1, 3). We describe a computer assisted proof that every graph Γ with this intersection array is isomorphic to the Perkel graph. The computer proof relies heavily on the fact that the minimal idempotents for Γ, and their submatrices, are positive semidefinite. To minimize the risk of computer errors we have used two different methods to establish the same theorem and as an added precaution large parts of the corresponding programs were written by different authors. The first method generates plausible subgraphs induced by all vertices at distance 3 from a fixed vertex of Γ and then tries to extend each of the generated graphs to a full graph with the given intersection array. The second method generates possible neighborhoods for a pentagon in Γ. It turns out that every such pentagon can be extended to a Petersen graph in Γ. We then prove mathematically that there is, up to isomorphism, only a single graph Γ with this property.

Journal ArticleDOI
TL;DR: A novel public key encryption scheme semantically secure in the standard model under the intractability assumption of a subgroup membership problem related to the factorization problem is presented.
Abstract: We present a novel public key encryption scheme semantically secure in the standard model under the intractability assumption of a subgroup membership problem related to the factorization problem.

Journal ArticleDOI
TL;DR: This paper investigates the number of trace-one elements in a polynomial basis for $$\mathbb{F}_{2^n}$$ when the reduction polynomial is a trinomial or a pentanomial, in which case field multiplication can also be efficiently implemented.
Abstract: This paper investigates the number of trace-one elements in a polynomial basis for $$\mathbb{F}_{2^n}$$ . A polynomial basis with a small number of trace-one elements is desirable because it results in an efficient and low cost implementation of the trace function. We focus on the case where the reduction polynomial is a trinomial or a pentanomial, in which case field multiplication can also be efficiently implemented.
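The computation the abstract is concerned with, as an added example (not code from the paper): represent $$\mathbb{F}_{2^n}$$ in the polynomial basis {1, x, …, x^{n−1}} for a given reduction polynomial, compute the trace of each basis element, and observe that the trace of an arbitrary element is then the parity of its coefficients at the trace-one positions, which is why a basis with few trace-one elements gives a cheap trace. The reduction polynomials used are x³+x+1, x⁴+x+1 and the pentanomial x⁸+x⁴+x³+x+1; the expected trace-one positions for the first two are worked out by hand in the test.

```python
"""Trace-one elements of the polynomial basis of F_{2^n}. Added example for this
listing; not code from the paper above.

Elements are ints whose bit i is the coefficient of x^i; the reduction
polynomial f is an int with bit n set. Tr(a) = a + a^2 + ... + a^(2^(n-1)) is
in {0, 1} and is F_2-linear, so Tr(sum c_i x^i) = XOR of c_i over the i with
Tr(x^i) = 1: a mask and a parity, cheap when few basis elements have trace one.
"""


def gf2n_mul(a, b, f, n):
    """Multiply in F_2[x]/(f) with f of degree n."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:
            a ^= f
    return r


def trace(a, f, n):
    """Tr(a) = sum of the n Frobenius conjugates of a (result is 0 or 1)."""
    t, p = 0, a
    for _ in range(n):
        t ^= p
        p = gf2n_mul(p, p, f, n)
    return t


def trace_one_basis_elements(f, n):
    """Indices i with Tr(x^i) = 1; the paper's quantity of interest."""
    return [i for i in range(n) if trace(1 << i, f, n) == 1]


def trace_via_basis(a, f, n, ones):
    """Tr(a) as parity of a masked to the trace-one basis positions."""
    mask = sum(1 << i for i in ones)
    return bin(a & mask).count("1") & 1
```

For x³+x+1 only Tr(1) = 1, and for x⁴+x+1 only Tr(x³) = 1, so in both fields the trace of any element is a single coefficient; for a general polynomial the mask may have many bits, which is the cost the abstract wants to minimise.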

Journal ArticleDOI
TL;DR: Two new projective two-weight codes constructed from two-character sets in PG(5,4) and PG(11,2) are discovered using a new distance-2-ovoid of the classical generalized hexagon H(4).
Abstract: In this paper, we construct some codes that arise from generalized hexagons with small parameters. As our main result we discover two new projective two-weight codes constructed from two-character sets in PG(5,4) and PG(11,2). These in turn are constructed using a new distance-2-ovoid of the classical generalized hexagon H(4). Also the corresponding strongly regular graph is new. The two-character set is the union of two orbits in PG(5,4) under the action of L2(13).