
Showing papers in "Journal of Cryptology in 1999"


Journal ArticleDOI
TL;DR: The new technique greatly extends the reach of practical attacks, providing the most cost-effective means known to date for defeating: the small subgroup used in certain schemes based on discrete logarithms such as Schnorr, DSA, and elliptic curve cryptosystems; hash functions; and double encryption and three-key triple encryption.
Abstract: A simple new technique of parallelizing methods for solving search problems which seek collisions in pseudorandom walks is presented. This technique can be adapted to a wide range of cryptanalytic problems which can be reduced to finding collisions. General constructions are given showing how to adapt the technique to finding discrete logarithms in cyclic groups, finding meaningful collisions in hash functions, and performing meet-in-the-middle attacks such as a known-plaintext attack on double encryption. The new technique greatly extends the reach of practical attacks, providing the most cost-effective means known to date for defeating: the small subgroup used in certain schemes based on discrete logarithms such as Schnorr, DSA, and elliptic curve cryptosystems; hash functions such as MD5, RIPEMD, SHA-1, MDC-2, and MDC-4; and double encryption and three-key triple encryption. The practical significance of the technique is illustrated by giving the design for three $10 million custom machines which could be built with current technology: one finds elliptic curve logarithms in GF(2^155) thereby defeating a proposed elliptic curve cryptosystem in expected time 32 days, the second finds MD5 collisions in expected time 21 days, and the last recovers a double-DES key from two known plaintexts in expected time 4 years, which is four orders of magnitude faster than the conventional meet-in-the-middle attack on double-DES. Based on this attack, double-DES offers only 17 more bits of security than single-DES.

614 citations


Journal ArticleDOI
Nigel P. Smart
TL;DR: An elementary technique is described which leads to a linear algorithm for solving the discrete logarithm problem on elliptic curves of trace one; this means that when choosing elliptic curves to use in cryptography one has to eliminate all curves whose group order equals the order of the finite field.
Abstract: In this short note we describe an elementary technique which leads to a linear algorithm for solving the discrete logarithm problem on elliptic curves of trace one. In practice the method described means that when choosing elliptic curves to use in cryptography one has to eliminate all curves whose group orders are equal to the order of the finite field.

367 citations


Journal ArticleDOI
TL;DR: In this paper, the authors showed that two Feistel permutations are sufficient together with initial and final pairwise independent permutations for pseudorandom functions with small input-length and provided a framework in which similar constructions may be brought up and their security can be easily proved.
Abstract: Luby and Rackoff [26] showed a method for constructing a pseudorandom permutation from a pseudorandom function. The method is based on composing four (or three for weakened security) so-called Feistel permutations, each of which requires the evaluation of a pseudorandom function. We reduce somewhat the complexity of the construction and simplify its proof of security by showing that two Feistel permutations are sufficient together with initial and final pairwise independent permutations. The revised construction and proof provide a framework in which similar constructions may be brought up and their security can be easily proved. We demonstrate this by presenting some additional adjustments of the construction that achieve the following:
- Reduce the success probability of the adversary.
- Provide a construction of pseudorandom permutations with large input-length using pseudorandom functions with small input-length.

317 citations


Journal ArticleDOI
TL;DR: In this article, the authors analyzed the contrast of the reconstructed image in k out of n visual cryptography schemes and gave a complete characterization of schemes having optimal contrast and minimum pixel expansion in terms of certain balanced incomplete block designs.
Abstract: A visual cryptography scheme is a method to encode a secret image SI into shadow images called shares such that certain qualified subsets of shares enable the "visual" recovery of the secret image. The "visual" recovery consists of xeroxing the shares onto transparencies, and then stacking them. The shares of a qualified set will reveal the secret image without any cryptographic computation. In this paper we analyze the contrast of the reconstructed image in k out of n visual cryptography schemes. (In such a scheme any k shares will reveal the image, but no set of k-1 shares gives any information about the image.) In the case of 2 out of n threshold schemes we give a complete characterization of schemes having optimal contrast and minimum pixel expansion in terms of certain balanced incomplete block designs. In the case of k out of n threshold schemes with $k\geq 3$ we obtain upper and lower bounds on the optimal contrast.

224 citations


Journal ArticleDOI
TL;DR: Observations on public-key cryptosystems that use the Chinese remaindering algorithm imply that careless implementations of such systems could be vulnerable, and only one faulty signature is enough to recover the secret key.
Abstract: We present some observations on public-key cryptosystems that use the Chinese remaindering algorithm. Our results imply that careless implementations of such systems could be vulnerable. Only one faulty signature, in some explained context, is enough to recover the secret key.

153 citations


Journal ArticleDOI
TL;DR: A new technique for constructing a family of universal hash functions, used in the context of Wegman-Carter authentication, provides a fast approach for software message authentication.
Abstract: We introduce a new technique for constructing a family of universal hash functions. At its center is a simple metaphor: to hash a string x, cast each of its words into a small number of buckets; xor the contents of each bucket; then collect up all the buckets' contents. Used in the context of Wegman-Carter authentication, this style of hash function provides a fast approach for software message authentication.

79 citations


Journal ArticleDOI
Nigel P. Smart
TL;DR: It is shown how to speed up the multiplication step on elliptic curves defined over small odd characteristic finite fields using a generalization of a recent method of Müller and Solinas.
Abstract: In this paper it is shown how to speed up the multiplication step on elliptic curves defined over small odd characteristic finite fields. The method used is a generalization of a recent method of Müller and Solinas. Various implementation issues are discussed and described with the use of timings from an implementation of the methods.

68 citations


Journal ArticleDOI
TL;DR: This paper presents an unpredictable random function f' taking variable-length inputs to b-bit outputs, which has several advantages over chaining and cascading, the latter proven unpredictable by Bellare, Canetti, and Krawczyk.
Abstract: Let f be an unpredictable random function taking (b+c)-bit inputs to b-bit outputs. This paper presents an unpredictable random function f' taking variable-length inputs to b-bit outputs. This construction has several advantages over chaining, which was proven unpredictable by Bellare, Kilian, and Rogaway, and cascading, which was proven unpredictable by Bellare, Canetti, and Krawczyk. The highlight here is a very simple proof of security.

65 citations


Journal ArticleDOI
Victor Shoup
TL;DR: It is proved that this scheme is secure if factoring integers is hard, even against active attacks where the adversary is first allowed to pose as a verifier before attempting impersonation.
Abstract: We analyze the security of an interactive identification scheme. The scheme is the obvious extension of the original square root scheme of Goldwasser, Micali, and Rackoff to 2^m-th roots. This scheme is quite practical, especially in terms of storage and communication complexity. Although this scheme is certainly not new, its security was apparently not fully understood. We prove that this scheme is secure if factoring integers is hard, even against active attacks where the adversary is first allowed to pose as a verifier before attempting impersonation.

48 citations


Journal ArticleDOI
TL;DR: All the (cascaded) triple modes of operation are not much more secure than a single encryption; in the case of DES they can be attacked with on the order of 2^56 to 2^66 chosen plaintexts or ciphertexts and a comparable complexity of analysis.
Abstract: Multiple modes of operation and, in particular, triple modes of operation were proposed as a simple method to improve the strength of blockciphers, and in particular of DES. Developments in the cryptanalysis of DES in recent years have popularized the triple modes of DES, and such modes are now considered for ANSI standards. In a previous paper we analyzed multiple modes of operation and showed that the security of many multiple modes is significantly smaller than expected. In this paper we extend these results, with new cryptanalytic techniques, and show that all the (cascaded) triple modes of operation are not much more secure than a single encryption: in the case of DES they can be attacked with up to an order of 2^56 to 2^66 chosen plaintexts or ciphertexts and complexity of analysis. We then propose several candidates for more secure modes.

34 citations


Journal ArticleDOI
TL;DR: Translucent cryptography is proposed as an alternative to key escrow: law enforcement can decrypt each message with a chosen probability p, implemented by a non-interactive fractional oblivious transfer that extends the probability-1/2 non-interactive oblivious transfer of Bellare and Micali to any probability p, using a single El Gamal encryption regardless of p.
Abstract: We present an alternative to the controversial "key escrow" techniques for enabling law-enforcement and national security access to encrypted communications. Our proposal allows such access with probability $p$ for each message, for a parameter $p$ between $0$ and $1$ to be chosen (say, by Congress) to provide an appropriate balance between concerns for individual privacy, on the one hand, and the need for such access by law-enforcement and national security, on the other. For example, with $p=0.4$, a law-enforcement agency conducting an authorized wiretap which records 100 encrypted conversations would expect to be able to decrypt (approximately) 40 of these conversations; the agency would not be able to decrypt the remaining 60 conversations at all. Different values of $p$ can be chosen for different situations, such as for export. Our proposal can be combined with other ideas, such as secret-sharing, to provide additional flexibility. Our scheme is remarkably simple to implement, as it requires no prior escrowing of keys. We provide an efficient implementation of translucent cryptography. It is based on non-interactive oblivious transfer, as pioneered by Bellare and Micali [BellareMi90a], who showed how to transfer a message with probability $1/2$. We provide means for non-interactive fractional oblivious transfer, which allows a message to be transmitted with any given probability $p$. Our protocol is based on the Diffie-Hellman assumption and uses just one El Gamal encryption (two exponentiations), regardless of the value of the transfer probability $p$. This makes the implementation of translucent cryptography competitive, in efficiency of encryption, with current suggestions for software key escrow such as the fair Diffie-Hellman system [Micali92], so that efficiency, at least, is not a barrier to its consideration.

Journal ArticleDOI
TL;DR: It is shown how the multiplication-by-M map on the Kummer surface of a curve of genus 2 defined over ${\Bbb F}_q$ can be used to construct a Diffie-Hellman protocol.
Abstract: In this paper it is shown how the multiplication-by-M map on the Kummer surface of a curve of genus 2 defined over ${\Bbb F}_q$ can be used to construct a Diffie-Hellman protocol. We show that this map can be computed using only additions and multiplications in ${\Bbb F}_q$. In particular we do not use any divisions, polynomial arithmetic, or square root functions in ${\Bbb F}_q$, hence this may be easier to implement than multiplication by M on the Jacobian. In addition we show that using the Kummer surface does not lead to any loss in security.

Journal ArticleDOI
TL;DR: It is shown that the lower bound on substitution success probability $P_S$ provided by Theorem 3.8 in De Soete's paper is not correct by exhibiting a counterexample; the flaw in the "proof" of this theorem is identified and a valid lower bound is proved.
Abstract: We show that the lower bound on substitution success probability $P_S$ provided by Theorem 3.8 in De Soete's paper [4], which appeared earlier in this journal, is not correct by exhibiting a counterexample. We identify the flaw in the "proof" of this theorem and we prove a valid lower bound on $P_S$.

Journal ArticleDOI
TL;DR: It is shown that in general KDP schemes necessarily have greater information storage at the nodes than the minimum possible, and this minimum is achieved by a scheme not based on KDPs.
Abstract: This paper is concerned with the problem of distributing pieces of information to nodes in a network in such a way that any pair of nodes can compute a secure common key but the amount of information stored at each node is small. It has been proposed that a special type of finite incidence structure, called a key distribution pattern (KDP), might provide a good solution to this problem. We give various lower bounds on the information storage of KDPs. Our main result shows that in general KDP schemes necessarily have greater information storage at the nodes than the minimum possible. This minimum is achieved by a scheme not based on KDPs.

Journal ArticleDOI
TL;DR: A scheme is presented which is based on the hardness of factoring large integers but avoids the need of a complex initialization procedure for establishing these special-form integers.
Abstract: In this paper we address the problem of constructing commitment schemes where the sender is bounded to polynomial time and the receiver may be all powerful. Many known constructions for such commitment schemes are based on the hardness of factoring large integers. However, these schemes typically use integers of a special form and thus require a rather expensive initialization procedure for establishing these special-form integers. In this paper we present a scheme which is based on the hardness of factoring large integers but avoids the need of a complex initialization procedure.

Journal ArticleDOI
TL;DR: Divertible and subliminal-free zero-knowledge proofs for various languages are presented, including graph isomorphism.
Abstract: Divertible proofs are extensions of interactive proofs in which an active eavesdropper, the warden, makes the prover and the verifier untraceable. The warden is transparent to both the prover and the verifier. With subliminal-free proofs the warden controls subliminal messages. In this paper we present divertible and subliminal-free zero-knowledge proofs for various languages. We consider both graph isomorphism and