
Showing papers in "Journal of Mathematical Cryptology in 2010"


Journal ArticleDOI
TL;DR: The connections of this open problem with matroids and polymatroids are explored, and a new parameter is introduced to represent the best lower bound on the optimal complexity that can be obtained by taking into account that the joint Shannon entropies of a set of random variables define a polymatroid.
Abstract: The complexity of a secret sharing scheme is defined as the ratio between the maximum length of the shares and the length of the secret. The optimization of this parameter for general access structures is an important and very difficult open problem in secret sharing. We explore in this paper the connections of this open problem with matroids and polymatroids. Matroid ports were introduced by Lehman in 1964. A forbidden minor characterization of matroid ports was given by Seymour in 1976. These results precede the invention of secret sharing by Shamir in 1979. Important connections between ideal secret sharing schemes and matroids were discovered by Brickell and Davenport in 1991. Their results can be restated as follows: every ideal secret sharing scheme defines a matroid, and its access structure is a port of that matroid. Our main result is a lower bound on the optimal complexity of access structures that are not matroid ports. Namely, by using the aforementioned characterization of matroid ports by Seymour, we generalize the result by Brickell and Davenport by proving that, if the length of every share in a secret sharing scheme is less than 3/2 times the length of the secret, then its access structure is a matroid port. This generalizes and explains a phenomenon that was observed in several families of access structures. In addition, we introduce a new parameter to represent the best lower bound on the optimal complexity that can be obtained by taking into account that the joint Shannon entropies of a set of random variables define a polymatroid. We prove that every bound that is obtained by this technique for an access structure applies to its dual as well. Finally, we present a construction of linear secret sharing schemes for the ports of the Vamos and the non-Desargues matroids. In this way new upper bounds on their optimal complexity are obtained, which are a contribution to the search for access structures whose optimal complexity lies between 1 and 3/2.

55 citations


Journal ArticleDOI
TL;DR: The security of authentication when computations are performed over arbitrary finite integer rings ℤn is investigated, and an explicit relation between the prime factorization of n and the bound on the probability of successful forgery is derived.
Abstract: Message authentication codes (MACs) based on universal hash-function families are becoming increasingly popular due to their fast implementation. In this paper, we investigate a family of universal hash functions that has appeared repeatedly in the literature and provide a detailed algebraic analysis for the security of authentication codes based on this universal hash family. In particular, the universal hash family under analysis, as it appeared in the literature, uses operations in the finite field Zp. No previous work has studied the extension of such a universal hash family when computations are performed modulo a non-prime integer n. In this work, we provide the first such analysis. We investigate the security of authentication when computations are performed over arbitrary finite integer rings Zn and derive an explicit relation between the prime factorization of n and the bound on the probability of successful forgery. More specifically, we show that the probability of successful forgery against authentication codes based on such a universal hash-function family is bounded by the reciprocal of the smallest prime factor of the modulus n.

32 citations


Journal ArticleDOI
TL;DR: A revised version of MST3 for the Suzuki 2-groups is presented, a thorough study of its security is shown, and strong lower bounds are established for the workload of conceivable direct attacks on the private key of the scheme.
Abstract: A new type of public key cryptosystem, called MST3, has been recently introduced on the basis of covers and logarithmic signatures for non-abelian finite groups. The class of Suzuki 2-groups has been proposed for a possible realization of the generic scheme. Due to their simple structure, the groups enable us to study the security of the system and also provide an efficient implementation. An earlier relevant result of the cryptanalysis has shown that the transversal logarithmic signatures are unfit for use in this realization. In this paper we present a revised version of MST3 for the Suzuki 2-groups and show a thorough study of its security. Using heuristic and algebraic methods we establish strong lower bounds for the workload of conceivable direct attacks on the private key of the scheme. We then develop a powerful chosen plaintext attack which allows us to rule out the usage of a certain class of logarithmic signatures. In addition, we show a class of logarithmic signatures withstanding this attack, and thus to our knowledge they could be used in the realization of the scheme. Finally, we describe and discuss the implementation issues of the scheme in detail and include data on its performance obtained from an experimental result.

27 citations


Journal ArticleDOI
TL;DR: In this paper, the authors apply combinatorics on words to develop an approach to multicollisions in generalized iterated hash functions based on the discoveries of A. Joux and on generalizations provided by M. Nandi and D. Stinson as well as J. Hoch and Shamir.
Abstract: We apply combinatorics on words to develop an approach to multicollisions in generalized iterated hash functions. Our work is based on the discoveries of A. Joux and on generalizations provided by M. Nandi and D. Stinson as well as J. Hoch and A. Shamir. We wish to unify the existing diverse notation in the field, bring basic facts together, reprove some previously published results and produce some new ones. A multicollision attack method informally described by Hoch and Shamir is laid on a sound statistical basis and studied in detail.

14 citations


Journal ArticleDOI
TL;DR: In this paper, a bilinear pairing on the critical group of a finite graph is proposed to find the discrete logarithm efficiently, thus showing that the associated cryptographic schemes are not secure.
Abstract: Every graph has a canonical finite abelian group attached to it. This group has appeared in the literature under a variety of names including the sandpile group, critical group, Jacobian group, and Picard group. The construction of this group closely mirrors the construction of the Jacobian variety of an algebraic curve. Motivated by this analogy, it was recently suggested by Norman Biggs that the critical group of a finite graph is a good candidate for doing discrete logarithm based cryptography. In this paper, we study a bilinear pairing on this group and show how to compute it. Then we use this pairing to find the discrete logarithm efficiently, thus showing that the associated cryptographic schemes are not secure. Our approach resembles the MOV attack on elliptic curves.

12 citations


Journal ArticleDOI
TL;DR: In this article, the authors showed that Guo's continued fraction attack works much better in practice than previously expected, and that the success rate of the attack can be increased up to almost 100% by including a relatively small exhaustive search.
Abstract: In this work we re-examine two common modulus attacks on RSA. First, we show that Guo's continued fraction attack works much better in practice than previously expected. Given three instances of RSA with a common modulus N and private exponents each smaller than N the attack can factor the modulus about 93% of the time in practice. The success rate of the attack can be increased up to almost 100% by including a relatively small exhaustive search. Next, we consider Howgrave-Graham and Seifert's lattice-based attack and show that a second necessary condition for the attack exists that limits the bounds (beyond the original bounds) once n ≥ 7 instances of RSA are used. In particular, by construction, the attack can only succeed when the private exponents are each smaller than N0.5− , given sufficiently many instances, instead of the original bound of N1− . In addition, we also consider the effectiveness of the attacks when mounted against multi-prime RSA and Takagi's variant of RSA. For multi-prime RSA, we show that three (or more) instances with a common modulus and private exponents smaller than N1/3− is unsafe. For Takagi's variant, we show that three or more instances with a common modulus N = pq is unsafe when all the private exponents are smaller than N2/(3(r+1))− . The results, for both variants, are obtained using Guo's method and are successful almost always with the inclusion of a small exhaustive search. When only two instances are available, Howgrave-Graham and Seifert's attack can be mounted on multi-prime RSA when the private exponents are smaller than N (3+r)/7r− when there are r primes in the modulus.

10 citations


Journal ArticleDOI
TL;DR: This paper proposes two new efficient recoding methods of scalars on a more general family of subfield elliptic curves in odd characteristic, and proves that the non-zero densities for the new methods are the same as those for the original GNAF and rNAF.
Abstract: In elliptic curve cryptosystems, scalar multiplications performed on the curves have much effect on the efficiency of the schemes, and many efficient methods have been proposed. In particular, recoding methods of the scalars play an important role in the performance of the algorithm used. For integer radices, the non-adjacent form (NAF) [21] and its generalizations (e.g., the generalized non-adjacent form (GNAF) [6] and the radix-r non-adjacent form (rNAF) [28]) have been proposed for minimizing the non-zero densities in the representations of the scalars. On the other hand, for subfield elliptic curves, the Frobenius expansions of the scalars can be used for improving efficiency [25]. Unfortunately, there are only a few methods that apply the techniques of NAF or its analogues to the Frobenius expansion, namely t-adic NAF techniques on Koblitz curves [16, 27, 3] and hyperelliptic Koblitz curves [10]. In this paper, we try to combine these techniques, namely recoding methods for reducing non-zero density and the Frobenius expansion, and propose two new efficient recoding methods of scalars on a more general family of subfield elliptic curves in odd characteristic. We also prove that the non-zero densities for the new methods are the same as those for the original GNAF and rNAF. As a result, the speed of the proposed methods improves between 8% and 50% over that of the Frobenius expansion method.

8 citations
Journal ArticleDOI
TL;DR: The asymptotic effectiveness of the Gaudry–Hess–Smart Weil descent attack and its generalization to the discrete logarithm problem for elliptic curves over characteristic-two finite fields is investigated.
Abstract: In this paper we investigate the asymptotic effectiveness of the Gaudry-Hess-Smart Weil descent attack and its generalization to the discrete logarithm problem for elliptic curves over characteristic-two finite fields. In particular we obtain nontrivial lower and upper bounds on the smallest possible genus to which it can lead.

7 citations


Journal ArticleDOI
TL;DR: In this article, the authors analyze the Sibert et al. group-based authentication protocol and show that the protocol is not computationally zero-knowledge and provide experimental evidence that their approach is practical and can succeed even for groups with no efficiently computable length function such as braid groups.
Abstract: We analyze the Sibert et al. group-based (Feige-Fiat-Shamir type) authentication protocol and show that the protocol is not computationally zero-knowledge. In addition, we provide experimental evidence that our approach is practical and can succeed even for groups with no efficiently computable length function such as braid groups. The novelty of this work is that we are not attacking the protocol by trying to solve an underlying complex algebraic problem, namely, the conjugacy search problem, but use a probabilistic approach, instead.

3 citations