
Showing papers on "Cryptography published in 2000"


Proceedings ArticleDOI
14 May 2000
TL;DR: This work describes cryptographic schemes for searching on encrypted data, proves them secure, and shows that the resulting algorithms are simple, fast (O(n) stream cipher and block cipher operations for a document of length n), and practical to use today.
Abstract: It is desirable to store data on data storage servers such as mail servers and file servers in encrypted form to reduce security and privacy risks. But this usually implies that one has to sacrifice functionality for security. For example, if a client wishes to retrieve only documents containing certain words, it was not previously known how to let the data storage server perform the search and answer the query, without loss of data confidentiality. We describe our cryptographic schemes for the problem of searching on encrypted data and provide proofs of security for the resulting crypto systems. Our techniques have a number of crucial advantages. They are provably secure: they provide provable secrecy for encryption, in the sense that the untrusted server cannot learn anything about the plaintext when only given the ciphertext; they provide query isolation for searches, meaning that the untrusted server cannot learn anything more about the plaintext than the search result; they provide controlled searching, so that the untrusted server cannot search for an arbitrary word without the user's authorization; they also support hidden queries, so that the user may ask the untrusted server to search for a secret word without revealing the word to the server. The algorithms presented are simple, fast (for a document of length n, the encryption and search algorithms only need O(n) stream cipher and block cipher operations), and introduce almost no space and communication overhead, and hence are practical to use today.

3,300 citations
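As an added illustration of the construction the abstract describes (this is not the authors' code), the following is a stripped-down version of the final scheme as I read the paper: fixed-width words, a deterministic pre-encryption E of each word, a per-word search key derived from the left half of the pre-encrypted word, and one keystream block per word position. HMAC-SHA256 stands in for the pseudorandom functions f and F, a toy 4-round Feistel network stands in for the block cipher E, and the 16-byte word width and 8-byte split are my choices; none of these substitutions is vetted for production use.

```python
import hashlib
import hmac
import os

# Added illustration of a Song/Wagner/Perrig-style searchable encryption scheme.
# Assumptions (not from the paper): HMAC-SHA256 as PRF, a toy Feistel as the
# deterministic pre-encryption E, 16-byte words split into 8-byte halves.

WORD = 16   # bytes per padded word
HALF = 8    # left half L_i drives the search key, right half R_i is what the server checks


def _prf(key: bytes, data: bytes, n: int = HALF) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _pre_encrypt(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """Deterministic, invertible E: 4-round Feistel over a WORD-byte block."""
    left, right = block[:HALF], block[HALF:]
    for r in (reversed(range(4)) if decrypt else range(4)):
        left, right = right, _xor(left, _prf(key, bytes([r]) + right))
    return right + left


def _pad(word: str) -> bytes:
    raw = word.encode()
    if len(raw) > WORD:
        raise ValueError("word longer than WORD bytes")
    return raw.ljust(WORD, b"\0")


def keygen() -> tuple:
    """(k_pre, k_search, k_stream): pre-encryption, search-key derivation, keystream."""
    return os.urandom(32), os.urandom(32), os.urandom(32)


def encrypt_doc(keys: tuple, words: list) -> list:
    k_pre, k_search, k_stream = keys
    out = []
    for i, w in enumerate(words):
        x = _pre_encrypt(k_pre, _pad(w))             # X_i = E(W_i) = L_i || R_i
        s = _prf(k_stream, i.to_bytes(4, "big"))     # S_i: keystream block for position i
        k_i = _prf(k_search, x[:HALF], 32)           # k_i = f(L_i)
        t = s + _prf(k_i, s)                         # T_i = S_i || F_{k_i}(S_i)
        out.append(_xor(x, t))                       # C_i = X_i xor T_i
    return out


def decrypt_doc(keys: tuple, ctexts: list) -> list:
    k_pre, k_search, k_stream = keys
    words = []
    for i, c in enumerate(ctexts):
        s = _prf(k_stream, i.to_bytes(4, "big"))
        left = _xor(c[:HALF], s)                     # recover L_i first ...
        k_i = _prf(k_search, left, 32)               # ... which yields k_i ...
        right = _xor(c[HALF:], _prf(k_i, s))         # ... and then R_i
        x = left + right
        words.append(_pre_encrypt(k_pre, x, decrypt=True).rstrip(b"\0").decode())
    return words


def trapdoor(keys: tuple, word: str) -> tuple:
    """What the client hands the server: E(W) and f(L). The word itself stays hidden."""
    k_pre, k_search, _ = keys
    x = _pre_encrypt(k_pre, _pad(word))
    return x, _prf(k_search, x[:HALF], 32)


def server_search(ctexts: list, x: bytes, k: bytes) -> list:
    """Server side: holds no key beyond the trapdoor; returns matching positions."""
    hits = []
    for i, c in enumerate(ctexts):
        v = _xor(c, x)                               # equals T_i exactly when X_i == x
        if hmac.compare_digest(v[HALF:], _prf(k, v[:HALF])):
            hits.append(i)
    return hits
```

The server never sees the word or any key it could use to search on its own (controlled searching, hidden queries), and it learns nothing beyond which positions matched (query isolation). Note that those matching positions are themselves a leak: repeated queries reveal which ciphertext positions share a word, which is the price of letting the server do the work.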


Journal ArticleDOI
Ran Canetti1
TL;DR: In this article, the authors present general definitions of security for multiparty cryptographic protocols, with focus on the task of evaluating a probabilistic function of the parties' inputs, and show that, with respect to these definitions, security is preserved under a natural composition operation.
Abstract: We present general definitions of security for multiparty cryptographic protocols, with focus on the task of evaluating a probabilistic function of the parties' inputs. We show that, with respect to these definitions, security is preserved under a natural composition operation. The definitions follow the general paradigm of known definitions; yet some substantial modifications and simplifications are introduced. The composition operation is the natural ``subroutine substitution'' operation, formalized by Micali and Rogaway. We consider several standard settings for multiparty protocols, including the cases of eavesdropping, Byzantine, nonadaptive and adaptive adversaries, as well as the information-theoretic and the computational models. In particular, in the computational model we provide the first definition of security of protocols that is shown to be preserved under composition.

1,523 citations


Journal ArticleDOI
TL;DR: It is shown that the group key management service, using any of the three rekeying strategies, is scalable to large groups with frequent joins and leaves, and the average measured processing time per join/leave increases linearly with the logarithm of group size.
Abstract: Many emerging network applications are based upon a group communications model. As a result, securing group communications, i.e., providing confidentiality, authenticity, and integrity of messages delivered between group members, will become a critical networking issue. We present, in this paper, a novel solution to the scalability problem of group/multicast key management. We formalize the notion of a secure group as a triple (U,K,R) where U denotes a set of users, K a set of keys held by the users, and R a user-key relation. We then introduce key graphs to specify secure groups. For a special class of key graphs, we present three strategies for securely distributing rekey messages after a join/leave and specify protocols for joining and leaving a secure group. The rekeying strategies and join/leave protocols are implemented in a prototype key server we have built. We present measurement results from experiments and discuss performance comparisons. We show that our group key management service, using any of the three rekeying strategies, is scalable to large groups with frequent joins and leaves. In particular, the average measured processing time per join/leave increases linearly with the logarithm of group size.

1,376 citations
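To make the scalability claim concrete, here is an added example (not the authors' prototype key server) of the special class of key graph the abstract refers to: a binary logical key tree in which each user holds the keys on its leaf-to-root path, with key-oriented rekeying after a leave. Encryption of a rekey message is simulated with an HMAC-SHA256 keystream, which is my stand-in; a real server would use an authenticated cipher. The message count for a leave comes out as 2·log2(n) − 1, which is the logarithmic growth the measurements report.

```python
import hashlib
import hmac
import os

# Added example: binary key tree with key-oriented rekeying on leave.
# Assumptions (not from the paper): binary tree, 16-byte keys, HMAC-SHA256
# keystream XOR as a stand-in for the key-encryption cipher.


def _wrap(kek: bytes, nonce: bytes, key: bytes) -> bytes:
    pad = hmac.new(kek, nonce, hashlib.sha256).digest()[:len(key)]
    return bytes(a ^ b for a, b in zip(key, pad))


_unwrap = _wrap  # XOR with the same keystream undoes it


class KeyTree:
    """Heap-indexed binary tree: root is node 1, children of v are 2v and 2v+1,
    user u sits at leaf first_leaf + u and holds every key on its leaf-to-root path."""

    def __init__(self, n_users: int):
        self.height = max(1, (n_users - 1).bit_length())   # 2**height leaves >= n_users
        self.first_leaf = 1 << self.height
        self.keys = {v: os.urandom(16) for v in range(1, 2 * self.first_leaf)}
        self.members = set(range(n_users))
        self.epoch = 0

    def path(self, user: int) -> list:
        v, nodes = self.first_leaf + user, []
        while v >= 1:
            nodes.append(v)
            v //= 2
        return nodes                                         # leaf ... root

    def user_keys(self, user: int) -> dict:
        return {v: self.keys[v] for v in self.path(user)}

    def _occupied(self, v: int) -> bool:
        lo = v
        while lo < self.first_leaf:
            lo *= 2
        span = lo // v                                       # number of leaves under v
        return any(lo <= self.first_leaf + u < lo + span for u in self.members)

    def leave(self, user: int) -> list:
        """Replace every key on the leaver's path, bottom-up. Each new key is sent
        encrypted under the key of every child subtree that still has members.
        Returns (epoch, node, child, ciphertext) tuples in processing order."""
        self.members.discard(user)
        self.epoch += 1
        msgs = []
        for v in self.path(user)[1:]:                        # parent of the leaf up to the root
            self.keys[v] = os.urandom(16)
            for child in (2 * v, 2 * v + 1):
                if self._occupied(child):
                    nonce = f"{self.epoch}:{v}:{child}".encode()
                    msgs.append((self.epoch, v, child, _wrap(self.keys[child], nonce, self.keys[v])))
        return msgs


def apply_rekey(held: dict, msgs: list) -> dict:
    """A member updates its key set from the broadcast. It can only open messages
    wrapped under keys it holds, including path keys refreshed earlier in the list."""
    held = dict(held)
    for epoch, v, child, ct in msgs:
        if child in held:
            held[v] = _unwrap(held[child], f"{epoch}:{v}:{child}".encode(), ct)
    return held


def rekey_messages_for_leave(n_users: int) -> int:
    """Messages needed when user 0 leaves a group of n_users: 2*log2(n) - 1 for a full tree."""
    return len(KeyTree(n_users).leave(0))
```

The leaver still holds the old keys on its path, but every message for a node above it is wrapped under either a sibling subtree key it never had or a path key that was just refreshed, so it cannot recover the new group key; every remaining member can. Join works the same way in reverse (refresh the path so the newcomer cannot read earlier traffic).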


Book
01 Jan 2000
TL;DR: This book presents a rigorous and systematic treatment of the foundational issues of cryptography: defining cryptographic tasks and solving new cryptographic problems using existing tools, focusing on the basic mathematical tools: computational difficulty, pseudorandomness and zero-knowledge proofs.
Abstract: From the Publisher: This book presents a rigorous and systematic treatment of the foundational issues of cryptography: defining cryptographic tasks and solving new cryptographic problems using existing tools. It focuses on the basic mathematical tools: computational difficulty (one-way functions), pseudorandomness and zero-knowledge proofs. Rather than describing ad hoc approaches, this book emphasizes the clarification of fundamental concepts and the demonstration of the feasibility of solving cryptographic problems.

1,226 citations


Book
01 Jan 2000
TL;DR: This book argues that security is a process, not a product: modern systems have so many components and connections, some of them not even known by the systems' designers, implementers, or users, that insecurities always remain, and cryptography on its own cannot change that.
Abstract: From the Book: I have written this book partly to correct a mistake. Seven years ago I wrote another book: Applied Cryptography. In it, I described a mathematical utopia: algorithms that would keep your deepest secrets safe for millennia, protocols that could perform the most fantastical electronic interactions (unregulated gambling, undetectable authentication, anonymous cash) safely and securely. In my vision cryptography was the great technological equalizer; anyone with a cheap (and getting cheaper every year) computer could have the same security as the largest government. In the second edition of the same book, written two years later, I went so far as to write: "It is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics." It's just not true. Cryptography can't do any of that. It's not that cryptography has gotten weaker since 1994, or that the things I described in that book are no longer true; it's that cryptography doesn't exist in a vacuum. Cryptography is a branch of mathematics. And like all mathematics, it involves numbers, equations, and logic. Security, palpable security that you or I might find useful in our lives, involves people: things people know, relationships between people, people and how they relate to machines. Digital security involves computers: complex, unstable, buggy computers. Mathematics is perfect; reality is subjective. Mathematics is defined; computers are ornery. Mathematics is logical; people are erratic, capricious, and barely comprehensible. The error of Applied Cryptography is that I didn't talk at all about the context. I talked about cryptography as if it were The Answer. I was pretty naive. The result wasn't pretty. Readers believed that cryptography was a kind of magic security dust that they could sprinkle over their software and make it secure. That they could invoke magic spells like "128-bit key" and "public-key infrastructure."
A colleague once told me that the world was full of bad security systems designed by people who read Applied Cryptography. Since writing the book, I have made a living as a cryptography consultant: designing and analyzing security systems. To my initial surprise, I found that the weak points had nothing to do with the mathematics. They were in the hardware, the software, the networks, and the people. Beautiful pieces of mathematics were made irrelevant through bad programming, a lousy operating system, or someone's bad password choice. I learned to look beyond the cryptography, at the entire system, to find weaknesses. I started repeating a couple of sentiments you'll find throughout this book: "Security is a chain; it's only as secure as the weakest link." "Security is a process, not a product." Any real-world system is a complicated series of interconnections. Security must permeate the system: its components and connections. And in this book I argue that modern systems have so many components and connections, some of them not even known by the systems' designers, implementers, or users, that insecurities always remain. No system is perfect; no technology is The Answer. This is obvious to anyone involved in real-world security. In the real world, security involves processes. It involves preventative technologies, but also detection and reaction processes, and an entire forensics system to hunt down and prosecute the guilty. Security is not a product; it itself is a process. And if we're ever going to make our digital systems secure, we're going to have to start building processes. A few years ago I heard a quotation, and I am going to modify it here: If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. This book is about those security problems, the limitations of technology, and the solutions. Read this book in order, from beginning to end. No, really.
Many technical books are meant to skim, bounce around in, and use as a reference. This book isn't. This book has a plot; it tells a story. And like any good story, it makes less sense telling it out of order. The chapters build on each other, and you won't buy the ending if you haven't come along on the journey. Actually, I want you to read the book through once, and then read it through a second time. This book argues that in order to understand the security of a system, you need to look at the entire system, and not at any particular technologies. Security itself is an interconnected system, and it helps to have cursory knowledge of everything before learning more about anything. But two readings is probably too much to ask; forget I mentioned it. This book has three parts. Part 1 is "The Landscape," and gives context to the rest of the book: who the attackers are, what they want, and what we need to deal with the threats. Part 2 is "Technologies," basically a bunch of chapters describing different security technologies and their limitations. Part 3 is "Strategies": Given the requirements of the landscape and the limitations of the technologies, what do we do now? I think digital security is about the coolest thing you can work on today, and this book reflects that feeling. It's serious, but fun, too. Enjoy the read.

1,129 citations


Posted Content
TL;DR: The authors take a critical look at the relationship between the security of cryptographic schemes in the Random Oracle Model and the security of the schemes that result from implementing the random oracle by so-called "cryptographic hash functions", and show that the former does not in general imply the latter.
Abstract: We take a critical look at the relationship between the security of cryptographic schemes in the Random Oracle Model, and the security of the schemes that result from implementing the random oracle by so called "cryptographic hash functions". The main result of this paper is a negative one: There exist signature and encryption schemes that are secure in the Random Oracle Model, but for which any implementation of the random oracle results in insecure schemes. In the process of devising the above schemes, we consider possible definitions for the notion of a "good implementation" of a random oracle, pointing out limitations and challenges.

1,007 citations


Book ChapterDOI
20 Aug 2000
TL;DR: In this paper, the authors introduce the concept of privacy preserving data mining, where two parties owning confidential databases wish to run a data mining algorithm on the union of their databases, without revealing any unnecessary information.
Abstract: In this paper we introduce the concept of privacy preserving data mining. In our model, two parties owning confidential databases wish to run a data mining algorithm on the union of their databases, without revealing any unnecessary information. This problem has many practical and important applications, such as in medical research with confidential patient records. Data mining algorithms are usually complex, especially as the size of the input is measured in megabytes, if not gigabytes. A generic secure multi-party computation solution, based on evaluation of a circuit computing the algorithm on the entire input, is therefore of no practical use. We focus on the problem of decision tree learning and use ID3, a popular and widely used algorithm for this problem. We present a solution that is considerably more efficient than generic solutions. It demands very few rounds of communication and reasonable bandwidth. In our solution, each party performs by itself a computation of the same order as computing the ID3 algorithm for its own database. The results are then combined using efficient cryptographic protocols, whose overhead is only logarithmic in the number of transactions in the databases. We feel that our result is a substantial contribution, demonstrating that secure multi-party computation can be made practical, even for complex problems and large inputs.

995 citations


Journal ArticleDOI
TL;DR: The cryptosystem is the first proven to be secure against a strong type of chosen ciphertext attack proposed by Rackoff and Simon, in which the attacker knows the ciphertext she wishes to break and can query the decryption oracle on any ciphertext other than the target.
Abstract: The notion of nonmalleable cryptography, an extension of semantically secure cryptography, is defined. Informally, in the context of encryption the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext so that the respective plaintexts are related. The same concept makes sense in the contexts of string commitment and zero-knowledge proofs of possession of knowledge. Nonmalleable schemes for each of these three problems are presented. The schemes do not assume a trusted center; a user need not know anything about the number or identity of other system users. Our cryptosystem is the first proven to be secure against a strong type of chosen ciphertext attack proposed by Rackoff and Simon, in which the attacker knows the ciphertext she wishes to break and can query the decryption oracle on any ciphertext other than the target.

831 citations
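The "related plaintext" requirement is easiest to see from a scheme that fails it. The following added example (mine, not the paper's construction, which is a public-key scheme) uses a stream cipher built from an HMAC-SHA256 counter keystream, a constructed stand-in for any XOR-based stream or CTR-mode cipher: an attacker who knows where a field sits in the plaintext can produce a different ciphertext whose plaintext is related in a chosen way, without the key. An encrypt-then-MAC wrapper, the standard symmetric-key fix, makes every modified ciphertext decrypt to a rejection instead.

```python
import hashlib
import hmac
import os

# Added illustration of malleability and its symmetric-key fix.
# Assumptions (not from the paper): HMAC-SHA256 counter keystream as the
# stream cipher, 16-byte nonce, HMAC-SHA256 tag for encrypt-then-MAC.

NONCE = 16
TAG = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_malleable(key: bytes, msg: bytes) -> bytes:
    nonce = os.urandom(NONCE)
    return nonce + _xor(msg, _keystream(key, nonce, len(msg)))


def decrypt_malleable(key: bytes, ct: bytes) -> bytes:
    nonce, body = ct[:NONCE], ct[NONCE:]
    return _xor(body, _keystream(key, nonce, len(body)))


def tamper(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker without the key: if plaintext bytes `old` sit at `offset`,
    flip the ciphertext so the plaintext there becomes `new`."""
    body = bytearray(ct)
    for i, (o, n) in enumerate(zip(old, new)):
        body[NONCE + offset + i] ^= o ^ n
    return bytes(body)


def encrypt_etm(enc_key: bytes, mac_key: bytes, msg: bytes) -> bytes:
    ct = encrypt_malleable(enc_key, msg)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def decrypt_etm(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-TAG], blob[-TAG:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext rejected: tag mismatch")
    return decrypt_malleable(enc_key, ct)


def demo() -> tuple:
    """Returns (plaintext the forged stream-cipher ciphertext decrypts to,
    whether the same forgery against encrypt-then-MAC was rejected)."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    msg = b"PAY $0100 TO ALICE"
    forged = tamper(encrypt_malleable(enc_key, msg), 5, b"0", b"9")
    related = decrypt_malleable(enc_key, forged)       # the amount field changed, key unknown
    try:
        decrypt_etm(enc_key, mac_key, tamper(encrypt_etm(enc_key, mac_key, msg), 5, b"0", b"9"))
        rejected = False
    except ValueError:
        rejected = True
    return related, rejected
```

The attacker in `tamper` never sees a key, yet the first ciphertext decrypts to a plaintext related to the original exactly as chosen; that is what nonmalleability rules out. The MAC check must run before any decryption result is used, and with a constant-time comparison, or the wrapper reintroduces an oracle of its own.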


Book ChapterDOI
20 Aug 2000
TL;DR: A group signature scheme allows a group member to sign messages anonymously on behalf of the group but in the case of a dispute the identity of a signature's originator can be revealed (only) by a designated entity.
Abstract: A group signature scheme allows a group member to sign messages anonymously on behalf of the group. However, in the case of a dispute, the identity of a signature's originator can be revealed (only) by a designated entity. The interactive counterparts of group signatures are identity escrow schemes or group identification schemes with revocable anonymity. This work introduces a new provably secure group signature and a companion identity escrow scheme that are significantly more efficient than the state of the art. In its interactive, identity escrow form, our scheme is proven secure and coalition-resistant under the strong RSA and the decisional Diffie-Hellman assumptions. The security of the non-interactive variant, i.e., the group signature scheme, relies additionally on the Fiat-Shamir heuristic (also known as the random oracle model).

816 citations



Journal ArticleDOI
TL;DR: This paper discusses all group key agreement operations and presents a concrete protocol suite, CLIQUES, which offers complete key agreement services and is based on multiparty extensions of the well-known Diffie-Hellman key exchange method.
Abstract: As a result of the increased popularity of group-oriented applications and protocols, group communication occurs in many different settings: from network multicasting to application layer tele- and videoconferencing. Regardless of the application environment, security services are necessary to provide communication privacy and integrity. This paper considers the problem of key agreement in dynamic peer groups. (Key agreement, especially in a group setting, is the stepping stone for all other security services.) Dynamic peer groups require not only initial key agreement (IKA) but also auxiliary key agreement (AKA) operations, such as member addition, member deletion, and group fusion. We discuss all group key agreement operations and present a concrete protocol suite, CLIQUES, which offers complete key agreement services. CLIQUES is based on multiparty extensions of the well-known Diffie-Hellman key exchange method. The protocols are efficient and provably secure against passive adversaries.
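As an added example (mine, not the CLIQUES code), this is the "upflow then broadcast" form of group Diffie-Hellman initial key agreement that CLIQUES builds on: each member raises every intermediate value it receives to its secret exponent and appends the previous full value as the partial that omits itself; the last member obtains the key and broadcasts the partials, from which each member recovers the key with one more exponentiation. The group parameters are a toy: 2^127 − 1 is prime but far too small and not a safe prime, so a deployment would use an RFC 3526 MODP group or an elliptic-curve group instead. Member addition and deletion in CLIQUES reuse the same raise-to-exponent step and are not shown.

```python
import secrets as rng
from math import prod

# Added example of GDH.2-style initial key agreement (not the CLIQUES code).
# Toy parameters (assumption): P = 2**127 - 1, generator 3. Far too small for
# real use and not a safe prime; chosen only so the example runs instantly.

P = (1 << 127) - 1
G = 3


class Member:
    def __init__(self, name: str):
        self.name = name
        self.exponent = rng.randbelow(P - 3) + 2     # private N_i, never leaves the member
        self.key = None


def upflow_step(partials: list, full: int, exponent: int) -> tuple:
    """One hop of the upflow: every intermediate value gains the new exponent, and
    the previous 'full' value becomes the partial that omits this member's exponent."""
    return [pow(x, exponent, P) for x in partials] + [full], pow(full, exponent, P)


def initial_key_agreement(members: list) -> list:
    """IKA: M_1 -> M_2 -> ... -> M_n upflow, then M_n broadcasts the partials.
    Returns the broadcast, i.e. what a passive eavesdropper sees besides the upflow."""
    partials, full = [], G
    for m in members:
        partials, full = upflow_step(partials, full, m.exponent)
    # M_n now holds full = g^(N_1 ... N_n); partials[j] = g^(product without N_j)
    broadcast = partials
    for j, m in enumerate(members):
        m.key = pow(broadcast[j], m.exponent, P)     # one exponentiation per member
    return broadcast


def all_agree(members: list) -> bool:
    """Sanity check only: a trusted party holding every exponent computes g^(prod N_i)
    directly and confirms every member derived the same value."""
    expected = pow(G, prod(m.exponent for m in members), P)
    return all(m.key == expected for m in members)
```

Everything on the wire is of the form g^(product of some exponents); recovering the key from the broadcast is a group Diffie-Hellman problem, which is why the abstract claims security only against passive adversaries. An active attacker can substitute values in the upflow, so a deployment must authenticate the messages (which is what the authenticated variants of these protocols add).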

Book ChapterDOI
14 May 2000
TL;DR: This paper shows that not only secret-key agreement satisfying the strong secrecy condition is possible, but even that the achievable key-generation rates are equal to the previous weak notions of secrecy capacity and secret- key rate.
Abstract: One of the basic problems in cryptography is the generation of a common secret key between two parties, for instance in order to communicate privately. In this paper we consider information-theoretically secure key agreement. Wyner and subsequently Csiszar and Korner described and analyzed settings for secret-key agreement based on noisy communication channels. Maurer as well as Ahlswede and Csiszar generalized these models to a scenario based on correlated randomness and public discussion. In all these settings, the secrecy capacity and the secret-key rate, respectively, have been defined as the maximal achievable rates at which a highly-secret key can be generated by the legitimate partners. However, the privacy requirements were too weak in all these definitions, requiring only the ratio between the adversary's information and the length of the key to be negligible, and hence tolerating her obtaining a possibly substantial amount of information about the resulting key in an absolute sense. We give natural stronger definitions of secrecy capacity and secret-key rate, requiring that the adversary obtains virtually no information about the entire key. We show not only that secret-key agreement satisfying the strong secrecy condition is possible, but even that the achievable key-generation rates are equal to the previous weak notions of secrecy capacity and secret-key rate. Hence the unsatisfactory old definitions can be completely replaced by the new ones. We prove these results by a generic reduction of strong to weak key agreement. The reduction makes use of extractors, which allow the required amount of communication to be kept negligible compared to the length of the resulting key.

Journal ArticleDOI
TL;DR: This work proposes a novel solution called partial encryption, in which a secure encryption algorithm is used to encrypt only part of the compressed data, resulting in a significant reduction in encryption and decryption time.
Abstract: The increased popularity of multimedia applications places a great demand on efficient data storage and transmission techniques. Network communication, especially over a wireless network, can easily be intercepted and must be protected from eavesdroppers. Unfortunately, encryption and decryption are slow, and it is often difficult, if not impossible, to carry out real-time secure image and video communication and processing. Methods have been proposed to combine compression and encryption together to reduce the overall processing time, but they are either insecure or too computationally intensive. We propose a novel solution called partial encryption, in which a secure encryption algorithm is used to encrypt only part of the compressed data. Partial encryption is applied to several image and video compression algorithms in this paper. Only 13-27% of the output from quadtree compression algorithms is encrypted for typical images, and less than 2% is encrypted for 512×512 images compressed by the set partitioning in hierarchical trees (SPIHT) algorithm. The results are similar for video compression, resulting in a significant reduction in encryption and decryption time. The proposed partial encryption schemes are fast, secure, and do not reduce the compression performance of the underlying compression algorithm.

Proceedings ArticleDOI
10 Sep 2000
TL;DR: A novel image indexing technique that may be called an image hash function, which uses randomized signal processing strategies for a non-reversible compression of images into random binary strings, and is shown to be robust against image changes due to compression, geometric distortions, and other attacks.
Abstract: The proliferation of digital images creates problems for managing large image databases, indexing individual images, and protecting intellectual property. This paper introduces a novel image indexing technique that may be called an image hash function. The algorithm uses randomized signal processing strategies for a non-reversible compression of images into random binary strings, and is shown to be robust against image changes due to compression, geometric distortions, and other attacks. This algorithm brings to images a direct analog of message authentication codes (MACs) from cryptography, in which a main goal is to make hash values on a set of distinct inputs pairwise independent. This minimizes the probability that two hash values collide, even when inputs are generated by an adversary.

Book ChapterDOI
10 Apr 2000
TL;DR: New attacks on A5/1 are described which exploit subtle flaws in the tap structure of the registers, their noninvertible clocking mechanism, and their frequent resets; after a one-time 2^48 parallelizable preprocessing stage, the key is recovered in real time on a single PC, whereas the best previous attacks (2^40 to 2^45 steps) left A5/1 vulnerable to hardware-based attacks by large organizations but not to software-based attacks on multiple targets by hackers.
Abstract: A5/1 is the strong version of the encryption algorithm used by about 130 million GSM customers in Europe to protect the over-the-air privacy of their cellular voice and data communication. The best published attacks against it require between 2^40 and 2^45 steps. This level of security makes it vulnerable to hardware-based attacks by large organizations, but not to software-based attacks on multiple targets by hackers. In this paper we describe new attacks on A5/1, which are based on subtle flaws in the tap structure of the registers, their noninvertible clocking mechanism, and their frequent resets. After a 2^48 parallelizable data preparation stage (which has to be carried out only once), the actual attacks can be carried out in real time on a single PC. The first attack requires the output of the A5/1 algorithm during the first two minutes of the conversation, and computes the key in about one second. The second attack requires the output of the A5/1 algorithm during about two seconds of the conversation, and computes the key in several minutes. The two attacks are related, but use different types of time-memory tradeoffs. The attacks were verified with actual implementations, except for the preprocessing stage which was extensively sampled rather than completely executed. REMARK: We based our attack on the version of the algorithm which was derived by reverse engineering an actual GSM telephone and published at http://www.scard.org. We would like to thank the GSM organization for graciously confirming to us the correctness of this unofficial description. In addition, we would like to stress that this paper considers the narrow issue of the cryptographic strength of A5/1, and not the broader issue of the practical security of fielded GSM systems, about which we make no claims.

Journal ArticleDOI
TL;DR: This work considers quantum cryptographic schemes where the carriers of information are 3-state particles and one protocol uses four mutually unbiased bases and appears to provide better security than obtainable with 2-state carriers.
Abstract: We consider quantum cryptographic schemes where the carriers of information are 3-state particles. One protocol uses four mutually unbiased bases and appears to provide better security than obtainable with 2-state carriers. Another possible method allows quantum states to belong to more than one basis. Security is not better, but many curious features arise.

Book ChapterDOI
20 Aug 2000
TL;DR: The aim of this article is to show that the braid groups can serve as a good source to enrich cryptography and to propose and implement a new key agreement scheme and public key cryptosystem based on these primitives in thebraid groups.
Abstract: The braid groups are infinite non-commutative groups naturally arising from geometric braids. The aim of this article is twofold. One is to show that the braid groups can serve as a good source to enrich cryptography. The features that make the braid groups useful to cryptography include the following: (i) the word problem is solved via a fast algorithm which computes a canonical form that can be efficiently manipulated by computers; (ii) the group operations can be performed efficiently; (iii) the braid groups have many mathematically hard problems that can be utilized to design cryptographic primitives. The other is to propose and implement a new key agreement scheme and public key cryptosystem based on these primitives in the braid groups. The efficiency of our systems is demonstrated by their speed and information rate. The security of our systems is based on topological, combinatorial and group-theoretical problems that are intractable according to our current mathematical knowledge. The foundation of our systems is quite different from widely used cryptosystems based on number theory, but there are some similarities in design.

Journal Article
TL;DR: A slightly different proof is presented which provides a tighter security reduction for the full domain hash (FDH) scheme in the random oracle model, assuming that inverting RSA is hard; as a consequence, smaller RSA moduli can be used for the same level of security.
Abstract: The Full Domain Hash (FDH) scheme is an RSA-based signature scheme in which the message is hashed onto the full domain of the RSA function. The FDH scheme is provably secure in the random oracle model, assuming that inverting RSA is hard. In this paper we exhibit a slightly different proof which provides a tighter security reduction. This in turn improves the efficiency of the scheme since smaller RSA moduli can be used for the same level of security. The same method can be used to obtain a tighter security reduction for the Rabin, Paillier, and Gennaro-Halevi-Rabin signature schemes.

Book
17 Oct 2000
TL;DR: This book covers security concepts, the SSL/TLS protocol (handshake, record layer, session resumption, client authentication, cipher suites), SSL security and performance, designing and coding with SSL, HTTP over SSL and SMTP over TLS, and contrasting approaches such as IPsec, S-HTTP and S/MIME.
Abstract: Preface. 1. Security Concepts. Introduction. The Internet Threat Model. The Players. The Goals of Security. Tools of the Trade. Putting It All Together. A Simple Secure Messaging System. A Simple Secure Channel. The Export Situation. Real Cryptographic Algorithms. Symmetric Encryption: Stream Ciphers. Symmetric Encryption: Block Ciphers. Digest Algorithms. Key Establishment. Digital Signature. MACs. Key Length. Summary. 2. Introduction to SSL. Introduction. Standards and Standards Bodies. SSL Over view. SSL/TLS Design Goals. SSL and the TCP/IP Suite. SSL History. SSL for the Web. Everything over SSL. Getting SSL. Summary. 3. Basic SSL. Introduction. SSL Over view. Handshake. SSL Record Protocol. Putting the Pieces Together. A Real Connection. Some More Connection Details. SSL Specification Language. Handshake Message Structure. Handshake Messages. Key Derivation. Record Protocol. Alerts and Closure. Summary. 4. Advanced SSL. Introduction. Session Resumption. Client Authentication. Ephemeral RSA. Rehandshake. Server Gated Cryptography. DSS and DH. Elliptic Curve Cipher Suites. Kerberos. FORTEZZA. The Story So Far. Session Resumption Details. Client Authentication Details. Ephemeral RSA Details. SGC Details. DH/DSS Details. FORTEZZA Details. Error Alerts. SSLv2 Backward Compatibility. Summary. 5. SSL Security. Introduction. What SSL Provides. Protect the master_secret. Protect the Server's Private Key. Use Good Randomness. Check the Certificate Chain. Algorithm Selection. The Story So Far. Compromise of the master_secret. Protecting Secrets in Memory. Securing the Server's Private Key. Random Number Generation. Certificate Chain Verification. Partial Compromise. Known Attacks. Timing Cryptanalysis. Million Message Attack. Small-Subgroup Attack. Downgrade to Export. Summary. 6. SSL Performance. Introduction. SSL Is Slow. Performance Principles. Cryptography Is Expensive. Session Resumption. Handshake Algorithm and Key Choice. Bulk Data Transfer. 
Basic SSL Performance Rules. The Story So Far. Handshake Time Allocation. Normal RSA Mode. RSA with Client Authentication. Ephemeral RSA. DSS/DHE. DSS/DHE with Client Authentication. Performance Improvements with DH. Record Processing. Java. SSL Servers under Load. Hardware Acceleration. Inline Hardware Accelerators. Network Latency. The Nagle Algorithm. Handshake Buffering. Advanced SSL Performance Rules. Summary. 7. Designing with SSL. Introduction. Know What You Want to Secure. Client Authentication Options. Reference Integrity. Inappropriate Tasks. Protocol Selection. Reducing Handshake Overhead. Design Strategy. The Story So Far. Separate Ports. Upward Negotiation. Downgrade Attacks. Reference Integrity. Username/Password Authentication. SSL Client Authentication. Mutual Username/Password Authentication. Rehandshake. Secondary Channels. Closure. Summary. 8. Coding with SSL. Introduction. SSL Implementations. Sample Programs. Context Initialization. Client Connect. Server Accept. Simple I/O Handling. Multiplexed I/O Using Threads. Multiplexed I/O with select(). Closure. Session Resumption. What's Missing? Summary. 9. HTTP over SSL. Introduction. Securing the Web. HTTP. HTML. URLs. HTTP Connection Behavior. Proxies. Virtual Hosts. Protocol Selection. Client Authentication. Reference Integrity. HTTPS. HTTPS Overview. URLs and Reference Integrity. Connection Closure. Proxies. Virtual Hosts. Client Authentication. Referrer. Substitution Attacks. Upgrade. Programming Issues. Proxy CONNECT. Handling Multiple Clients. Summary. 10. SMTP over TLS. Introduction. Internet Mail Security. Internet Messaging Overview. SMTP. RFC 822 and MIME. E-Mail Addresses. Mail Relaying. Virtual Hosts. MX Records. Client Mail Access. Protocol Selection. Client Authentication. Reference Integrity. Connection Semantics. STARTTLS. STARTTLS Overview. Connection Closure. Requiring TLS. Virtual Hosts. Security Indicators. Authenticated Relaying. Originator Authentication. 
Reference Integrity Details. Why Not CONNECT? What's STARTTLS Good For? Programming Issues. Implementing STARTTLS. Server Startup. Summary. 11. Contrasting Approaches. Introduction. The End-to-End Argument. The End-to-End Argument and SMTP. Other Protocols. IPsec. Security Associations. ISAKMP and IKE. AH and ESP. Putting It All Together: IPsec. IPsec versus SSL. Secure HTTP. CMS. Message Format. Cryptographic Options. Putting It All Together: S-HTTP. S-HTTP versus HTTPS. S/MIME. Basic S/MIME Formatting. Signing Only. Algorithm Choice. Putting It All Together: S/MIME. Implementation Barriers. S/MIME versus SMTP/TLS. Choosing the Appropriate Solution. Summary. Appendix A: Example Code. Chapter 8 Examples. Java Examples. Chapter 9 HTTPS Examples. mod_ssl Session Caching. Appendix B: SSLv2. Introduction. SSLv2 Overview. Missing Features. Security Problems. PCT. What about SSLv1? Bibliography. Index.

Book ChapterDOI
03 Apr 2000
TL;DR: In this paper, the authors show how stateless authentication protocols and the client puzzles of Juels and Brainard can be used to prevent denial of service by server resource exhaustion in open communications networks.
Abstract: Denial of service by server resource exhaustion has become a major security threat in open communications networks. Public-key authentication does not completely protect against the attacks because the authentication protocols often leave ways for an unauthenticated client to consume a server's memory space and computational resources by initiating a large number of protocol runs and inducing the server to perform expensive cryptographic computations. We show how stateless authentication protocols and the client puzzles of Juels and Brainard can be used to prevent such attacks.

Journal ArticleDOI
TL;DR: This paper proposes an efficient and practical remote user authentication scheme using smart cards that provides the same advantages as Hwang and Li's scheme, but also significantly reduces the communication and computation costs.
Abstract: Based on the discrete logarithm problem, Hwang and Li (see ibid., vol.46, no.1, p.28-30, Feb. 2000) proposed a remote user authentication scheme using smart cards. Their scheme is very novel because no password table needs to be kept in the system. In this paper, we further propose an efficient and practical remote user authentication scheme using smart cards. The proposed scheme not only provides the same advantages as Hwang and Li's scheme, but also significantly reduces the communication and computation costs.

Journal Article
TL;DR: In this paper, the authors provide a computational justification for a formal treatment of encryption, by providing a computational model that considers complexity and probability of a cryptosystem's security properties.
Abstract: Two distinct, rigorous views of cryptography have developed over the years, in two mostly separate communities. One of the views relies on a simple but effective formal approach; the other, on a detailed computational model that considers issues of complexity and probability. There is an uncomfortable and interesting gap between these two approaches to cryptography. This paper starts to bridge the gap, by providing a computational justification for a formal treatment of encryption.

Proceedings ArticleDOI
01 Nov 2000
TL;DR: This work proves two important properties of this definition, preservation of integrity and secure composition: first, a secure real system satisfies all integrity requirements that are satisfied by the ideal system, and if a composed system is designed using an ideal subsystem, it will remain secure if a secure real subsystem is used instead.
Abstract: We consider compositional properties of reactive systems that are secure in a cryptographic sense. We follow the well-known simulatability approach, i.e., the specification is an ideal system and a real system should in some sense simulate it. We recently presented the first detailed general definition of this concept for reactive systems that allows abstraction and enables proofs of efficient real-life systems like secure channels or certified mail. We prove two important properties of this definition, preservation of integrity and secure composition: First, a secure real system satisfies all integrity requirements (e.g., safety requirements expressed in temporal logic) that are satisfied by the ideal system. Secondly, if a composed system is designed using an ideal subsystem, it will remain secure if a secure real subsystem is used instead. Such a property was so far only known for non-reactive simulatability. Both properties are important for putting formal verification methods for systems using cryptography on a sound basis.

Book ChapterDOI
20 Feb 2000
TL;DR: A distributed version of the Paillier cryptosystem presented at Eurocrypt '99 is proposed, which can be used in an electronic voting scheme or in a lottery where a random number related to the winning ticket has to be jointly chosen by all participants.
Abstract: Several public key cryptosystems with additional homomorphic properties have been proposed so far. They allow computation to be performed on encrypted data without knowledge of any secret information. In many applications, the ability to perform decryption, i.e. knowledge of the secret key, confers huge power. A classical way to reduce the trust placed in such a secret owner, and consequently to increase security, is to share the secret between many entities in such a way that cooperation between them is necessary to decrypt. In this paper, we propose a distributed version of the Paillier cryptosystem presented at Eurocrypt '99. This shared scheme can for example be used in an electronic voting scheme or in a lottery where a random number related to the winning ticket has to be jointly chosen by all participants.

Journal ArticleDOI
TL;DR: This paper studies the problem of authenticated key agreement in dynamic peer groups with the emphasis on efficient and provably secure key authentication, key confirmation, and integrity.
Abstract: Many modern computing environments involve dynamic peer groups. Distributed simulation, multiuser games, conferencing applications, and replicated servers are just a few examples. Given the openness of today's networks, communication among peers (group members) must be secure and, at the same time, efficient. This paper studies the problem of authenticated key agreement in dynamic peer groups with the emphasis on efficient and provably secure key authentication, key confirmation, and integrity. It begins by considering two-party authenticated key agreement and extends the results to group Diffie-Hellman (1976) key agreement. In the process, some new security properties (unique to groups) are encountered and discussed.

BookDOI
01 Aug 2000
TL;DR: An Introduction to Cryptography is intended for the person wanting an introduction to the subject of cryptography; however, it contains enough advanced, optional material to challenge even the informed reader.
Abstract: From the Publisher: An Introduction to Cryptography is intended for the person wanting an introduction to the subject of cryptography; however, it contains enough advanced, optional material to challenge even the informed reader. Beginning with an overview of the history of cryptography, the author then covers the basics of computer arithmetic and explores complexity. The author then presents comprehensive information on symmetric-key cryptosystems, public-key cryptosystems, and primality testing. He illustrates all methods with worked examples and includes a full description of the numerous cryptographic applications.

Book ChapterDOI
20 Aug 2000
TL;DR: Three different types of attacks that can be used to derive information about the secret key if bit errors can be inserted into the elliptic curve computations in a tamper-proof device are presented.
Abstract: In this paper we extend the ideas for differential fault attacks on the RSA cryptosystem (see) to schemes using elliptic curves. We present three different types of attacks that can be used to derive information about the secret key if bit errors can be inserted into the elliptic curve computations in a tamper-proof device. The effectiveness of the attacks was proven in a software simulation of the described ideas.

Proceedings ArticleDOI
01 Jan 2000
TL;DR: An image encryption/decryption algorithm and its VLSI architecture with low hardware cost, high computing speed, and high hardware utilization efficiency is proposed and the architecture of integrating the scheme with MPEG2 is proposed.
Abstract: In this paper, an image encryption/decryption algorithm and its VLSI architecture are proposed. According to a chaotic binary sequence, the gray level of each pixel is XORed or XNORed bit-by-bit to one of the two predetermined keys. Its features are as follows: (1) low computational complexity, (2) high security, and (3) no distortion. In order to implement the algorithm, its VLSI architecture with low hardware cost, high computing speed, and high hardware utilization efficiency is also designed. Moreover, the architecture of integrating the scheme with MPEG2 is proposed. Finally, simulation results are included to demonstrate its effectiveness.

Journal ArticleDOI
TL;DR: It is shown that DNA steganography based on DNA binary strands is secure under the assumption that an interceptor has the same technological capabilities as sender and receiver of encrypted messages.
Abstract: Biotechnological methods can be used for cryptography. Here two different cryptographic approaches based on DNA binary strands are shown. The first approach shows how DNA binary strands can be used for steganography, a technique of encryption by information hiding, to provide rapid encryption and decryption. It is shown that DNA steganography based on DNA binary strands is secure under the assumption that an interceptor has the same technological capabilities as sender and receiver of encrypted messages. The second approach shown here is based on steganography and a method of graphical subtraction of binary gel-images. It can be used to constitute a molecular checksum and can be combined with the first approach to support encryption. DNA cryptography might become of practical relevance in the context of labelling organic and inorganic materials with DNA ‘barcodes’. © 2000 Elsevier Science Ireland Ltd. All rights reserved.