
Showing papers on "Differential cryptanalysis published in 1998"


Book
04 May 1998
TL;DR: This book discusses cyclotomic numbers, primes, primitive roots and sequences, the cryptographic functions built from them, and some of the keystream generators used in stream ciphers, among other things.
Abstract: Preface. Introduction. Applications of number theory. An outline of this book. Stream Ciphers. Stream cipher systems. Additive synchronous stream ciphers. Nonadditive synchronous stream ciphers. Stream ciphering with block ciphers. Cooperative distributed ciphering. Some keystream generators. Generators based on counters. Some number-theoretic generators. Cryptographic aspects of sequences. Minimal polynomial and linear complexity. Pattern distribution of key streams. Correlation functions. Sphere complexity and linear cryptanalysis. Higher order complexities. Harmony on binary NSGs. Security attacks. Primes, Primitive Roots and Sequences. Cyclotomic polynomials. Two basic problems from stream ciphers. A basic theorem and main bridge. Primes, primitive roots and binary sequences. Primes, primitive roots and ternary sequences. Primes, negord and sequences. Prime powers, primitive roots and sequences. Prime products and sequences. Binary sequences and primes. Ternary sequences and primes. On cryptographic primitive roots. Linear complexity of sequences over Z_m. Period and its cryptographic importance. Cyclotomy and Cryptographic Functions. Cyclotomic numbers. Cyclotomy and cryptography. Cyclotomy and difference parameters. Cyclotomy and differential cryptanalysis. Cryptographic cyclotomic numbers. Cryptographic functions from Z_p to Z_d. The case d = 2. The case d = 3. The case d = 4. The case d = 5. The case d = 6. The case d = 8. The case d = 10. The case d = 12. Cryptographic functions from Z_pq to Z_d. Whiteman's generalized cyclotomy and cryptography. Cryptographic functions from Z_pq to Z_2. Cryptographic functions from Z_pq to Z_4. Cryptographic functions from Z_{p^2} to Z_2. Cryptographic functions defined on GF(p^m). The origin of cyclotomic numbers. Special Primes and Sequences. Sophie Germain primes and sequences. Their importance in stream ciphers. Their relations with other number-theoretic problems. The existence problem. A search for cryptographic Sophie Germain primes. Tchebychef primes and sequences. Their cryptographic significance. Existence and search problem. Other primes of form k·2^n + 1 and sequences. Primes of form (a^n - 1)/(a - 1) and sequences. Mersenne primes and sequences. Cryptographic primes of form ((4u)^n - 1)/(4u - 1). Prime repunits and their cryptographic values. n! ± 1 and p# ± 1 primes and sequences. Twin primes and sequences over GF(2). The significance of twins and their sexes. Cryptographic twins and the sex distribution. Twin primes and sequences over GF(3). Other special primes and sequences. Prime distribution and their significance. Primes for stream ciphers and for RSA. Difference Sets and Cryptographic Functions. Rudiments of difference sets. Difference sets and autocorrelation functions. Difference sets and nonlinearity. Difference sets and information stability. Difference sets and linear approximation. Almost difference sets.

329 citations


Journal Article
TL;DR: In this paper, the authors present a method for finding collisions in SHA-0 that is related to differential cryptanalysis of block ciphers, and obtain a theoretical attack on the SHA-0 compression function with complexity 2^61, better than the birthday-paradox attack.
Abstract: In this paper we present a method for finding collisions in SHA-0 which is related to differential cryptanalysis of block ciphers. Using this method, we obtain a theoretical attack on the compression function SHA-0 with complexity 2^61, which is thus better than the birthday paradox attack. In the case of SHA-1, this method is unable to find collisions faster than the birthday paradox. This is strong evidence that the transition to version 1 indeed raised the level of security of SHA.

267 citations


Book ChapterDOI
16 Sep 1998
TL;DR: The notion of side-channel cryptanalysis (cryptanalysis using implementation data) is introduced, side-channel attacks against three product ciphers are demonstrated, and the approach is generalized to other cryptosystems.
Abstract: Building on the work of Kocher [Koc96], we introduce the notion of side-channel cryptanalysis: cryptanalysis using implementation data. We discuss the notion of side-channel attacks and the vulnerabilities they introduce, demonstrate side-channel attacks against three product ciphers (a timing attack against IDEA, a processor-flag attack against RC5, and a Hamming-weight attack against DES), and then generalize our research to other cryptosystems.

254 citations


Book ChapterDOI
23 Aug 1998
TL;DR: A theoretical attack on the SHA-0 compression function with complexity 2^61 is obtained, which is better than the birthday-paradox attack; the same method does not beat the birthday bound on SHA-1, strong evidence that the transition to version 1 indeed raised the level of security of SHA.
Abstract: In this paper we present a method for finding collisions in SHA-0 which is related to differential cryptanalysis of block ciphers. Using this method, we obtain a theoretical attack on the compression function SHA-0 with complexity 2^61, which is thus better than the birthday paradox attack. In the case of SHA-1, this method is unable to find collisions faster than the birthday paradox. This is strong evidence that the transition to version 1 indeed raised the level of security of SHA.

185 citations


Book ChapterDOI
25 Feb 1998
TL;DR: A new way of protecting block ciphers against classes of attacks (including differential and linear cryptanalysis) is investigated; it is based on the notion of decorrelation, which is closely connected to Carter-Wegman's notion of universal functions.
Abstract: In this presentation we investigate a new way of protecting block ciphers against classes of attacks (including differential and linear cryptanalysis) which is based on the notion of decorrelation, which is closely connected to Carter-Wegman's notion of universal functions. This defines a simple and friendly combinatorial measurement which enables us to quantify the security. We show that we can mix provable protections and heuristic protections. We finally propose two new block cipher families, which we call COCONUT and PEANUT, that implement these ideas and achieve quite reasonable performance for real-life applications.

119 citations


Book ChapterDOI
17 Aug 1998
TL;DR: This analysis shows that, although the full-size RC4 remains secure against known attacks, keystreams are distinguishable from randomly generated bit streams, and the RC4 key can be recovered if a significant fraction of the full cycle of keystream bits is generated.
Abstract: RC4, a stream cipher designed by Rivest for RSA Data Security Inc., has found several commercial applications, but little public analysis has been done to date. In this paper, alleged RC4 (hereafter called RC4) is described and existing analysis outlined. The properties of RC4, and in particular its cycle structure, are discussed. Several variants of a basic "tracking" attack are described, and we provide experimental results on their success for scaled-down versions of RC4. This analysis shows that, although the full-size RC4 remains secure against known attacks, keystreams are distinguishable from randomly generated bit streams, and the RC4 key can be recovered if a significant fraction of the full cycle of keystream bits is generated (while recognizing that for a full-size system, the cycle length is too large for this to be practical). The tracking attacks discussed provide a significant improvement over the exhaustive search of the full RC4 keyspace. For example, the state of a 5-bit RC4-like cipher can be obtained from a portion of the keystream using 2^42 steps, while the nominal keyspace of the system is 2^160. More work is necessary to improve these attacks in the case where a reduced keyspace is used.

101 citations
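
The "scaled-down versions of RC4" the abstract refers to are reproduced here as an added example (this is not the paper's code, and the tracking attack itself is not reproduced): an n-bit RC4 keeps a permutation of 2^n words and does every index and key-schedule addition mod 2^n, so n = 8 is ordinary RC4. That generalisation (key bytes reduced mod 2^n, nothing else changed) is our assumption. `keystream_cycle_length` walks the (S, i, j) state graph of a tiny instance, which makes the cycle-structure point concrete: each PRGA step is a permutation of the state, so the walk must return to its starting state, and because i advances by one per step the period is a multiple of 2^n.

```python
from typing import Iterator, List


def rc4n_ksa(key: bytes, n: int = 8) -> List[int]:
    """Key scheduling for RC4 with n-bit words: a permutation of 2^n entries.
    Key bytes are reduced mod 2^n (our assumption for the scaled-down variant);
    for n = 8 this is exactly the RC4 KSA."""
    size = 1 << n
    s = list(range(size))
    j = 0
    for i in range(size):
        j = (j + s[i] + key[i % len(key)]) % size
        s[i], s[j] = s[j], s[i]
    return s


def rc4n_prga(s: List[int], n: int = 8) -> Iterator[int]:
    """Keystream generator over an n-bit state table (mutates s).
    Yields one n-bit word per step."""
    size = 1 << n
    i = j = 0
    while True:
        i = (i + 1) % size
        j = (j + s[i]) % size
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) % size]


def rc4n_encrypt(key: bytes, data: bytes, n: int = 8) -> bytes:
    """XOR data with the keystream. For n = 8 this is standard RC4, so the
    same call decrypts."""
    ks = rc4n_prga(rc4n_ksa(key, n), n)
    return bytes(b ^ next(ks) for b in data)


def keystream_cycle_length(key: bytes, n: int) -> int:
    """Period of the keystream of a tiny RC4-n: step the PRGA from the KSA
    output until the full (S, i, j) state repeats. The state space has
    (2^n)! * 4^n elements, so this is only feasible for n <= 3 or so."""
    size = 1 << n
    s = rc4n_ksa(key, n)
    i = j = 0
    seen = {}
    step = 0
    while (tuple(s), i, j) not in seen:
        seen[(tuple(s), i, j)] = step
        i = (i + 1) % size
        j = (j + s[i]) % size
        s[i], s[j] = s[j], s[i]
        step += 1
    # The PRGA step is invertible, so the first repeat is the start state.
    return step - seen[(tuple(s), i, j)]


if __name__ == "__main__":
    # Standard RC4 test vector: key "Key", plaintext "Plaintext".
    print(rc4n_encrypt(b"Key", b"Plaintext").hex())   # bbf316e8d940af0ad3
    # A 2-bit RC4 has 4! * 16 = 384 states, so its period is at most 384.
    print(keystream_cycle_length(b"Key", 2))
```

The full-size cycle structure is what the paper analyses; the point of the scaled-down generator is that every statistic of interest (period, distinguishability from random, state recovery from a keystream prefix) can be measured exactly for n = 2 or 3 and then extrapolated.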


Book ChapterDOI
31 May 1998
TL;DR: This paper drastically improves on previous cryptanalysis of RC5 through a novel partial differential approach, and shows that the 64-bit word version of the cipher is also much weaker than was expected.
Abstract: RC5 is a fast block cipher designed by Ron Rivest in 1994. Since then several attempts at cryptanalysis of this cipher have been published. The best previously known attack requires 2^54 chosen plaintexts in order to derive the full set of 25 subkeys for the 12-round RC5 with 32-bit words. In this paper we show a drastic improvement of these results due to a novel partial differential approach. Our attack requires 2^44 chosen plaintexts. We show that the 64-bit word version of RC5 is also much weaker than was expected.

98 citations


Book ChapterDOI
23 Aug 1998
TL;DR: Using recent results from coding theory, it is shown how to break block ciphers operating on GF(q) whose ciphertext is expressible as evaluations of an unknown univariate polynomial of low degree m in the plaintext with a typically low but non-negligible probability μ.
Abstract: Using recent results from coding theory, it is shown how to break block ciphers operating on GF(q) where the ciphertext is expressible as evaluations of an unknown univariate polynomial of low degree m over the plaintext with a typically low but non-negligible probability μ. The method employed is essentially Sudan's algorithm for decoding Reed-Solomon codes beyond the error-correction diameter. The known-plaintext attack needs n = 2m/μ^2 plaintext/ciphertext pairs and the running time is polynomial in n. Furthermore, it is shown how to discover more general non-linear relations p(x, y) = 0 between plaintext x and ciphertext y that hold with small probability μ. The second attack needs access to n = (2m/μ)^2 plaintext/ciphertext pairs where m = deg p and its running time is also polynomial in n. As a demonstration, we break up to 10 rounds of a cipher constructed by Nyberg and Knudsen provably secure against differential and linear cryptanalysis.

73 citations


Dissertation
01 Jan 1998
TL;DR: Various optimisation heuristics were found to provide a successful method of automated cryptanalysis of a variety of classical ciphers and to enhance existing fast correlation attacks on certain stream ciphers.
Abstract: The aim of the research presented in this thesis is to investigate the use of various optimisation heuristics in the fields of automated cryptanalysis and automated cryptographic function generation. These techniques were found to provide a successful method of automated cryptanalysis of a variety of the classical ciphers. Also, they were found to enhance existing fast correlation attacks on certain stream ciphers. A previously proposed attack of the knapsack cipher is shown to be flawed due to the absence of a suitable solution evaluation mechanism. Finally, a new approach for finding highly nonlinear Boolean functions is introduced.

57 citations


Book ChapterDOI
17 Aug 1998
TL;DR: A search algorithm is proposed for constructing the optimal linear transformation layer of a 2-round SPN round function, using a matrix representation, so as to minimize the maximum differential and linear probabilities p, q; for n = 8 it yields a layer with p ≤ p_s^5 and q ≤ q_s^5, where p_s, q_s are the maximum differential and linear probabilities of the S-box.
Abstract: In this paper, we study a strategy for constructing fast and practically secure round functions that yield sufficiently small values of the maximum differential and linear probabilities p, q. We consider mn-bit round functions with 2-round SPN structure for Feistel ciphers. In this strategy, we regard a linear transformation layer as an n × n matrix P over {0,1}. We describe the relationship between the matrix representation and the actual construction of the linear transformation layer. We propose a search algorithm for constructing the optimal linear transformation layer by using the matrix representation in order to minimize probabilities p, q as much as possible. Furthermore, by this algorithm, we determine the optimal linear transformation layer that provides p ≤ p_s^5, q ≤ q_s^5 in the case of n = 8, where p_s, q_s denote the maximum differential and linear probabilities of the s-box.

49 citations


Book ChapterDOI
23 Mar 1998
TL;DR: This paper describes the block cipher RC2, designed in 1989 by Ron Rivest for RSA Data Security Inc., and reports preliminary attempts to apply differential and linear cryptanalysis to it.
Abstract: The block cipher RC2 was designed in 1989 by Ron Rivest for RSA Data Security Inc. In this paper we describe both the cipher and preliminary attempts to use both differential and linear cryptanalysis.

Book ChapterDOI
23 Aug 1998
TL;DR: In this article, the authors present a method for efficient conversion of chosen plaintext attacks into the more practical known plaintext and ciphertext-only attacks, and demonstrate the effectiveness of their method by practical attacks on the block-cipher Madryga and on round-reduced versions of RC5 and DES.
Abstract: We present a method for efficient conversion of differential (chosen plaintext) attacks into the more practical known plaintext and ciphertext-only attacks. Our observation may save up to a factor of 2^20 in data over the known methods, assuming that plaintext is ASCII encoded English (or some other types of highly redundant data). We demonstrate the effectiveness of our method by practical attacks on the block-cipher Madryga and on round-reduced versions of RC5 and DES.

Patent
Chang-Hyi Lee1, Cha Young-Tae1
11 Jun 1998
TL;DR: This patent describes a round-function structure for a Feistel-type (DES-like) block cipher in which the round input is divided into 8-bit sub-blocks; each sub-block except the first is combined with the output of the previous S-box before entering a 256×8 S-box, and the resulting block is rotated by 8 bits.
Abstract: The present invention relates to a block cipher algorithm based on the prior Feistel-type block cipher algorithm (or similar to the DES algorithm). Usually the security of a Feistel-type block cipher algorithm depends on the structure of its round function. More specifically, the present invention relates to the round function structure of the Feistel-type block cipher algorithm, in which the round input data block is divided into 8-bit blocks and the divided sub-blocks are fed, combined with the output data of the previous S-box, into a 256×8 S-box, except for the first input sub-data block. The first sub-data block is fed directly into the first S-box. The total output data block, after these steps, is rotated by 8 bits and this rotated result is the output of the current round function.

01 Jan 1998
TL;DR: The proposed candidate - called DFC as for "Decorrelated Fast Cipher" - is based on the recent decorrelation technique and provides provable security against several classes of attacks which include Differential Cryptanalysis and Linear Cryptanalysis.
Abstract: This report presents a response to the call for candidates issued by the National Institute for Standards and Technologies (the Advanced Encryption Standard project). The proposed candidate - called DFC as for "Decorrelated Fast Cipher" - is based on the recent decorrelation technique. This provides provable security against several classes of attacks which include Differential Cryptanalysis and Linear Cryptanalysis.

Journal Article
TL;DR: The effectiveness of the method for efficient conversion of differential (chosen plaintext) attacks into the more practical known plaintext and ciphertext-only attacks is demonstrated.
Abstract: We present a method for efficient conversion of differential (chosen plaintext) attacks into the more practical known plaintext and ciphertext-only attacks. Our observation may save up to a factor of 2^20 in data over the known methods, assuming that plaintext is ASCII encoded English (or some other types of highly redundant data). We demonstrate the effectiveness of our method by practical attacks on the block-cipher Madryga and on round-reduced versions of RC5 and DES.

Book ChapterDOI
17 Aug 1998
TL;DR: This paper shows how to achieve similar decorrelation with a prime p = 2^n(1 - δ) and proposes a new practical block cipher which is provably resistant against differential and linear cryptanalysis.
Abstract: Recently, we showed how to strengthen block ciphers by decorrelation techniques. In particular, we proposed two practical block ciphers, one based on the GF(2^n)-arithmetics, the other based on the x mod p mod 2^n primitive with a prime p = 2^n(1 + δ). In this paper we show how to achieve similar decorrelation with a prime p = 2^n(1 - δ). For this we have to change the choice of the norm in the decorrelation theory and replace the L∞ norm by the L2 norm. We propose a new practical block cipher which is provably resistant against differential and linear cryptanalysis.
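
The x mod p mod 2^n primitive named here, and the "simple combinatorial measurement" of the earlier decorrelation entry (COCONUT and PEANUT), worked through on toy parameters as an added example; this is not code from the decorrelation papers or from DFC. The module is assumed to be the affine map y = ((a·x + b) mod p) mod 2^n with key (a, b), taken here with n = 4 and p = 17 = 2^n(1 + δ). For one fixed pair of distinct inputs, enumerating every key gives the exact joint distribution of the two outputs; its distance from the uniform distribution, in the L∞ or L2 norm the abstract mentions, is the pairwise ("order 2") statistic the decorrelation measure bounds. With x1 ≠ x2 mod p the map (a, b) ↦ (a·x1 + b, a·x2 + b) mod p is a bijection of Z_p^2, so the only non-uniformity comes from the residues ≥ 2^n being folded back onto the low values.

```python
import math
from collections import Counter
from itertools import product
from typing import Dict, Tuple

N_BITS = 4
P = 17  # toy p = 2^n(1 + delta): the smallest prime above 2^4 = 16 (our choice)


def decor_module(a: int, b: int, x: int, p: int = P, n_bits: int = N_BITS) -> int:
    """Assumed shape of the decorrelation module: y = ((a*x + b) mod p) mod 2^n."""
    return ((a * x + b) % p) & ((1 << n_bits) - 1)


def pair_distribution(x1: int, x2: int, p: int = P,
                      n_bits: int = N_BITS) -> Dict[Tuple[int, int], int]:
    """Joint distribution of (y1, y2) = (F_k(x1), F_k(x2)) over all p^2 keys
    k = (a, b). Exhaustive enumeration: only feasible for toy parameters."""
    counts: Counter = Counter()
    for a, b in product(range(p), repeat=2):
        y1 = decor_module(a, b, x1, p, n_bits)
        y2 = decor_module(a, b, x2, p, n_bits)
        counts[(y1, y2)] += 1
    return counts


def _deviations(x1: int, x2: int, p: int, n_bits: int):
    """Per-output-pair deviation of the observed probability from 1/(2^n)^2.
    x1 == x2 is rejected: then y1 == y2 always and the statistic is meaningless."""
    if x1 == x2:
        raise ValueError("pairwise statistic needs distinct inputs")
    counts = pair_distribution(x1, x2, p, n_bits)
    size = 1 << n_bits
    total = p * p
    uniform = 1.0 / (size * size)
    return [counts.get((y1, y2), 0) / total - uniform
            for y1 in range(size) for y2 in range(size)]


def max_pair_bias(x1: int, x2: int, p: int = P, n_bits: int = N_BITS) -> float:
    """L_inf distance to the uniform pair distribution (0 for a perfectly
    pairwise-independent, i.e. order-2 decorrelated, function)."""
    return max(abs(d) for d in _deviations(x1, x2, p, n_bits))


def l2_pair_bias(x1: int, x2: int, p: int = P, n_bits: int = N_BITS) -> float:
    """The same deviation measured in the L2 norm."""
    return math.sqrt(sum(d * d for d in _deviations(x1, x2, p, n_bits)))


if __name__ == "__main__":
    dist = pair_distribution(3, 5)
    # Reducing mod 2^n folds residue 16 onto 0, so (0, 0) is seen 4 times,
    # (0, y) and (y, 0) twice, and every other pair exactly once.
    print(dist[(0, 0)], dist[(0, 7)], dist[(7, 9)])   # 4 2 1
    print(max_pair_bias(3, 5), l2_pair_bias(3, 5))
```

For real parameters (n = 64, p just above 2^64) the same fold affects only a 2^-64 fraction of the residues, which is where the provable bound on differential and linear attacks comes from; the toy instance only makes the shape of the argument visible.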

Journal Article
TL;DR: This paper gives a short overview of the state of the art of secret-key block ciphers, focusing on their main application, encryption, and on the two most important known attacks, linear and differential cryptanalysis.
Abstract: In this paper we give a short overview of the state of the art of secret key block ciphers. We focus on the main application of block ciphers, namely for encryption. The most important known attacks on block ciphers are linear cryptanalysis and differential cryptanalysis. Linear cryptanalysis makes use of so-called linear hulls, i.e., the parity of a subset of ciphertext bits with a probability sufficiently far away from one half. Differential cryptanalysis makes use of so-called differentials (A, B), i.e., a pair of plaintexts with difference A, which after a certain number of rounds result in a difference B with a high probability. The hulls and differentials can be used to derive (parts of) the secret key.


Journal Article
TL;DR: A new block cipher is proposed that is almost as fast as DES on a wide range of platforms, yet conjectured to be at least as secure as three-key triple-DES.
Abstract: We propose a new block cipher as a candidate for the Advanced Encryption Standard. Its design is highly conservative, yet still allows a very efficient implementation. It uses the well-understood DES S-boxes in a new structure that simultaneously allows a more rapid avalanche, a more efficient bitslice implementation, and an easy analysis that enables us to demonstrate its security against all known types of attack. With a 128-bit block size and a 256-bit key, it is almost as fast as DES on a wide range of platforms, yet conjectured to be at least as secure as three-key triple-DES.

Journal Article
TL;DR: In this paper, the authors improved this attack to reduce both of the required chosen plaintexts and running time, and applied it to the cryptanalysis of the KN' cipher.
Abstract: Since the proposal of differential cryptanalysis and linear cryptanalysis in 1991 and 1993, respectively, the resistance to these cryptanalyses has been studied for many cryptosystems. Moreover, some block ciphers with provable security against differential and linear cryptanalysis have been proposed. One of them is the KN cipher proposed by Knudsen and Nyberg. The KN cipher is a prototype cipher with provable security against ordinary differential cryptanalysis, and has been proved to be secure against linear cryptanalysis, too. Recently a new method of attacking block ciphers, the higher order differential attack, was proposed, and Jakobsen and Knudsen showed that the KN cipher can be attacked by this method in FSE4. In this paper, we improve this attack to reduce both the required chosen plaintexts and the running time, and apply it to the cryptanalysis of the KN' cipher. We show that, for the attack on the KN cipher with 6 rounds, the number of required chosen plaintexts can be reduced by half and the running time reduced from 2^41 to 2^14, and that all round keys can be derived in only 0.02 seconds on a Sun Ultra (UltraSPARC 170MHz).

Book ChapterDOI
17 Aug 1998
TL;DR: It is shown that a 5-round CAST cipher is breakable with 2^16 chosen plaintexts and fewer than 2^24 round-function computations, half the values reported at Fast Software Encryption Workshop '98.
Abstract: This paper introduces an improved higher order differential attack using chosen higher order differences. We can find a lower order of the higher order differential by choosing higher order differences. It follows that the designers of a block cipher can evaluate the lower bound of the number of chosen plaintexts and the complexity required for the higher order differential attack. We demonstrate an improved higher order differential attack on a CAST cipher with 5 rounds using chosen higher order differences with fewer chosen plaintexts and less complexity. Concretely, we show that a CAST cipher with 5 rounds is breakable with 2^16 plaintexts and < 2^24 times the computation of the round function, which halves the values reported in Fast Software Encryption Workshop '98. We also show that it is breakable with 2^13 plaintexts and about 2^44 times the computation of the round function, which are 1/16 of those reported in Fast Software Encryption Workshop '97.
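
Both higher order differential entries above (the improved attack on the KN cipher and the chosen higher order differences against CAST) rest on one algebraic fact: the k-th order derivative of a function of algebraic degree d is constant for k = d and identically zero for k > d, independently of the key, so a sum of ciphertexts over a (d+1)-dimensional affine subspace of plaintexts is a key-free relation that can be used to test round-key guesses. As an added example, not code from either paper, the script below checks this for cubing in GF(2^8). The KN cipher's round function cubes in GF(2^33); the smaller field and the AES reduction polynomial x^8 + x^4 + x^3 + x + 1 are our choice for illustration. Since x^3 = x·x^2 and squaring is GF(2)-linear, cubing is quadratic in the input bits, and `algebraic_degree` recovers that degree by testing which basis-direction derivatives vanish.

```python
from itertools import combinations, product
from typing import Callable, Sequence, Tuple, Optional


def gf_mul(a: int, b: int, poly: int = 0x11B) -> int:
    """Multiply in GF(2^8) modulo the AES reduction polynomial (our choice)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= poly
        b >>= 1
    return r


def gf_pow(x: int, e: int) -> int:
    """x^e in GF(2^8) by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, x)
        x = gf_mul(x, x)
        e >>= 1
    return r


def cube(x: int) -> int:
    """x^3 = x * x^2: quadratic as a function of the input bits."""
    return gf_mul(x, gf_mul(x, x))


def higher_order_derivative(f: Callable[[int], int], a: int,
                            directions: Sequence[int]) -> int:
    """D_{u1} ... D_{uk} f(a): XOR of f over the affine subspace a + span(u_i).
    The u_i should be linearly independent so the subspace has 2^k points."""
    acc = 0
    for coeffs in product((0, 1), repeat=len(directions)):
        x = a
        for c, u in zip(coeffs, directions):
            if c:
                x ^= u
        acc ^= f(x)
    return acc


def derivative_is_constant(f: Callable[[int], int], directions: Sequence[int],
                           n_bits: int = 8) -> Tuple[bool, Optional[int]]:
    """(True, value) if the derivative along `directions` is the same at every
    point of {0,1}^n, else (False, None). A constant k-th order derivative is
    exactly the key-independent relation a higher order differential attack uses."""
    vals = {higher_order_derivative(f, a, directions) for a in range(1 << n_bits)}
    return (True, vals.pop()) if len(vals) == 1 else (False, None)


def algebraic_degree(f: Callable[[int], int], n_bits: int = 8) -> int:
    """Algebraic degree of f (max over its output bits). The derivative along
    basis directions e_i1..e_ik vanishes identically iff no ANF monomial of any
    output bit contains all of x_i1..x_ik; since that derivative depends only
    on the coordinates outside the chosen directions, evaluating it at points
    with those coordinates zero suffices."""
    basis = [1 << i for i in range(n_bits)]
    for k in range(n_bits, 0, -1):
        for dirs in combinations(basis, k):
            mask = sum(dirs)
            if any(higher_order_derivative(f, a, dirs)
                   for a in range(1 << n_bits) if not a & mask):
                return k
    return 0


if __name__ == "__main__":
    # Second-order derivative of x^3 is u1*u2*(u1+u2), the same at every point;
    # the third-order derivative is 0 everywhere.
    print(derivative_is_constant(cube, (1, 2)))       # (True, 6)
    print(derivative_is_constant(cube, (1, 2, 4)))    # (True, 0)
    print(algebraic_degree(cube), algebraic_degree(lambda x: gf_pow(x, 254)))
```

The attack-side consequence: r rounds of a cipher whose round function has degree d have degree at most d^r, so the attacker sums ciphertexts over a subspace of dimension d^r + 1 and checks, for each guess of the last round key, whether the partially decrypted sum is zero; the CAST paper's "chosen higher order differences" are about picking the directions so that the order needed is as low as possible.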

Book ChapterDOI
23 Mar 1998
TL;DR: It is shown that low Hamming weighted differences can be used to perform a practical, key dependent, differential attack on ICE, finding that the keyed permutation is not as effective as it was conjectured to be.
Abstract: ICE is a 64-bit block cipher presented at the Fast Software Encryption Workshop in January 1997. It introduced the concept of a keyed permutation to improve the resistance against differential and linear cryptanalysis. In this paper we will show however that we can use low Hamming weighted differences to perform a practical, key dependent, differential attack on ICE. The main conclusion is that the keyed permutation is not as effective as it was conjectured to be.

Journal Article
TL;DR: In this article, it was shown that the keyed permutation is not as effective as it was conjectured to be and that low Hamming weighted differences can be used to perform a key dependent, differential attack on ICE.
Abstract: ICE is a 64-bit block cipher presented at the Fast Software Encryption Workshop in January 1997. It introduced the concept of a keyed permutation to improve the resistance against differential and linear cryptanalysis. In this paper we will show however that we can use low Hamming weighted differences to perform a practical, key dependent, differential attack on ICE. The main conclusion is that the keyed permutation is not as effective as it was conjectured to be.

Book ChapterDOI
01 Jul 1998
TL;DR: A secure method for subkey selection based on the use of a one-way function is presented and this technique is analysed as a method for generating subkeys for the DES algorithm.
Abstract: In this paper a framework for classifying iterative symmetric block ciphers based on key schedules is provided. We use this framework to classify most of the standard iterative block ciphers. A secure method for subkey selection based on the use of a one-way function is presented. This technique is analysed as a method for generating subkeys for the DES algorithm.

Book ChapterDOI
18 Oct 1998
TL;DR: Using the discrete Fourier transform, this work presents here a quantitative criterion of security against the Davies and Murphy attack.
Abstract: In recent years, three main types of attacks have been developed against Feistel-based ciphers, such as DES[1]; these attacks are linear cryptanalysis[2], differential cryptanalysis[3], and the Davies and Murphy attack[4]. Using the discrete Fourier transform, we present here a quantitative criterion of security against the Davies and Murphy attack. Similar work has been done on linear and differential cryptanalysis[5,11].

01 Jan 1998
TL;DR: This thesis derives expressions for the expected size of the maximum XOR table entry and the maximum Linear Approximation Table entry for some combinatorial structures of interest such as regular (balanced) mappings, and injective mappings and relates different forms of information leakage to the spectral properties of the function.
Abstract: In this thesis we study various cryptographic properties of boolean mappings from n bits to m bits. In particular, we derive expressions for the expected size of the maximum XOR table entry and the maximum Linear Approximation Table entry for some combinatorial structures of interest such as regular (balanced) mappings, and injective mappings. We derive similar expressions for the expected value of different forms of information leakage and relate different forms of information leakage to the spectral properties of the function. We also extend the definitions of many cryptographic criteria to multi-output boolean functions and study the relationship between the Walsh-Hadamard transform and various types of information leakage. A new construction method for highly nonlinear injective s-boxes is presented. It is shown that the resistance of CAST-like encryption algorithms (based on randomly selected substitution boxes) to the basic linear cryptanalysis was underestimated in previous work. We introduce a new class of Substitution Permutation Networks (SPNs) with the advantage that the same network can be used to perform both the encryption and the decryption operations. Different cryptographic properties of this class such as resistance to both linear and differential cryptanalysis are examined. We also present two construction methods for involution linear transformations for SPNs based on Maximum Distance Separable codes. An analytical model for the avalanche characteristics of SPNs with different linear transformation layers is developed. We also prove a conjecture by Cusick regarding the number of functions satisfying the Strict Avalanche Criterion.
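
The XOR table and Linear Approximation Table of this thesis, the differentials and linear hulls of the block-cipher overview above, and the per-S-box probabilities p_s, q_s of the round-function strategy entry all start from the same two tables of a single S-box. As an added example, not code from any of these papers, the script below builds both for DES S-box S5 and reads off the maximum differential probability and the maximum linear bias. S5 is used because its input-mask-16 / output-mask-15 approximation, which holds for only 12 of the 64 inputs, is the one Matsui's linear cryptanalysis of DES is built on, so the LAT entry can be checked against a known value. The row/column indexing (outer input bits select the row) is the standard DES convention.

```python
from typing import Callable, List

# DES S-box S5 (FIPS 46): four rows of 16 entries; 6-bit input, 4-bit output.
DES_S5 = [
    [2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
    [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
    [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
    [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3],
]


def des_sbox(table: List[List[int]], x: int) -> int:
    """Standard DES indexing: outer bits (b5, b0) select the row, the middle
    four bits select the column."""
    row = ((x >> 5) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]


def s5(x: int) -> int:
    return des_sbox(DES_S5, x)


def parity(v: int) -> int:
    return bin(v).count("1") & 1


def xor_table(sbox: Callable[[int], int], n_in: int, n_out: int) -> List[List[int]]:
    """Difference distribution table: entry [a][b] = #{x : S(x) ^ S(x ^ a) == b}.
    Row 0 is the trivial (0 -> 0) difference; every other entry is even because
    x and x ^ a contribute the same output difference."""
    t = [[0] * (1 << n_out) for _ in range(1 << n_in)]
    for a in range(1 << n_in):
        for x in range(1 << n_in):
            t[a][sbox(x) ^ sbox(x ^ a)] += 1
    return t


def linear_approximation_table(sbox: Callable[[int], int],
                               n_in: int, n_out: int) -> List[List[int]]:
    """LAT: entry [alpha][beta] = #{x : parity(x & alpha) == parity(S(x) & beta)}.
    An entry of 2^(n_in - 1) means no correlation; the deviation from it is
    the bias of the linear approximation (alpha, beta)."""
    t = [[0] * (1 << n_out) for _ in range(1 << n_in)]
    for alpha in range(1 << n_in):
        for x in range(1 << n_in):
            sx = sbox(x)
            for beta in range(1 << n_out):
                if parity(x & alpha) == parity(sx & beta):
                    t[alpha][beta] += 1
    return t


def max_differential_probability(ddt: List[List[int]], n_in: int) -> float:
    """p_s: largest DDT entry over non-zero input differences, divided by 2^n_in."""
    return max(max(row) for row in ddt[1:]) / (1 << n_in)


def max_linear_bias(lat: List[List[int]], n_in: int) -> float:
    """Largest |count - 2^(n-1)| / 2^n over all (alpha, beta) != (0, 0).
    The linear probability q_s used in provable-security bounds is 4 * bias^2."""
    half = 1 << (n_in - 1)
    best = 0
    for alpha, row in enumerate(lat):
        for beta, c in enumerate(row):
            if (alpha, beta) != (0, 0):
                best = max(best, abs(c - half))
    return best / (1 << n_in)


if __name__ == "__main__":
    ddt = xor_table(s5, 6, 4)
    lat = linear_approximation_table(s5, 6, 4)
    print("LAT[16][15] =", lat[16][15])                    # 12, i.e. bias -20/64
    print("p_s =", max_differential_probability(ddt, 6))
    print("max linear bias =", max_linear_bias(lat, 6))
```

The thesis's question is what these maxima look like for a randomly chosen balanced or injective mapping rather than for a hand-designed S-box; the same two functions, run over many random tables, give the empirical distribution those expected-value expressions describe.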

Book ChapterDOI
14 Sep 1998
TL;DR: The implementation of DFC as for “Decorrelated Fast Cipher” is made on a very low cost smart card based on the Motorola 6805 processor and the performances obtained prove that DFC is also well suited for low cost devices applications.
Abstract: In response to the call for candidates issued by the National Institute for Standards and Technologies (the Advanced Encryption Standard project) the Ecole Normale Superieure proposed a candidate called DFC as for “Decorrelated Fast Cipher”, based on the decorrelation technique that provides provable security against several classes of attacks (in particular the basic version of Biham and Shamir’s Differential Cryptanalysis as well as Matsui’s Linear Cryptanalysis). From a practical point of view, this algorithm is naturally very efficient when it is implemented on 64-bit processors. In this paper, we describe the implementation we made of DFC on a very low cost smart card based on the Motorola 6805 processor. The performances we obtain prove that DFC is also well suited for low cost devices applications.

Book ChapterDOI
17 Aug 1998
TL;DR: The method discussed uses bits of the primary key to directly manipulate the s-boxes in such a way that their contents are changed but their cryptographic properties are preserved, so a stronger cipher with identical encryption / decryption performance characteristics may be constructed with little additional overhead or computational complexity.
Abstract: This paper discusses a method of enhancing the security of block ciphers which use s-boxes, a group which includes the ciphers DES, CAST-128, and Blowfish. We focus on CAST-128 and consider Blowfish; Biham and Biryukov [2] have made some similar proposals for DES. The method discussed uses bits of the primary key to directly manipulate the s-boxes in such a way that their contents are changed but their cryptographic properties are preserved. Such a strategy appears to significantly strengthen the cipher against certain attacks, at the expense of a relatively modest one-time computational procedure during the set-up phase. Thus, a stronger cipher with identical encryption / decryption performance characteristics may be constructed with little additional overhead or computational complexity.

Book
18 Sep 1998
TL;DR: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack and novel protocols for verifiable signature sharing and other applications are presented.
Abstract: Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1.- A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack.- Relations among notions of security for public-key encryption schemes.- Cryptography and the internet.- Differential collisions in SHA-0.- From differential cryptanalysis to ciphertext-only attacks.- A simplified approach to threshold and proactive RSA.- New efficient and secure protocols for verifiable signature sharing and other applications.- Trading correctness for privacy in unconditional multi-party computation.- Fast digital identity revocation.- Self-delegation with controlled propagation - or - What if you lose your laptop.- Identity escrow.- Generalized birthday attacks on unbalanced Feistel networks.- Quadratic relation of S-box and its application to the linear attack of full round DES.- Cryptanalysis of block ciphers with probabilistic non-linear relations of low degree.- Cryptanalysis of the Ajtai-Dwork cryptosystem.- Cryptanalysis of the Chor-Rivest cryptosystem.- Cryptanalysis of the oil and vinegar signature scheme.- From unpredictability to indistinguishability: A simple construction of pseudo-random functions from MACs.- Many-to-one trapdoor functions and their relation to public-key cryptosystems.- Authentication, enhanced security and error correcting codes.- An efficient discrete log pseudo random generator.- Fast RSA-type cryptosystem modulo p^k q.- An elliptic curve implementation of the finite field digital signature algorithm.- Quantum bit commitment from a physical assumption.- On concrete security treatment of signatures derived from identification.- Building PRFs from PRPs.- Security amplification by composition: The case of doubly-iterated, ideal ciphers.- On the existence of 3-round zero-knowledge protocols.- Zero-knowledge proofs for finite field arithmetic, or: Can zero-knowledge be for free?.- Concurrent zero-knowledge: Reducing the need for timing constraints.- The solution of McCurley's discrete log challenge.- Optimal extension fields for fast arithmetic in public-key algorithms.- Time-stamping with binary linking schemes.- Threshold traitor tracing.