Results 1–10 of 26
Short signatures from the Weil pairing
2001
Cited by 743 (28 self)
Abstract. We introduce a short signature scheme based on the Computational Diffie-Hellman assumption on certain elliptic and hyperelliptic curves. The signature length is half the size of a DSA signature for a similar level of security. Our short signature scheme is designed for systems where signatures are typed in by a human or signatures are sent over a low-bandwidth channel.
Squealing Euros: Privacy Protection in RFID-Enabled Banknotes
Financial Cryptography ’03, 2002
Cited by 107 (13 self)
Thanks to their broad international acceptance and availability in high denominations, there is widespread concern that Euro banknotes may provide an attractive new currency for criminal transactions.
Essential algebraic structure within the AES
2002
Cited by 76 (7 self)
Abstract. One difficulty in the cryptanalysis of the Advanced Encryption Standard AES is the tension between operations in the two fields GF(2^8) and GF(2). This paper outlines a new approach that avoids this conflict. We define a new block cipher, the BES, that uses only simple algebraic operations in GF(2^8). Yet the AES can be regarded as being identical to the BES with a restricted message space and key space, thus enabling the AES to be realised solely using simple algebraic operations in one field GF(2^8). This permits the exploration of the AES within a broad and rich setting. One consequence is that AES encryption can be described by an extremely sparse overdetermined multivariate quadratic system over GF(2^8), whose solution would recover an AES key.
The security of Hidden Field Equations (HFE)
In The Cryptographer’s Track at RSA Conference 2001, volume 2020 of Lecture Notes in Computer Science, 2001
Cited by 31 (2 self)
Abstract. We consider the basic version of the asymmetric cryptosystem HFE from Eurocrypt 96. We propose a notion of nontrivial equations as a tentative to account for a large class of attacks on one-way functions. We found equations that give experimental evidence that basic HFE can be broken in expected polynomial time for any constant degree d. It has been independently proven by Shamir and Kipnis [Crypto’99]. We designed and implemented a series of new advanced attacks that are much more efficient than the Shamir-Kipnis attack. They are practical for HFE degree d ≤ 24 and realistic up to d = 128. The 80-bit, $500 Patarin’s 1st challenge on HFE can be broken in about 2^62. Our attack is subexponential and requires n^{(3/2) log d} computations. The original Shamir-Kipnis attack was in at least n^{log^2 d}. We show how to improve the Shamir-Kipnis attack, by using a better method of solving the involved algebraical problem MinRank. It then becomes n^{3 log d + O(1)}. All attacks fail for modified versions of HFE: HFE- (Asiacrypt’98), HFEv (Eurocrypt’99), Quartz (RSA’2000) and even for Flash (RSA’2000).
On the security of HFE, HFEv and Quartz
In Proceedings of PKC 2003, volume 2567 of LNCS, 2003
Cited by 19 (0 self)
Abstract. Quartz is a signature scheme based on an HFEv trapdoor
Efficient Zero-knowledge Authentication Based on a Linear Algebra Problem MiniRank
Advances in Cryptology – ASIACRYPT 2001, volume 2248 of Lecture Notes in Computer Science, 2001
Cited by 14 (0 self)
A Zero-knowledge protocol provides provably secure entity authentication based on a hard computational problem. Among many schemes proposed since 1984, the most practical rely on factoring and discrete log, but still they are practical schemes based on NP-hard problems. Among them,
Short Signatures, Provable Security and Generic Attacks for Multivariate Polynomial Schemes such as HFE, Quartz and Sflash
IACR Eprint, 2004
Cited by 10 (0 self)
The object of this paper is the concrete security of recent multivariate signature schemes. A major challenge is to reconcile some "tricky" ad-hoc constructions that allow to make short signatures, with regular provable security. The paper is composed of two parts.
New Paradigms in Signature Schemes
2005
Cited by 9 (1 self)
Digital signatures provide authenticity and non-repudiation. They are a standard cryptographic primitive with many applications in higher-level protocols. Groups featuring a computable bilinear map are particularly well suited for signature-related primitives. For some signature variants the only construction known uses bilinear maps. Where constructions based on, e.g., RSA are known, bilinear-map-based constructions are simpler, more efficient, and yield shorter signatures. We describe several constructions that support this claim. First, we present the Boneh-Lynn-Shacham (BLS) short signature scheme. BLS signatures with 1024-bit security are 160 bits long, the shortest of any scheme based on standard assumptions. Second, we present Boneh-Gentry-Lynn-Shacham (BGLS) aggregate signatures. In an aggregate signature scheme it is possible to combine n signatures on n distinct messages from n distinct users into a single aggregate that provides non-repudiation for all of them. BGLS aggregates are 160 bits long, regardless of how many signatures are aggregated. No construction is known for aggregate signatures that does not employ bilinear maps. BGLS aggregates give rise to verifiably encrypted signatures, a signature variant with applications in contract signing.
Algebraic attacks over GF(2^k), application to HFE challenge 2 and Sflash-v2
PKC 2004, LNCS, 2004
Cited by 9 (1 self)
Abstract. The problem MQ of solving a system of multivariate quadratic equations over a finite field is relevant to the security of AES and for several public key cryptosystems. For example Sflash, the fastest known signature scheme (cf. [1]), is based on MQ equations over GF(2^7), and Patarin’s $500 HFE Challenge 2 is over GF(2^4). Similarly, the fastest alleged algebraic attack on AES due to Courtois, Pieprzyk, Murphy and Robshaw uses a MQ system over GF(2^8). At present very little is known about practical solvability of such systems of equations over GF(2^k). The XL algorithm for Eurocrypt 2000 was initially studied over GF(p), and only recently in two papers presented at CT-RSA’02 and ICISC’02 the behaviour of XL is studied for systems of equations over GF(2). In this paper we show (as expected) that XL over GF(2^k), k > 1 (never studied so far) does not always work very well. The reason is the existence of additional roots to the system in the extension field, which is closely related to the remark made by Moh, claiming that the XSL attack on AES cannot work. However, we explain that the specific set of equations proposed by Murphy and Robshaw already contains a structure that removes the problem. From this, we deduce a method to modify XL so that it works much better over GF(2^k). In addition we show how to break the signature scheme Sflash-v2 recently selected by the European consortium Nessie, by three different methods derived from XL. Our fastest attack is in 2^58. All the three attacks apply also to HFE Challenge 2, and our best attack is in 2^63. Key Words: Multivariate quadratic equations, MQ problem, overdefined systems of multivariate equations, XL algorithm, Gröbner bases, algebraic
Fast Exhaustive Search for Polynomial Systems in F2
Cited by 8 (4 self)
Abstract. We analyze how fast we can solve general systems of multivariate equations of various low degrees over F2; this is a well known hard problem which is important both in itself and as part of many types of algebraic cryptanalysis. Compared to the standard exhaustive search technique, our improved approach is more efficient both asymptotically and practically. We implemented several optimized versions of our techniques on CPUs and GPUs. Our technique runs more than 10 times faster on modern graphic cards than on the most powerful CPU available. Today, we can solve 48+ quadratic equations in 48 binary variables on a 500-dollar NVIDIA GTX 295 graphics card in 21 minutes. With this level of performance, solving systems of equations supposed to ensure a security level of 64 bits turns out to be feasible in practice with a modest budget. This is a clear demonstration of the computational power of GPUs in solving many types of combinatorial and cryptanalytic problems.