In the last few years, there have been several attempts to build identification protocols that do not rely on arithmetical operations with large numbers but only use simple operations (see [10, 8]). One was presented at the CRYPTO 89 rump session ([8]) and depends on the so-called Permuted Kernel problem (PKP). Another appeared in the CRYPTO 93 proceedings and is based on the syndrome decoding problem (SD) form the theory of error correcting codes ([11]). In this paper, we introduce a new scheme of the same family with the distinctive character that both the secret key and the public identification key can be taken to be of short length. By short, we basically mean the usual size of conventional symmetric cryptosystems. As is known, the possibility of using short keys has been a challenge in public key cryptography and has practical applications. Our scheme relies on a combinatorial problem which we call Constrained Linear Equations (CLE in short) and which consists of solving a set of linear equations modulo some small prime q, the unknowns being subject to belong to a specific subset of the integers mod q. Thus, we enlarge the set of tools that can be used in cryptography.

. Human-machine identification is an important problem in cryptography that has applications in network access, electronic commerce, and smart-card design. It is a hard problem largely because human users have a very limited capacity in memorizing secrets and in performing protocols. Therefore, in addition to the requirement that a human-machine identification scheme must be provably secure, the scheme has to be practical in the sense that it must be feasible for a human user to participate. In this paper, we develop a new scheme for this problem. Our scheme improves upon some of the previously proposed human-machine identification schemes. We present a vigorous security analysis of our scheme. We also present some attacks to show previously proposed schemes could be vulnerable. Keywords: cryptography, human-machine identification, network security. 1. Introduction In several practical applications, it is necessary to "prove" one's identity. There are two interesting cases. (1) a comp...

. In this paper, we analyze the security of two zero-knowledge identification schemes based on combinatorial NP-complete problems, PKP (Shamir [8]) and CLE (Stern [10]). We use two different approaches in order to determine, on one hand, the theoretical limit to the efficiency of the known attacks and, on the other hand, the practical results they permit. Accordingly, we obtain a precise evaluation of which parameters should be chosen today for a secure use of these protocols. 1 Introduction With the advent of zero-knowledge proofs in 1985 (see [5]), several interactive identification schemes have been proposed. The first ones, like the Fiat-Shamir scheme [3], were based on number theoretical problems and used arithmetical operations with large numbers. In 1989, Shamir proposed a protocol of a new nature, PKP (Permuted Kernels Problem [8]), based on an NP-complete problem. The distinctive character of this scheme is its use of small integers and its low requirement in memory and proc...

We outline constructions for both pseudo-random generators and one-way hash functions. These constructions are based on the exact TSP (XTSP), a special variant of the well known traveling salesperson problem. We prove that these constructions are secure if the XTSP is infeasible. Our constructions are easy to implement, appear to be fast, but require a large amount of memory.

Abstract. Quite recently, in [4], a new time-memory tradeoff algorithm was presented. The original goal of this algorithm was to count the number of points on an elliptic curve, however, the authors claimed that their approach could be applied to other problems. In this paper, we describe such an application and show a new way to attack the Permuted Kernel Problem. This new method is faster than any previously known technique but still requires exponential time. In practice, we find that attacking PKP for the original size proposed by Shamir in [6] could be done on a single PC in 125 years. 1

Cryptology is a thriving research area of great practical importance. It is a fundamental building block of communications security. Metaheuristic optimisation techniques such as simulated annealing and genetic algorithms have found successful application in a huge number of fields. However, their application to leading edge industrial-strength cryptology has been slight. The power of metaheuristic search is, however, greatly under-estimated. The research reported here shows how a range of modern-day cryptological problems can be attacked successfully using metaheuristic search. Along the way, the work provides the cryptological researcher with many new approaches to applying metaheuristic search techniques. i Acknowledgements The author would like to thank Dr Jeremy Jacob for his support and encouragement to complete this thesis and to the Department of Computer Science for the sabbatical during which much of the groundwork was laid. I should like to thank Professor Colin Runciman for advice given in his role as assessor; this had a significant impact on my actually completing a thesis. I should like to thank: Dr Subhamoy Maitra for providing advice on correlation immune functions (and change of basis in particular); Dr William Millan for information on best achieved correlation immunity results to date, for providing fast ANF code and for alerting me to leading-edge literature on Boolean functions (and indeed for carrying out much of the work that interested me in this field in the first place); and DERA for sponsoring work that led to the heuristic evolution of security protocols. Thanks must also go to IBM Hursley, DERA, the UK Civil Service, the EPSRC's SEMINAL network and the Security Research Centre in Brisbane for invitations to speak on cryptology and metaheu...

Abstract. The appearance of the theory of zero-knowledge, presented by Goldwasser, Micali and Rackoff in 1985, opened a way to secure identification schemes. The first application was the famous Fiat-Shamir scheme based on the problem of modular square roots extraction. In the following years, many other schemes have been proposed, some Fiat-Shamir extensions but also new discrete logarithm based schemes. Therefore, all of them were based on problems from number theory. Their main common drawback is high computational load because of arithmetical operations modulo large integers. Implementation on low-cost smart cards was made difficult and inefficient. With the Permuted Kernels Problem (PKP), Shamir proposed the first efficient scheme allowing for an implementation on such low-cost smart cards, but very few others have afterwards been suggested. In this paper, we present an efficient identification scheme based on a combinatorial N P-complete problem: the Permuted Perceptrons Problem (PPP). This problem seems hard enough to be unsolvable even with very small parameters, and some recent cryptanalysis studies confirm that position. Furthermore, it admits efficient zero-knowledge proofs of knowledge and so it is well-suited for cryptographic purposes. An actual implementation completes the optimistic opinion about efficiency and practicability on low-cost smart cards, and namely with less than 2KB of EEPROM and just 100 Bytes of RAM and 6.4 KB of communication.