Key Establishment in Large Dynamic Groups Using One-Way Function Trees
1998
Cited by 141 (2 self)
Abstract:
We present and analyze a new algorithm for establishing shared cryptographic keys in large, dynamically changing groups. Our algorithm is based on a novel application of one-way function trees. In comparison with previously published methods, our algorithm achieves a new minimum in the number of bits that need to be broadcast to members in order to re-key after a member is added or evicted. The number of keys stored by group members, the number of keys broadcast to the group when new members are added or evicted, and the computational efforts of group members, are logarithmic in the number of group members. Our algorithm provides complete forward and backwards security: newly admitted group members cannot read previous messages, and evicted members cannot read future messages, even with collusion by arbitrarily many evicted members. This algorithm offers a new scalable method for establishing group session keys for secure large-group applications such as electronic conferences, multica...
Moderately Hard, Memory-bound Functions
In NDSS, 2003
Cited by 72 (1 self)
Abstract:
A resource may be abused if its users incur little or no cost. For example, e-mail abuse is rampant because sending an e-mail has negligible cost for the sender. It has been suggested that such abuse may be discouraged by introducing an artificial cost in the form of a moderately expensive computation. Thus, the sender of an e-mail might be required to pay by computing for a few seconds before the e-mail is accepted. Unfortunately, because of sharp disparities across computer systems, this approach may be ineffective against malicious users with high-end systems, prohibitively slow for legitimate users with low-end systems, or both. Starting from this observation, we research moderately hard functions that most recent systems will evaluate at about the same speed. For this purpose, we rely on memory-bound computations. We describe and analyze a family of moderately hard, memory-bound functions, and we explain how to use them for protecting against abuses.
Boltzmann Samplers For The Random Generation Of Combinatorial Structures
Combinatorics, Probability and Computing, 2004
Cited by 43 (2 self)
Abstract:
This article proposes a surprisingly simple framework for the random generation of combinatorial configurations based on what we call Boltzmann models. The idea is to perform random generation of possibly complex structured objects by placing an appropriate measure spread over the whole of a combinatorial class -- an object receives a probability essentially proportional to an exponential of its size. As demonstrated here, the resulting algorithms based on real-arithmetic operations often operate in linear time. They can be implemented easily, be analysed mathematically with great precision, and, when suitably tuned, tend to be very efficient in practice.
Large deviations of combinatorial distributions II: Local limit theorems
1997
Cited by 30 (5 self)
Abstract:
This paper is a sequel to our paper [17] where we derived a general central limit theorem for probabilities of large deviations applicable to many classes of combinatorial structures and arithmetic functions; we consider corresponding local limit theorems in this paper. More precisely, given a sequence of integral random variables n#1 each of maximal span 1 (see below for definition), we are interested in the asymptotic behavior of the probabilities n = m} (m ∈ N, m = n x n # n , n := n , # n := n ), ##, where x n can tend to with n at a rate that is restricted to O(# n ). Our interest here is not to derive asymptotic expressions for n = m} valid for the widest possible range of m, but to show that for m lying in the interval n O(# n ), very precise asymptotic formulae can be obtained. These formulae are in close connection with our results in [17]. Although local limit theorems receive constant research interest [2, 3, 7, 14, 13, 24], our approach and results, especially Theorem 1, seem rarely discussed in a systematic manner. Recall that a lattice random variable X is said to be of maximal span h if X takes only values of the form b + hk, k ∈ Z, for some constants b and h > 0, and there do not exist b′ and h′ > h such that X takes only values of the form b′ + h′k.
Speeding Up the Discrete Log Computation on Curves With Automorphisms
1999
Cited by 23 (2 self)
Abstract:
We show how to speed up the discrete log computations on curves having automorphisms of large order, thus generalizing the attacks on ABC elliptic curves. This includes the first known attack on CM (hyper)elliptic curves, as well as most of the hyperelliptic curves described in the literature.
On the Analysis of Linear Probing Hashing
1998
Cited by 19 (8 self)
Abstract:
This paper presents moment analyses and characterizations of limit distributions for the construction cost of hash tables under the linear probing strategy. Two models are considered, that of full tables and that of sparse tables with a fixed filling ratio strictly smaller than one. For full tables, the construction cost has expectation O(n^{3/2}), the standard deviation is of the same order, and a limit law of the Airy type holds. (The Airy distribution is a semiclassical distribution that is defined in terms of the usual Airy functions or equivalently in terms of Bessel functions of indices −1/3, 2/3.) For sparse tables, the construction cost has expectation O(n), standard deviation O(√n), and a limit law of the Gaussian type. Combinatorial relations with other problems leading to Airy phenomena (like graph connectivity, tree inversions, tree path length, or area under excursions) are also briefly discussed.
Improving implementable meet-in-the-middle attacks by orders of magnitude
In LNCS, 1996
Cited by 16 (0 self)
Abstract:
Meet-in-the-middle attacks, where problems and the secrets being sought are decomposed into two pieces, have many applications in cryptanalysis. A well-known such attack on double-DES requires 2^56 time and memory; a naive key search would take 2^112 time. However, when the attacker is limited to a practical amount of memory, the time savings are much less dramatic. For n the cardinality of the space that each half of the secret is chosen from (n = 2^56 for double-DES), and w the number of words of memory available for an attack, a technique based on parallel collision search is described which requires O(√(n/w)) times fewer operations and O(n/w) times fewer memory accesses than previous approaches to meet-in-the-middle attacks. For the example of double-DES, an attacker with 16 Gbytes of memory could recover a pair of DES keys in a known-plaintext attack with 570 times fewer encryptions and 3.7×10^6 times fewer memory accesses compared to previous techniques using the same amount of memory. Key words: meet-in-the-middle attack, parallel collision search, cryptanalysis, DES, low Hamming weight exponents.
The Average Case Analysis of Algorithms: Multivariate Asymptotics and Limit Distributions
1997
Cited by 13 (1 self)
Abstract:
This report is part of a series whose aim is to present in a synthetic way the major methods of "analytic combinatorics" needed in the average-case analysis of algorithms. It develops a general approach to the distributional analysis of parameters of elementary combinatorial structures like strings, trees, graphs, permutations, and so on. The methods are essentially analytic and rely on multivariate generating functions, singularity analysis, and continuity theorems. The limit laws that are derived mostly belong to the Gaussian, Poisson, or geometric type.
Short Proofs of Knowledge for Factoring
In PKC 2000, Springer LNCS 1751, 2000
Cited by 12 (4 self)
Abstract:
The aim of this paper is to design a proof of knowledge for the factorization of an integer n. We propose a statistical zero-knowledge protocol similar to proofs of knowledge of discrete logarithm à la Schnorr. The efficiency improvement in comparison with the previously known schemes can be compared with the difference between the Fiat-Shamir scheme and the Schnorr one. Furthermore, the proof can be made non-interactive. From a practical point of view, the improvement is dramatic: the size of such a non-interactive proof is comparable to the size of the integer n and the computational resources needed can be kept low; three modular exponentiations both for the prover and the verifier are enough to reach a high level of security.
This paper appears in the proceedings of PKC2000, LNCS , Springer Verlag, 2000
1 Introduction
Zero-knowledge (ZK) proofs were first proposed in 1985 by Goldwasser, Micali and Rackoff [14]. Those proofs are interactive protocols between a prover who wan...

