Unbelievable Security: Matching AES security using public key systems
- Proceedings ASIACRYPT 2001, LNCS 2248, Springer-Verlag 2001, 67–86, 2001
Cited by 25 (1 self)
The Advanced Encryption Standard (AES) provides three levels of security: 128, 192, and 256 bits. Given a desired level of security for the AES, this paper discusses matching public key sizes for RSA and the ElGamal family of protocols. For the latter both traditional multiplicative groups of finite fields and elliptic curve groups are considered. The practicality of the resulting systems is commented upon. Despite the conclusions, this paper should not be interpreted as an endorsement of any particular public key system in favor of any other.
Test Embedding with Discrete Logarithms
- IEEE VLSI Test Symp., 1994
Cited by 23 (1 self)
When using Built-In Self Test (BIST) for testing VLSI circuits, a major concern is the generation of proper test patterns that detect the faults of interest. Usually a linear feedback shift register (LFSR) is used to generate test patterns. We first analyze the probability that an arbitrary pseudo-random test sequence of short length detects all faults. The term short is relative to the probability of detecting the fault with the fewest test patterns. We then show how to guide the search for an initial state (seed) for a LFSR with a given primitive feedback polynomial so that all the faults of interest are detected by a minimum length test sequence. Our algorithm is based on finding the location of test patterns in the sequence generated by this LFSR. This is accomplished using the theory of discrete logarithms. We then select the shortest subsequence that includes test patterns for all the faults of interest, hence resulting in 100% fault coverage.
Improvements to the general number field sieve for discrete logarithms in prime fields
- Mathematics of Computation, 2003
Cited by 11 (1 self)
In this paper, we describe many improvements to the number field sieve. Our main contribution consists of a new way to compute individual logarithms with the number field sieve without solving a very large linear system for each logarithm. We show that, with these improvements, the number field sieve outperforms the Gaussian integer method in the hundred digit range. We also illustrate our results by successfully computing discrete logarithms with GNFS in a large prime field.
Cryptographic Counters and Applications to Electronic Voting
- 2001
Cited by 9 (2 self)
We formalize the notion of a cryptographic counter, which allows a group of participants to increment and decrement a cryptographic representation of a (hidden) numerical value privately and robustly.
Asymptotically optimal communication for torus-based cryptography
- In Advances in Cryptology (CRYPTO 2004), Springer LNCS 3152, 2004
Cited by 9 (1 self)
We introduce a compact and efficient representation of elements of the algebraic torus. This allows us to design a new discrete-log based public-key system achieving the optimal communication rate, partially answering the conjecture in [4]. For n the product of distinct primes, we construct efficient ElGamal signature and encryption schemes in a subgroup of F*_{q^n} in which the number of bits exchanged is only a φ(n)/n fraction of that required in traditional schemes, while the security offered remains the same. We also present a Diffie-Hellman key exchange protocol averaging only φ(n) log_2 q bits of communication per key. For the cryptographically important cases of n = 30 and n = 210, we transmit a 4/5 and a 24/35 fraction, respectively, of the number of bits required in XTR [14] and recent CEILIDH [24] cryptosystems.
Certificates of recoverability with scalable recovery agent security
- Proceedings of PKC 2000, LNCS 1751, Springer-Verlag 2000, 2000
Cited by 8 (3 self)
We propose new schemes for Certificates of Recoverability (CRs). These consist of a user's public key and attributes, its private key encrypted in such a way that it is recoverable by one or more Key Recovery Agents (KRAs), plus a publicly verifiable proof of this (the CR). In the original schemes, the level of cryptographic security employed by the KRA and the users is necessarily the same. In our schemes the level of cryptographic security employed by the KRA can be set higher, in a scalable fashion, than that being employed by the users. Among the other improvements of our schemes is their applicability to create CRs for cryptosystems based on the Discrete Log problem in small subgroups, most notably the Digital Signature Standard and Elliptic Curve Cryptosystems. Also, the size of the constructed proofs of knowledge can be taken smaller than in the original schemes. We also present several new constructions and results on the hardness of small parts, in the setting of Diffie-Hellman keys in extension fields.
Generating more MNT elliptic curves
- 2004
Cited by 8 (0 self)
In their seminal paper, Miyaji, Nakabayashi and Takano [12] describe a simple method for the creation of elliptic curves of prime order with embedding degree 3, 4, or 6. Such curves are important for the realisation of pairing-based cryptosystems on ordinary (non-supersingular) elliptic curves. We provide an alternative derivation of their results, and extend them to allow for the generation of many more suitable curves.
New Paradigms in Signature Schemes
- 2005
Cited by 7 (0 self)
Digital signatures provide authenticity and nonrepudiation. They are a standard cryptographic primitive with many applications in higher-level protocols. Groups featuring a computable bilinear map are particularly well suited for signature-related primitives. For some signature variants the only construction known uses bilinear maps. Where constructions based on, e.g., RSA are known, bilinear-map–based constructions are simpler, more efficient, and yield shorter signatures. We describe several constructions that support this claim. First, we present the Boneh-Lynn-Shacham (BLS) short signature scheme. BLS signatures with 1024-bit security are 160 bits long, the shortest of any scheme based on standard assumptions. Second, we present Boneh-Gentry-Lynn-Shacham (BGLS) aggregate signatures. In an aggregate signature scheme it is possible to combine n signatures on n distinct messages from n distinct users into a single aggregate that provides nonrepudiation for all of them. BGLS aggregates are 160 bits long, regardless of how many signatures are aggregated. No construction is known for aggregate signatures that does not employ bilinear maps. BGLS aggregates give rise to verifiably encrypted signatures, a signature variant with applications in contract signing.
Conditionally Secure Secret Sharing Schemes with Disenrollment Capability
- 1994
Cited by 7 (3 self)
The paper describes an implementation of Shamir secret sharing schemes based on exponentiation in Galois fields. It is shown how to generate shares so the scheme has the disenrollment capability. Next a family of conditionally secure Shamir schemes is defined and the disenrollment capability is investigated for the family. The paper also examines a problem of covert channels which are present in any secret sharing scheme.
Keywords: Computer Security, Cryptography, Group Oriented Cryptography, Secret Sharing, Threshold Schemes.
1 Introduction
A secret sharing scheme allows authorized groups of users to recreate a secret key by pooling their shares (shadows) of the key, but single users or unauthorized groups are unable to recreate the key. The first secret sharing schemes (called threshold schemes) were invented independently by Shamir [17] and Blakley [2]. Secret sharing schemes should be designed so that if some of the shares of the key are lost or stolen -- invalidated, the remaini...