Predicting Nonlinear Pseudorandom Number Generators
 MATH. COMPUTATION
, 2004
Abstract

Cited by 8 (5 self)
Let p be a prime and let a and b be elements of the finite field F_p of p elements. The inversive congruential generator (ICG) is a sequence (u_n) of pseudorandom numbers defined by the relation u_{n+1} ≡ a·u_n^{-1} + b mod p. We show that if sufficiently many of the most significant bits of several consecutive values u_n of the ICG are given, one can recover the initial value u_0 (even in the case where the coefficients a and b are not known). We also obtain similar results for the quadratic congruential generator (QCG), v_{n+1} ≡ f(v_n) mod p, where f ∈ F_p[X]. This suggests that for cryptographic applications ICG and QCG should be used with great care. Our results are somewhat similar to those known for the linear congruential generator (LCG), x_{n+1} ≡ a·x_n + b mod p, but they apply only to much longer bit strings. We also estimate limits of some heuristic approaches, which still remain much weaker than those known for LCG.
Hidden Field Equations HFE and Isomorphisms of Polynomials IP: two new Families of Asymmetric Algorithms
, 1996
Abstract

Cited by 7 (0 self)
In [11] T. Matsumoto and H. Imai described a new asymmetric algorithm based on multivariate polynomials of degree two over a finite field. Then in [14] this algorithm was broken. The aim of this paper is to show that despite this result it is probably possible to use multivariate polynomials of degree two in carefully designed algorithms for asymmetric cryptography. In this paper we will give some examples of such schemes. All the examples that we will give belong to two large families of schemes: HFE and IP. With HFE we will be able to do encryption, signatures or authentication in an asymmetric way. Moreover HFE (with properly chosen parameters) resists all known attacks and can be used in order to give very short asymmetric signatures or very short encrypted messages (of length 128 bits or 64 bits for example). IP can be used for asymmetric authentications or signatures. IP authentications are zero knowledge. Note 1: Another title for this paper could be "How to repair the Matsumoto-Imai algorithm with the same kind of public polynomials". Note 2: This paper is the extended version of the paper with the same title published at Eurocrypt '96.
A Taxonomy of Attacks on Secure Devices
 Proceedings of the Australia Information Warfare and Security Conference 2003. 20-21 November 2003
, 2003
Abstract

Cited by 4 (0 self)
Evaluating the security of hardware devices requires an organised assessment of which attacks the device might be exposed to. This in turn requires a structured body of knowledge about such attacks, classified in such a way that an evaluator can easily determine which attacks are applicable to a particular device. This paper presents such a collection, organised as a taxonomy of attacks on secure devices. The taxonomy covers many attacks applicable to hardware which are frequently overlooked in a software- or protocol-centric evaluation.
Cryptographic functions from worst-case complexity assumptions
, 2007
Abstract

Cited by 3 (1 self)
Lattice problems have been suggested as a potential source of computational hardness to be used in the construction of cryptographic functions that are provably hard to break. A remarkable feature of lattice-based cryptographic functions is that they can be proved secure (that is, hard to break on the average) based on the assumption that the underlying lattice problems are computationally hard in the worst case. In this paper we give a survey of the constructions and proof techniques used in this area, explain the importance of basing cryptographic functions on the worst-case complexity of lattice problems, and discuss how this affects the traditional approach to cryptanalysis based on random challenges.
Improvements of the Attacks on Cryptosystems Based on Error-Correcting Codes
, 1995
Abstract

Cited by 3 (1 self)
Many public-key cryptosystems and identification schemes based on error-correcting codes have been proposed as an alternative to the common cryptographic algorithms based on number theory. They rely on the NP-hardness of finding a fixed-weight word in a coset of a linear binary code. We here improve the previous attacks on these systems; this notably enables us to reduce the work factor involved in breaking McEliece's cryptosystem, since our algorithm requires 2^{64.2} operations, that is 2^7 times less than Lee-Brickell's attack.
A New Privacy Homomorphism and Applications
 Information Processing Letters
, 1996
Abstract

Cited by 2 (0 self)
An additive and multiplicative privacy homomorphism is an encryption function mapping addition and multiplication of cleartext data into two operations on encrypted data. One such privacy homomorphism is introduced which has the novel property of seeming secure against a known-cleartext attack. An application to multilevel statistical computation is presented, namely classified retrieval of exact statistics from unclassified computation on disclosure-protected (perturbed) data. Keywords: Privacy homomorphisms, statistical confidentiality, safety/security in digital systems.

1 Introduction

Privacy homomorphisms (PHs from now on) were formally introduced in [5] as a tool for processing encrypted data. Basically, they are encryption functions E_k : T → T' which allow one to perform a set F' of operations on encrypted data without knowledge of the decryption function D_k. Knowledge of D_k allows one to recover the outcome of the corresponding set F of operations on clear data. The s...
Evaluation of security level of cryptography: ESIGN signature scheme
 CRYPTREC Project
, 2001
Abstract

Cited by 2 (0 self)
to be existentially unforgeable against chosen-message attacks assuming that the approximate e-th root (AER) problem is hard and that the employed hash function is a random function. While the AER problem has been studied by some researchers, it has not received as much attention as the integer factorization problem or the discrete logarithm problem. One way to solve the AER problem is to factor the integer n, where n = p^2 q and p and q are primes of the same bit-length. The parameters recommended ensure that ESIGN resists all known attacks for factoring integers of this form.

2 Protocol specification

2.1 ESIGN key pairs

For the security parameter pLen, k each entity does the following:
1. Randomly select two distinct primes, p, q, each of bitsize k and compute n = p^2 q.
2. Select an integer e ≥ 4.
3. A's public key is (n, e, k); A's private key is (p, q).
In addition, one needs to specify a hash function H whose output length is k bits.

2.2 ESIGN signature generation

To sign a message m, an entity A with the private key (p, q) does the following:
1. Compute H(m), and let … be the … bit … obtained from H(m) by deleting the most significant ….
2. Pick r uniformly at random from {r ∈ Z_{pq} : gcd(r, p) = 1}.
On Strengthening Authentication Protocols to Foil Cryptanalysis
Abstract

Cited by 2 (1 self)
Cryptographic protocols have usually been designed at an abstract level without concern for the cryptographic algorithms used in implementation. In this paper it is shown that the abstract protocol definition can have an important effect on the ability of an attacker to mount a successful attack on an implementation. In particular, it will be determined whether an adversary is able to generate corresponding pairs of plaintext and ciphertext to use as a lever in compromising secret keys. The ideas are illustrated by analysis of two well-known authentication systems which have been used in practice. They are Kerberos and KryptoKnight. It is shown that for the Kerberos protocol, an adversary can acquire at will an unlimited number of known plaintext-ciphertext pairs. Similarly, an adversary in the KryptoKnight system can acquire an unlimited number of data pairs which, by a less direct means, can be seen to be cryptanalytically equivalent to known plaintext-ciphertext pairs. We propose ...