Predicting Nonlinear Pseudorandom Number Generators
- MATH. COMPUTATION, 2004
Cited by 8 (5 self)
Abstract
Let p be a prime and let a and b be elements of the finite field $\mathbb{F}_p$ of p elements. The inversive congruential generator (ICG) is a sequence $(u_n)$ of pseudorandom numbers defined by the relation $u_{n+1} \equiv a u_n^{-1} + b \pmod p$. We show that if sufficiently many of the most significant bits of several consecutive values $u_n$ of the ICG are given, one can recover the initial value $u_0$ (even in the case where the coefficients a and b are not known). We also obtain similar results for the quadratic congruential generator (QCG), $v_{n+1} \equiv f(v_n) \pmod p$, where $f \in \mathbb{F}_p[X]$. This suggests that for cryptographic applications ICG and QCG should be used with great care. Our results are somewhat similar to those known for the linear congruential generator (LCG), $x_{n+1} \equiv a x_n + b \pmod p$, but they apply only to much longer bit strings. We also estimate limits of some heuristic approaches, which still remain much weaker than those known for LCG.

Hidden Field Equations HFE and Isomorphisms of Polynomials IP: two new Families of Asymmetric Algorithms
, 1996
Cited by 6 (0 self)
Abstract
In [11] T. Matsumoto and H. Imai described a new asymmetric algorithm based on multivariate polynomials of degree two over a finite field. Then in [14] this algorithm was broken. The aim of this paper is to show that despite this result it is probably possible to use multivariate polynomials of degree two in carefully designed algorithms for asymmetric cryptography. In this paper we will give some examples of such schemes. All the examples that we will give belong to two large families of schemes: HFE and IP. With HFE we will be able to do encryption, signatures or authentication in an asymmetric way. Moreover HFE (with properly chosen parameters) resists all known attacks and can be used in order to give very short asymmetric signatures or very short encrypted messages (of length 128 bits or 64 bits for example). IP can be used for asymmetric authentications or signatures. IP authentications are zero knowledge. Note 1: Another title for this paper could be "How to repair the Matsumoto-Imai algorithm with the same kind of public polynomials". Note 2: This paper is the extended version of the paper with the same title published at Eurocrypt '96.

Cryptographic functions from worst-case complexity assumptions
, 2007
Cited by 3 (1 self)
Abstract
Lattice problems have been suggested as a potential source of computational hardness to be used in the construction of cryptographic functions that are provably hard to break. A remarkable feature of lattice-based cryptographic functions is that they can be proved secure (that is, hard to break on the average) based on the assumption that the underlying lattice problems are computationally hard in the worst case. In this paper we give a survey of the constructions and proof techniques used in this area, explain the importance of basing cryptographic functions on the worst-case complexity of lattice problems, and discuss how this affects the traditional approach to cryptanalysis based on random challenges.

A New Privacy Homomorphism and Applications
- Information Processing Letters, 1996
Cited by 2 (0 self)
Abstract
An additive and multiplicative privacy homomorphism is an encryption function mapping addition and multiplication of cleartext data into two operations on encrypted data. One such privacy homomorphism is introduced which has the novel property of seeming secure against a known-cleartext attack. An application to multilevel statistical computation is presented, namely classified retrieval of exact statistics from unclassified computation on disclosure-protected (perturbed) data. Keywords: Privacy homomorphisms, statistical confidentiality, safety/security in digital systems.
1 Introduction
Privacy homomorphisms (PHs from now on) were formally introduced in [5] as a tool for processing encrypted data. Basically, they are encryption functions $E_k : T \to T'$ which allow one to perform a set $F'$ of operations on encrypted data without knowledge of the decryption function $D_k$. Knowledge of $D_k$ allows one to recover the outcome of the corresponding set $F$ of operations on clear data. The s...

Evaluation of security level of cryptography: ESIGN signature scheme
- CRYPTREC Project, 2001
Cited by 2 (0 self)
Abstract
... to be existentially unforgeable against chosen-message attacks assuming that the approximate e-th root (AER) problem is hard and that the employed hash function is a random function. While the AER problem has been studied by some researchers, it has not received as much attention as the integer factorization problem or the discrete logarithm problem. One way to solve the AER problem is to factor the integer n, where $n = p^2 q$ and p and q are primes of the same bitlength. The parameters recommended ensure that ESIGN resists all known attacks for factoring integers of this form.
2 Protocol specification
2.1 ESIGN key pairs
For the security parameters pLen, k, each entity does the following:
1. Randomly select two distinct primes p, q, each of bitsize k, and compute $n = p^2 q$.
2. Select an integer $e \geq 4$.
3. A's public key is (n, e, k); A's private key is (p, q).
In addition, one needs to specify a hash function H whose output length is k bits.
2.2 ESIGN signature generation
To sign a message m, an entity A with the private key (p, q) does the following:
1. Compute H(m), and take the bit string obtained from H(m) by deleting the most significant bit.
2. Pick r uniformly at random from $\{r \in \mathbb{Z}_{pq} : \gcd(r, p) = 1\}$.

On Strengthening Authentication Protocols to Foil Cryptanalysis
Cited by 2 (1 self)
Abstract
Cryptographic protocols have usually been designed at an abstract level without concern for the cryptographic algorithms used in implementation. In this paper it is shown that the abstract protocol definition can have an important effect on the ability of an attacker to mount a successful attack on an implementation. In particular, it will be determined whether an adversary is able to generate corresponding pairs of plaintext and ciphertext to use as a lever in compromising secret keys. The ideas are illustrated by analysis of two well-known authentication systems which have been used in practice. They are Kerberos and KryptoKnight. It is shown that for the Kerberos protocol, an adversary can acquire at will an unlimited number of known plaintext-ciphertext pairs. Similarly, an adversary in the KryptoKnight system can acquire an unlimited number of data pairs which, by a less direct means, can be seen to be cryptanalytically equivalent to known plaintext-ciphertext pairs. We propose ...

A Taxonomy of Attacks on Secure Devices
- Proceedings of the Australia Information Warfare and Security Conference 2003, 20-21 November 2003
Cited by 1 (0 self)
Abstract
Evaluating the security of hardware devices requires an organised assessment of which attacks the device might be exposed to. This in turn requires a structured body of knowledge about such attacks, classified in such a way that an evaluator can easily determine which attacks are applicable to a particular device. This paper presents such a collection, organised as a taxonomy of attacks on secure devices. The taxonomy covers many attacks applicable to hardware which are frequently overlooked in a software- or protocol-centric evaluation.

On Private-Key Cryptosystems Based on Product Codes
Abstract
Recently J. and R.M. Campello de Souza proposed a private-key encryption scheme based on product codes with the capability of correcting a special type of structured errors. In this paper, we show that J. and R.M. Campello de Souza's scheme is insecure against chosen-plaintext attacks, and consequently propose a secure modified scheme.
1 Introduction
In 1978, McEliece [1] proposed a public-key cryptosystem based on algebraic coding theory. The idea of the cryptosystem is based on the fact that the decoding problem of a general linear code is an NP-complete problem. Compared with other public-key cryptosystems [2,3], McEliece's scheme has the advantage of high-speed encryption and decryption. However, the scheme is subject to some weaknesses [4,5]. Rao and Nam [6,7] modified McEliece's scheme to construct a private-key algebraic-code cryptosystem which allows the use of simpler codes. The Rao-Nam system is still subject to some chosen-plaintext attacks [7-10], and therefore is...