
Advances in Cryptology — EUROCRYPT ’90: Workshop on the Theory and Application of Cryptographic Techniques Aarhus, Denmark, May 21–24, 1990 Proceedings PDF

508 Pages·1991·11.016 MB·English

Preview

Lecture Notes in Computer Science 473. Edited by G. Goos and J. Hartmanis.

I.B. Damgård (Ed.)
Advances in Cryptology - EUROCRYPT '90
Workshop on the Theory and Application of Cryptographic Techniques, Aarhus, Denmark, May 21-24, 1990. Proceedings
Springer-Verlag, Berlin Heidelberg New York London Paris Tokyo Hong Kong Barcelona

Editorial Board: D. Barstow, W. Brauer, P. Brinch Hansen, D. Gries, D. Luckham, C. Moler, A. Pnueli, G. Seegmüller, J. Stoer, N. Wirth

Volume Editor: Ivan Bjerre Damgård, Matematisk Institut, Århus Universitet, Ny Munkegade, DK-8000 Århus C, Denmark

CR Subject Classification (1987): D.4.6, E.3, H.2.0

ISBN 3-540-53587-X Springer-Verlag Berlin Heidelberg New York
ISBN 0-387-53587-X Springer-Verlag New York Berlin Heidelberg

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in other ways, and storage in data banks. Duplication of this publication or parts thereof is only permitted under the provisions of the German Copyright Law of September 9, 1965, in its current version, and a copyright fee must always be paid. Violations fall under the prosecution act of the German Copyright Law.
© Springer-Verlag Berlin Heidelberg 1991. Printed in Germany.
Printing and binding: Druckhaus Beltz, Hemsbach/Bergstr. 2145/3140-543210 - Printed on acid-free paper

Preface

EUROCRYPT is a conference devoted to all aspects of cryptologic research, both theoretical and practical. In the last 7 years, the meeting has taken place once a year at various places in Europe. Both these meetings and the annual Crypto meetings in California are sponsored by The International Association for Cryptologic Research (IACR). Most of the proceedings from these meetings are, like this one, published in Springer-Verlag's Lecture Notes in Computer Science series.

EuroCrypt 90 took place on May 21-24 at conference center Scanticon, situated in Århus, Denmark. There were more than 250 participants from all over the world. It is a pleasure to take this opportunity to thank the general chairman Peter Landrock, Århus Congress Bureau, Scanticon, and the organizing committee, who all contributed with hard work and dedication to make a well organized and successful conference.

A total of 85 papers from all over the world were submitted to the conference. This number marks a continuation of the steady growth of interest in the EuroCrypt meetings. Out of the papers submitted, 41 were rejected, 1 was withdrawn, and 2 papers were asked to merge. This resulted in a set of 42 papers presented at the conference. The submissions were in the form of extended abstracts. All program committee members received a full set of submissions, and each submission was refereed independently by at least two members of the program committee (not including the program chairman). The experiment from Crypto 89 with blind refereeing was continued at this conference, and has now become standard policy at IACR conferences. The final papers appearing in these proceedings were not refereed, and the authors retain, of course, full responsibility for the contents. Several of the papers can be expected to appear in various journals in more polished form. There will be a special issue of the Journal of Cryptology containing selected papers from the conference.

In addition to the formal contributions, a number of informal talks were given at the traditional rump session. These proceedings include short abstracts of some of these impromptu talks.

Finally, it is a pleasure to acknowledge all those who contributed to putting together the program of EuroCrypt 90 and making these proceedings a reality. First of all, thanks to the program committee. All of its members put a tremendous amount of hard work into the refereeing, and many of them even took the time to make detailed comments on other papers than the 20 they were asked to read carefully. Also some of my colleagues at Århus University kindly offered their help on various technical questions; among these were Torben Pedersen and Jørgen Brandt. Of course, no conference could have taken place without the authors' contribution. I would like to thank all those who submitted papers, also those whose submissions could not be accepted because of the large number of high quality submissions we received. Many of the authors have been extremely cooperative in changing the format of their papers to fit into the proceedings. Were it not for this attitude, these proceedings would have been significantly delayed.

Århus, September 1990
Ivan Bjerre Damgård

EUROCRYPT 90
A conference on the theory and application of cryptology
Sponsored by The International Association for Cryptologic Research (IACR) and CRYPTOMATHIC A/S, DATACO A/S, Den Danske Bank A/S, Jutland Telephone Company A/S

General Chairman: Peter Landrock (Aarhus University)
Organizing Committee: Jørgen Brandt (Aarhus University), Palle Brandt Jensen (Jutland Telephone Company), Torben Pedersen (Aarhus University), Århus Congress Bureau
Program Chairman: Ivan Damgård (Aarhus University)
Program Committee: Ueli Maurer (ETH, Zurich), Andrew J. Clark (Computer Security Ltd., Brighton), Claude Crépeau (LRI, Paris), Thomas Siegenthaler (AWK, Zurich), Joan Boyar (Aarhus University), Stig Frode Mjølsnes (ELAB, Trondheim), Marc Girault (SEPT, Caen), Walter Fumy (Siemens AG, Erlangen), Othmar Staffelbach (Gretag, Regensdorf)

Contents

Session 1: Protocols
All languages in NP have divertible zero-knowledge proofs and arguments under cryptographic assumptions. M.V.D. Burmester (University of London) and Y. Desmedt (University of Wisconsin, Milwaukee) ..... 1
On the importance of memory resources in the security of key exchange protocols. G. Davida, Y. Desmedt and R. Peralta (University of Wisconsin, Milwaukee) ..... 11
Provably secure key-updating schemes in identity-based systems. S. Shinozaki, T. Itoh, A. Fujioka and S. Tsujii (Tokyo Institute of Technology) ..... 16
Oblivious transfer protecting secrecy. Bert den Boer (Philips Crypto B.V.) ..... 31
Public-randomness in public-key cryptography. A. De Santis (University of Salerno) and G. Persiano (Harvard University) ..... 46
An interactive identification scheme based on discrete logarithms and factoring. E.F. Brickell and K.S. McCurley (Sandia National Laboratories) ..... 63

Session 2: Number-Theoretic Algorithms
Factoring with two large primes. A.K. Lenstra (Bell Comm. Research) and M.S. Manasse (Dig. Equip. Corp.) ..... 72
Which new RSA signatures can be computed from some given RSA signatures? J.-H. Evertse (University of Leiden) and E. van Heyst (CWI, Amsterdam) ..... 83
Implementation of a key exchange protocol using real quadratic fields. R. Scheidler (University of Manitoba), J.A. Buchmann (University of Saarland) and H.C. Williams (University of Manitoba) ..... 98
Distributed primality proving and the primality of $(2^{3539} + 1)/3$. F. Morain (INRIA, Le Chesnay) .....

Session 3: Boolean Functions
Properties of binary functions. S. Lloyd (H.P. Laboratories, Bristol) ..... 124
How to construct pseudorandom permutations from single pseudorandom functions. J. Pieprzyk (University of New South Wales) ..... 140
Constructions of bent functions and difference sets. K. Nyberg (University of Helsinki) ..... 151
Propagation characteristics of Boolean functions. B. Preneel, W. Van Leekwijck, L. Van Linden, R. Govaerts and J. Vandewalle ..... 161

Session 4: Binary Sequences
The linear complexity profile and the jump complexity of keystream sequences. H. Niederreiter (Austrian Academy of Sciences) ..... 174
Lower bounds for the linear complexity of sequences over residue rings. Z. Dai (University of Linköping), T. Beth and D. Gollmann (University of Karlsruhe) ..... 189
On the construction of run permuted sequences. C.J.A. Jansen (Philips Crypto B.V.) ..... 196
Correlation properties of combiners with memory in stream ciphers. W. Meier (HTL Brugg-Windisch) and O. Staffelbach (Gretag) ..... 204
Correlation functions of geometric sequences. A.H. Chan, M. Goresky and A. Klapper (Northeastern University) ..... 214

Session 5: Implementations
Exponentiating faster with addition chains. Y. Yacobi (Bellcore) ..... 222
A cryptographic library for the Motorola DSP 56000. S.R. Dussé and B.S. Kaliski Jr. (RSA Data Security Inc.) ..... 230
VICTOR - an efficient RSA hardware implementation. H. Orup, E. Svendsen and E. Andreasen (Aarhus University) ..... 245
Experimental quantum cryptography. C.H. Bennett (IBM Yorktown), F. Bessette, G. Brassard, L. Salvail (University of Montreal) and J. Smolin (UCLA) ..... 253

Session 6: Combinatorial Schemes
A protocol to set up shared secret schemes without the assistance of a mutually trusted party. I. Ingemarsson (Linköping University) and G.J. Simmons (Sandia Nat. Labs.) ..... 266
Lower bounds for authentication codes with splitting. A. Sgarro (University of Udine) ..... 283
Essentially l-fold secure authentication systems. A. Beutelspacher (University of Gießen) and U. Rosenbaum (Siemens AG) ..... 294
On the construction of authentication codes with secrecy and codes withstanding spoofing attacks of order $L \geq 2$. B. Smeets, P. Vanroose and Z. Wan (University of Lund) ..... 306

Session 7: Cryptanalysis
Cryptanalysis of a public-key cryptosystem based on approximations by rational numbers. J. Stern (University of Paris) and P. Toffin (University of Caen) ..... 313
A known-plaintext attack on two-key triple encryption. P.C. van Oorschot and M.J. Wiener (BNR, Ottawa) ..... 318
Confirmation that some hash functions are not collision free. S. Miyaguchi, K. Ohta and M. Iwata (NTT Labs) ..... 326
Inverting the pseudo exponentiation. F. Bauspieß, H.-J. Knobloch and P. Wichmann (University of Karlsruhe) ..... 344

Session 8: New Cryptosystems
Cryptosystem for group oriented cryptography. T. Hwang (Nat. Cheng Kung University) ..... 352
A provably-secure strongly-randomized cipher. U. Maurer (Swiss Fed. Inst. of Tech.) ..... 361
General public key residue cryptosystems and mental poker protocols. K. Kurosawa, Y. Katayama, W. Ogata and S. Tsujii (Tokyo Inst. of Tech.) ..... 374
A proposal for a new block encryption standard. X. Lai and J. Massey (Swiss Fed. Inst. of Tech.) ..... 389
A new trapdoor in knapsacks. V. Niemi (University of Turku) ..... 405

Session 9: Signatures and Authentication
On the design of provably secure cryptographic hash functions. A. De Santis (University of Salerno) and M. Yung (IBM Yorktown) ..... 412
Fast signature generation with a Fiat Shamir-like scheme. H. Ong (Deutsche Bank AG) and C.P. Schnorr (University of Frankfurt) ..... 432
A remark on a signature scheme where forgery can be proved. G. Bleumer, B. Pfitzmann and M. Waidner (University of Karlsruhe) ..... 441
Membership authentication for hierarchical multigroups using the extended Fiat-Shamir scheme. K. Ohta, T. Okamoto and K. Koyama (NTT Laboratories) ..... 446
Zero-knowledge undeniable signatures. D. Chaum (CWI, Amsterdam) ..... 458
Precautions taken against various potential attacks in ISO/IEC DIS 9796. L.C. Guillou (CCETT), J.-J. Quisquater (Philips Research), M. Walker (Racal Research), P. Landrock (Aarhus University) and C. Shaer (Racal Research) ..... 465

Rump Session: Impromptu Talks
Software run-time protection: A cryptographic issue. J. Domingo-Ferrer (University of Barcelona) ..... 474
An identity-based identification scheme based on discrete logarithms modulo a composite number. M. Girault (SEPT) ..... 481
A noisy clock-controlled shift register cryptanalysis concept based on sequence comparison approach. J.Dj. Golić and M.J. Mihaljević (University of Belgrade) ..... 487
The MD4 message digest algorithm. B.S. Kaliski Jr. (RSA Data Sec. Inc.) .....
A remark on the efficiency of identification schemes. M. Burmester (University of London) ..... 493
On an implementation of the Mohan-Adiga algorithm. Gisela Meister (GAO) ..... 496

ALL LANGUAGES IN NP HAVE DIVERTIBLE ZERO-KNOWLEDGE PROOFS AND ARGUMENTS UNDER CRYPTOGRAPHIC ASSUMPTIONS* (Extended Abstract)

Mike V. D. Burmester†, Dept. of Mathematics, RHBNC - University of London, Egham, Surrey TW20 0EX, U.K.
Yvo Desmedt‡, Dept. EE & CS, Univ. of Wisconsin - Milwaukee, P.O. Box 784, WI 53201 Milwaukee, U.S.A.

Abstract. We present a divertible zero-knowledge proof (argument) for SAT under the assumption that probabilistic encryption homomorphisms exist. Our protocol uses a simple 'swapping' technique which can be applied to many zero-knowledge proofs (arguments). In particular we obtain a divertible zero-knowledge proof for graph isomorphism. The consequences for abuse-free zero-knowledge proofs are also considered.

I. Introduction

Okamoto-Ohta defined divertible zero-knowledge proofs in [OO89] and showed that commutative random self-reducible relations have such proofs, provided certain conditions are satisfied. The first divertible zero-knowledge proof was given in [DGB88, pp. 37-38] in the context of an abuse-free zero-knowledge proof. In this paper we generalize this result to all problems in NP under cryptographic assumptions and consider the consequences for abuse-free proofs. We also remark that most divertible zero-knowledge proofs of membership presented here will not convince unconditionally two (independent) verifiers simultaneously. So the framework of divertible zero-knowledge has to be modified if it is to be used for this purpose.

This paper is organized as follows. We first state our results. Then we present the protocol and finally we sketch the proofs.

*Research done while visiting the EISS, University of Karlsruhe, West Germany.
†Research partially supported by SERC Grant GR/F 5700.
‡Research is being supported by NSF Grant NCR-9004879.

I.B. Damgård (Ed.): Advances in Cryptology - EUROCRYPT '90, LNCS 473, pp. 1-10, 1991. © Springer-Verlag Berlin Heidelberg 1991

II. Main results

II.1. Notation and Definitions

$(A, B, C)$ is a divertible interactive triple of Turing machines [OO89]. For the definition of divertible proofs and abuse-free systems see [OO89, Des90]; for the SAT proof (argument) see [BCC88, BC89]. A probabilistic encryption function $f_{\cdot}(\cdot)$ satisfies the properties that $f_r(b)$ can be computed in polynomial time when $r, b$ are given, and that $f_r(b) = f_{r'}(b') \Rightarrow b = b'$. Here $r, r'$ are any random bit strings and $b, b'$ are bits. $f$ is a probabilistic homomorphism if $f_r(b) \cdot f_{r'}(b') = f_{r''}(b \oplus b')$, where $r''$ can be computed from $r, r', b$ and $b'$ in polynomial time, and $\oplus$ is exclusive-or. A well-known example of an encryption homomorphism [GM84] is given by $f_r(b) = s^b r^2 \pmod n$, where $n$ is a Blum integer and $s$ is an appropriate quadratic non-residue. (It is instructive to compute $r''$ in this case, given $s, n$, and $r, r', b = b' = 1$.) The modulus $n$ and $s$ parameterize $f$. We shall assume that all the probabilistic encryption functions considered in this paper are parameterized, but for simplicity we ignore this in our notation. We denote by $\{z\}$ a string which is a concatenation of strings of type $z$ with delimiters.

II.2. Theorems and implications for abuse-free proofs

Theorem 1. If probabilistic encryption homomorphisms exist and are provided by an oracle, then all languages in NP have divertible zero-knowledge proofs.

Corollary 1. If probabilistic encryption homomorphisms exist then all languages in NP have conditional abuse-free zero-knowledge proofs.

Theorem 2. If probabilistic encryption functions exist then all languages in NP have unconditional abuse-free zero-knowledge proofs.

Theorem 3. Given an oracle similar to the one in Theorem 1: If factoring is hard then all languages in NP have divertible statistical zero-knowledge arguments.

Corollary 2. If probabilistic blob functions exist then all languages in NP have abuse-free zero-knowledge arguments.

Theorem 4. There exists an 'unconditional'¹ divertible zero-knowledge proof for graph isomorphism.

Remarks: We will describe a protocol which can be used for many zero-knowledge proofs with slight modifications. This protocol does not require that the structures involved are commutative. Furthermore it can easily be adapted to make the authentication system [Des88] unconditionally divertible (so that two or more independent wardens can be used).

¹The quotation marks are due to the unnatural condition (iii) of Definition 1 in [OO89], which implies that the protocol is only divertible when graph isomorphism is not decidable in probabilistic polynomial time. In the final paper we will restate this definition but without this property.
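The Goldwasser-Micali homomorphism named in the notation section above, worked through as an added example (this code is not from the paper or the proceedings; the toy primes 11 and 19, and taking s as the smallest non-square modulo both primes, are assumptions of the example). It computes the r'' the authors invite the reader to derive, for b = b' = 1 and for the other bit pairs as well:

```python
import math

# Constructed toy parameters (not from the paper): two primes ≡ 3 (mod 4),
# so n = p*q is a Blum integer. Real use needs primes of hundreds of digits.
P, Q = 11, 19
N = P * Q


def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p: +1 (square), -1 (non-square), 0."""
    t = pow(a % p, (p - 1) // 2, p)
    return -1 if t == p - 1 else t


def pick_nonresidue(p, q):
    """An 'appropriate' s: a non-square modulo both p and q, so s has Jacobi
    symbol +1 mod n yet is a quadratic non-residue mod n. Taking the smallest
    such s is this example's assumption, not the paper's prescription."""
    for s in range(2, p * q):
        if legendre(s, p) == -1 and legendre(s, q) == -1:
            return s
    raise ValueError("no suitable s found")


S = pick_nonresidue(P, Q)


def encrypt(b, r, n=N, s=S):
    """f_r(b) = s^b * r^2 (mod n) for a bit b and randomness r in Z_n^*."""
    if b not in (0, 1) or not 0 < r < n or math.gcd(r, n) != 1:
        raise ValueError("b must be a bit and r a unit mod n")
    return (pow(s, b, n) * pow(r, 2, n)) % n


def decrypt(c, p=P, q=Q):
    """Trapdoor holder recovers b: c is a square mod n iff b = 0, which the
    Legendre symbol of c modulo one prime factor decides."""
    return 0 if legendre(c, p) == 1 else 1


def combine_randomness(r, r1, b, b1, n=N, s=S):
    """The r'' of the definition: f_r(b) * f_r'(b') = f_r''(b xor b').
    Since s^(b+b') (r r')^2 = s^(b xor b') * (s^(b*b') r r')^2, we get
    r'' = r * r' * s^(b*b') mod n; for b = b' = 1 that is r * r' * s."""
    return (r * r1 * pow(s, b * b1, n)) % n


def homomorphism_holds(b, b1, r, r1):
    """True if the product of ciphertexts equals f_r''(b xor b') and decrypts to b xor b'."""
    product = (encrypt(b, r) * encrypt(b1, r1)) % N
    r2 = combine_randomness(r, r1, b, b1)
    return product == encrypt(b ^ b1, r2) and decrypt(product) == (b ^ b1)


if __name__ == "__main__":
    for b in (0, 1):
        for b1 in (0, 1):
            print(b, b1, homomorphism_holds(b, b1, 7, 13))
```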
