No abstract available.
The XTR Public Key System
This paper introduces the XTR public key system. XTR is based on a new method to represent elements of a subgroup of a multiplicative group of a finite field. Application of XTR in cryptographic protocols leads to substantial savings both in ...
A Chosen-Ciphertext Attack against NTRU
We present a chosen-ciphertext attack against the public key cryptosystem called NTRU. This cryptosystem is based on polynomial algebra. Its security comes from the interaction of the polynomial mixing system with the independence of reduction modulo ...
Privacy Preserving Data Mining
In this paper we introduce the concept of privacy preserving data mining. In our model, two parties owning confidential databases wish to run a data mining algorithm on the union of their databases, without revealing any unnecessary information. This ...
Reducing the Servers' Computation in Private Information Retrieval: PIR with Preprocessing
Private information retrieval (PIR) enables a user to retrieve a specific data item from a database, replicated among one or more servers, while hiding from each server the identity of the retrieved item. This problem was suggested by Chor et al., and ...
Parallel Reducibility for Information-Theoretically Secure Computation
Secure Function Evaluation (SFE) protocols are very hard to design, and reducibility has been recognized as a highly desirable property of SFE protocols. Informally speaking, reducibility (sometimes called modular composition) is the automatic ability ...
Optimistic Fair Secure Computation
We present an efficient and fair protocol for secure two-party computation in the optimistic model, where a partially trusted third party T is available, but not involved in normal protocol executions. T is needed only if communication is disrupted or ...
A Cryptographic Solution to a Game Theoretic Problem
In this work we use cryptography to solve a game-theoretic problem which arises naturally in the area of two party strategic games. The standard game-theoretic solution concept for such games is that of an equilibrium, which is a pair of "self-enforcing"...
Differential Fault Attacks on Elliptic Curve Cryptosystems
In this paper we extend the ideas for differential fault attacks on the RSA cryptosystem (see) to schemes using elliptic curves. We present three different types of attacks that can be used to derive information about the secret key if bit errors can be ...
Quantum Public-Key Cryptosystems
This paper presents a new paradigm of cryptography, quantum public-key cryptosystems. In quantum public-key cryptosystems, all parties including senders, receivers and adversaries are modeled as quantum (probabilistic) poly-time Turing (QPT) machines ...
New Public-Key Cryptosystem Using Braid Groups
The braid groups are infinite non-commutative groups naturally arising from geometric braids. The aim of this article is twofold. One is to show that the braid groups can serve as a good source to enrich cryptography. The feature that makes the braid ...
Key Recovery and Forgery Attacks on the MacDES MAC Algorithm
We describe a series of new attacks on a CBC-MAC algorithm due to Knudsen and Preneel including two key recovery attacks and a forgery attack. Unlike previous attacks, these techniques will work when the MAC calculation involves prefixing the data to be ...
CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions
We suggest some simple variants of the CBC MAC that let you efficiently MAC messages of arbitrary lengths. Our constructions use three keys, K1, K2, K3, to avoid unnecessary padding and MAC any message M ∈ {0, 1}* using max{1, ⌈|M|/n⌉} applications of ...
L-collision Attacks against Randomized MACs
In order to avoid birthday attacks on message authentication schemes, it has been suggested that one add randomness to the scheme. One must be careful about how randomness is added, however. This paper shows that prefixing randomness to a message before ...
On the Exact Security of Full Domain Hash
The Full Domain Hash (FDH) scheme is an RSA-based signature scheme in which the message is hashed onto the full domain of the RSA function. The FDH scheme is provably secure in the random oracle model, assuming that inverting RSA is hard. In this paper ...
Timed Commitments
We introduce and construct timed commitment schemes, an extension to the standard notion of commitments in which a potential forced opening phase permits the receiver to recover (with effort) the committed value without the help of the committer. An ...
A Practical and Provably Secure Coalition-Resistant Group Signature Scheme
A group signature scheme allows a group member to sign messages anonymously on behalf of the group. However, in the case of a dispute, the identity of a signature's originator can be revealed (only) by a designated entity. The interactive counterparts ...
Provably Secure Partially Blind Signatures
Partially blind signature schemes are an extension of blind signature schemes that allow a signer to explicitly include necessary information (expiration date, collateral conditions, or whatever) in the resulting signatures under some agreement with the ...
Weaknesses in the SL2(F_{2^n}) Hashing Scheme
We show that for various choices of the parameters in the SL2(F_{2^n}) hashing scheme, suggested by Tillich and Zémor, messages can be modified without changing the hash value. Moreover, examples of hash functions "with a trapdoor" within this family are ...
Fast Correlation Attacks through Reconstruction of Linear Polynomials
The task of a fast correlation attack is to efficiently restore the initial content of a linear feedback shift register in a stream cipher using a detected correlation with the output sequence. We show that by modeling this problem as the problem of ...
Sequential Traitor Tracing
Traceability schemes allow detection of at least one traitor when a group of colluders attempt to construct a pirate decoder and gain illegal access to digital content. Fiat and Tassa proposed dynamic traitor tracing schemes that can detect all traitors ...
Long-Lived Broadcast Encryption
In a broadcast encryption scheme, digital content is encrypted to ensure that only privileged users can recover the content from the encrypted broadcast. Key material is usually held in a "tamper-resistant," replaceable, smartcard. A coalition of users ...
Taming the Adversary
While there is a great deal of sophistication in modern cryptology, simple (and simplistic) explanations of cryptography remain useful and perhaps necessary. Many of the explanations are informal; others are embodied in formal methods, particularly in ...
The Security of All-or-Nothing Encryption: Protecting against Exhaustive Key Search
We investigate the all-or-nothing encryption paradigm which was introduced by Rivest as a new mode of operation for block ciphers. The paradigm involves composing an all-or-nothing transform (AONT) with an ordinary encryption mode. The goal is to have ...
On the Round Security of Symmetric-Key Cryptographic Primitives
We put forward a new model for understanding the security of symmetric-key primitives, such as block ciphers. The model captures the fact that many such primitives often consist of iterating simpler constructs for a number of rounds, and may provide ...
New Paradigms for Constructing Symmetric Encryption Schemes Secure against Chosen-Ciphertext Attack
The paradigms currently used to realize symmetric encryption schemes secure against adaptive chosen ciphertext attack (CCA) try to make it infeasible for an attacker to forge "valid" ciphertexts. This is achieved by either encoding the plaintext with ...
Efficient Non-malleable Commitment Schemes
We present efficient non-malleable commitment schemes based on standard assumptions such as RSA and Discrete-Log, and under the condition that the network provides publicly available RSA or Discrete-Log parameters generated by a trusted party. Our ...
Improved Non-committing Encryption Schemes Based on a General Complexity Assumption
Non-committing encryption enables the construction of multiparty computation protocols secure against an adaptive adversary in the computational setting where private channels between players are not assumed. While any non-committing encryption scheme ...
A Note on the Round-Complexity of Concurrent Zero-Knowledge
We present a lower bound on the number of rounds required by Concurrent Zero-Knowledge proofs for languages in NP. It is shown that in the context of Concurrent Zero-Knowledge, at least eight rounds of interaction are essential for black-box simulation ...
An Improved Pseudo-random Generator Based on Discrete Log
Under the assumption that solving the discrete logarithm problem modulo an n-bit prime p is hard even when the exponent is a small c-bit number, we construct a new and improved pseudo-random bit generator. This new generator outputs n-c-1 bits per ...
Linking Classical and Quantum Key Agreement: Is There "Bound Information"?
After carrying out a protocol for quantum key agreement over a noisy quantum channel, the parties Alice and Bob must process the raw key in order to end up with identical keys about which the adversary has virtually no information. In principle, both ...