main-content

## Über dieses Buch

EUROCRYPT 2001, the 20th annual Eurocrypt conference, was sponsored by the IACR, the International Association for Cryptologic Research, see http://www. iacr. org/, this year in cooperation with the Austrian Computer - ciety (OCG). The General Chair, Reinhard Posch, was responsible for local or- nization, and registration was handled by the IACR Secretariat at the University of California, Santa Barbara. In addition to the papers contained in these proceedings, we were pleased that the conference program also included a presentation by the 2001 IACR d- tinguished lecturer, Andrew Odlyzko, on “Economics and Cryptography” and an invited talk by Silvio Micali, “Zero Knowledge Has Come of Age. ” Furthermore, there was the rump session for presentations of recent results and other (p- sibly satirical) topics of interest to the crypto community, which Jean-Jacques Quisquater kindly agreed to run. The Program Committee received 155 submissions and selected 33 papers for presentation; one of them was withdrawn by the authors. The review process was therefore a delicate and challenging task for the committee members, and I wish to thank them for all the e?ort they spent on it. Each committee member was responsible for the review of at least 20 submissions, so each paper was carefully evaluated by at least three reviewers, and submissions with a program committee member as a (co-)author by at least six.

## Inhaltsverzeichnis

### A Memory Efficient Version of Satoh’s Algorithm

In this paper we present an algorithm for counting points on elliptic curves over a finite field $$\mathbb{F}_{p^n }$$ of small characteristic, based on Satoh's algorithm. The memory requirement of our algorithm is O(n2), where Satoh's original algorithm needs O(n3) memory. Furthermore, our version has the same run time complexity of O(nn+ε) bit operations, but is faster by a constant factor. We give a detailed description of the algorithm in characteristic 2 and show that the amount of memory needed for the generation of a secure 200-bit elliptic curve is within the range of current smart card technology.

Frederik Vercauteren, Bart Preneel, Joos Vandewalle

### Finding Secure Curves with the Satoh-FGH Algorithm and an Early-Abort Strategy

The use of elliptic curves in cryptography relies on the ability to count the number of points on a given curve. Before 1999, the SEA algorithm was the only efficient method known for random curves. Then Satoh proposed a new algorithm based on the canonical p-adic lift of the curve for p ≥ 5. In an earlier paper, the authors extended Satoh's method to the case of characteristics two and three. This paper presents an implementation of the Satoh-FGH algorithm and its application to the problem of findingcurv es suitable for cryptography. By combining Satoh-FGH and an early-abort strategy based on SEA, we are able to find secure random curves in characteristic two in much less time than previously reported. In particular we can generate curves widely considered to be as secure as RSA-1024 in less than one minute each on a fast workstation.

Mireille Fouquet, Pierrick Gaudry, Robert Harley

### How Secure Are Elliptic Curves over Composite Extension Fields?

We compare the method of Weil descent for solving the ECDLP, over extensions fields of composite degree in characteristic two, against the standard method of parallelised Pollard rho. We give details of a theoretical and practical comparison and then use this to analyse the difficulty of actually solving the ECDLP for curves of the size needed in practical cryptographic systems. We show that composite degree extensions of degree divisible by four should be avoided. We also examine the elliptic curves proposed in the Oakley key determination protocol and show that with current technology they remain secure.

Nigel P. Smart

### Efficient and Non-interactive Non-malleable Commitment

We present new constructions of non-malleable commitment schemes, in the public parameter model (where a trusted party makes parameters available to all parties), based on the discrete logarithm or RSA assumptions. The main features of our schemes are: they achieve near-optimal communication for arbitrarily-large messages and are non-interactive. Previous schemes either required (several rounds of) interaction or focused on achieving non-malleable commitment based on general assumptions and were thus efficient only when committing to a single bit. Although our main constructions are for the case of perfectly-hiding commitment, we also present a communication-efficient, non-interactive commitment scheme (based on general assumptions) that is perfectly binding.

Giovanni Di Crescenzo, Jonathan Katz, Rafail Ostrovsky, Adam Smith

### How to Convert the Flavor of a Quantum Bit Commitment

In this paper we show how to convert a statistically binding but computationally concealing quantum bit commitment scheme into a computationally binding but statistically concealing qbc scheme. For a security parameter n, the construction of the statistically concealing scheme requires O(n2) executions of the statistically binding scheme. As a consequence, statistically concealing but computationally binding quantum bit commitments can be based upon any family of quantum one-way functions. Such a construction is not known to exist in the classical world.

Claude Crépeau, Frédéric Légaré, Louis Salvail

### Cryptographic Counters and Applications to Electronic Voting

We formalize the notion of a cryptographic counter, which allows a group of participants to increment and decrement a cryptographic representation of a (hidden) numerical value privately and robustly. The value of the counter can only be determined by a trusted authority (or group of authorities, which may include participants themselves), and participants cannot determine any information about the increment/decrement operations performed by other parties.Previous efficient implementations of such counters have relied on fully-homomorphic encryption schemes; this is a relatively strong requirement which not all encryption schemes satisfy. We provide an alternate approach, starting with any encryption scheme homomorphic over the additive group ℤ2 (i.e., 1-bit XOR). As our main result, we show a general and efficient reduction from any such encryption scheme to a general cryptographic counter. Our main reduction does not use additional assumptions, is efficient, and gives a novel implementation of a general counter. The result can also be viewed as an efficient construction of a general n-bit cryptographic counter from any 1-bit counter which has the additional property that counters can be added securely.As an example of the applicability of our construction, we present a cryptographic counter based on the quadratic residuosity assumption and use it to construct an efficient voting scheme which satisfies universal verifiability, privacy, and robustness.

Jonathan Katz, Steven Myers, Rafail Ostrovsky

### An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation

A credential system is a system in which users can obtain credentials from organizations and demonstrate possession of these credentials. Such a system is anonymous when transactions carried out by the same user cannot be linked. An anonymous credential system is of significant practical relevance because it is the best means of providing privacy for users. In this paper we propose a practical anonymous credential system that is based on the strong RSA assumption and the decisional Diffie-Hellman assumption modulo a safe prime product and is considerably superior to existing ones: (1) We give the first practical solution that allows a user to unlinkably demonstrate possession of a credential as many times as necessary without involving the issuing organization. (2) To prevent misuse of anonymity, our scheme is the first to offer optional anonymity revocation for particular transactions. (3) Our scheme offers separability: all organizations can choose their cryptographic keys independently of each other. Moreover, we suggest more effective means of preventing users from sharing their credentials, by introducing all-or-nothing sharing: a user who allows a friend to use one of her credentials once, gives him the ability to use all of her credentials, i.e., taking over her identity. This is implemented by a new primitive, called circular encryption, which is of independent interest, and can be realized from any semantically secure cryptosystem in the random oracle model.

Jan Camenisch, Anna Lysyanskaya

### Priced Oblivious Transfer: How to Sell Digital Goods

We consider the question of protecting the privacy of customers buying digital goods. More specifically, our goal is to allow a buyer to purchase digital goods from a vendor without letting the vendor learn what, and to the extent possible also when and how much, it is buying. We propose solutions which allow the buyer, after making an initial deposit, to engage in an unlimited number of priced oblivious-transfer protocols, satisfying the following requirements: As long as the buyer's balance contains sufficient funds, it will successfully retrieve the selected item and its balance will be debited by the item's price. However, the buyer should be unable to retrieve an item whose cost exceeds its remaining balance. The vendor should learn nothing except what must inevitably be learned, namely, the amount of interaction and the initial deposit amount (which imply upper bounds on the quantity and total price of all information obtained by the buyer). In particular, the vendor should be unable to learn what the buyer's current balance is or when it actually runs out of its funds.The technical tools we develop, in the process of solving this problem, seem to be of independent interest. In particular, we present the first one-round (two-pass) protocol for oblivious transfer that does not rely on the random oracle model (a very similar protocol was independently proposed by Naor and Pinkas [21]). This protocol is a special case of a more general “conditional disclosure” methodology, which extends a previous approach from [11] and adapts it to the 2-party setting.

Bill Aiello, Yuval Ishai, Omer Reingold

### A Secure Three-Move Blind Signature Scheme for Polynomially Many Signatures

Known practical blind signature schemes whose security against adaptive and parallel attacks can be proven in the random oracle model either need five data exchanges between the signer and the user or are limited to issue only logarithmically many signatures in terms of a security parameter. This paper presents an efficient blind signature scheme that allows a polynomial number of signatures to be securely issued while only three data exchanges are needed. Its security is proven in the random oracle model. As an application, a provably secure solution for double-spender-traceable e-cash is presented.at]

Masayuki Abe

### Practical Threshold RSA Signatures without a Trusted Dealer

We propose a threshold RSA scheme which is as efficient as the fastest previous threshold RSA scheme (by Shoup), but where two assumptions needed in Shoup's and in previous schemes can be dropped, namely that the modulus must be a product of safe primes and that a trusted dealer generates the keys. The robustness (but not the unforgeability) of our scheme depends on a new intractability assumption, in addition to security of the underlying standard RSA scheme.

Ivan Damgård, Maciej Koprowski

### Hash Functions: From Merkle-Damgård to Shoup

In this paper we study two possible approaches to improving existing schemes for constructing hash functions that hash arbitrary long messages. First, we introduce a continuum of function classes that lie between universal one-way hash functions and collision-resistant functions. For some of these classes efficient (yielding short keys) composite schemes exist. Second, we prove that the schedule of the Shoup construction, which is the most efficient composition scheme for universal one-way hash functions known so far, is optimal.

Ilya Mironov

### Key Recovery and Message Attacks on NTRU-Composite

NTRU is a fast public key cryptosystem presented in 1996 by Hoffstein, Pipher and Silverman ofBro wn University. It operates in the ring ofp olynomials ℤ[X]/(XN − 1), where the domain parameter N largely determines the security ofthe system. Although N is typically chosen to be prime, Silverman proposes taking N to be a power of two to enable the use of Fast Fourier Transforms. We break this scheme for the specified parameters by reducing lattices ofmanageably small dimension to recover partial information about the private key. We then use this partial information to recover partial information about the message or to recover the private key in its entirety.

Craig Gentry

### Evidence that XTR Is More Secure than Supersingular Elliptic Curve Cryptosystems

We show that finding an efficiently computable injective homomorphism from the XTR subgroup into the group of points over GF(p2) of a particular type of supersingular elliptic curve is at least as hard as solving the Diffie-Hellman problem in the XTR subgroup. This provides strong evidence for a negative answer to the question posed by S. Vanstone and A. Menezes at the Crypto 2000 Rump Session on the possibility of efficiently inverting the MOV embedding into the XTR subgroup. As a side result we show that the Decision Diffie-Hellman problem in the group of points on this type of supersingular elliptic curves is efficiently computable, which provides an example of a group where the Decision Diffie-Hellman problem is simple, while the Diffie-Hellman and discrete logarithm problem are presumably not. The cryptanalytical tools we use also lead to cryptographic applications of independent interest. These applications are an improvement of Joux's one round protocol for tripartite Diffie-Hellman key exchange and a non refutable digital signature scheme that supports escrowable encryption. We also discuss the applicability of our methods to general elliptic curves defined over finite fields.

Eric R. Verheul

### NSS: An NTRU Lattice-Based Signature Scheme

A new authentication and digital signature scheme called the NTRU Signature Scheme (NSS) is introduced. NSS provides an authentication/signature method complementary to the NTRU public key cryptosystem. The hard lattice problem underlying NSS is similar to the hard problem underlying NTRU, and NSS similarly features high speed, low footprint, and easy key creation.

Jeffrey Hoffstein, Jill Pipher, Joseph H. Silverman

### The Bit Security of Paillier’s Encryption Scheme and Its Applications

At EuroCrypt'99, Paillier proposed a new encryption scheme based on higher residuosity classes. The new scheme was proven to be one-way under the assumption that computing N-residuosity classes in Z*N2 is hard. Similarly the scheme can be proven to be semantically secure under a much stronger decisional assumption: given w ∈ Z*N2 it is hard to decide if w is an N-residue or not.In this paper we examine the bit security of Paillier’s scheme. We prove that, if computing residuosity classes is hard, then given a random w it is impossible to predict the least significant bit of its class significantly better than at random. This immediately yields a way to obtain semantic security without relying on the decisional assumption (at the cost of several invocations of Paillier's original function).In order to improve efficiency we then turn to the problem of simultaneous security of many bits. We prove that Paillier's scheme hides n − b (up to O(n)) bits if one assumes that computing the class c of a random w remains hard even when we are told that c < 2b. We thoroughly examine the security of this stronger version of the intractability of the class problem.An important theoretical implication of our result is the construction of the first trapdoor function that hides super-logarithmically (up to O(n)) many bits. We generalize our techniques to provide sufficient conditions for a trapdoor function to have this property.

Dario Catalano, Rosario Gennaro, Nick Howgrave-Graham

### Assumptions Related to Discrete Logarithms: Why Subtleties Make a Real Difference

The security of many cryptographic constructions relies on assumptions related to Discrete Logarithms (DL), e.g., the Diffie-Hellman, Square Exponent, Inverse Exponent or Representation Problem assumptions. In the concrete formalizations of these assumptions one has some degrees of freedom offered by parameters such as computational model, the problem type (computational, decisional) or success probability of adversary. However, these parameters and their impact are often not properly considered or are simply overlooked in the existing literature. In this paper we identify parameters relevant to cryptographic applications and describe a formal framework for defining DL-related assumptions. This enables us to precisely and systematically classify these assumptions.In particular, we identify a parameter, termed granularity, which describes the underlying probability space in an assumption. Varying granularity we discover the following surprising result:We prove that two DL-related assumptions can be reduced to each other for medium granularity but we also show that they are provably not reducible with generic algorithms for high granularity. Further we show that reductions for medium granularity can achieve much better concrete security than equivalent high-granularity reductions.

### Multiparty Protocols

Ran Canetti, Ivan Damgaard, Stefan Dziembowski, Yuval Ishai, Tal Malkin

### Multiparty Computation from Threshold Homomorphic Encryption

We introduce a new approach to multiparty computation (MPC) basing it on homomorphic threshold crypto-systems. We show that given keys for any sufficiently efficient system of this type,general MPC protocols for n parties can be devised which are secure against an active adversary that corrupts any minority of the parties. The total number of bits broadcast is O(nk|C|),where k is the security parameter and |C| is the size of a (Boolean) circuit computing the function to be securely evaluated. An earlier proposal by Franklin and Haber with the same complexity was only secure for passive adversaries,while all earlier protocols with active security had complexity at least quadratic in n. We give two examples of threshold cryptosystems that can support our construction and lead to the claimed complexities.

Ronald Cramer, Ivan Damgård, Jesper B. Nielsen

### On Perfect and Adaptive Security in Exposure-Resilient Cryptography

Yevgeniy Dodis, Amit Sahai, Adam Smith

### Cryptanalysis of Reduced-Round MISTY

The block ciphers MISTY1and MISTY2 proposed by Matsui are based on the principle of provable security against differential and linear cryptanalysis. This paper presents attacks on reduced-round variants of both ciphers, without as well as with the key-dependent linear functions FL. The attacks employ collision-searching techniques and impossible differentials. KASUMI, a MISTY variant to be used in next generation cellular phones, can be attacked with the latter method faster than brute force when reduced to six sounds.

Ulrich Kühn

### The Rectangle Attack — Rectangling the Serpent

Serpent is one of the 5 AES finalists. The best attack published so far analyzes up to 9 rounds. In this paper we present attacks on 7-round, 8-round, and 10-round variants of Serpent. We attack a 7-round variant with all key lengths, and 8- and 10-round variants with 256-bit keys. The 10-round attack on the 256-bit keys variants is the best published attack on the cipher. The attack enhances the amplified boomerang attack and uses better differentials. We also present the best 3-round, 4-round, 5-round and 6-round differential characteristics of Serpent.

Eli Biham, Orr Dunkelman, Nathan Keller

### Efficient Amplification of the Security of Weak Pseudo-random Function Generators

We show that given a PRFG (pseudo-random function generator) G which is $$\frac{1} {c} -$$ partially secure, the construction $$\frac{1} {c} -$$$$\frac{1} {c} -$$ produces a strongly secure PRFG, where g i ∈ G and r i are strings of random bits. Thus we present the first “natural” construction of a (totally secure) PRFG from a partially secure PRFG. Using results of Luby and Rackoff, this result also demonstrates how to “naturally” construct a PRPG from partially secure PRPG.

Steven Myers

### Min-round Resettable Zero-Knowledge in the Public-Key Model

In STOC 2000, Canetti, Goldreich, Goldwasser, and Micali put forward the strongest notion of zero-knowledge to date, resettable zero-knowledge (RZK) and implemented it in constant rounds in a new model, where the verifier simply has a public key registered before any interaction with the prover.To achieve ultimate round efficiency, we advocate a slightly stronger model. Informally, we show that, as long as the honest verifier does not use a given public key more than a fixed-polynomial number of times, there exist 3-round (which we prove optimal) RZK protocols for all of NP.

Silvio Micali, Leonid Reyzin

### Structural Cryptanalysis of SASAS

In this paper we consider the security ofblo ck ciphers which contain alternate layers of invertible S-boxes and affine mappings (there are many popular cryptosystems which use this structure, including the winner of the AES competition, Rijndael). We show that a five layer scheme with 128 bit plaintexts and 8 bit S-boxes is surprisingly weak even when all the S-boxes and affine mappings are key dependent (and thus completely unknown to the attacker). We tested the attack with an actual implementation, which required just 216 chosen plaintexts and a few seconds on a single PC to find the 217 bits of information in all the unknown elements of the scheme.

### Hyper-bent Functions

Bent functions have maximal minimum distance to the set of affine functions. In other words, they achieve the maximal minimum distance to all the coordinate functions of affine monomials. In this paper we introduce a new class of bent functions which we call hyper-bent functions. Functions within this class achieve the maximal minimum distance to all the coordinate functions of all bijective monomials. We provide an explicit construction for such functions. We also extend our results to vectorial hyper-bent functions.

Amr M. Youssef, Guang Gong

### New Method for Upper Bounding the Maximum Average Linear Hull Probability for SPNs

We present a new algorithm for upper bounding the maximum average linear hull probability for SPNs, a value required to determine provable security against linear cryptanalysis. The best previous result (Hong et al. [9]) applies only when the linear transformation branch number (B) is M or (M + 1) (maximal case), where M is the number of s-boxes per round. In contrast, our upper bound can be computed for any value of B. Moreover, the new upper bound is a function of the number of rounds (other upper bounds known to the authors are not). When B = M, our upper bound is consistently superior to [9]. When B = (M + 1), our upper bound does not appear to improve on [9]. On application to Rijndael (128-bit block size, 10 rounds), we obtain the upper bound UB = 2−75, corresponding to a lower bound on the data complexity of $$\frac{8} {{UB}} = {\text{2}}^{{\text{78}}}$$ (for 96.7% success rate). Note that this does not demonstrate the existence of a such an attack, but is, to our knowledge, the first such lower bound.

Liam Keliher, Henk Meijer, Stafford Tavares

### Lower Bounds for Multicast Message Authentication

Message integrity from one sender to one receiver is typically achieved by having the two parties share a secret key to compute a Message Authentication Code (MAC). We consider the “multicast MAC”, which is a natural generalization to multiple receivers. We prove that one cannot build a short and efficient collusion resistant multicast MAC without a new advance in digital signature design.

Dan Boneh, Glenn Durfee, Matt Franklin

### Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels

We present a formalism for the analysis of key-exchange protocols that combines previous definitional approaches and results in a definition of security that enjoys some important analytical benefits: (i) any key-exchange protocol that satisfies the security definition can be composed with symmetric encryption and authentication functions to provide provably secure communication channels (as defined here); and (ii) the definition allows for simple modular proofs of security: one can design and prove security of key-exchange protocols in an idealized model where the communication links are perfectly authenticated, and then translate them using general tools to obtain security in the realistic setting of adversary-controlled links.We exemplify the usability of our results by applying them to obtain the proof of two classes of key-exchange protocols, Diffie-Hellman and key-transport, authenticated via symmetric or asymmetric techniques.

Ran Canetti, Hugo Krawczyk

There has been much interest in password-authenticated keyexchange protocols which remain secure even when users choose passwords from a very small space of possible passwords (say, a dictionary of English words). Under this assumption, one must be careful to design protocols which cannot be broken using off-line dictionary attacks in which an adversary enumerates all possible passwords in an attempt to determine the correct one. Many heuristic protocols have been proposed to solve this important problem. Only recently have formal validations of security (namely, proofs in the idealized random oracle and ideal cipher models) been given for specific constructions [3,10,22].Very recently, a construction based on general assumptions, secure in the standard model with human-memorable passwords, has been proposed by Goldreich and Lindell [17]. Their protocol requires no public parameters; unfortunately, it requires techniques from general multi-party computation which make it impractical. Thus, [17] only proves that solutions are possible “in principal”. The main question left open by their work was finding an efficient solution to this fundamental problem.We showan efficient, 3-round, password-authenticated key exchange protocol with human-memorable passwords which is provably secure under the Decisional Diffie-Hellman assumption, yet requires only (roughly) 8 times more computation than “standard” Diffie-Hellman key exchange [14] (which provides no authentication at all). We assume public parameters available to all parties. We stress that we work in the standard model only, and do not require a “random oracle” assumption.

Jonathan Katz, Rafail Ostrovsky, Moti Yung

### Identification Protocols Secure against Reset Attacks

We provide identification protocols that are secure even when the adversary can reset the internal state and/or randomization source of the user identifying itself, and when executed in an asynchronous environment like the Internet that gives the adversary concurrent access to instances of the user. These protocols are suitable for use by devices (like smartcards) which when under adversary control may not be able to reliably maintain their internal state between invocations.

Mihir Bellare, Marc Fischlin, Shafi Goldwasser, Silvio Micali

### Does Encryption with Redundancy Provide Authenticity?

A popular paradigm for achieving privacy plus authenticity is to append some “redundancy” to the data before encrypting. We investigate the security of this paradigm at both a general and a specific level. We consider various possible notions of privacy for the base encryption scheme, and for each such notion we provide a condition on the redundancy function that is necessary and sufficient to ensure authenticity of the encryption-with-redundancy scheme. We then consider the case where the base encryption scheme is a variant of CBC called NCBC, and find sufficient conditions on the redundancy functions for NCBC encryption-with-redundancy to provide authenticity. Our results highlight an important distinction between public redundancy functions, meaning those that the adversary can compute, and secret ones, meaning those that depend on the shared key between the legitimate parties.

Jee Hea An, Mihir Bellare

### Encryption Modes with Almost Free Message Integrity

We define a new mode of operation for block encryption which in addition to assuring confidentiality also assures message integrity. In contrast, previously for message integrity a separate pass was required to compute a cryptographic message authentication code (MAC). The new mode of operation, called Integrity Aware CBC (IACBC) requires a total of m + 2 block encryptions on a plain-text of length m blocks. The well known CBC (cipher block chaining) mode requires m block encryptions. The second pass of computing the CBCMAC essentially requires additional m block encryptions. A new highly parallelizable mode (IAPM) is also shown to be secure for both encryption and message integrity.

Charanjit S. Jutla

### Backmatter

Weitere Informationen