Agnes Hui Chan

Easy come — Easy go divisible cash

Recently, there has been an interest in making electronic cash protocols more practical for electronic commerce by developing e-cash which is divisible (e.g., a coin which can be spent incrementally but total purchases are limited to the monetary value of the coin). In Crypto`95, T. Okamoto presented the first practical divisible, untraceable, off-line e-cash scheme, which requires only O(log N) computations for each of the withdrawal, payment and deposit procedures, where N = (total coin value)/(smallest divisible unit). However, Okamoto`s set-up procedure is quite inefficient (on the order of 4,000 multi-exponentiations and depending on the size of the RSA modulus). The authors formalize the notion of range-bounded commitment, originally used in Okamoto`s account establishment protocol, and present a very efficient instantiation which allows one to construct the first truly efficient divisible e-cash system. The scheme only requires the equivalent of one (1) exponentiation for set-up, less than 2 exponentiations for withdrawal and around 20 for payment, while the size of the coin remains about 300 Bytes. Hence, the withdrawal protocol is 3 orders of magnitude faster than Okamoto`s, while the rest of the system remains equally efficient, allowing for implementation in smart-cards. Similar to Okamoto`s, the scheme is based on proofs whose cryptographic security assumptions are theoretically clarified.

A fast algorithm for determining the complexity of a binary sequence with period 2^n (Corresp.)

The complexity of a periodic sequence (s) is defined to be the least number of stages in a linear feedback shift register that generates (s) .

Efficient and Mutually Authenticated Key Exchange for Low Power Computing Devices

In this paper, we consider the problem of mutually authenticated key exchanges between a low-power client and a powerful server. We show how the Jakobsson-Pointcheval scheme proposed recently [15] can be compromised using a variant of interleaving attacks. We also propose a new scheme for achieving mutually authenticated key exchanges. The protocol is proven correct within a variant of Bellare-Rogaway model [3,4]. This protocol gives the same scalability as other publickey based authenticated key exchange protocols but with much higher efficiency and fewer messages. It only takes 20 msec total computation time on a PalmPilot and has only three short messages exchanged during the protocol.

Threshold Schemes with Disenrollment

When a shadow of a threshold scheme is publicized, new shadows have to be reconstructed and redistributed in order to maintain the same level of security. In this paper we consider threshold schemes with disenrollment capabilities where the new shadows can be created by broadcasts through a public channel. We establish a lower bound on the size of each shadow in a scheme that allows L disenrollments. We exhibit three systems that achieve the lower bound on shadow size.

The performance measurement of cryptographic primitives on palm devices

We developed and evaluated several cryptographic system libraries for Palm OS(R) which include stream and block ciphers, hash functions and multiple-precision integer arithmetic operations. We noted that the encryption speed of SSC2 outperforms both ARC4 (Alleged RC4) and SEAL 3.0 if the plaintext is small. On the other hand, SEAL 3.0 almost doubles the speed of SSC2 when the plaintext is very large. We also observed that the optimized Rijndael with 8KB of lookup tables is 4 times faster than DES. In addition, our results show that implementing the cryptographic algorithms as system libraries does not degrade their performance significantly. Instead, they provide great flexibility and code management to the algorithms. Furthermore, the test results presented provide a basis for performance estimation of cryptosystems implemented on the PalmPilot/sup TM/.

Mutual authentication and key exchange for low power wireless communications

We propose two efficient mutual authentication and key exchange protocols (MAKEPs) namely (1) server-specific and (2) linear MAKEPs. They are suitable for establishing secure communications between a low-power wireless device (client) and a powerful base station (server) under different system requirements. These protocols reduce the computational burden of the client while still maintaining a required level of security and a good amount of scalability for most wireless communications applications. We discuss their security and also demonstrate that they can be implemented efficiently.

Cascaded GMW sequences

Pseudorandom binary sequences with high linear complexity and low correlation function values are sought in many applications of modern communication systems. A new family of pseudorandom binary sequences, cascaded GMW sequences, is constructed. These sequences are shown to share many desirable correlation properties with the GMW sequences of B. Gordon, W.A. Mills, and L.R. Welch (1962)-for example, high-shifted autocorrelation values and, in many cases, three-valued cross-correlation values with m-sequences. It is shown, moreover, that in many cases the linear complexities of cascaded GMW sequences are far greater than those of GMW sequences. >

Password Authenticated Key Exchange Based on RSA for Imbalanced Wireless Networks

We consider an imbalanced wireless network setup in which a low-power client communicates with a powerful server. We assume that public key cryptographic operations such as Diffie-Hellman key exchange conducted over a large multiplicative group is too computationally intensive for a low-power client to implement. In this paper, we propose an authenticatedk ey exchange protocol such that it is efficient enough to be implemented on most of the target low-power devices such as devices in sensor networks, smart cards and low-power Personal Digital Assistants. In addition, it is secure against dictionary attacks. Our scheme requires less than 2.5 seconds of pure computation on a 16MHz Palm V andab out 1 secondfor data transmission if the throughput of a network is 8 kbps. The computation time can be improvedto 300 msec and the transmision time can also be reduced to 300 msec if caching is allowed.

Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers

This paper investigates the design of S-boxes used for combining linear feedback shift register (LFSR) sequences in combination generators. Such combination generators have higher throughput than those using Boolean functions as the combining functions. However, S-boxes tend to leak more information about the LFSR sequences than Boolean functions. To study the information leakage, the notion of maximum correlation is introduced, which is based on the correlation between linear functions of the input and all the Boolean functions (linear and nonlinear) of the output of an S-box. Using Walsh transform, a spectral characterization of the maximum correlation coefficients, together with their upper and lower bounds, are established. For the perfect nonlinear S-boxes designed for block ciphers, an upper bound on the maximum correlation coefficients is presented.

The Software-Oriented Stream Cipher SSC2

SSC2 is a fast software stream cipher designed for wireless handsets with limited computational capabilities. It supports various private key sizes from 4 bytes to 16 bytes. All operations in SSC2 are word-oriented, no complex operations such as multiplication, division, and exponentiation are involved. SSC2 has a very compact structure that makes it easy to implement on 8-,16-, and 32-bit processors. Theoretical analysis demonstrates that the keystream sequences generated by SSC2 have long period, large linear complexity, and good statistical distribution.