Antoon Bosselaers

The ESPRIT Project CAFE - High Security Digital Payment Systems

CAFE (“Conditional Access for Europe”) is an ongoing project in the European Communitys ESPRIT program. The goal of CAFE is to develop innovative systems for conditional access, and in particular, digital payment systems. An important aspect of CAFE is high security of all parties concerned, with the least possible requirements that they are forced to trust other parties (so-called multi-party security). This should give legal certainty to everybody at all times. Moreover, both the electronic money issuer and the individual users are less dependent on the tamper-resistance of devices than in usual digital payment systems. Since CAFE aims at the market of small everyday payments that is currently dominated by cash, payments are offline, and privacy is an important issue.

Fast Hashing on the Pentium

With the advent of the Pentium processor parallelization finally bccarne available to Intel based computer systems. One of the design principles of the MD4-family of hash functions (MD4, MD5, SHA-1, FLIPEMD-160) is to be fast on the 32-bit Intel processors. This paper shows that carefully coded implementations of these hash functions are able to exploit the Pentiums superscalar architecture to its maximum effect: the performance with respect to execution on a non-parallel architecture increases by about 60%. This is an important result in view of the recent claims on the limited data bandwidth of these hash functions. Moreover, it is conjectured that these implementations are very close to optimal. It will also be shown that the performance penalty incurred by non-cached data and endianness conversion is limited, and in the order of 10% of running time.

Collision-free hashfunctions based on blockcipher algorithms

The concept of collision free hash functions has been shown to be a useful building block of signature schemes and message authentication schemes. In this paper, a fast and secure proposal is made for a 2n-bit collison free hash function based on an n-bit encryp tion algorithm. In case of the DES, the length of the result is 128 bits, which suffices to thwart a birthday attack.

SHA: a design for parallel architectures?

To enhance system performance computer architectures tend to incorporate an increasing number of parallel execution units. This paper shows that the new generation of MD4-based customized hash functions (RIPEMD-128, RIPEMD-160, SHA-1) contains much more software parallelism than any of these computer architectures is currently able to provide. It is conjectured that the parallelism found in SHA-1 is a design principle. The critical path of SHA-1 is twice as short as that of its closest contender RIPEMD-160, but realizing it would require a 7-way multiple-issue architecture. It will also be shown that, due to the organization of RIPEMD-160 in two independent lines, it will probably be easier for future architectures to exploit its software parallelism.

An Attack on the Last Two Rounds of MD4

In [Rive90] the MD4 message digest algorithm was introduced taking an input message of arbitrary length and producing an output 128-bit message digest. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message. In this paper it is shown that if the three round MD4 algorithm is stripped of its first round, it is possible to find for a given (initial) input value two different messages hashing to the same output. A computer program implementing this attack takes about 1 millisecond on a 16 Mhz IBM PS/2 to find such a collision.

Recent Developments in the Design of Conventional Cryptographic Algorithms

This paper examines proposals for three cryptographic primitives: block ciphers, stream ciphers, and hash functions. It provides an overview of the design principles of a large number of recent proposals, which includes the global structure, the number of rounds, the way of introducing non-linearity and diffusion, and the key schedule. The software performance of about twenty primitives is compared based on highly optimized implementations for the Pentium. The goal of the paper is to provided a technical perspective on the wide variety of primitives that exist today.

Cryptanalysis of a fast cryptographic checksum algorithm

A critical analysis of the modified cryptographic checksum algorithm published by F. Cohen and H.J. Huang points out two major weaknesses in the scheme. The first weakness is a reduced dependency on the beginning of the plaintext. Secondly, the first bits of the key can be derived with an adaptive chosen text attack. With the aid of these bits, the plaintext can be manipulated with a negligible chance of detection.

A Chosen Text Attack on The Modified Cryptographic Checksum Algorithm of Cohen and Huang

A critical analysis of the modified cryptographic checksum algorithm of Cohen and Huang points out some weaknesses in the scheme. We show how to exploit these weaknesses with a chosen text attack to derive the first bits of the key. This information suffices to manipulate blocks with a negligible chance of detection.

Cryptography Within Phase I of the EEC-RACE Programme

In order to pave the way towards commercial use of Integrated Broadband Communications (IBC) in Europe, the Commission of the European Communities has launched the RACE programme. Under this RACE programme pre-competitive and pre-normative work is going on. Most advanced applications in IBC and many services rely on the cost effective provision of integrity mechanisms. Within the first phase of the RACE programme (RACE I) three projects were preoccupied with the provision of these mechanisms in a universal and unified manner to all users of IBC. While project R1025 looked at the overall IBC needs by providing the functional specifications for the global provision of security, projects R1040 and R1047 were providing the necessary technology base.