Eric R. Verheul
Radboud University Nijmegen
Publication
Featured research published by Eric R. Verheul.
public key cryptography | 2000
Arjen K. Lenstra; Eric R. Verheul
In this article we give guidelines for the determination of cryptographic key sizes. Our recommendations are based on a set of explicitly formulated hypotheses, combined with existing data points about the cryptosystems. This article is an abbreviated version of [15].
international cryptology conference | 2000
Arjen K. Lenstra; Eric R. Verheul
This paper introduces the XTR public key system. XTR is based on a new method to represent elements of a subgroup of a multiplicative group of a finite field. Application of XTR in cryptographic protocols leads to substantial savings both in communication and computational overhead without compromising security.
international conference on the theory and application of cryptology and information security | 2001
Eric R. Verheul
We describe two simple, efficient and effective credential pseudonymous certificate systems, which also support anonymity without the need for a trusted third party. The second system provides cryptographic protection against the forgery and transfer of credentials. Both systems are based on a new paradigm, called self-blindable certificates. Such certificates can be constructed using the Weil pairing in supersingular elliptic curves.
Journal of Cryptology | 2004
Eric R. Verheul
We show that finding an efficiently computable injective homomorphism from the XTR subgroup into the group of points over GF(p^2) of a particular type of supersingular elliptic curve is at least as hard as solving the Diffie–Hellman problem in the XTR subgroup. This provides strong evidence for a negative answer to the question posed by Vanstone and Menezes at the Crypto 2000 Rump Session on the possibility of efficiently inverting the MOV embedding into the XTR subgroup. As a side result we show that the Decision Diffie–Hellman problem in the group of points on this type of supersingular elliptic curves is efficiently computable, which provides an example of a group where the Decision Diffie–Hellman problem is simple, while the Diffie–Hellman and discrete logarithm problems are presumably not. So-called distortion maps on groups of points on elliptic curves that play an important role in our cryptanalysis also lead to cryptographic applications of independent interest. These applications are an improvement of Joux’s one round protocol for tripartite Diffie–Hellman key exchange and a non-refutable digital signature scheme that supports escrowable encryption. We also discuss the applicability of our methods to general elliptic curves defined over finite fields which includes a classification of elliptic curve groups where distortion maps exist.
Applicable Algebra in Engineering, Communication and Computing | 1997
Eric R. Verheul; Hca Henk van Tilborg
In some applications of RSA, it is desirable to have a short secret exponent d. Wiener [6] describes a technique to use continued fractions (CF) in a cryptanalytic attack on an RSA cryptosystem having a ‘short’ secret exponent. Let n = p ⋅ q be the modulus of the system. In the typical case that G = gcd(p−1, q−1) is small, Wiener’s method will give the secret exponent d when d does not exceed (approximately) n^{1/4}. Here, we describe a general method to compute the CF-convergents of the continued fraction expansion of the same number as in Wiener (which has denominator d ⋅ G) up to the point where the denominator of the CF-convergent exceeds approximately n^{1/4}. When d < n^{1/4} this technique determines d, p, and q as does Wiener’s method. For larger values of d there is still information available on the secret key. An estimate is made of the remaining workload to determine d, p and q. Roughly speaking this workload corresponds to an exhaustive search for about 2r+8 bits, where r = ln_2(d/n^{1/4}).
international conference on the theory and application of cryptology and information security | 2000
Arjen K. Lenstra; Eric R. Verheul
This paper describes improved methods for XTR key representation and parameter generation (cf. [4]). If the field characteristic is properly chosen, the size of the XTR public key for signature applications can be reduced by a factor of three at the cost of a small one time computation for the recipient of the key. Furthermore, the parameter set-up for an XTR system can be simplified because the trace of a proper subgroup generator can, with very high probability, be computed directly, thus avoiding the probabilistic approach from [4]. These non-trivial extensions further enhance the practical potential of XTR.
public key cryptography | 2001
Arjen K. Lenstra; Eric R. Verheul
We describe a new general method to perform part of the setup stage of the XTR system introduced at Crypto 2000, namely finding the trace of a generator of the XTR group. Our method is substantially faster than the general method presented at Asiacrypt 2000. As a side result, we obtain an efficient method to test subgroup membership when
international conference on the theory and application of cryptology and information security | 2002
Wieb Bosma; James Hutton; Eric R. Verheul
XTR is a general method that can be applied to discrete logarithm based cryptosystems in extension fields of degree six, providing a compact representation of the elements involved. In this paper we present a precise formulation of the Brouwer-Pellikaan-Verheul conjecture, originally posed in [4], concerning the size of XTR-like representations of elements in extension fields of arbitrary degree. If true this conjecture would provide even more compact representations of elements than XTR in extension fields of degree thirty. We test the conjecture by experiment, showing that in fact it is unlikely that such a compact representation of elements can be achieved in extension fields of degree thirty.
public key cryptography | 2008
Steven D. Galbraith; Eric R. Verheul
The vector decomposition problem (VDP) has been proposed as a computational problem on which to base the security of public key cryptosystems. We give a generalisation and simplification of the results of Yoshida on the VDP. We then show that, for the supersingular elliptic curves which can be used in practice, the VDP is equivalent to the computational Diffie-Hellman problem (CDH) in a cyclic group. For the broader class of pairing-friendly elliptic curves we relate VDP to various co-CDH problems and also to a generalised discrete logarithm problem 2-DL which in turn is often related to discrete logarithm problems in cyclic groups.
public key cryptography | 2000
Eric R. Verheul
We propose new schemes for Certificates of Recoverability (CRs). These consist of a user’s public key and attributes, its private key encrypted in such a way that it is recoverable by one or more Key Recovery Agents (KRAs), plus a publicly verifiable proof of this (the actual CR). In the original schemes, the level of cryptographic security employed by the KRA and the users is necessarily the same. In our schemes the level of cryptographic security employed by the KRA can be set higher, in a scalable fashion, than that being employed by the users. Among the other improvements of our schemes are its applicability to create CRs for cryptosystems based on the Discrete Log problem in small subgroups, most notably the Digital Signature Standard and Elliptic Curve Crypto systems. Also, the size of the constructed proofs of knowledge can be taken smaller than in the original schemes. We additionally show several ways to support secret sharing in our scheme. Finally we present several new constructions and results on the hardness of “small parts”, in the setting of Diffie-Hellman keys in extension fields.