Publication


Featured research published by Ingrid Biehl.


international cryptology conference | 2000

Differential Fault Attacks on Elliptic Curve Cryptosystems

Ingrid Biehl; Bernd Meyer; Volker Müller

In this paper we extend the ideas for differential fault attacks on the RSA cryptosystem (see) to schemes using elliptic curves. We present three different types of attacks that can be used to derive information about the secret key if bit errors can be inserted into the elliptic curve computations in a tamper-proof device. The effectiveness of the attacks was proven in a software simulation of the described ideas.


Archive | 1995

LiDIA : a library for computational number theory

Ingrid Biehl; Johannes A. Buchmann; Thomas Papanikolaou

In this paper we describe LiDIA, a new library for computational number theory. Why do we work on a new library for computational number theory when such powerful tools as Pari [1], Kant [11], Simath [10] already exist? In fact, those systems are very useful for solving problems for which there exist efficient system routines. For example, using Pari or Kant it is possible to compute invariants of algebraic number fields and Simath can be used to find the rank of an elliptic curve over Q. However, building complicated and efficient software on top of existing systems has in our experience turned out to be very difficult. Therefore, the software of our research group is developed independently of other computer algebra systems.


Lecture Notes in Computer Science | 1998

Ensuring the Integrity of Agent-Based Computations by Short Proofs

Ingrid Biehl; Bernd Meyer; Susanne Wetzel

Mobile code technology is gaining growing importance for example for electronic commerce applications. To come to a widespread use of mobile agents a lot of security aspects have to be seriously considered and security problems have to be solved to convince potential users of this technology. So far, most work concerning security in the area of mobile code was done to protect hosts from malicious agents. However, in the very recent literature approaches are discussed which lead to different levels of security for the mobile agent against attacks by dishonest hosts. A central problem consists in the integrity of computation: In order to profit from mobile agent technology, techniques have to be used which guarantee the correctness of the results returned by a mobile agent to its originator. In this paper we explain a general approach to cope with the integrity problem by supplementing computation results with very short proofs of correctness which can a posteriori be checked by the originator of the mobile code to verify whether the result is reliable or not.


Designs, Codes and Cryptography | 2004

Efficient Undeniable Signature Schemes Based on Ideal Arithmetic in Quadratic Orders

Ingrid Biehl; Sachar Paulus; Tsuyoshi Takagi

In undeniable signature schemes the correctness or incorrectness of a signature of some message cannot be checked without the agreement of and the interaction with the signer. This is a favorable property for some applications. Well-known undeniable signature schemes presented in the literature will cause operations for the signer which take cubic running time. For a real world implementation, e.g., on a chip card or a web server this might be too inefficient. In this paper, we present new efficient undeniable signature schemes which are constructed over an imaginary quadratic field. We compare our schemes to the only really competitive scheme so far, which is based on RSA. In all signature protocols presented here the signer's part involving the secret key is always of quadratic complexity, which is much faster in practice than the signer's part in the RSA-based undeniable signature protocol.


international conference on information and communication security | 1997

Traceable visual cryptography

Ingrid Biehl; Susanne Wetzel

In this paper we present a new k out of n visual cryptography scheme which does not only meet the requirements of a basic visual cryptography scheme defined by Naor and Shamir [5] but is also traceable. A k out of n visual cryptography scheme is a special instance of a k out of n threshold secret sharing scheme [6]. Thus, no information about the original secret can be revealed if less than k share-holders combine their shares. In those systems it is inherently assumed that even if there are k or more share-holders with an interest in the abuse of the secret, then it is almost impossible that they can meet up as an entirety (e.g. because they are too cautious to inform too many others about their intentions) and combine their shares to misuse the secret. But in real scenarios it might not be too unlikely that the betrayers find together in small groups. Even though each one of these groups is too small to compute the original secret, the betrayers of such a group can impose a major security risk on the system by publishing the information about their shares. Suppose for example that k − 1 betrayers find each other and do the publishing. Then all the other n − k + 1 share-holders can potentially reveal the secret without ever meeting up with at least k − 1 other share-holders as is intended by the system. In order to cope with this lack of security, we present in this paper the idea of traceable visual cryptography schemes which allows to track down the publishing saboteurs.


international cryptology conference | 1994

Cryptographic Protocols Based on Discrete Logarithms in Real-quadratic Orders

Ingrid Biehl; Johannes A. Buchmann; Christoph Thiel

We generalize and improve the schemes of [4]. We introduce analogues of exponentiation and discrete logarithms in the principal cycle of real quadratic orders. This enables us to implement many cryptographic protocols based on discrete logarithms, e.g. a variant of the signature scheme of ElGamal [8].


Designs, Codes and Cryptography | 2002

A Signature Scheme Based on the Intractability of Computing Roots

Ingrid Biehl; Johannes A. Buchmann; Safuat Hamdy; Andreas Meyer

We present RDSA, a variant of the DSA signature scheme, whose security is based on the intractability of extracting roots in a finite abelian group. We prove that RDSA is secure against an adaptively chosen message attack in the random oracle model if and only if computing roots in the underlying group is intractable. We report on a very efficient implementation of RDSA in the class group of imaginary quadratic orders. We also show how to construct class groups of algebraic number fields of degree < 2 in which RDSA can be implemented.


international conference on the theory and application of cryptology and information security | 1996

Cryptographic protocols based on real-quadratic A-fields (extended abstract)

Ingrid Biehl; Bernd Meyer; Christoph Thiel

In [7] and [3] the difficulty of the Discrete-Logarithm problem in the cycle of reduced principal ideals in a real-quadratic number field was used as basis for the construction of secure cryptographic protocols. In [14] a Diffie-Hellman key exchange variant based on a real-quadratic congruence function fields is presented. We generalize and extend these results by investigating real-quadratic A-fields. We define the Distance problem, the Discrete-Logarithm problem and the Diffie-Hellman problem in the cycle of reduced principal ideals in real-quadratic A-fields and discuss their difficulty. We show that with respect to probabilistic polynomial time reductions the Distance problem and the Discrete-Logarithm problem are equivalent and are at least as difficult as the Diffie-Hellman problem. Moreover we introduce the problem of computing square roots of reduced principal ideals in real-quadratic A-fields as another computationally difficult problem. In real-quadratic number fields this again is at least as difficult as the integer factorization problem. In congruence function fields the problem of computing square roots is supposed to be even more difficult than in number fields. We present a secure bit commitment scheme based on the difficulty of the square root problem and an oblivious transfer protocol based on the Diffie-Hellman problem. These protocols are important since they may serve as components for the construction of more sophisticated cryptographic protocols.


australasian conference on information security and privacy | 2002

A New Distributed Primality Test for Shared RSA Keys Using Quadratic Fields

Ingrid Biehl; Tsuyoshi Takagi

In the generation method for RSA-moduli proposed by Boneh and Franklin in [BF97] the partial signing servers generate random shares $p_i$, $q_i$ and compute as candidate for an RSA-modulus $n = pq$ where $p = (\sum p_i)$ and $q = (\sum q_i)$. Then they perform a time-consuming distributed primality test which simultaneously checks the primality both of $p$ and $q$ by computing $g^{(p-1)(q-1)} = 1 \bmod n$. The primality test proposed in [BF97] cannot be generalized to products of more than two primes. A more complicated one for products of three primes was presented in [BH98]. In this paper we propose a new distributed primality test, which can independently prove the primality of $p$ or $q$ for the public modulus $n = pq$ and can be easily generalized to products of arbitrarily many factors, i.e., the Multi-Prime RSA of PKCS #1 v2.0 Amendment 1.0 [PKCS]. The proposed scheme can be applied in parallel for each factor $p$ and $q$. We use properties of the group $Cl(-8n^2)$, which is the class group of the quadratic field with discriminant $-8n^2$. As it is the case with the Boneh-Franklin protocol our protocol is $\lfloor \frac{k-1}{2} \rfloor$-private, i.e. less than $\lfloor \frac{k-1}{2} \rfloor$ colluding servers cannot learn any information about the primes of the generated modulus. The security of the proposed scheme is based on the intractability of the discrete logarithm problem in $Cl(-8n^2)$ and on the intractability of a new number theoretic problem which seems to be intractable too.


Archive | 2000

A Secure, Robust Time-Stamping Service Based on Distributed RSA Signatures (Ein sicherer, robuster Zeitstempeldienst auf der Basis verteilter RSA-Signaturen)

Helo Appel; Ingrid Biehl; Arnulph Fuhrmann; Markus Ruppert; Tsuyoshi Takagi; Akira Takura; Christian Valentin

In this contribution an extremely reliable and robust time-stamping service is presented. The core technologies used are the protocols for distributed RSA key generation proposed by Boneh-Franklin [BoFr97] and Frankel-MacKenzie-Yung [FMY98], and a system for time synchronization based on ISDN developed by Nippon Telegraph and Telephone (NTT). This time-stamping service has special properties. It cannot be compromised by a successful attack on one component, it continues to work correctly during signing even after the failure of individual components, and it has a very reliable time base. This time-stamping service is currently being implemented as part of a joint project between NTT and the Technische Universität Darmstadt (TUD).

Collaboration


Top Co-Authors

Johannes A. Buchmann

Technische Universität Darmstadt

Susanne Wetzel

Stevens Institute of Technology

Andreas Meyer

Technische Universität Darmstadt

Safuat Hamdy

Technische Universität Darmstadt

Volker Müller

University of Luxembourg

Sachar Paulus

Technische Universität Darmstadt
