Kaisa Nyberg
Aalto University
Publication
Featured research published by Kaisa Nyberg.
Archive | 1998
Kaisa Nyberg
Abstract: The objective of this paper is to discuss the Theory and Application of Cryptographic Techniques used to develop cryptanalytic attacks on A5 that can reconstruct the 64-bit secret key in the known-plaintext scenario with computational complexity smaller than 2^64.
Designs, Codes and Cryptography | 1996
Kaisa Nyberg; Rainer A. Rueppel
The new signature scheme presented by the authors in [13] is the first signature scheme based on the discrete logarithm problem that gives message recovery. The purpose of this paper is to show that the message recovery feature is independent of the choice of the signature equation and that all ElGamal-type schemes have variants giving message recovery. For each of the six basic ElGamal-type signature equations, five variants are presented with different properties regarding message recovery, length of commitment and strong equivalence. Moreover, the six basic signature schemes have different properties regarding security and implementation. It turns out that the scheme proposed in [13] is the only inversionless scheme, whereas the message recovery variant of the DSA requires computing inverses in both generation and verification of signatures. In general, message recovery variants can be given for ElGamal-type signature schemes over any group with a large cyclic subgroup, such as the multiplicative group of GF(2^n) or an elliptic curve over a finite field. The present paper also shows how to integrate the DLP-based message recovery schemes with secret session key establishment and ElGamal encryption. In particular, it is shown that with DLP-based schemes the same functionality as with RSA can be obtained. However, the schemes are not as elegant as RSA in the sense that the signature (verification) function cannot at the same time be used as the decipherment (encipherment) function.
theory and application of cryptographic techniques | 1991
Kaisa Nyberg
A perfect nonlinear S-box is a substitution transformation with evenly distributed directional derivatives. Since the method of differential cryptanalysis presented by E. Biham and A. Shamir makes use of non-balanced directional derivatives, perfect nonlinear S-boxes are immune to this attack. The main result is that for a perfect nonlinear S-box the number of input variables is at least twice the number of output variables. Two different construction methods are also given. The first is based on the Maiorana-McFarland construction of bent functions and is easy and efficient to implement. The second method generalizes Dillon's construction of difference sets.
computer and communications security | 1993
Kaisa Nyberg; Rainer A. Rueppel
In this paper we present a modification of the DSA which allows signatures with message recovery. The new public key signature scheme is then applied to create (a) an identity-based public key system without restrictions in trust and (b) a one-pass key exchange protocol with mutual authentication.
theory and application of cryptographic techniques | 1994
Kaisa Nyberg
The results of this paper give the theoretical foundations on which Matsui's linear cryptanalysis of the DES is based. As a result we obtain precise information on the assumptions explicitly or implicitly stated in [2] and show that the success of Algorithm 2 is underestimated in [2]. We also derive a formula for the strength of Algorithm 2 for DES-like ciphers and examine how it depends on the plaintext distribution. Finally, it is shown how to achieve proven resistance against linear cryptanalysis.
theory and application of cryptographic techniques | 1994
Kaisa Nyberg; Rainer A. Rueppel
The new signature scheme presented by the authors in [9] is the first signature scheme based on the discrete logarithm problem that gives message recovery. The purpose of this paper is to show that the message recovery feature is independent of the choice of the signature equation and that all ElGamal-type schemes have variants giving message recovery, yielding five new signature schemes with message recovery. These schemes have different properties as to implementation and security. It turns out that the scheme proposed in [9] is the only inversionless scheme, whereas the message recovery variant of the DSA requires computing inverses in both generation and verification of signatures. In [9] two applications of message recovery were proposed. In the present paper it is shown how to combine ElGamal encryption and the message recovery scheme of [9] and how to securely integrate the DSA into Diffie-Hellman key exchange.
Journal of Cryptology | 1995
Kaisa Nyberg; Lars R. Knudsen
The purpose of this paper is to show that DES-like iterated ciphers that are provably resistant against differential attacks exist. The main result on the security of a DES-like cipher with independent round keys is Theorem 1, which gives an upper bound on the probability of s-round differentials, as defined in [4]; this upper bound depends only on the round function of the iterated cipher. Moreover, it is shown that functions exist such that the probabilities of differentials are less than or equal to 2^{3-n}, where n is the length of the plaintext block. We also show a prototype of an iterated block cipher which is compatible with DES and has proven security against differential attack.
international cryptology conference | 1992
Kaisa Nyberg; Lars R. Knudsen
The purpose of this paper is to show that there exist DES-like iterated ciphers which are provably resistant against differential attacks. The main result on the security of a DES-like cipher with independent round keys is Theorem 1, which gives an upper bound on the probability of r-round differentials, as defined in [3]; this upper bound depends only on the round function of the iterated cipher. Moreover, it is shown that there exist functions such that the probabilities of differentials are less than or equal to 2^{2-n}, where n is the length of the plaintext block. We also show a prototype of an iterated block cipher which is compatible with DES and has proven security against differential attacks.
international cryptology conference | 1996
Kaisa Nyberg
A simple network of small S-boxes can be proven secure against differential and linear cryptanalysis. Upper bounds on the differential probabilities and the linear correlations are derived for a generalized Feistel network having 1, 2, 3 or 4 S-boxes in parallel per round. It is conjectured that the results hold in general.
cryptology and network security | 2006
Sven Laur; Kaisa Nyberg
Solutions for an easy and secure setup of a wireless connection between two devices are urgently needed for WLAN, Wireless USB, Bluetooth and similar standards for short range wireless communication. All such key exchange protocols employ data authentication as an unavoidable subtask. As a solution, we propose an asymptotically optimal protocol family for data authentication that uses short manually authenticated out-of-band messages. Compared to previous articles by Vaudenay and Pasini the results of this paper are more general and based on weaker security assumptions. In addition to providing security proofs for our protocols, we focus also on implementation details and propose practically secure and efficient sub-primitives for applications.