Louis Guillou

A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory

Zero-knowledge interactive proofs are very promising for the problems related to the verification of identity. After their (mainly theoretical) introduction by S. Goldwasser, S. Micali and C. Rackoff (1985), A. Fiat and A. Shamir (1986) proposed a first practical solution: the scheme of Fiat-Shamir is a trade-off between the number of authentication numbers stored in each security microprocessor and the number of witness numbers to be checked at each verification.This paper proposes a new scheme which requires the storage of only one authentication number in each security microprocessor and the check of only one witness number. The needed computations are only 2 or 3 more than for the scheme of Fiat-Shamir.

Advances in Cryptology — EUROCRYPT ’95

We introduce algorithms for lattice basis reduction that are improvements of the famous L3-algorithm. If a random L3-reduced lattice basis b l , . . . ,b , is given such that the vector of reduced GramSchmidt coefficients ( { , u i , j } 1 < j < i < n) is uniformly distributed in (0,1)(:), then the pruned enumeration finds with positive probability a shortest lattice vector. We demonstrate the power of these algorithms by solving random subset sum problems of arbitrary density with 74 and 82 many weights, by breaking the Chor-Rivest cryptoscheme in dimensions 103 and 151 and by breaking DamgLrds hash function.

How to Explain Zero-Knowledge Protocols to Your Children

Know, oh my children, that very long ago, in the Eastern city of Baghdad, there lived an old man named Ali Baba. Every day Ali Baba would go to the bazaar to buy or sell things. This is a story which is partly about Ali Baba, and partly also about a cave, a strange cave whose secret and wonder exist to this day. But I get ahead of myself ...

Smart cards and conditional access

Smart cards are introduced through chip design, card interface, and card security. Applications are divided in three classes : log books, certified records, key carriers.Conditional acces is analyzed with a clear distinction between entitlement checking and entitlement management. The key carrier CP8 card is then described. Smart card cryptology is examined, and also the probable evolution towards digital signatures.

Encipherment and Conditional Access

This article discusses modeling conditional access in any television environment (terrestrial broadcasting, cable, and satellite). After conditional access has been defined, two models are presented that correspond to two different systems, widespread in Europe: - Distribution of control words. This model is illustrated by a proprietary system of Canal-Plus, used by about 3.5 million subscribers in France. This proprietary system is known as Discret 1. - Distribution of authorizations. This model is illustrated by an open system used by about 1 million receivers throughout Europe: Kinnevik (500,000); FilmNet (250,000); France Telecom (60,000); Canal-Plus (60,000); Polycom; Maxat; KabelKanal, and others. Known as Eurocrypt, this open system is standardized by CEN/CENELEC (Eurocrypt, EN 50094: 1992)

Smart card, a highly reliable and portable security device

At first glance, the smart card looks like an improvement of the traditional credit card.But the smart card is a multi-purpose and tamper-free security device. And behind a standardized interface, the built-in electronics may evolve, in memory size and in processing power. This evolution, while resulting from economic considerations, is in tune with an enhancement of both physical and logical security.Some mechanisms in key-carrier cards are described, thus giving a taste of the state of the art in card operating systems. The underlying reality is an invasion of our lifetime by cryptology and computers. This invasion will have a large influence on security in various fields of applications, not only banking operations, but also data processing, information systems, and communication networks.

Cryptographic authentication protocols for smart cards

Today, cryptology is essential for security of information and communication systems. But 25 years ago, it was a classified and highly confidential activity. Presented here from the point of view of smart cards, this quick evolution of cryptology reflects the revolution of digital information, e.g., mobile phone and MPEG television. The link between smart cards and cryptology is very strong: smart cards efficiently confine keys and algorithms. Their security relies on a specific software, named here secure-ware, which demonstrates the value of the Common Criteria methodology

Precautions taken against various potential attacks

This paper describes a “digital signature scheme giving message recovery” in order to submit it to the public scrutiny of IACR (the International Association for Cryptologic Research). This scheme is currently prepared by Subcommittee SC27, Security Techniques, inside Joint Technical Committee JTC1, Information Technology, established by both ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission).

PUBLIC-KEY TECHNIQUES: RANDOMNESS AND REDUNDANCY

In December 1984, under reference ISO/TC97/SC20/N42, a Technical Report has been published relating the state-of-the-art of public-key cryptosystems: various comments were sent to WG2, the ISO Working Group dedicated to public-keys; major results have since been published. This document is a brief synthesis on this large subject where randomness and redundancy play the major roles, mainly in integrity techniques: identification, authentication and signature.

Efficient Digital Public-Key Signatures with Shadow

This paper describes a strictly deterministic digital signature scheme using public-key cryptosystems. This scheme is in discussion inside a working group of ISO on signature schemes (TC97/SC20/WG2). A working draft has been written and accepted recently (with formal modifications to be added). By this presentation we hope to receive useful remarks for improving this scheme. This scheme is the fastest known scheme for the verification of signature (only one square plus some very easy operations).