Rainer Steinwandt

A Practical Attack on Some Braid Group Based Cryptographic Primitives

A simple heuristic approach to the conjugacy problem in braid groups is described. Although it does not provide a general solution to the latter problem, it demonstrates that various proposed key parameters for braid group based cryptographic primitives do not offer acceptable cryptographic security. We give experimental evidence that it is often feasible to reveal the secret data by means of a normal PC within a few minutes.

An Algebra for Composing Enterprise Privacy Policies

Enterprise privacy enforcement allows enterprises to internally enforce a privacy policy that the enterprise has decided to comply to. To facilitate the compliance with different privacy policies when several parts of an organization or different enterprises cooperate, it is crucial to have tools at hand that allow for a practical management of varying privacy requirements.

Multi-authority attribute-based encryption with honest-but-curious central authority

An attribute-based encryption scheme capable of handling multiple authorities was recently proposed by Chase. The scheme is built upon a single-authority attribute-based encryption scheme presented earlier by Sahai and Waters. Chases construction uses a trusted central authority that is inherently capable of decrypting arbitrary ciphertexts created within the system. We present a multi-authority attribute-based encryption scheme in which only the set of recipients defined by the encrypting party can decrypt a corresponding ciphertext. The central authority is viewed as ‘honest-but-curious’: on the one hand, it honestly follows the protocol, and on the other hand, it is curious to decrypt arbitrary ciphertexts thus violating the intent of the encrypting party. The proposed scheme, which like its predecessors relies on the Bilinear Diffie–Hellman assumption, has a complexity comparable to that of Chases scheme. We prove that our scheme is secure in the selective ID model and can tolerate an honest-but-curious central authority.

Initiator-Resilient Universally Composable Key Exchange

Key exchange protocols in the setting of universal composability are investigated. First we show that the ideal functionality \(\mathcal{F}_{\rm KE}\) of [9] cannot be realized in the presence of adaptive adversaries, thereby disproving a claim in [9]. We proceed to propose a modification \(\mathcal{F}_{\rm KE}^{(i,j)}\), which is proven to be realizable by two natural protocols for key exchange. Furthermore, sufficient conditions for securely realizing this modified functionality are given. Two notions of key exchange are introduced that allow for security statements even when one party is corrupted. Two natural key exchange protocols are proven to fulfill the ”weaker” of these notions, and a construction for deriving protocols that satisfy the ”stronger” notion is given.

(Password) authenticated key establishment: from 2-party to group

A protocol compiler is described, that transforms any provably secure authenticated 2-party key establishment into a provably secure authenticated group key establishment with 2 more rounds of communication. The compiler introduces neither idealizing assumptions nor high-entropy secrets, e. g., for signing. In particular, applying the compiler to a password-authenticated 2-party key establishment without random oracle assumption, yields a password-authenticated group key establishment without random oracle assumption. Our main technical tools are non-interactive and non-malleable commitment schemes that can be implemented in the common reference string (CRS) model.

Attacking the Affine Parts of SFLASH

The signature scheme SFLASH has been accepted as candidate in the NESSIE (New European Scheme for Signatures, Integrity, and Encryption) project. We show that recovering the two secret affine mappings F237 → F237 in SFLASH can easily be reduced to the task of revealing two linear mappings F237 → F237. In particular, the 74 bits representing these affine parts do by no means contribute a factor of 274 to the effort required for mounting an attack against the system. This raises some doubts about the design of this NESSIE candidate.

An attack on the isomorphisms of polynomials problem with one secret

As a possible new mathematical basis for authentication and signature schemes, at EUROCRYPT ’96 J. Patarin introduced the isomorphisms of polynomials (IP) problem [4, 5]. In this contribution, we describe an attack on the secret key of IP with one secret and demonstrate its efficiency through examples with realistic parameter sizes. The attack is carried out by means of a computer algebra system on “ordinary PCs”. Finally, we give a brief discussion of limits of our attack that points out possible directions for solving the mentioned security problems.

Yet Another Sieving Device

A compact mesh architecture for supporting the relation collection step of the number field sieve is described. Differing from TWIRL, only isolated chips without inter-chip communication are used. According to a preliminary analysis for 768-bit numbers, with a 0.13 μm process one mesh-based device fits on a single chip of ≈(4.9 cm)2—the largest proposed chips in the TWIRL cluster for 768-bit occupy ≈(6.7 cm)2.

Deniable group key agreement

Especially for key establishment protocols to be used in internet applications, the (privacy) concern of deniability arises: Can a protocol transcript be used—possibly by a participant—to prove the involvement of another party in the protocol? For two party key establishment protocols, a common technique for achieving deniability is the replacement of signature-based message authentication with authentication based on symmetric keys. We explore the question of deniability in the context of group key establishment : Taking into account malicious insiders, using a common symmetric key for authentication is critical, and the question of how to achieve deniability arises. Building on a model of Bresson et al., we offer a formalization of deniability and present a group key agreement offering provable security in the usual sense, deniability, and security guarantees against malicious insiders. Our approach for achieving deniability through a suitably distributed Schnorr-signature might also be of independent interest.

A Dedicated Sieving Hardware

We describe a hardware device for supporting the sieving step in integer factoring algorithms like the quadratic sieve or the number field sieve. In analogy to Bernsteins proposal for speeding up the linear algebra step, we rely on a mesh of very simple processing units. Manufacturing the device at moderate cost with current hardware technology on standard wafers with 200 mm or 300 mm diameter should not provide any major obstacle.A preliminary analysis of the parameters for factoring a 512-bit number with the number field sieve shows that the design considered here might outperform a TWINKLE device.