Errata of Eurocrypt '96 Proceedings

These are the errata of Advances in Cryptology - EUROCRYPT '96 Proceedings (Lecture Notes in Computer Science, Vol. 1070), ed. Ueli Maurer, Springer Verlag, 1996. Because of serious limitations of HTML support for mathematical symbols, they are also available in postscript.

Low-exponent RSA with related messages (p. 1)
Don Coppersmith, Matthew Franklin, Jacques Patarin and Michael Reiter

2 Footnote: The gcd can in fact be nonlinear. For example, if p = 67, e = 31, m = 29, then gcd (x^e- m^e, (x + 1)^e-(m+1)^e) (mod p) has degree 4. This happens rarely, and will usually give a factorization of N .

Generating ElGamal signatures wihout knowing the secret key (p. 10)
Daniel Bleichenbacher

12 Corollary 2 is not correct for all primes p. If p = 3 (mod 4) then signatures for only half of all messages can be found. A new version of the paper is available from ftp://ftp.inf.ethz.ch/pub/publications/papers/ti/isc/ElGamal.ps.

Hidden fields equations (HFE) and isomorphisms of polynomials (IP): two ... (p. 33)
Jacques Patarin

44 Line 10: like this some equations of total degree three in ..." => like this some equations of total degree two in ...".

Public key encryption and signature schemes based on polynominals over Z_n (p. 60)
Jörg Schwenk and Jörg Eisfeld

64 Paragraph 2: Our argument how to use an oracle to prove the equivalence of the encryption scheme with 'weak redundancy' does not work, since an oracle may output a solution of the RFP only if this solution lies in a transversal where all the elements satisfy the redundancy scheme.
66 Paragraphs 3-4: Similar attacks are possible for other pairs (a_i,s), and can be made impossible by requiring that the a_i fit into a given redundancy scheme.

Short discreet Proofs (p. 131)
Joan Boyar and René Peralta

131 Line -3: A reference is missing when introducing the QRA. The reference should b e to Goldwasser and Micali's JCSS paper "Probabilistic Encryption".
137 Line -4: "section 6" => "section 2".
132 Line 12, page 139 line -6 and page 140 line 4: "1/m^O(m)" => "1/m^O(1)".

Optimum secret sharing scheme secure against cheating (p. 200)
Wakaha Ogata and Kaoru Kurosawa

205 Line 3: "have b" => "have b and v_ik = x".
206 Line 28: "from Laglange formula" => "from Lagrange formula".

The security of the Gabidulin Public Key Cryptosystem (p. 212)
Keith Gibson

215 Section 2.1, paragraph 2. It is not necessary to assume t + 2 less than or equal to k.
222 The matrices R and T referred to between equations 19 and 20 should have sizes k-r × k-r and p-r × p-r respectively.

Construction of t-resilient functions over a finite alphabet (p. 283)
Paul Camion and Anne Canteaut

287 Proposition 6: in the definition of generalized MacWilliams identity, "q" => "q-1".

The exact security of digital signatures - how to sign with RSA and Rabin (p. 399)
Mihir Bellare and Phillip Rogaway

There are a number of typos in sections 4,5,6 of the paper. The reader is referred to a more recent version of the paper available at http://www-cse.ucsd.edu/users/mihir.

Errata of Eurocrypt '96 Proceedings

Low-exponent RSA with related messages (p. 1) Don Coppersmith, Matthew Franklin, Jacques Patarin and Michael Reiter

Generating ElGamal signatures wihout knowing the secret key (p. 10) Daniel Bleichenbacher

Hidden fields equations (HFE) and isomorphisms of polynomials (IP): two ... (p. 33)Jacques Patarin

Public key encryption and signature schemes based on polynominals over Zn (p. 60) Jörg Schwenk and Jörg Eisfeld

Short discreet Proofs (p. 131) Joan Boyar and René Peralta

Optimum secret sharing scheme secure against cheating (p. 200) Wakaha Ogata and Kaoru Kurosawa

The security of the Gabidulin Public Key Cryptosystem (p. 212) Keith Gibson

Construction of t-resilient functions over a finite alphabet (p. 283) Paul Camion and Anne Canteaut

The exact security of digital signatures - how to sign with RSA and Rabin (p. 399) Mihir Bellare and Phillip Rogaway