EUROCRYPT '98
POSTER SESSION - Abstracts
_____________________________________________________________
Poster 1:
"Unconditionally Secure Entity Authentication"
Kaoru Kurosawa
Tokyo Institute of Technology, Japan
Email: kurosawa@ss.titech.ac.jp
URL: http://tsk-www.ss.titech.ac.jp/~kurosawa/
An entity-authentication scheme is a two-party protocol by which a
party in a distributed system confirms the identity of a communication
partner. Bellare and Rogaway formulated this problem using a
complexity theoretic framework.
In this paper, we study entity-authentication in an information
theoretic framework, where adversaries are infinitely powerful. We
first modify the framework given by Bellare and Rogaway to an
unconditionally secure setting. Communication between players is
entirely controlled by an infinitely powerful adversary ${\cal A}$.
The adversary can deliver messages out of order and to unintended
recipients, and can concoct messages of the adversary's own choosing.
What is more, the adversary can control who is attempting to
authenticate whom.
We then present a lower bound on the cheating probability and a lower
bound on the size of keys for unilateral entity authentication
protocols. That is, in each session, $P_i$ authenticates $P_j$ but
$P_j$ does not authenticate $P_i$. Finally, we show an entity
authentication scheme which is proven to be secure and that meets all
the equalities of our bounds.
____________________________________________________________________
Poster 2:
"Edit Probability Correlation Attack on the Alternating Step Generator"
Jovan Dj. Golic
School of Electrical Engineering, University of Belgrade,
Bulevar Revolucije 73, 11001 Belgrade, Yugoslavia
Email: golic@galeb.etf.bg.ac.yu
and
Renato Menicocci
Fondazione Ugo Bordoni, Via B. Castiglione 59, 00142 Roma, Italy
Email: rmenic@fub.it
It is shown that the stop/go clocking in the alternating step
generator can be viewed as a random edit transformation of one input
into one output binary string. The input string corresponds to the
output sequence of one of the clock-controlled LFSRs when regularly
clocked and the output string corresponds to the first binary
derivative of the output sequence of the alternating step
generator. The output sequences of the other clock-controlled LFSR and
the clock-control LFSR are both assumed to be purely random. A related
edit probability for two binary strings of appropriate lengths is then
introduced. This edit probability can be efficiently computed by a
recursive algorithm with time complexity quadratic in the string
length.
It is shown how the defined edit probability can be used to mount a
correlation attack on each of the two clock-controlled LFSRs
individually. The correlation attack requires the computation of the
edit probability for every possible initial state of the considered
LFSR.
For the underlying statistical hypothesis testing problem, the false
alarm probability is estimated by systematic experiments. It is shown
that this probability can be well approximated by an exponentially
decreasing function of the string length. This implies that the
minimum output sequence length required to be known for a successful
attack is linear in the length of the respective shift register. More
precisely, about forty shift register lengths are sufficient for
success. The initial state of the clock-control LFSR can be recovered
from consistent clock-control strings obtained by the corresponding
edit distance method.
Successful experimental attacks on relatively short shift registers
are reported. The results demonstrate that in order to prevent the
initial state reconstruction of each of the clock-controlled LFSRs
individually, the length of each of them should be sufficiently long.
____________________________________________________________
Poster 3:
"New (TWO-TRACK)-MAC based on the two trails of RIPEMD. Efficient,
especially on short messages and for frequent key-changes."
Bert den Boer
debis Information Security Services GmbH, Rabistrasse 8, D-53111 Bonn, Germany
Email: b-denboer@itsec-debis.de
We will present a message authentication code. It is based on
RIPEMD-160 and particularly on the two trail -construction of
RIPEMD. It is in comparison with the MDx-MAC based on RIPEMD, much
more efficient on short messages (that is on messages of 512 or 1024
bits) and percentage-wise a little more efficient on long
messages. Moreover, it handles key-changes very efficiently. This
positive fact remains if we compare our TWO-TRACK-MAC with HMAC based
on RIPEMD.
The unkeyed hash function RIPEMD-160 uses two trails. Our
TWO-TRACK-MAC uses these two trails to produce a 320-bit internal
variable. It starts with a 160-bit key at the initial value
position. The output is 160 bits long, so there will always be 160
bits of secret information in the internal variable. The MAC uses the
basic transformation RIPEMD as often as it would use the basic
transformation to produce the unkeyed hashvalue of a message. And a
key-change is also very easy and does not require an extra call to the
basic transformation of RIPEMD.
______________________________________________________________
Poster 4:
"Unconditionally Secure Identification System"
Jaroslav Hruby
GCUCMP
Email: hruby@gcucmp.cz
Along with the rapid increase in the number of electronic
communications grows the need for secure identification
systems. Nowadays, various identification systems are employed for
financial transactions performed over computer networks, for money
withdrawal from automated teller machines, for diplomatic and military
purposes, and so on. Even the best classical identification systems,
however, do not provide sufficient security with respect to recent
advances in the field of quantum physics. An eavesdropper listening in
on identification acts of legitimate user might later misuse the
overhead information and try to impersonate them.
In this paper a secure identification system is proposed, that
combines a classical three-pass identification procedure and quantum
key distribution (QKD).
________________________________________________________________