EUROCRYPT '98 POSTER SESSION - Abstracts _____________________________________________________________ Poster 1: "Unconditionally Secure Entity Authentication" Kaoru Kurosawa Tokyo Institute of Technology, Japan Email: kurosawa@ss.titech.ac.jp URL: http://tsk-www.ss.titech.ac.jp/~kurosawa/ An entity-authentication scheme is a two-party protocol by which a party in a distributed system confirms the identity of a communication partner. Bellare and Rogaway formulated this problem using a complexity theoretic framework. In this paper, we study entity-authentication in an information theoretic framework, where adversaries are infinitely powerful. We first modify the framework given by Bellare and Rogaway to an unconditionally secure setting. Communication between players is entirely controlled by an infinitely powerful adversary ${\cal A}$. The adversary can deliver messages out of order and to unintended recipients, and can concoct messages of the adversary's own choosing. What is more, the adversary can control who is attempting to authenticate whom. We then present a lower bound on the cheating probability and a lower bound on the size of keys for unilateral entity authentication protocols. That is, in each session, $P_i$ authenticates $P_j$ but $P_j$ does not authenticate $P_i$. Finally, we show an entity authentication scheme which is proven to be secure and that meets all the equalities of our bounds. ____________________________________________________________________ Poster 2: "Edit Probability Correlation Attack on the Alternating Step Generator" Jovan Dj. Golic School of Electrical Engineering, University of Belgrade, Bulevar Revolucije 73, 11001 Belgrade, Yugoslavia Email: golic@galeb.etf.bg.ac.yu and Renato Menicocci Fondazione Ugo Bordoni, Via B. Castiglione 59, 00142 Roma, Italy Email: rmenic@fub.it It is shown that the stop/go clocking in the alternating step generator can be viewed as a random edit transformation of one input into one output binary string. The input string corresponds to the output sequence of one of the clock-controlled LFSRs when regularly clocked and the output string corresponds to the first binary derivative of the output sequence of the alternating step generator. The output sequences of the other clock-controlled LFSR and the clock-control LFSR are both assumed to be purely random. A related edit probability for two binary strings of appropriate lengths is then introduced. This edit probability can be efficiently computed by a recursive algorithm with time complexity quadratic in the string length. It is shown how the defined edit probability can be used to mount a correlation attack on each of the two clock-controlled LFSRs individually. The correlation attack requires the computation of the edit probability for every possible initial state of the considered LFSR. For the underlying statistical hypothesis testing problem, the false alarm probability is estimated by systematic experiments. It is shown that this probability can be well approximated by an exponentially decreasing function of the string length. This implies that the minimum output sequence length required to be known for a successful attack is linear in the length of the respective shift register. More precisely, about forty shift register lengths are sufficient for success. The initial state of the clock-control LFSR can be recovered from consistent clock-control strings obtained by the corresponding edit distance method. Successful experimental attacks on relatively short shift registers are reported. The results demonstrate that in order to prevent the initial state reconstruction of each of the clock-controlled LFSRs individually, the length of each of them should be sufficiently long. ____________________________________________________________ Poster 3: "New (TWO-TRACK)-MAC based on the two trails of RIPEMD. Efficient, especially on short messages and for frequent key-changes." Bert den Boer debis Information Security Services GmbH, Rabistrasse 8, D-53111 Bonn, Germany Email: b-denboer@itsec-debis.de We will present a message authentication code. It is based on RIPEMD-160 and particularly on the two trail -construction of RIPEMD. It is in comparison with the MDx-MAC based on RIPEMD, much more efficient on short messages (that is on messages of 512 or 1024 bits) and percentage-wise a little more efficient on long messages. Moreover, it handles key-changes very efficiently. This positive fact remains if we compare our TWO-TRACK-MAC with HMAC based on RIPEMD. The unkeyed hash function RIPEMD-160 uses two trails. Our TWO-TRACK-MAC uses these two trails to produce a 320-bit internal variable. It starts with a 160-bit key at the initial value position. The output is 160 bits long, so there will always be 160 bits of secret information in the internal variable. The MAC uses the basic transformation RIPEMD as often as it would use the basic transformation to produce the unkeyed hashvalue of a message. And a key-change is also very easy and does not require an extra call to the basic transformation of RIPEMD. ______________________________________________________________ Poster 4: "Unconditionally Secure Identification System" Jaroslav Hruby GCUCMP Email: hruby@gcucmp.cz Along with the rapid increase in the number of electronic communications grows the need for secure identification systems. Nowadays, various identification systems are employed for financial transactions performed over computer networks, for money withdrawal from automated teller machines, for diplomatic and military purposes, and so on. Even the best classical identification systems, however, do not provide sufficient security with respect to recent advances in the field of quantum physics. An eavesdropper listening in on identification acts of legitimate user might later misuse the overhead information and try to impersonate them. In this paper a secure identification system is proposed, that combines a classical three-pass identification procedure and quantum key distribution (QKD). ________________________________________________________________