Cryptography

Minimum Disclosure Proofs by Protocol allow a prover to convince a verifier that the prover knows some verifiable secret information, without allowing the verifier to learn anything about the secret. Quantum Cryptography makes use of the quantum properties of light to allow the prover and the verifier to exchange secret information or to commit to a bit value. The ability to commit to a bit value will be exploited for a minimum disclosure proof by protocol. This thesis unites the two cryptography fields.

Visual cryptography concerns the problem of "hiding" a monochrome image among sets of transparencies, known as shares. These are created in such a fashion that certain sets of shares when superimposed, will reveal the image; while other subsets yield no information. A standard model is the (k, n) scheme, where any k shares will reveal the image, but any k - 1 or fewer shares reveal no information. In this thesis, we explain the basic mechanism for creating shares. We survey the literature and show how to create (k, k) schemes which exist for all k > 2. Then we introduce perfect hash functions, which can be used to construct (k, n) schemes from (k, k) schemes for all 2 < k < n. We introduce generalizations of (k, n) schemes that we call covert cryptographic schemes, and extend this notion to multilevel visual cryptographic schemes. We give conditions for the existence of such schemes, and we conclude with a survey of generalizations.

A zero knowledge identification protocol is an interactive proof system that allows a person to prove that he knows a secret key associated with his identity without revealing the secret key. This type of protocol is the topic of a fairy tale, by Gustavus Simmons called the King's Dilemma, about a king and the problem he has with thieves impersonating his tax collectors. It describes a zero-knowledge identification protocol that will rid the king of his problem. I present this system, the motivation for this thesis, and the transformations from this protocol, that uses lead weights and containers, to protocols that use mathematical elements. The security of these protocols is determined by the complexity of the underlying mathematical problem, such as the knapsack and discrete logarithm problem, and three properties: completeness, soundness, and zero knowledge.

Finding the shortest or a "short enough" vector in an integral lattice of substantial dimension is a difficult problem. The problem is not known to be but most people believe it is [7]. The security of the newly proposed NTRU cryptosystem depends solely on this fact. However, by the definition NTRU lattices possess a certain symmetry. This suggests that there may be a way of taking advantage of this symmetry to enable a new cryptanalytical approach in combination with existing good lattice reduction algorithms. The aim of this work is to exploit the symmetry inherent in NTRU lattices to design a non-deterministic algorithm for improving basis reduction techniques for NTRU lattices. We show how the non-trivial cyclic automorphism of an NTRU lattice enables further reduction. Our approach combines the recently published versions of the famous LLL algorithm for lattice basis reduction with our automorphism utilization techniques.

In this thesis two different types of computer algorithms, Deterministic and Monte Carlo, are illustrated. Implementations of the Berlekamp-Massey algorithm and the Parallelized Pollard Rho Search are described here. The questions of what these two algorithms provide to the field of cryptography and why they have proven themselves important to cryptography are briefly discussed. It is also shown that with a little extra knowledge, the Parallelized Pollard Rho Search may be easily modified to improve its performance.

Today new secure cryptosystems are in great demand. Computers are becoming more powerful and old cryptosystems, such as the Data Encryption Standard (DES), are becoming outdated. This thesis describes a new binary additive strewn cipher (HK cryptosystem) that is based on the logistic map. The logistic map is not random, but works under simple rules to become complex, thus making it ideal for implementation in cryptography. Instead of basing the algorithm on one logistic map, the HK cryptosystem. averages several uncoupled logistic maps. Averaging the maps increases the dimension of such a system, thus providing greater security. This thesis will explore the strengths and weaknesses of the HK cryptosystem and will end by introducing a modified version, called the HK8 cryptosystem that does not have the apparent weakness of the HK system.

This dissertation contains results of the candidate's research on the generalized discrete logarithm problem (GDLP) and its applications to cryptology, in non-abelian groups. The projective special linear groups PSL(2; p), where p is a prime, represented by matrices over the eld of order p, are investigated as potential candidates for implementation of the GDLP. Our results show that the GDLP with respect to specic pairs of PSL(2; p) generators is weak. In such cases the groups PSL(2; p) are not good candidates for cryptographic applications which rely on the hardness of the GDLP. Results are presented on generalizing existing cryptographic primitives and protocols based on the hardness of the GDLP in non-abelian groups. A special instance of a cryptographic primitive dened over the groups SL(2; 2n), the Tillich-Zemor hash function, has been cryptanalyzed. In particular, an algorithm for constructing collisions of short length for any input parameter is presented. A series of mathematical results are developed to support the algorithm and to prove existence of short collisions.

The aim of this work is to investigate an algebraic attack on block ciphers called Multiple Right Hand Sides (MRHS). MRHS models a block cipher as a system of n matrix equations Si := Aix = [Li], where each Li can be expressed as a set of its columns bi1, . . . , bisi . The set of solutions Ti of Si is dened as the union of the solutions of Aix = bij , and the set of solutions of the system S1, . . . , Sn is dened as the intersection of T1, . . . , Tn. Our main contribution is a hardware platform which implements a particular algorithm that solves MRHS systems (and hence block ciphers). The case is made that the platform performs several thousand orders of magnitude faster than software, it costs less than US$1,000,000, and that actual times of block cipher breakage can be calculated once it is known how the corresponding software behaves. Options in MRHS are also explored with a view to increase its efficiency.

The aim of this work is to investigate a security model in which we allow an adversary to have access to functions of the secret key. In recent years, significant progress has been made in understanding the security of encryption schemes in the presence of key-dependent plaintexts or messages (known as KDM). Here, we motivate and explore the security of a setting, where an adversary against a message authentication code (MAC) or signature scheme can access signatures on key-dependent messages. We propose a way to formalize the security of message authentication schemes in the presence of key-dependent MACs (KD-EUF) and of signature schemes in the presence of key-dependent signatures (KDS). An attack on a message recognition protocol involving a MAC is presented. It turns out that the situation is quite different from key-dependent encryption: To achieve KD-EUF-security or KDS-security under non-adaptive chosen message attacks, the use of a stateful signing algorithm is inevitable even in the random oracle model. After discussing the connection between key-dependent signing and forward security, we describe a compiler which lifts any EUF-CMA secure one-time signature scheme to a forward secure signature scheme offering KDS-CMA security. Then, we discuss how aggregate signatures can be used to combine the signatures in the certificate chain used in the compiler. A natural question arises about how to combine the security definitions of KDM and KDS to come up with a signcryption scheme that is secure. We also offer a connection with Leakage-Resilient Signatures, which take into account side-channel attacks. Lastly, we present some open problems for future research.

In the first chapters we will give a short introduction to signature schemes in single and multi-user settings. We give the definition of a signature scheme and explain a group of possible attacks on them. In Chapter 6 we give a construction which derives a subliminal-free RSA public key. In the construction we use a computationally binding and unconditionally hiding commitment scheme. To establish a subliminal-free RSA modulus n, we have to construct the secret primes p and q. To prove p and q are primes we use Lehmann's primality test on the commitments. The chapter is based on the paper, "RSA signature schemes with subliminal-free public key" (Tatra Mountains Mathematical Publications 41 (2008)). In chapter 7 a one-time signature scheme using run-length encoding is presented, which in the random oracle model offers security against chosen-message attacks. For parameters of interest, the proposed scheme enables about 33% faster verification with a comparable signature size than a construction of Merkle and Winternitz. The public key size remains unchanged (1 hash value). The main cost for the faster verification is an increase in the time required for signing messages and for key generation. The chapter is based on the paper "A one-time signature using run-length encoding" (Information Processing Letters Vol. 108, Issue 4, (2008)).