The Diffie–Hellman key exchange scheme is one of the earliest and most widely used public-key primitives. Its underlying algebraic structure is a cyclic group and its security is based on the discrete logarithm problem (DLP). The DLP can be solved in polynomial time for any cyclic group in the quantum computation model. Therefore, new key exchange schemes have been sought to prepare for the time when quantum computing becomes a reality. Algebraically, these schemes need to provide some sort of commutativity to enable Alice and Bob to derive a common key over a public channel while keeping it computationally difficult for the adversary to deduce the derived key. We suggest an algebraically generalized Diffie–Hellman scheme (AGDH) that, in principle, enables any algebra to serve as the platform for key exchange. We formulate the underlying computational problems in the framework of average-case complexity and show that the scheme is secure if the problem of computing images under an unknown homomorphism is infeasible. We also show that a symmetric encryption scheme possessing homomorphic properties over some algebraic operation can be turned into a public-key primitive with the AGDH, provided that the operation is complex enough. In addition, we present a brief survey of the algebraic properties of existing key exchange schemes and identify the source of commutativity and the family of underlying algebraic structures for each scheme.
The aim of the paper is to present a general construction of strongly aperiodic logarithmic signatures (SALS) for elementary abelian $p$-groups. Their existence significantly extends the classes of tame logarithmic signatures which are used for the cryptosystem $\mathrm{MST}_3$. They have particular characteristics that they do not share with the well-known classes of transversal or fused transversal logarithmic signatures, and therefore they will play a vital role for logarithmic-signature-based cryptosystems in practice. In theory, the construction of SALS is interesting in its own right as well.
In this article, we analyse a block cipher mode of operation for authenticated encryption known as ++AE (plus-plus-AE). We show that this mode has a fundamental flaw: the scheme does not verify the most significant bit of any block in the plaintext message. This flaw can be exploited by choosing a plaintext message and then constructing multiple forged messages in which the most significant bit of certain blocks is flipped. All of these plaintext messages will generate the same authentication tag. This forgery attack is deterministic and guaranteed to pass the ++AE integrity check. The success of the attack is independent of the underlying block cipher, key or public message number. We outline the mathematical proofs for the flaw in the ++AE algorithm. We conclude that ++AE is insecure as an authenticated encryption mode of operation.
RC4 has attracted many cryptologists due to its simple structure. In [9], Paterson, Poettering and Schuldt reported the results of a large-scale computation of RC4 biases. Among the biases reported by them, we try to theoretically analyze a few which show very interesting visual patterns. We first study the bias which relates the keystream byte $z_i$ with $i-k[0]$, where $k[0]$ is the first byte of the secret key. We then present a generalization of the Roos bias. In 1995, Roos observed the bias of the initial bytes $S[i]$ of the permutation after the KSA towards $f_i=\sum_{r=1}^{i} r+\sum_{r=0}^{i} K[r]$. Here we study the probability of $S[i]$ equaling $f_y=\sum_{r=1}^{y} r+\sum_{r=0}^{y} K[r]$ for $i\neq y$. Our generalization provides a complete correlation between $z_i$ and $i-f_y$. We also analyze the key–keystream relation $z_i=f_{i-1}$, which was studied by Maitra and Paul [6] at FSE 2008. We provide more accurate formulas than the existing works for the probability of both $z_i=i-f_i$ and $z_i=f_{i-1}$ for different $i$.
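As an added illustration of the Roos bias stated in this abstract (example code written here, not code from the paper), the following Python runs the RC4 KSA on constructed random 16-byte keys and measures how often $S[i]$ equals $f_i$ for the first few $i$; for a uniformly random permutation the frequency would be about 1/256. Key bytes beyond the key length are taken cyclically, the usual convention for $K[r]$.

```python
import random

N = 256  # RC4 state size


def rc4_ksa(key: bytes) -> list:
    """RC4 key-scheduling algorithm; returns the permutation S after the KSA."""
    S = list(range(N))
    j = 0
    for i in range(N):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S


def roos_f(key: bytes, y: int) -> int:
    """f_y = sum_{r=1}^{y} r + sum_{r=0}^{y} K[r] (mod 256), K indexed cyclically."""
    tri = y * (y + 1) // 2
    ksum = sum(key[r % len(key)] for r in range(y + 1))
    return (tri + ksum) % N


def roos_bias(num_keys: int, key_len: int, max_i: int, seed: int = 1) -> list:
    """Empirical P(S[i] == f_i) for i in 0..max_i-1 over constructed random keys.

    The keys are drawn from a seeded PRNG purely to make the experiment
    reproducible; they are sample input, not real key material.
    """
    rng = random.Random(seed)
    hits = [0] * max_i
    for _ in range(num_keys):
        key = bytes(rng.randrange(N) for _ in range(key_len))
        S = rc4_ksa(key)
        for i in range(max_i):
            if S[i] == roos_f(key, i):
                hits[i] += 1
    return [h / num_keys for h in hits]


if __name__ == "__main__":
    # Roos' observation: the first few S[i] hit f_i roughly a third of the time.
    for i, p in enumerate(roos_bias(5000, 16, 8)):
        print(f"P(S[{i}] == f_{i}) = {p:.3f}   (uniform: {1 / N:.4f})")
```

The printed frequencies sit far above 1/256 for small $i$, which is why key-dependent structure survives the KSA and leaks into the early keystream bytes analysed in the paper.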
We consider repairable threshold schemes (RTSs), which are threshold schemes that enable a player to securely reconstruct a lost share with help from their peers. We summarise and, where possible, refine existing RTSs and introduce a new parameter for analysis, called the repair metric. We then explore using secure regenerating codes as RTSs and find them to be immediately applicable. We compare all RTS constructions considered and conclude by presenting the best candidate solutions for when either communication complexity or information rate is prioritised.