Abstract. I continue the discussion initiated in part I (published in this journal in 2007) of whether or not computer-assisted proofs are a promising approach to preventing errors in reductionist security arguments. I examine some recent papers that describe automated security proofs for hashed ElGamal encryption, Boneh–Franklin identity-based encryption, and OAEP.
Abstract. In this paper we look at three families of elliptic curves with rational 3-torsion over a finite field. These families include Hessian curves, twisted Hessian curves, and a new family we call generalized DIK curves. We find the number of -isogeny classes of each family, as well as the number of -isomorphism classes of the generalized DIK curves. We also include some formulas for efficient computation on these curves, improving upon known results. In particular, we find better formulas for doubling and addition on the original tripling-oriented DIK curves and also for addition and tripling on elliptic curves with -invariant 0.
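As an added illustration of the rational 3-torsion that the abstract above refers to (example code written for this page, not taken from the paper): the script below enumerates the points of a Hessian curve X^3 + Y^3 + Z^3 = 3dXYZ over a small prime field, verifies that (1 : -1 : 0), (0 : 1 : -1) and (1 : 0 : -1) form a subgroup of order 3, and hence that 3 divides the group order. It uses the classical projective Hessian addition and doubling formulas, not the improved formulas the paper derives, and the parameters p = 11, d = 2 are chosen here for the demonstration.

```python
# Added illustration (not the paper's code): exhaustive check that a Hessian
# curve over F_p carries a rational 3-torsion subgroup, so 3 divides #E(F_p).
# Projective model: X^3 + Y^3 + Z^3 = 3*d*X*Y*Z, nonsingular iff d^3 != 1 (p != 3).
# The group law is the classical projective Hessian addition/doubling; the
# improved formulas the abstract refers to are not reproduced here.

O = (1, -1, 0)    # identity; T = (0, 1, -1) and 2T = (1, 0, -1) complete E[3]

def normalize(P, p):
    """Scale to Z = 1, or to Y = 1 for a point at infinity (Z = 0 forces Y != 0)."""
    X, Y, Z = (c % p for c in P)
    if Z:
        inv = pow(Z, -1, p)
        return (X * inv % p, Y * inv % p, 1)
    inv = pow(Y, -1, p)
    return (X * inv % p, 1, 0)

def on_curve(P, p, d):
    X, Y, Z = P
    return (X**3 + Y**3 + Z**3 - 3 * d * X * Y * Z) % p == 0

def hessian_points(p, d):
    """All F_p-rational projective points, by exhaustive search (small p only)."""
    if p <= 3 or pow(d, 3, p) == 1:
        raise ValueError("need p > 3 and d^3 != 1 (nonsingular curve)")
    pts = [(x, y, 1) for x in range(p) for y in range(p) if on_curve((x, y, 1), p, d)]
    pts += [(x, 1, 0) for x in range(p) if on_curve((x, 1, 0), p, d)]
    return pts

def neg(P):
    X, Y, Z = P
    return (Y, X, Z)

def _rot(P):
    """(X:Y:Z) -> (Z:X:Y), which is translation by T on this model."""
    X, Y, Z = P
    return (Z, X, Y)

def _add_raw(P, Q, p):
    X1, Y1, Z1 = P
    X2, Y2, Z2 = Q
    return ((Y1 * Y1 * X2 * Z2 - Y2 * Y2 * X1 * Z1) % p,
            (X1 * X1 * Y2 * Z2 - X2 * X2 * Y1 * Z1) % p,
            (Z1 * Z1 * X2 * Y2 - Z2 * Z2 * X1 * Y1) % p)

def _double_raw(P, p):
    X1, Y1, Z1 = P
    return ((Y1 * (Z1**3 - X1**3)) % p,
            (X1 * (Y1**3 - Z1**3)) % p,
            (Z1 * (X1**3 - Y1**3)) % p)

def add(P, Q, p):
    """Complete addition. The raw formulas return (0:0:0) when P == Q and for
    a few pairs differing by a 3-torsion point; rewrite P + Q as
    (P + iT) + (Q - iT) via coordinate rotations until a valid result appears."""
    P, Q = normalize(P, p), normalize(Q, p)
    if P == Q:
        R = _double_raw(P, p)
        if R == (0, 0, 0):                       # 2P = (P + T) + (P + 2T)
            R = _add_raw(_rot(P), _rot(_rot(P)), p)
    else:
        A, B = P, Q
        for _ in range(3):
            R = _add_raw(A, B, p)
            if R != (0, 0, 0):
                break
            A, B = _rot(A), _rot(_rot(B))        # A + T, B - T
    if R == (0, 0, 0):
        raise ArithmeticError("degenerate input")
    return normalize(R, p)

def point_order(P, p):
    """Order of P by repeated addition (fine for the tiny groups used here)."""
    n, R, ident = 1, normalize(P, p), normalize(O, p)
    while R != ident:
        R = add(R, P, p)
        n += 1
    return n

if __name__ == "__main__":
    p, d = 11, 2                                   # constructed parameters
    pts = hessian_points(p, d)
    print(f"#E(F_{p}) = {len(pts)}, divisible by 3: {len(pts) % 3 == 0}")
    print("order of T = (0:1:-1):", point_order((0, 1, -1), p))
```

The three 3-torsion points lie on every Hessian curve regardless of d and are rational over the prime field, so the divisibility of #E(F_p) by 3 is forced by Lagrange's theorem; the exhaustive count only makes that visible for a concrete curve. For real curve sizes one would replace the enumeration by a point-counting algorithm.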
Abstract. The HFE (hidden field equations) cryptosystem is one of the most interesting public-key multivariate schemes. It was proposed by Patarin more than 10 years ago and seems to withstand the attacks that break many other multivariate schemes, since only subexponential attacks against it have been proposed. The public key is a system of quadratic equations in many variables. These equations are generated from the composition of the secret elements: two linear mappings and a polynomial of small degree over an extension field. In this paper we show that there exist weak keys in HFE when the coefficients of the internal polynomial are defined in the ground field. In this case, we reduce the secret key recovery problem to an instance of the Isomorphism of Polynomials (IP) Problem between the equations of the public key and themselves. Even though the hardness of recovering the secret key of schemes such as SFLASH or relies on the hardness of the IP Problem, this is normally not the case for HFE, since the internal polynomial is kept secret. However, when a weak key is used, we show how to recover all the components of the secret key in practical time, given a solution to an instance of the IP Problem. In particular, this breaks a variant of HFE proposed by Patarin to reduce the size of the public key, called the “subfield variant”. Recovering the secret key takes a few minutes.
Abstract. Extended private information retrieval (EPIR) was defined by Bringer, Chabanne, Pointcheval and Tang at CANS 2007 and generalized by Bringer and Chabanne at AFRICACRYPT 2009. In the generalized setting, EPIR allows a user to evaluate a function on a database block such that the database learns neither which function has been evaluated nor on which block it has been evaluated, and the user learns no information on the database blocks beyond the expected result. An EPIR protocol for evaluating polynomials over a finite field was proposed by Bringer and Chabanne in [Lecture Notes in Comput. Sci. 5580, Springer (2009), 305–322]. We show that the protocol does not satisfy the correctness requirement the authors claimed. In particular, we show that, with large probability, it fails to give the user the expected result if one of the coefficients of the polynomial to be evaluated is primitive in and the others belong to the prime subfield of .