Advances in cryptology-EUROCRYPT 2002 : International Conference on the Theory and Applications of Cryptographic Techniques, Amsterdam, The Netherlands, April 28-May 2, 2002 : proceedings

YouarereadingtheproceedingsofEUROCRYPT2002,the21stannualEu- cryptconference. TheconferencewassponsoredbytheIACR,theInternational AssociationofCryptologicResearch, www. iacr. org,thisyearincooperation withtheCodingandCryptogroupattheTechnicalUniversityofEindhovenin TheNetherlands. TheGeneralChair,BerrySchoenmakers,wasresponsiblefor thelocalorganization,andtheconferenceregistrationwashandledbytheIACR SecretariatattheUniversityofCalifornia,SantaBarbara,USA. IthankBerry Schoenmakersforallhisworkandforthepleasantcollaboration. Atotalof122papersweresubmittedofwhich33wereacceptedforpres- tationattheconference. Oneofthepapersisaresultofamergeroftwosubm- sions. Threeadditionalsubmissionswerewithdrawnbytheauthorsshortlyafter thesubmissiondeadline. TheprogramalsolistsinvitedtalksbyJoanDaemen andVincentRijmen("AESandtheWideTrailStrategy")andStephenKent ("RethinkingPKI:What'sTrustGotToDowithIt?"). Also,therewasarump (recentresults)session,whichHenkvanTilborgkindlyagreedtochair. Thereviewingprocesswasachallengingtaskandmanygoodsubmissionshad toberejected. Eachpaperwasreviewedbyatleastthreemembersoftheprogram committee,andpapersco-authoredbyamemberofthecommitteewerereviewed byatleast?veothermembers. Inmostcasesextensivecommentswerepassed ontotheauthors. Itwasapleasureformetoworkwiththeprogramcommittee, whosemembersallworkedveryhardoverseveralmonths. Thereviewingprocess was?nalizedwithameetinginCopenhagen,onJanuary13th,2002. Iamverygratefultothemanyadditionalreviewerswhocontributedwith theirexpertise:AdamBack,AlfredMenezes,AliceSilverberg,AntonStiglic, AntoonBosselaers,AriJuels,BarryTrager,CarloBlundo,ChanSupPark, ChongHeeKim,ChristianPaquin,ChristopheDeCanni'ere,CraigGentry,Dae HyunYum,DanBernstein,DarioCatalano,DavidPointcheval,DavidWagner, DongJinPark,DorianGoldfeld,ElianeJaulmes,EmmanuelBresson,Florian Hess,FrederikVercauteren,Fr'ed'ericL'egar'e,Fr'ed'ericValette,GlennDurfee, GuillaumePoupard,GwenaelleMartinet,HanPilKim,HeinRoehrig,Hovav Shacham,IlyaMironov,JacquesStern,JaeEunKang,JanCamenisch,Jean- FrancoisRaymond,JensJensen,JesperBuusNielsen,JimHughes,JohnMalone- Lee,JonathanPoritz,JongHoonShin,KatsuyukiTakashima,KazueSako, KennyPaterson,KyungWeonKim,LeoReyzin,LouisGranboulan,LouisS- vail,Markku-JuhaniO. Saarinen,MattRobshaw,MichaelQuisquater,Michael Waidner,MichelMitton,MikeSzydlo,MikeWiener,MotiYung,OlivierB- dron,OmerReingold,PaulDumais,PaulKocher,PhilippeChose,Philippe Golle,Pierre-AlainFouque,RanCanetti,RichardJozsa,RonaldCramer,Sang GyooSim,SangJinLee,SergeFehr,ShirishAltekar,SimonBlackburn,Stefan Wolf,StevenGalbraith,SvetlaNikova,TaeGuKim,TalMalkin,TalRabin, TetsuIwata,ToshioHasegawa,TsuyoshiNishioka,VirgilGligor,WenboMao, YeonKyuPark,YiqunLisaYin,YongHoHwang,YuvalIshai. VI Myworkasprogramchairwasmadealoteasierbytheelectronicsubm- sionsoftwarewrittenbyChanathipNamprempreforCrypto2000withmod- cationsbyAndreAdelsbachforEurocrypt2001,andbythereviewingsoftware developedandwrittenbyBartPreneel,WimMoreau,andJorisClaessensfor Eurocrypt2000. IwouldliketothankOledaSilvaSmithforsettingupallthis softwarelocallyandforthehelpwiththeproblemsIencountered. Iamalso gratefultoWimMoreauandChanathipNamprempreforsolvingsomeofthe problemswehadwiththesoftware. OnbehalfofthegeneralchairIwouldliketoextendmygratitudetothe membersofthelocalorganizingcommitteeatTUEindhoven,inparticularto PeterRoelseandGergelyAlp'ar. For?nancialsupportoftheconferencethe- ganizingcommitteegratefullyacknowledgesthisyear'ssponsors:PhilipsSe- conductorsCryptologyCompetenceCenter,MitsubishiElectricCorporation,cv cryptovision,Cryptomathic,ERCIM,CMG,Sectra,EUFORCE,andEIDMA. Finally,athank-yougoestoallwhosubmittedpaperstothisconferenceand lastbutnotleasttomyfamilyfortheirloveandunderstanding. February2002 LarsKnudsen EUROCRYPT2002 April28-May2,2002,Amsterdam,TheNetherlands Sponsoredbythe InternationalAssociationofCryptologicResearch(IACR) incooperationwith TheCodingandCryptogroupattheTechnicalUniversity ofEindhoveninTheNetherlands GeneralChair BerrySchoenmakers,DepartmentofMathematicsandComputingScience, TechnicalUniversityofEindhoven,TheNetherlands ProgramChair LarsR. Knudsen,DepartmentofMathematics, TechnicalUniversityofDenmark ProgramCommittee DanBoneh...StanfordUniversity,USA StefanBrands...McGillUniversitySchoolofComputerScience, Montreal,Canada ChristianCachin...IBMResearch,Zurich,Switzerland DonCoppersmith...IBMResearch,USA IvanDamg?ard...AarhusUniversity,Denmark AnandDesai...NTTMultimediaCommunicationsLaboratories,USA RosarioGennaro...IBMResearch,USA AlainHiltgen...UBS,Switzerland MarkusJakobsson ...RSALaboratories,USA ThomasJohansson...UniversityofLund,Sweden AntoineJoux...DCSSI,France PilJoongLee...Postech,Korea ArjenLenstra...CitibankandTechnicalUniversityofEindhoven KeithMartin...RoyalHolloway,UniversityofLondon,UK MitsuruMatsui...MitsubishiElectric,Japan PhongQ. Nguyen...CNRS/EcoleNormaleSup'erieure,France KaisaNyberg...NokiaResearchCenter,Finland BartPreneel...KatholiekeUniversiteitLeuven,Belgium ReihanehSafavi-Naini...UniversityofWollongong,Australia NigelSmart...UniversityofBristol,UK PaulVanOorschot...CarletonUniversity,Canada RebeccaWright...DIMACS,USA TableofContents CryptanalysisI CryptanalysisofaPseudorandomGeneratorBasedonBraidGroups ...1 RosarioGennaro,DanieleMicciancio PotentialWeaknessesoftheCommutatorKeyAgreementProtocol BasedonBraidGroups...14 SangJinLee,EonkyungLee ExtendingtheGHSWeilDescentAttack ...29 StevenD. Galbraith,FlorianHess,NigelP. Smart Public-KeyEncryption UniversalHashProofsandaParadigm forAdaptiveChosenCiphertextSecurePublic-KeyEncryption ...45 RonaldCramer,VictorShoup Key-InsulatedPublicKeyCryptosystems ...65 YevgeniyDodis,JonathanKatz,ShouhuaiXu,MotiYung OntheSecurityofJointSignatureandEncryption...83 JeeHeaAn,YevgeniyDodis,TalRabin InvitedTalk AESandtheWideTrailDesignStrategy ...108 JoanDaemen,VincentRijmen InformationTheory&NewModels IndistinguishabilityofRandomSystems...110 UeliMaurer HowtoFoolanUnboundedAdversarywithaShortKey...133 AlexanderRussell,HongWang CryptographyinanUnboundedComputationalModel...1 49 DavidP. Woodru?,MartenvanDijk X Table of Contents ImplementationalAnalysis PerformanceAnalysisandParallelImplementation ofDedicatedHashFunctions ...165 JunkoNakajima,MitsuruMatsui FaultInjectionandaTimingChannelonanAnalysisTechnique...181 JohnA. Clark,JeremyL. Jacob SpeedingUpPointMultiplicationonHyperellipticCurves withE?ciently-ComputableEndomorphisms ...197 Young-HoPark,SangtaeJeong,JonginLim StreamCiphers FastCorrelationAttacks:AnAlgorithmicPointofView ...209 PhilippeChose,AntoineJoux,MichelMitton BDD-BasedCryptanalysisofKeystreamGenerators...222 MatthiasKrause LinearCryptanalysisofBluetoothStreamCipher ...238 JovanDj. Goli'c,VittorioBagini,GuglielmoMorgari DigitalSignaturesI GenericLowerBoundsforRootExtractionandSignatureSchemes inGeneralGroups ...256 IvanDamg?ard,MaciejKoprowski OptimalSecurityProofsforPSSandOtherSignatureSchemes ...272 Jean-S'ebastienCoron CryptanalysisII CryptanalysisofSFLASH...288 HenriGilbert,MarineMinier CryptanalysisoftheRevisedNTRUSignatureScheme...299 CraigGentry,MikeSzydlo Table of Contents XI KeyExchange DynamicGroupDi?e-HellmanKeyExchange underStandardAssumptions...3 21 EmmanuelBresson,OlivierChevassut,DavidPointcheval UniversallyComposableNotionsofKeyExchangeandSecureChannels...337 RanCanetti,HugoKrawczyk OnDeniabilityinQuantumKeyExchange...352 DonaldBeaver ModesofOperation APractice-OrientedTreatmentofPseudorandomNumberGenerators ...

Cryptanalysis I.- Cryptanalysis of a Pseudorandom Generator Based on Braid Groups.- Potential Weaknesses of the Commutator Key Agreement Protocol Based on Braid Groups.- Extending the GHS Weil Descent Attack.- Public-Key Encryption.- Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption.- Key-Insulated Public Key Cryptosystems.- On the Security of Joint Signature and Encryption.- Invited Talk.- AES and the Wide Trail Design Strategy.- Information Theory & New Models.- Indistinguishability of Random Systems.- How to Fool an Unbounded Adversary with a Short Key.- Cryptography in an Unbounded Computational Model.- Implementational Analysis.- Performance Analysis and Parallel Implementation of Dedicated Hash Functions.- Fault Injection and a Timing Channel on an Analysis Technique.- Speeding Up Point Multiplication on Hyperelliptic Curves with Efficiently-Computable Endomorphisms.- Stream Ciphers.- Fast Correlation Attacks: An Algorithmic Point of View.- BDD-Based Cryptanalysis of Keystream Generators.- Linear Cryptanalysis of Bluetooth Stream Cipher.- Digital Signatures I.- Generic Lower Bounds for Root Extraction and Signature Schemes in General Groups.- Optimal Security Proofs for PSS and Other Signature Schemes.- Cryptanalysis II.- Cryptanalysis of SFLASH.- Cryptanalysis of the Revised NTRU Signature Scheme.- Key Exchange.- Dynamic Group Diffie-Hellman Key Exchange under Standard Assumptions.- Universally Composable Notions of Key Exchange and Secure Channels.- On Deniability in Quantum Key Exchange.- Modes of Operation.- A Practice-Oriented Treatment of Pseudorandom Number Generators.- A Block-Cipher Mode of Operation for Parallelizable Message Authentication.- Invited Talk.- Rethinking PKI: What's Trust Got to Do with It?.- Digital Signatures II.- Efficient Generic Forward-Secure Signatures with an Unbounded Number of Time Periods.- From Identification to Signatures via the Fiat-Shamir Transform: Minimizing Assumptions for Security and Forward-Security.- Security Notions for Unconditionally Secure Signature Schemes.- Traitor Tracking & Id-Based Encryption.- Traitor Tracing with Constant Transmission Rate.- Toward Hierarchical Identity-Based Encryption.- Multiparty and Multicast.- Unconditional Byzantine Agreement and Multi-party Computation Secure against Dishonest Minorities from Scratch.- Perfectly Secure Message Transmission Revisited.- Symmetric Cryptology.- Degree of Composition of Highly Nonlinear Functions and Applications to Higher Order Differential Cryptanalysis.- Security Flaws Induced by CBC Padding - Applications to SSL, IPSEC, WTLS....