## About

98 publications, 5,696 reads


3,959 citations (counted since 2017)


## Publications (98)

A targeted exponentiation algorithm computes a group exponentiation operation $a^k$ with a reversible circuit in such a way that the initial state of the circuit consists of only the base $a$ and fixed values, and the final state consists of only the exponential $a^k$ and fixed values. Three targeted exponentiation algorithms based on Fibonacci add...

In a system for disconnected authentication, verification records corresponding to given authentication token outputs over a predetermined period of time, sequence of events, and/or set of challenges are downloaded to a verifier. The records include encrypted or hashed information for the given authentication token outputs. In one embodiment using...

The RSA-KEM Key Transport Algorithm is a one-pass (store-and-forward) mechanism for transporting keying data to a recipient using the recipient’s RSA public key. ("KEM" stands for "key encapsulation mechanism".) This document specifies the conventions for using the RSA-KEM Key Transport Algorithm with the Cryptographic Message Syntax (CMS). The AS...

As a multi-tenant service, cloud computing may be compared to container ships and cruise lines, which also provide services to large numbers of independent customers. To be cost-effective, cloud computing needs to be more like container shipping, with standardized containers, optimized costs, and automated assurances of non-interference from other...

In this paper, we define and explore proofs of retrievability (PORs). A POR scheme enables an archive or back-up service (prover) to produce a concise proof that a user (verifier) can retrieve a target file F, that is, that the archive retains and reliably transmits file data sufficient for the user to recover F in its entirety. A POR may be viewed as...

Thesis (B.S.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 1984. MICROFICHE COPY AVAILABLE IN ARCHIVES AND ENGINEERING. Bibliography: leaf 97. by Burton Stephen Kaliski, Jr. B.S.

Traditional password-based authentication and key-exchange protocols suffer from the simple fact that a single server stores the sensitive user password. In practice, when such a server is compromised, a large number of user passwords (usually password hashes) are exposed at once. A natural solution involves splitting the password between two or more...

The use of radio frequency identification (RFID) tags as an advanced electronic version of the UPC barcodes for identification is discussed. An RFID tag consists of a small integrated circuit attached to a small antenna and is capable of transmitting a unique serial number in response to a query. Protocols based on symmetric cryptography are sugges...

In RSA public-key encryption [30], Alice encrypts a plaintext M for Bob using Bob's public key (n, e) by computing the ciphertext where n, the modulus, is the product of two or more large primes, and e, the public exponent, is an odd integer $e \ge 3$ that is relatively prime to $\varphi(n)$, the order of the multiplicative group $\mathbb{Z}_n^*$. Bob, who kn...

Recent proposals for widespread deployment of Radio Frequency Identification (RFID) systems have raised significant concerns about consumer privacy. With current low-cost tag technology, these concerns are somewhat unavoidable, as the tags aren’t designed to differentiate between authorized readers and unauthorized ones, and likewise the readers ca...

Passwords and PINs continue to remain the most widespread forms of user authentication, despite growing awareness of their security limitations. This is because short secrets are convenient, particularly for an increasingly mobile user population. Many users are interested in employing a variety of computing devices with different forms of connecti...

The security of many signature schemes depends on the verifier’s assurance that the same hash function is applied during signature verification as during signature generation. Several schemes provide this assurance by appending a hash function identifier to the hash value. We show that such “hash function firewalls” do not necessarily prevent an op...

We show that the security of the TLS handshake protocol based on RSA can be related to the hardness of inverting RSA given a certain "partial-RSA" decision oracle. The reduction takes place in a security model with reasonable assumptions on the underlying TLS pseudo-random function, thereby addressing concerns about its construction in terms of two hash funct...

The MQV key agreement protocol, a technique included in recent standards, is shown in its basic form to be vulnerable to an unknown key-share attack. Although the attack's practical impact on security is minimal---a key confirmation step easily prevents it---the attack is noteworthy in the principles it illustrates about protocol design. First, min...

A roaming user, who accesses a network from different client terminals, can be supported by a credentials server that authenticates the user by password then assists in launching a secure environment for the user. However, traditional credentials server designs are vulnerable to exhaustive password guessing attack at the server. We describe a new c...

Public-key algorithms have emerged as a critical security technology over the past two decades. The first generation of public-key algorithms are based on hard problems from number theory.

The problem of finite field basis conversion is to convert from the representation of a field element in one basis to the representation of the element in another basis. This paper presents new algorithms for the problem that require much less storage than previous solutions. For the finite field $GF(2^m)$, for example, the storage requirement of th...

A roaming user, who accesses a network from different client terminals, can be supported by a credentials server that authenticates the user by password then assists in launching a secure environment for the user. However, traditional credentials server designs are vulnerable to exhaustive password guessing attack at the server. We describe a cred...

This note gives a layman's introduction to a subset of OSI's Abstract Syntax Notation One (ASN.1), Basic Encoding Rules (BER), and Distinguished Encoding Rules (DER). The particular purpose of this note is to provide background material sufficient for understanding and implementing the PKCS family of standards. 1. Introduction It is a generally a...

er m, most significant byte first, and encrypts the result with RSA by the usual exponentiation, $c = m^e \bmod n$ where (n, e) is the recipient's public key, and sends the ciphertext c to the recipient. The recipient decrypts the ciphertext c with RSA as $m = c^d \bmod n$, converts the integer m to a string EB, checks that the result has the expected form,...

Conversion of finite field elements from one basis representation to another representation in a storage-efficient manner is crucial if these techniques are to be carried out in hardware for cryptographic applications. We present algorithms for conversion to and from dual of polynomial and dual of normal bases, as well as algorithms to convert to a...

The problem of finite field basis conversion is to convert from the representation of a field element in one basis to the representation of the element in another basis. This paper presents new algorithms for the problem that require much less storage than previous solutions. For the finite field $GF(2^m)$, for example, the storage requirement of th...

They came into prominence in the 1970’s, though their roots extend back several centuries. In the 1980’s, they survived substantial testing and many new members were added. The roles of their various members became better understood in the 1990’s, as the families gained influence throughout the world. These are, of course, the two families of publi...

e the hash function doesn't have a key. A hash function can provide message authentication in a most satisfying manner when combined with a digital signature algorithm, which does have a key. But typical digital * Copyright 1995 RSA Laboratories, a division of RSA Data Security, Inc. All rights reserved. RSA Data Security, Inc. part number 003-9030...

During 1996, a new attack on cryptographic devices was proposed by researchers at Bellcore. This attack depends on introducing errors into key-dependent cryptographic operations through physical intrusion. Soon after, the initial Bellcore work which focused on public-key techniques was extended and applied to secret-key encryption tech...

The Public-Key Cryptography Standards (PKCS) are offered by RSA Laboratories to promote the development of secure application and other standards based on public-key cryptography. First published in 1991, PKCS has become widely implemented and referenced, and a significant amount of experience is now available to assist the development...

The transition from theory to industry standards presents many challenges, particularly in terms of what features are important and how they are to be specified. Public-key cryptography, now in its third decade, is in the midst of such a transition. With an introduction to the P1363 project Standard Specifications for Public Key Cryptography, this...

One of the purported advantages of the elliptic curve cryptosystem proposed by Demytko in 1993 is resistance to signature forgery under a chosen message attack. Based on a similar result by Bleichenbacher et al. on the LUC cryptosystem, this purported advantage is shown not to hold.


This document gives some examples of PKCS. The reader is assumed to be familiar with the members of the PKCS family, or at least to have read the PKCS overview. 1. Introduction This document illustrates some of the PKCS standards with the following sequence of examples: 1. An example user, called "Test User 1," generates an RSA key pair according...

This note gives an overview of the PKCS family of standards for public-key cryptography. These standards cover RSA encryption, Diffie-Hellman key agreement, password-based encryption, extended-certificate syntax, cryptographic message syntax, private-key information syntax, and certification request syntax, as well as selected attributes. The not...

The IEEE P1363 working group is developing standards for public-key cryptography based on RSA and Diffie-Hellman algorithm families and on elliptic curve systems. This paper summarizes the current activities of that group.

This paper analyzes the security of the RC5 encryption algorithm against differential and linear cryptanalysis. RC5 is a new block cipher recently designed by Ron Rivest. It has a variable word size, a variable number of rounds, and a variable-length secret key. In RC5, the secret key is used to fill an expanded key table which is then used in encr...

We present a technique which aids in the linear cryptanalysis of a block cipher and allows for a reduction in the amount of data required for a successful attack. We note the limits of this extension when applied to DES, but illustrate that it is generally applicable and might be exceptionally successful when applied to other block ciphers. This fo...

The RSA trapdoor proposed in Ross Anderson's recent letter can be broken. A recent letter by Ross Anderson [1] proposes a "trapdoor" in the RSA public-key cryptosystem [5] whereby a hardware device generates RSA primes p and p' in such a way that the hardware manufacturer can easily factor the RSA modulus n = pp'. Factoring the modulus hopefully...

We describe the results of experiments on the use of multiple approximations in a linear cryptanalytic attack on FEAL; we pay particular attention to FEAL-8. While these attacks on FEAL are interesting in their own right, many important and intriguing issues in the use of multiple approximations are brought to light.

The author reviews encryption algorithms and standards, how they compare, how they differ, and where they are headed. Attention is given to secret-key cryptosystems, public-key cryptosystems, digital signature schemes, key-agreement algorithms, cryptographic hash functions, and authentication codes. Applications considered are secure electronic mai...

The paper discusses the contents of a recent paper by Anderson which proposes a trapdoor in the RSA public key cryptosystem whereby a hardware device generates RSA primes p and p' in such a way that the hardware manufacturer can easily factor the RSA modulus n = pp'. The proposed trapdoor is based on a secret value A known only to the manufacturer....

In recent years one-way functions have been shown to have important applications in cryptography, especially one-way functions that are also permutations. But even with the generality of this research, no function is known to be one-way and the few specific permutations believed to be one-way are all invertible in subexponential time. Elliptic curv...

MD4 is a new, fast message digest algorithm. It inputs a message of any length and outputs a digest of 128 bits. It is conjectured that it is computationally infeasible to find two messages with the same digest or a message with a prespecified digest. MD4 processes 1.45M bytes/s on a SUN Sparc station, 70K bytes/s on a DEC MicroVax II, and 32K byte...

We describe a cryptographic library for the Motorola DSP56000 that provides hardware speed yet software flexibility. The library includes modular arithmetic, DES, message digest and other methods. Of particular interest is an algorithm for modular multiplication that interleaves multiplication with Montgomery modular reduction to give a very fast i...

The Data Encryption Standard (DES) defines an indexed set of permutations acting on the message space $M = \{0, 1\}^{64}$. If this set of permutations were closed under functional composition, then DES would be vulnerable to a known-plaintext attack that runs in $2^{28}$ steps, on the average. It is unknown in the open literature whether or not DES has this we...

Signal processors and array processors use buffers to hold signal samples and access the buffer elements in specified orders to effect various processing algorithms. Array processor libraries normally only provide language level support for one-dimensional buffers and for address sequences that are, themselves, essentially one-dimensional. The SPS-...

this report, we will focus our discussions on the security of RC5 against differential and linear cryptanalysis, but we will also give a brief summary of other known cryptanalytic results on RC5.

This memo represents a republication of PKCS #1 v2.1 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, and change control is retained within the PKCS process. The body of this document is taken directly from the PKCS #1 v2.1 document, with certain corrections made during the publication process.

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Copyright Notice: Copyright (C) The Internet Society (1998). All Rights Reserved. Overview: This document describes a syntax for certification requests. 1. Scope: A certification request consists of a disting...