By C. P. Schnorr, H. H. Hörner (auth.), Louis C. Guillou, Jean-Jacques Quisquater (eds.)

This quantity constitutes the court cases of EUROCRYPT '95, the 1995 overseas Workshop at the concept and alertness of Cryptographic concepts, held in Saint-Malo, France in might 1995 less than the sponsorship of the overseas organization for Cryptologic examine (IACR).

The quantity includes revised models of the 33 papers chosen from a complete of 113 submissions. All present points of cryptologic study and complicated purposes are addressed; there are sections on cryptanalysis, signatures, computational quantity conception, cryptographic protocols, mystery sharing, digital money, shift registers and Boolean features, authentication codes, new schemes, complexity facets, and implementation elements.

N}, I J ( L~) ,will be denoted Z ( t , L ) . If a(mi) is a correct signature on mi E M for i = 1,. . ,L , then u(m) denotes ( a ( n l ) a(rn2), , . . ,~ ( r n ~ For ) ) . every i E I J ( L~) , “a(m)+ I” denotes the event that there exists (sk,, , sk,,, . . , L } : mj) = +j). Definition3. Let a group signature scheme (n, k,gen, sign, test, iden) and T , polynomial in k,be given. The scheme provides anonymity for signing T messages if for any non-empty J C {1,2,.. , n } and any F ’ ~ Jin the scenario described above, and for any L 5 lJlT different messages the following holds.

An 1/0 sum is homomorphic if the input and the output functions are homomorphisms for some considered group operation(s). A threefold sum is homomorphic if the parent 1/0 sum is homomorphic. , for all U , V E X, f i ( U * i V ) = f i ( U ) @ f i ( Vand ) gi(U*i+lV) = gi(U)@gi(V). Theorem 8. Consider a cascade of p rounds with keyed round functions F ( l ) ,. . ’, T(’)is a homomorphic threefold sum for the i-th m m d , and T(l),. . , T(p) *whew ‘‘*7 are linked. {’):= T(i) is given by Matsui ’s piling-up formula, (9).

Repeat Step 1 arid 2 for all N available p/c-pairs. 4. Output all keys that niaximize lc[k]- $ 1 as candidates for the key actually used in the last round. The quantity c [ i ] is proportional to an obvious estimate of the key-dependent irnbalance of the 110 sum under the assumption that &, is the right key. Under suitable statistical assumptions, Step 4 irnplernents the r~iaxirriiira-likelihooddecision rule for the last-round key when the counts are considered t o be the observation [ 8 ] . The basic attack must in practice be speeded up by exploiting "key equivalence".