David Freeman, U.C. Berkeley, USA

Title: Constructing Pairing-Friendly Elliptic Curves for Cryptography

Elliptic curves with small embedding degree and large prime-order subgroup are key ingredients for implementing pairing-based cryptographic systems.  Such "pairing-friendly" curves are rare and thus require specific constructions.

In this talk, we will describe a single coherent framework that encompasses all of the constructions of pairing-friendly curves currently existing in the literature.  We find that the methods that produce the most efficient curves are limited to small embedding degrees, while the methods that work for all embedding degrees usually produce curves with less than optimal efficiency.

We will also survey recent developments in the field, including curves with composite-order subgroups, variable CM discriminants, and pairing-friendly hyperelliptic curves.

This talk will include joint work with M. Scott and E. Teske.

Kris Gaj, George Mason University, USA

Title: Factoring in Hardware

Difficulty of factoring large integers is at the core of the security of RSA, one of the most commonly used cryptographic algorithms protecting majority of the today's on-line financial transactions. Most recently, an effort has started in the open cryptographic community to estimate the difficulty and cost of factoring RSA keys, using hardware based on Field Programmable Gate Arrays (FPGAs) and/or Application Specific Integrated Circuits (ASICs).

In this talk, we will summarize the progress in this area reported during two editions of the Special-purpose Hardware for Attacking Cryptographic Systems (SHARCS) workshop held in Europe since 2005.

We will then describe a research project conducted at George Mason University aimed at optimizing and implementing three special purpose factoring methods, rho, p-1, and ECM (Elliptic Curve Method). These methods can be applied in series to the outputs of the sieving phase of the Number Field Sieve, the best currently known general-purpose method of factoring large integers, in order to fully factor intermediate results in the range of 200-350 bits, which are already likely to contain only relatively small prime factors. A timing comparison to optimized software implementations will be presented, as well as a comparison in terms of the performance to cost ratio among the FPGA, ASIC, and microprocessor technologies.

We will discuss state of the art high-performance reconfigurable computers based on FPGAs, their programming environments, and the first results of porting our designs to selected machines of this type.

We will also estimate the potential advantage of using special-purpose hardware machines based on ASICs over general-purpose computers based on FPGAs and/or microprocessors.

Tatsuaki Okamoto, NTT, Japan

Title: Anonymous Credential and Optimistic Fair Exchange

Lecture 1.

Anonymous credential is one of the most important notions to counter some of the privacy problems about identity certificates. The basic properties of anonymous credential systems are unforgeability, anonymity and unlinkability. The existing most efficient anonymous credential schemes are based on the Strong RSA assumption or the LRSW assumption. In my talk, I will introduce another efficient anonymous credential system based on the Strong DH assumption.  

Lecture 2.

Optimistic fair exchange protocols allow two involved parties to either each party get the other's item or neither party does, where a Trusted Third Party (TTP) is not invoked when two involved parties perform the protocol correctly. We now consider protocols that exchange a digital signature and digital data. In my talk, I introduce a general ``optimistic'' fair exchange protocol which is applicable to any secure digital signatures. I then present the definition of an ideal functionality of fair exchange protocols in the universal composability (UC) framework, and show that our protocol satisfies the UC security. This is a joint work with Norio Akagi, Yoshifumi Manabe and Yusuke Okada.

Â÷ÀçÃá, ICU, Korea

Title: An elementary tutorial on provable security

We give an elementary introduction to provable security aimed at graduate students starting cryptography with mathematical background.

We start with preliminaries on randomized computation, and then discuss basic ideas on formal definitions of security, primitive hard problems, and the reduction method.  Based on this, we illustrate an example of security proof using random oracle model.

Â÷¿µÅÂ, secui.com, Korea

Title: ³×Æ®¿öÅ© º¸¾È±â¼ú µ¿Çâ

º» ¹ßÇ¥¿¡¼­´Â ³×Æ®¿öÅ© º¸¾ÈÀÇ µ¿Çâ°ú, ¸ÖƼ¹Ìµð¾î Åë½Å¿¡¼­ÀÇ º¸¾ÈÀÇ Çʿ伺 Áõ°¡¿¡ ´ëÇØ ³íÀÇ ÇÑ´Ù.

õÁ¤Èñ, ±è¼º¿í, ¼­¿ï´ëÇб³, Korea

Title: ¼º±ä Áö¼ö ÀÌ»ê·Î±× ¹®Á¦(Low Hamming Weight Discrete Logarithm Problem)

Coppersmith°¡ Á¦¾ÈÇÑ ¼º±ä Áö¼ö ÀÌ»ê·Î±× ¹®Á¦¿¡ ´ëÇÑ ¾Ë°í¸®ÁòÀº ´ëĪ ºÐÇÒ ½Ã½ºÅÛ(symmetric splitting system)À» ÀÌ¿ëÇÏ°í ÀÖ´Ù. ÀÌ¿Í ´Ù¸£°Ô Áö¼ö¸¦ ºñ´ëĪÀûÀ¸·Î ºÐÇÒÇÏ´Â ¾Ë°í¸®ÁòÀ» ¼³°èÇÏ°í À̸¦ À¯·´ Ç¥ÁØÀ¸·Î Á¦¾ÈµÈ GPSÀÎÁõ ¾Ë°í¸®Áò °ø°Ý¿¡ Àû¿ëÇغ»´Ù. ¶ÇÇÑ ºñ´ëĪÀû ºÐÇÒ ½Ã½ºÅÛ(asymmetric splitting system)À» ±¸¼ºÇÒ ¶§ ºÐÇÒÀÇ ÃÖÀûÈ­ ¹æ¾È¿¡ ´ëÇØ ¾Ë¾Æº»´Ù.

ÇÑ»ó±Ù, KAIST, Korea

Title: ARIA¿¡ ´ëÇÑ ´ë¼öÀû °ø°Ý

ARIA¿¡ ´ëÇÑ ´ë¼öÀû °ø°ÝÀÇ Çö½Ç¼ºÀ» ¾Ë¾Æº»´Ù. ƯÈ÷, SAT solver¸¦ ÀÌ¿ëÇÑ °ø°Ý°ú XL ¾Ë°í¸®ÁòÀ» ±¸ÇöÇÏ°í, ÀÌ °ø°Ý ¹æ¹ýµé¿¡ ´ëÇÑ Çö½Ç¼º¿¡ ´ëÇØ ³íÀÇÇÑ´Ù.

ÇÑÁ¾¿í, ETRI, Korea

Title: Ȩ³×Æ®¿öÅ© ±â¼úµ¿Çâ ¹× º¸¾ÈÀ̽´

IT839ÀÇ ÇÑ ºÐ¾ß·Î Á¤ºÎÀÇ ÁÖµµÇÏ¿¡ ÃßÁøµÇ¾î¿Ô´ø Ȩ³×Æ®¿öÅ©ºÐ¾ßÀÇ ±â¼úµ¿Çâ¿¡ ´ëÇؼ­ »ìÆ캻´Ù. Ȩ³×Æ®¿öÅ©¸¦ ±¸¼ºÇÏ´Â À¯¹«¼± ³×Æ®¿öÅ©±â¼ú, Á¤º¸°¡Àü±â±â, ¹Ìµé¿þ¾î±â¼ú µî¿¡ ´ëÇؼ­ ¼³¸íÇÏ°í, Åë½Å»ç¾÷ÀÚ Áß½ÉÀÇ È¨³×Æ®¿öÅ© ½Ã¹ü»ç¾÷°ú °Ç¼³»ç Áß½ÉÀÇ È¨³×Æ®¿öÅ© ´ÜÁö ÇöȲ µîÀ» »ìÆ캻´Ù. ¸¶Áö¸·À¸·Î Ȩ³×Æ®¿öÅ©¿¡¼­ ¹ß»ý °¡´ÉÇÑ º¸¾ÈÀ̽´ ¹× °ü·Ã ¿¬±¸ÇöȲ¿¡ ´ëÇؼ­ ¼³¸íÇÑ´Ù.

È«µæÁ¶, KAIST, °í·Á´ëÇб³

Title: Çؽ¬ÇÔ¼ö ºÐ¼® µµ±¸ °³¹ß

WangÀÇ Çؽ¬ÇÔ¼ö ºÐ¼® ³í¸®¸¦ ±âÃÊ·Î ÀÚµ¿È­µÈ Çؽ¬ÇÔ¼ö ºÐ¼® µµ±¸¸¦ °³¹ßÇÏ¿© ½ÇÁ¦ Çؽ¬ÇÔ¼ö¿¡ Àû¿ëÇÏ°í, ÀÌÀÇ ÀÀ¿ëÀ¸·Î½á ¸Þ½ÃÁöÀÎÁõ¿¡ »ç¿ëµÇ´Â HMAC¿¡ ´ëÇÑ Å°º¹±¸ °ø°Ý°ú APOP, EAP µîÀÇ ÀÎÁõÇÁ·ÎÅäÄÝ Æнº¿öµå º¹±¸ °ø°ÝÀ» ¼öÇàÇÑ´Ù.