Cache Attacks and Countermeasures: the Case of AES (Extended Version) (2009)
Dag Arne Osvik, Adi Shamir, Eran Tromer
Abstract. We describe several software side-channel attacks based on inter-process leakage through the state of the CPU’s memory cache. This leakage reveals memory access patterns, which can be...
UCL Cryptography Group (2009)
David Naccache, Adi Shamir, Julien P. Stern
Abstract. This paper introduces a method for tracking different copies of functionally equivalent algorithms containing identification marks known to the attacker. Unlike all previous solutions, the...
RFID Authentication, Efficient Proactive Information Security within Computational Security (2009)
Dolev, Shlomi, Kopeetsky, Marina, Shamir, Adi
We consider repeated communication sessions between a RFID Tag (e.g., Radio Frequency Identification, RFID Tag) and a RFID Verifier. A proactive information theoretic security scheme is proposed. The...
Second Preimage Attacks on Dithered Hash Functions (2009)
Elena Andreeva, Charles Bouillaguet, Pierre-alain Fouque, Jonathan J. Hoch, John Kelsey, Adi Shamir, ...
2R message blocks, these second preimage attacks can find a second preimage for one of those target messages with no more work than would be necessary to find a second preimage for a single target...
Cube Testers and Key Recovery Attacks On Reduced-Round MD6 and Trivium (2009)
Aumasson, Jean-Philippe, Dinur, Itai, Meier, Willi, Shamir, Adi
CRYPTO 2008 saw the introduction of the hash function MD6 and of cube attacks, a type of algebraic attack applicable to cryptographic functions having a low-degree algebraic normal form over GF(2)....
Second Preimage Attacks on Dithered Hash Functions (2008)
Elena Andreeva, Charles Bouillaguet, Pierre-alain Fouque, Jonathan J. Hoch, John Kelsey, Adi Shamir, ...
Abstract. We develop a new generic long-message second preimage attack, based on combining the techniques in the second preimage attacks of Dean [8] and Kelsey and Schneier [16] with the herding...
Oct-21-03 CSE 542: Operating Systems 1 Encryption (2008)
Ronald L. Rivest, Adi Shamir, Leonard M., Butler Lampson, Martin Abadi, ...
– Butler Lampson (MSR) - He was one of the designers of the SDS 940 time-sharing system, the Alto personal distributed computing system, the Xerox 9700 laser printer, two-phase commit protocols, the...
On the Generation of Multivariate Polynomials which are Hard to Factor (2008)
Abstract. In this paper we consider the difficulty of factoring multivariate polynomials F(x, y, z, ...) modulo n. We consider in particular the case in which F is a product of two randomly chosen...
Second Preimage Attacks on Dithered Hash Functions (2008)
Charles Bouillaguet, Pierre-alain Fouque, Adi Shamir, Sebastien Zimmer
Abstract. The goal of this paper is to analyze the security of dithered variants of the Merkle-Damgård mode of operation that use a third input to indicate the position of a block in the message to...
Ben Z. Steinberg, Adi Shamir, Amir Boag
Abstract: Rotating crystals that contain a circular path of slow-light structure (e.g. CROW) are studied using tight-binding theory. Novel manifestations of the Sagnac effect in non-degenerate and...
On the Cost of Factoring RSA-1024 (2008)
As many cryptographic schemes rely on the hardness of integer factorization, exploration of the concrete costs of factoring large integers is of considerable interest. Most research has focused on...
LENGTH-BASED CRYPTANALYSIS: THE CASE OF THOMPSON’S GROUP (2008)
Dima Ruinskiy, Adi Shamir, Boaz Tsaban
Abstract. The length-based approach is a heuristic for solving randomly generated equations in groups which possess a reasonably behaved length function. We describe several improvements of the...
Special-Purpose Hardware for Factoring: the NFS Sieving Step (2008)
In the quest for factorization of larger integers, the present bottleneck is the sieving step of the Number Field Sieve algorithm. Several special-purpose hardware architectures have been proposed...
Programming Techniques (R. Rivest, Editor): How to Share a Secret (2008)
In this paper we show how to divide data D into n pieces in such a way that D is easily reconstructable from any k pieces, but even complete knowledge of k-1 pieces reveals absolutely no information...
Special-Purpose Hardware for Factoring: the NFS Sieving Step (2008)
1 Introduction The hardness of factoring large integers drawn from appropriate distributions is a central assumption in cryptography, and underlies many public-key cryptosystems and protocols. The...
Improved Related-Key Attacks on DESX and DESX+ (2008)
Phan, Raphael C.-W., Shamir, Adi.
In this paper, we present improved related-key attacks on the original DESX, and DESX+, a variant of the DESX with its pre- and post-whitening XOR operations replaced with addition modulo $2^{64}$....
Second Preimage Attacks on Dithered Hash Functions (2008)
Andreeva, Elena, Bouillaguet, Charles, Fouque, Pierre-Alain, Hoch, Jonathan, Kelsey, John, Shamir, Adi, ...
We develop a new generic long-message second preimage attack, based on combining the techniques in the second preimage attacks of Dean [8] and Kelsey and Schneier [16] with the herding attack of...
Eli Biham, Alex Biryukov, Niels Ferguson, Lars R. Knudsen, Adi Shamir
Magenta [1] is an encryption algorithm submitted for AES by Deutsche Telekom AG. In this note we cryptanalyze Magenta, and any algorithm of the same structure and key schedule. We refer the reader to...
Arjen K. Lenstra, Adi Shamir, Jim Tomlinson, Eran Tromer
Abstract. In [1], Bernstein proposed a circuit-based implementation of the matrix step of the number field sieve factorization algorithm. These circuits offer an asymptotic cost reduction under the...
Software-Hardware Trade-offs: Application to A5/1 Cryptanalysis (2007)
Thomas Pornin, Jacques Stern, Adi Shamir, David Wagner
Abstract. This paper shows how a well-balanced trade-off between a generic workstation and dumb but fast reconfigurable hardware can lead to a more efficient implementation of a cryptanalysis than a full...
HOW TO COPYRIGHT A FUNCTION? (2007)
David Naccache, Adi Shamir, Julien P. Stern
This paper introduces a method for tracking different copies of functionally equivalent algorithms containing identification marks known to the attacker. Unlike all previous solutions, the new...
Visual Cryptography II: Improving the Contrast Via the Cover Base (2007)
Moni Naor, Adi Shamir
In Eurocrypt'94 we proposed a new type of cryptographic scheme, which can decode concealed images without any cryptographic computations, by placing two transparencies on top of each other and...
Scott Fluhrer, Itsik Mantin, Adi Shamir
Abstract. In this paper we present several weaknesses in the key scheduling algorithm of RC4, and describe their cryptanalytic significance. We identify a large number of weak keys, in which...
On The Method of "XL" And Its Inefficiency to TTM (2007)
T. Moh
In the article, Nicolas Courtois, Adi Shamir, Jacques Patarin and Alexander Klimov propose a method named "XL" which gives an "efficient algorithm for solving overdefined systems of multivariate polynomial equations". In the abstract, they state...
Weaknesses in the Key Scheduling Algorithm of RC4 (2007)
Scott Fluhrer, Itsik Mantin, Adi Shamir
In this paper we present several weaknesses in the key scheduling algorithm of RC4, and describe their cryptanalytic significance. We identify a large number of weak keys, in which knowledge of a...
Let d(n) denote the number of positive integral divisors of n. In this paper we show that the Möbius function, (N), can be computed by a single call to an oracle for d(n). We also show that any...
David Naccache, Adi Shamir, Julien P. Stern
Abstract. This paper introduces a method for tracking different copies of functionally equivalent algorithms containing identification marks known to the attacker. Unlike all previous solutions, the...
Y. Zheng, Public-key Cryptography, David Naccache, Adi Shamir, Julien P. Stern
Abstract. This paper introduces a method for tracking different copies of functionally equivalent algorithms containing identification marks known to the attacker. Unlike all previous solutions, the...
Cryptanalysis of group-based key agreement protocols using subgroup distance functions (2007)
Ruinskiy, Dima, Shamir, Adi, Tsaban, Boaz
We introduce a new approach for cryptanalysis of key agreement protocols based on noncommutative groups. This approach uses functions that estimate the distance of a group element to a given...
Length-based cryptanalysis: The case of Thompson's Group (2006)
Ruinskiy, Dima, Shamir, Adi, Tsaban, Boaz
The length-based approach is a heuristic for solving randomly generated equations in groups which possess a reasonably behaved length function. We describe several improvements of the previously...
How to leak a secret: Theory and applications of ring signatures (2006)
Ronald L. Rivest, Adi Shamir, Yael Tauman
Abstract. In this work we formalize the notion of a ring signature, which makes it possible to specify a set of possible signers without revealing which member actually produced the signature. Unlike...
Rigorous bounds on cryptanalytic time/memory tradeoffs (2006)
Elad Barkan, Eli Biham, Adi Shamir
Abstract. In this paper we formalize a general model of cryptanalytic time/memory tradeoffs for the inversion of a random function f: {0, 1, ..., N−1} → {0, 1, ..., N−1}. The model...
Length-Based Cryptanalysis: The Case of Thompson's Group (2006)
Dima Ruinskiy, Adi Shamir, Boaz Tsaban
The length-based approach is a heuristic for solving randomly generated equations in groups which possess a reasonably behaved length function. We describe several improvements of the previously...
Cache Attacks and Countermeasures: the Case of AES (2006)
Dag Arne Osvik, Adi Shamir, Eran Tromer
Abstract. We describe several software side-channel attacks based on inter-process leakage through the state of the CPU’s memory cache. This leakage reveals memory access patterns, which can be...
Cache Attacks and Countermeasures: the Case of AES (2006)
Dag Arne Osvik, Adi Shamir, Eran Tromer
revised 2005-11-20
Abstract. The security of hash functions has recently become one of the hottest topics in the design and analysis of cryptographic primitives. Since almost all the hash functions used today...
Willi Geiselmann, Adi Shamir, Rainer Steinw, Eran Tromer
Keywords: factorization, number field sieve, sparse systems of linear equations 1 Introduction In recent years, various special-purpose hardware implementations of the Number Field Sieve (NFS)...
Cache Attacks and Countermeasures: the Case of AES (2005)
Dag Arne Osvik, Adi Shamir, Eran Tromer
We describe several software side-channel attacks based on inter-process leakage through the state of the CPU's memory cache. This leakage reveals memory access patterns, which can be used for...
Willi Geiselmann, Adi Shamir, Rainer Steinw, Eran Tromer
Abstract. Motivated by the goal of factoring large integers using the Number Field Sieve, several special-purpose hardware designs have been recently proposed for solving large sparse systems of...
Fault Analysis of Stream Ciphers (2004)
Abstract. A fault attack is a powerful cryptanalytic tool which can be applied to many types of cryptosystems which are not vulnerable to direct attacks. The research literature contains many...
Abstract. In this paper, we present improved related-key attacks on the original DESX, and DESX+, a variant of the DESX with its pre- and post-whitening XOR operations replaced with addition modulo 2...
Factoring estimates for a 1024-bit RSA modulus (2003)
Arjen Lenstra, Eran Tromer, Adi Shamir, Wil Kortsmit, Bruce Dodson, James Hughes, ...
Abstract. We estimate the yield of the number field sieve factoring algorithm when applied to the 1024-bit composite integer RSA-1024 and the parameters as proposed in the draft version [17] of the...
Factoring Large Numbers with the TWIRL Device (2003)
Abstract. The security of the RSA cryptosystem depends on the difficulty of factoring large integers. The best current factoring algorithm is the Number Field Sieve (NFS), and its most difficult part...
On the Cost of Factoring RSA-1024 (2003)
As many cryptographic schemes rely on the hardness of integer factorization, exploration of the concrete costs of factoring large integers is of considerable interest. Most research has focused on...
Factoring estimates for a 1024-bit RSA modulus (2003)
Arjen Lenstra, Eran Tromer, Adi Shamir, Wil Kortsmit, Bruce Dodson, Paul Leyl
Abstract. We estimate the yield of the number field sieve factoring algorithm when applied to the 1024-bit composite integer RSA-1024 and the parameters as proposed in the draft version [17] of the...
A New Approach to Recursive Programs. (2002)
In this paper, the authors critically evaluate the classical least-fixedpoint approach towards recursive programs. They suggest a new approach which extracts the maximal amount of valuable...
The Theoretical Aspects of the Optimal Fixedpoint, (2002)
In this paper the authors define a new type of fixedpoint of recursive definitions and investigate some of its properties. This optimal fixedpoint (which always uniquely exists) contains, in some...
On Digital Signatures and Public-Key Cryptosystems. (2002)
Rivest, Ronald L., Shamir, Adi, Adleman, Len
It is shown that the single operation of raising a number to a fixed power modulo a composite modulus is sufficient to implement digital signatures: a way of creating for a (digitized) document a...
The Convergence of Functions to Fixedpoints of Recursive Definitions. (2002)
The classical method for constructing the least fixedpoint of a recursive definition is to generate a sequence of functions whose initial element is the totally undefined function and which converges...
On the Security of the Merkle-Hellman Cryptographic Scheme, (2002)
In this paper we show that a simplified version of the Merkle-Hellman public-key cryptographic system is breakable. While their full-fledged system seems to be resistant to the cryptanalytic attack...
Shamir, Adi, Rivest, Ronald L., Adleman, Leonard M.
Is it possible to play a fair game of 'Mental Poker'? We will give a complete (but paradoxical) answer to this question. We will first prove that the problem is intrinsically insoluble, and then...
A T = O(2^{n/2}), S = O(2^{n/4}) Algorithm for Certain NP-Complete Problems (2002)
Schroeppel, Richard, Shamir, Adi
In this paper we develop a general purpose algorithm that can solve a number of NP-complete problems in time T = O(2^{m/2}) and space S = O(2^{m/4}). The algorithm can be...
The LSD Broadcast Encryption Scheme (2002)
Abstract. Broadcast Encryption schemes enable a center to broadcast encrypted programs so that only designated subsets of users can decrypt each program. The stateless variant of this problem...
Analysis of Bernstein’s factorization circuit (2002)
Arjen K. Lenstra, Adi Shamir, Jim Tomlinson, Eran Tromer
Abstract. In [1], Bernstein proposed a circuit-based implementation of the matrix step of the number field sieve factorization algorithm. These circuits offer an asymptotic cost reduction under the...
Analysis of Bernstein’s factorization circuit (2002)
Arjen K. Lenstra, Adi Shamir, Jim Tomlinson, Eran Tromer
1 Introduction In [1], a new circuit-based approach is proposed for one of the steps of the number field sieve (NFS) integer factorization method, namely finding a linear relation in a large but...
Guaranteeing the diversity of number generators (2001)
A major problem in using iterative number generators of the form x_i=f(x_{i-1}) is that they can enter unexpectedly short cycles. This is hard to analyze when the generator is designed, hard to...
Guaranteeing the diversity of number generators (2001)
Abstract. A major problem in using iterative number generators of the form x_i = f(x_{i-1}) is that they can enter unexpectedly short cycles. This is hard to analyze when the generator is designed,...
Guaranteeing the diversity of number generators (2001)
A major problem in using iterative number generators of the form xi = f (xi−1) is that they can enter unexpectedly short cycles. This is hard to analyze when the generator is designed, hard to...
Structural cryptanalysis of SASAS (2001)
Abstract. In this paper we consider the security of block ciphers which contain alternate layers of invertible S-boxes and affine mappings (there are many popular cryptosystems which use this...
Improved online/offline signature schemes (2001)
Abstract. The notion of on-line/off-line signature schemes was introduced in 1990 by Even, Goldreich and Micali. They presented a general method for converting any signature scheme into an...
Ronald L. Rivest, Adi Shamir, Yael Tauman
Abstract. In this paper we formalize the notion of a ring signature, which makes it possible to specify a set of possible signers without revealing which member actually produced the signature....
Structural cryptanalysis of SASAS (2001)
Abstract. In this paper we consider the security of block ciphers which contain alternate layers of invertible S-boxes and affine mappings (there are many popular cryptosystems which use this structure,...
Weaknesses in the key scheduling algorithm (2001)
Scott Fluhrer, Itsik Mantin, Adi Shamir
Abstract. In this paper we present several weaknesses in the key scheduling algorithm of RC4, and describe their cryptanalytic significance. We identify a large number of weak keys, in which knowledge...
A Practical Attack on Broadcast RC4 (2001)
Itsik Mantin, Adi Shamir
RC4 is the most widely deployed stream cipher in software applications. In this paper we describe a major statistical weakness in RC4, which makes it trivial to distinguish between short outputs of...
Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations (2000)
Nicolas Courtois, Alexander Klimov, Jacques Patarin, Adi Shamir
Abstract. The security of many recently proposed cryptosystems is based on the difficulty of solving large systems of quadratic multivariate polynomial equations. This problem is NP-hard over any...
Real Time Cryptanalysis of A5/1 on a PC (2000)
Alex Biryukov, Adi Shamir, David Wagner
Abstract. A5/1 is the strong version of the encryption algorithm used by about 130 million GSM customers in Europe to protect the over-the-air privacy of their cellular voice and data communication....
Software-hardware Trade-offs: Application to A5/1 Cryptanalysis (2000)
Thomas Pornin, Jacques Stern, Alex Biryukov, Adi Shamir, David Wagner
Abstract. This paper shows how a well-balanced trade-off between a generic workstation and dumb but fast reconfigurable hardware can lead to a more efficient implementation of a cryptanalysis than a...
Analysis and Optimization of the TWINKLE Factoring Device (2000)
Abstract. We describe an enhanced version of the TWINKLE factoring device and analyse to what extent it can be expected to speed up the sieving step of the Quadratic Sieve and Number Field Sieve...
Real Time Cryptanalysis of A5/1 on a PC (2000)
Alex Biryukov, Adi Shamir, David Wagner
Abstract. A5/1 is the strong version of the encryption algorithm used by about 130 million GSM customers in Europe to protect the over-the-air privacy of their cellular voice and data communication....
On the Method of "XL" and Its Inefficiency to TTM (2000)
T. Moh
Introduction In the preprint [2], Nicolas Courtois, Adi Shamir, Jacques Patarin and Alexander Klimov propose a method named "XL" which gives an "efficient algorithm for solving...
Real Time Cryptanalysis of A5/1 on a PC (2000)
Alex Biryukov, Adi Shamir, David Wagner
A5/1 is the strong version of the encryption algorithm used by about 130 million GSM customers in Europe to protect the over-the-air privacy of their cellular voice and data communication. The best...
Real Time Cryptanalysis of A5/1 on a PC (2000)
Alex Biryukov, Adi Shamir, David Wagner
A5/1 is the strong version of the encryption algorithm used by about 130 million GSM customers in Europe to protect the over-the-air privacy of their cellular voice and data communication. The best...
Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials (1999)
Eli Biham, Alex Biryukov, Adi Shamir
Abstract. In this paper we present a new cryptanalytic technique, based on impossible differentials, and use it to show that Skipjack reduced from 32 to 31 rounds can be broken by an attack which is...
Factoring large numbers with the TWINKLE device (1999)
The current record in factoring large RSA keys is the factorization of a 465 bit (140 digit) number achieved in February 1999 by running the Number Field Sieve on hundreds of workstations for several...
Twenty years of attacks on the RSA cryptosystem (1999)
Dan Boneh
The RSA cryptosystem, invented by Ron Rivest, Adi Shamir and Len Adleman, was first publicized in the August 1977 issue of Scientific American. The cryptosystem is most commonly...
Miss in the middle attacks on IDEA and Khufu (1999)
Eli Biham, Alex Biryukov, Adi Shamir
Abstract. In a recent paper we developed a new cryptanalytic technique based on impossible differentials, and used it to attack the Skipjack encryption algorithm reduced from 32 to 31 rounds. In this...
Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization (1999)
The RSA public key cryptosystem is based on a single modular equation in one variable. A natural generalization of this approach is to consider systems of several modular equations in several...
Real Time Cryptanalysis of the Alleged A5/1 on a PC (1999)
A5/1 is the strong version of the encryption algorithm used by about 100 million GSM customers in Europe to protect the over-the-air privacy of their cellular voice and data communication. The best...
Factoring Large Numbers with the TWINKLE Device (Extended Abstract) (1999)
Adi Shamir (Dept. of Applied Math., The Weizmann Institute of Science, Rehovot 76100, Israel)
Abstract. The current record in factoring large RSA keys is the factorization...
Cryptanalysis of Skipjack Reduced to 31 Rounds using Impossible Differentials (1999)
Eli Biham, Alex Biryukov, Adi Shamir
In this paper we present a new cryptanalytic technique, based on impossible differentials, and use it to show that Skipjack reduced from 32 to 31 rounds can be broken by an attack which is faster...
Real time cryptanalysis of the alleged A5/1 on a PC. http://cryptome.org/a51-bs.htm (1999)
Abstract A5/1 is the strong version of the encryption algorithm used by about 100 million GSM customers in Europe to protect the over-the-air privacy of their cellular voice and data communication....
Cryptanalysis of the Oil and Vinegar Signature Scheme (1998)
Abstract. Several multivariate algebraic signature schemes had been proposed in recent years, but most of them had been broken by exploiting the fact that their secret trapdoors are low rank...
Initial Observations on Skipjack: Cryptanalysis of Skipjack-3XOR (1998)
Eli Biham, Alex Biryukov, Orr Dunkelman, Eran Richardson, Adi Shamir
Abstract. Skipjack is the secret key encryption algorithm developed by the NSA for the Clipper chip and Fortezza PC card. It uses an 80-bit key, 128 table lookup operations, and 320 XOR operations to...
Cryptanalysis of Magenta (1998)
Eli Biham, Alex Biryukov, Niels Ferguson, Lars R. Knudsen, Bruce Schneier, Adi Shamir
...the top half of the data, and X^B_i is the bottom half. We first present a chosen plaintext attack using 2^64 chosen plaintexts and requiring 2^64 steps of analysis. 1. Choose an arbitrary plaintext X...
Playing Hide and Seek With Stored Keys (1998)
Adi Shamir, Nicko van Someren
In this paper we consider the problem of efficiently locating cryptographic keys hidden in gigabytes of data, such as the complete file system of a typical PC. We describe efficient algebraic attacks...
The Steganographic File System (1998)
Ross Anderson, Roger Needham, Adi Shamir
Users of some systems are at risk of being compelled to disclose their keys or other private data, and this risk could be mitigated if access control mechanisms supported an element of plausible...
Cryptanalysis of Magenta (1998)
Eli Biham, Alex Biryukov, Niels Ferguson, Lars R. Knudsen, Bruce Schneier, Adi Shamir
Magenta [1] is an encryption algorithm submitted for AES by Deutsche Telekom AG, and presented...
Initial Observations on Skipjack: Cryptanalysis of Skipjack-3XOR (1998)
Eli Biham, Alex Biryukov, Orr Dunkelman, Eran Richardson, Adi Shamir
Skipjack is the secret key encryption algorithm developed by the NSA for the Clipper chip and Fortezza PC card. It uses an 80-bit key, 128 table lookup operations, and 320 XOR operations to map a...
The Steganographic File System (1998)
Ross Anderson, Roger Needham, Adi Shamir
Users of some systems are at risk of being compelled to disclose their keys or other private data, and this risk could be mitigated if access control mechanisms supported an element of plausible...
Geometric Cryptography: Identification by Angle Trisection (1997)
Mike Burmester, Ronald L. Rivest, Adi Shamir
We propose the field of "geometric cryptography," where messages and ciphertexts may be represented by geometric quantities such as angles or intervals, and where computation is performed...
New modernism :--architecture in the age of digital technology /--by Adi Shamir. (1996)
Thesis (Master of Architecture)-- University of California, Berkeley, May 1996.
PayWord and MicroMint: two simple micropayment schemes (1996)
We present two simple micropayment schemes, “PayWord” and “MicroMint”, for making small purchases over the Internet. We were inspired to work on this problem by DEC's...
Time-lock puzzles and timed-release crypto (1996)
Ronald L. Rivest, Adi Shamir, David A. Wagner
Our motivation is the notion of "timed-release crypto, " where the goal is to encrypt a message so that it can not be decrypted by anyone, not even the sender, until a...
Time-lock puzzles and timed-release crypto (1996)
Ronald L. Rivest, Adi Shamir, David A. Wagner
Our motivation is the notion of “timed-release crypto,” where the goal is to encrypt a message so that it can not be decrypted by anyone, not even the sender, until a pre-determined amount...
Time-lock puzzles and timed-release Crypto (1996)
Ronald L. Rivest, Adi Shamir, David A. Wagner
Introduction Our motivation is the notion of "timed-release crypto," where the goal is to encrypt a message so that it can not be decrypted by anyone, not even the sender, until a...
PayWord and MicroMint: Two simple micropayment schemes (1996)
this paper. We discuss these related proposals further in Section 5. The user authenticates a complete chain to the vendor with a single public-key signature, and then successively reveals each...
Visual Cryptography II: Improving the Contrast Via the Cover Base (1996)
Moni Naor, Adi Shamir
In Eurocrypt'94 [3] we proposed a new type of cryptographic scheme, which can decode concealed images without any cryptographic computations, by placing two transparencies on top of each other...
PayWord and MicroMint: two simple micropayment schemes (1996)
We present two simple micropayment schemes, "PayWord" and "MicroMint," for making small purchases over the Internet. We were inspired to work on this problem by DEC's "Millicent"...
In this paper we consider a new type of cryptographic scheme, which can decode concealed images without any cryptographic computations. The scheme is perfectly secure and very easy to implement. We...
On Matsui's Linear Cryptanalysis (1994)
Eli Biham, Adi Shamir
this paper were found using variants of programs, whose originals were written by Ishai Ben-Aroya.
Efficient Signature Schemes Based on Birational Permutations (1993)
Many public key cryptographic schemes (such as cubic RSA) are based on low degree polynomials whose inverses are high degree polynomials. These functions are very easy to compute but time consuming...
Differential Cryptanalysis of the Full 16-round DES (1993)
In this paper we develop the first known attack which is capable of breaking the full 16 round DES in less than the 2^55 complexity of exhaustive search. The data analysis phase computes the key by...
Differential Cryptanalysis of DES-like Cryptosystems (1991)
The Data Encryption Standard (DES) is the best known and most widely used cryptosystem for civilian applications. It was developed at IBM and adopted by the National Bureau of Standards in the mid...
Differential Cryptanalysis of Snefru, Khafre, REDOC-II, LOKI and Lucifer (1991)
In [1,2] we introduced the notion of differential cryptanalysis based on chosen plaintext attacks. In [3,4] we described the application of differential cryptanalysis to Feal[12,11] and extended the...
Differential Cryptanalysis of Feal and N-Hash (1991)
In [1,2] we introduced the notion of differential cryptanalysis and described its application to DES[11] and several of its variants. In this paper we show the applicability of differential...
Witness indistinguishable and witness hiding protocols (1990)
A two party protocol in which party A uses one of several secret witnesses to an NP assertion is witness indistinguishable if party B cannot tell which witness A is actually using. The protocol is...
How to prove yourself: Practical solutions to identification and signature problems (1987)
In this paper we describe simple identification and signature schemes which enable any user to prove his identity and the authenticity of his messages to any other user without shared or public keys....
Ronald L. Rivest, Adi Shamir, Yael Tauman
We introduce the notion of a ring signature: a digital signature that specifies a set of possible signers, such that the verifier can't tell which member actually produced the signature. Unlike...
Ronald L. Rivest, Adi Shamir, Yael Tauman
Abstract. In this paper we formalize the notion of a ring signature, which makes it possible to specify a set of possible signers without revealing which member actually produced the signature....
Differential Cryptanalysis of the full 16-round DES (1977)
CII plaintexts (out of the 2^56 possible ASCII plaintexts).
The Fixedpoints of recursive definitions (1976)
Thesis (doctoral)--Weizmann Institute of Science, 1976.
Cryptanalytic Time/Memory/Data Tradeoffs for Stream Ciphers (1976)
Abstract. In 1980 Hellman introduced a general technique for breaking arbitrary block ciphers with N possible keys in time T and memory M related by the tradeoff curve TM^2 = N^2 for 1 ≤ T ≤ N....
Factoring estimates for a 1024-bit RSA modulus
Arjen Lenstra, Eran Tromer, Adi Shamir, Wil Kortsmit, Bruce Dodson, James Hughes, ...
We estimate the yield of the number field sieve factoring algorithm when applied to the 1024-bit composite integer RSA-1024 and the parameters as proposed in the draft version [17] of the TWIRL...