The research activities in this group are concentrated on the design, evaluation, and implementation of cryptographic algorithms and protocols, and on security architectures for computers and telecommunications networks. Cryptography is generally acknowledged as the best method of data protection against passive (eavesdropping) and active (data diddling, replay) fraud. The research is oriented to fundamental problems with a practical importance. Part of the work within COSIC is carried out in close collaboration with the company Utimaco Belgium.
COSIC is headed by René Govaerts and Joos Vandewalle, and has two post-doctoral researchers and 5 Ph.D. students.
COSIC cooperates with the University of California at Berkeley, Bell Northern Research, RSA Laboratories, Stanford University, Diva Communications, CWI Amsterdam, Cardware, Gemplus Card International, Service d'Etudes Communes de la Poste et de France Telecom, PTT Research Nederland, Sintef Delab, DigiCash BV, Institut für Sozialforschung, Universität Hildesheim, Ingenico, Aarhus Universitet, the Dutch organization for Applied Scientific Research (TNO), ENST Paris, Eucis-Conseil, Baltimore Technologies, Cambridge University, ICL, Bull, Vodafone Ltd, Siemens-ATEA, Giesecke & Devrient, Panafon, Royal Holloway University of London, Siemens AG.
COSIC's publication list, recent papers, and other useful information are available by anonymous ftp on ` ftp.esat.kuleuven.ac.be' in the directory /pub/COSIC/. The World Wide Web home page http://www.esat.kuleuven.ac.be/cosic/cosic.html contains more information about COSIC and its members.
Cryptanalysis of hash functions
R. Govaerts, J. Vandewalle, B. Preneel, L. Knudsen
Cryptographic hash functions are functions that compress an input of arbitrary size to a fixed length result. They are a useful building block for applications such as the authentication of information, digital signatures, and the protection of passwords and pass-phrases.
It was shown that the LOKI-DBH hash function, which is a hash function based on a block cipher proposed in 1989, is insecure. This result is important, since LOKI-DBH was the last unbroken hash function from a large class of efficient hash functions based on a block cipher.
In collaboration with Don Coppersmith of IBM Yorktown, several new attacks were developed on MASH-1 and MASH-2 (Modular Arithmetic Secure Hash Function). The key element in these attacks is the use of the LLL algorithm to find short vectors in a lattice. These attacks led to a revision of the draft ISO Standard CD 10118-4 on hash functions based on modular arithmetic.
Cryptanalysis of Message Authentication Codes
R. Govaerts, J. Vandewalle, B. Preneel, P.C. van Oorschot
Message Authentication Codes or MACs are cryptographic hash functions that take as a secondary input a secret key; they are mainly used for conventional message authentication. The most important requirement for a MAC is that someone who does not know the secret key is not able to forge the MAC on a message of his choice.
A new forgery attack applicable to all iterated MAC algorithms
was found, the first known such attack requiring fewer operations
than exhaustive key search. The attack requires about 
known
text-MAC pairs and 
chosen texts, where m is the bitlength of the
MAC result and n is that of the internal memory (chaining variable).
It applies to all known MAC algorithms, including the widely used (banking)
standards such as CBC-MAC and MAA (Message Authenticator Algorithm).
For some MACs, the attack can be extended to a key recovery attack, which poses a more serious threat to practical applications. A certificational key recovery attack was developed on the Internet Society RFC 1828 (Request For Comment on IP Authentication using Keyed MD5). It was also shown that the security of several previous methods for constructing MACs from hash functions, including the secret prefix, secret suffix, and envelope methods, is less than expected.
Design and analysis of block ciphers
R. Govaerts, J. Vandewalle, B. Preneel, V. Rijmen, J. Daemen,
E. De Win
Since the introduction of differential and, more recently, linear cryptanalysis, many block cipher proposals were shown vulnerable to chosen or known plaintext attacks. New block ciphers are designed with these attacks in mind and are made resistant against these attacks.
CAST is an example of the new generation of block ciphers. We verified its resistance against known cryptanalytic attacks. Afterwards, we described and implemented a new attack based on the non-surjectiveness of the round function of CAST. We also pointed out a major weakness in the key scheduling of the cipher.
To demonstrate that it is possible to build a cipher that is resistant against linear and differential cryptanalysis without introducing new weaknesses, we introduced SHARK. The cipher uses principles from coding theory to guarantee maximal diffusion. The structure of the cipher is designed with a fast software implementation in mind, and is oriented towards high-end computer architectures (64 bit operations).
Visual cryptography
R. Govaerts, J. Vandewalle, B. Preneel, V. Rijmen
At Eurocrypt'94, M. Naor and A. Shamir introduced the concept of visual cryptography. The basic idea is to ``share'' the information of a black-and-white picture over two or more transparencies. While the separate transparencies reveal no information, the picture becomes clear when enough transparencies are stacked. This technique relies heavily on the filtering abilities of the human visual system.
Some extensions have been made to the concepts of visual cryptography. Also, a tool was developed to generate transparencies that illustrate several cryptographic techniques: two-out-of-three problem, encryption, steganography (hiding of information in an innocent looking message), ... Besides being useful didactical material, these illustrations are often used as tangible examples of cryptography for visitors to the department.
Security aspects of electronic payment systems
R. Govaerts, J. Vandewalle, C. Radu
Electronic coins are the electronic equivalent of standard cash money. They can be implemented based on public key technology: a coin corresponds to a secret/public key pair used by the payer to sign the specification of a payment. In order to guarantee the authenticity of a coin, the bank certifies the public key of the coin by digitally signing it with respect to its own public key. Later on, this public-key certificate can be verified off-line by the payee, using the bank's public key. The bank issues the public-key certificates of the coins during withdrawal. The ability of the designer to make the issuing of certificates a restrictive blind signature protocol is crucial in providing both privacy for the payer and integrity for the bank.
We have designed a new restrictive blind signature scheme that can be used both during withdrawal of electronic cash and issuing of credentials. This cryptographic primitive is developed from an interactive signature scheme, employing a witness hiding basic proof system. In order to sign a message undeniably and at the same time preserve a certain blind-invariant structure encoding the identity of the recipient, we divert a proof of knowledge of a representation rather than a proof of knowledge of a discrete logarithm. Therefore, another identification/signature protocol, similar to Okamoto's Identification Scheme 1, can be used as a starting point in the design of the restrictive blind signature protocol, instead of Schnorr's identification/signature scheme. Moreover, we conjecture that the restrictiveness of the new scheme is better than that derived from Schnorr's protocol. The scheme is provable to a large extent. The decrease in efficiency is kept at a reasonable level, and can be overcome using pre-computation. Further work aims to analyze the applicability of the new restrictive blind issuing protocol to both electronic coins and credentials.
Elliptic curve cryptosystems
R. Govaerts, J. Vandewalle, B. Preneel, A. Bosselaers, E. De Win
Elliptic curves are relatively new in cryptography. An elliptic curve is the set of solutions of a cubic bivariate equation over a field, typically a finite field of characteristic 2. The definition of an appropriate binary operation turns this set into a group.
The discrete logarithm problem over this group is considerably more complex than the discrete logarithm problem over the underlying field because the index calculus attack cannot be applied. This means that exponents and keys can be much smaller for the same degree of security.
To perform operations over an elliptic curve, one must be able to calculate in the underlying field. Several ways to do arithmetic operations in finite fields of characteristic 2 have been examined and the fastest have been implemented. Table 1 gives timing information for some important operations.
Table 1: Execution times for some important arithmetic operations in a
finite field of characteristic 2. Timings were executed on an
Intel 486DX/66 based PC with the Watcom C/386 9.0 C-compiler.
Evaluation of cryptographic soft- and hardware
R. Govaerts, J. Vandewalle, B. Preneel, A. Bosselaers,
M. Vandenwauver, V. Rijmen, E. De Win
In an industrial environment the communications network is the first place where special protection is introduced, as this is certainly one of the most vulnerable parts of an information system. Depending on the application, the users require protection of the information against disclosure and/or the protection of the authenticity of the information and its origin. This protection can only be achieved through the use of cryptographic algorithms, implemented either in hardware or in software. Two types of algorithms are available on the market: algorithms that are public and widely used, and secret algorithms.
A public algorithm has the advantage that is has been thoroughly analyzed and that security properties are well-known. However, the fact that an algorithm is widely used implies that the number of potential attackers increases, and that it offers an interesting target. A breakthrough in cryptanalysis will result in a substantial benefit and the cost of special purpose hardware can be depreciated over different applications. These considerations explain the preference of several organizations for secret algorithms or for variations on publicly known algorithms. However, one has to be very careful with this type of algorithms as a large number of them were declared secure by their designers but have been broken afterwards. As a consequence, a secret algorithm must be evaluated by different cryptographic experts before it can be given any trust. Such an independent evaluation is based on literature study, and both algebraic and statistical evaluation. In addition, recommendations can be made to improve the security of the system. The difference with an academic evaluation is that imposed requirements are to be related to the economic implications of a successful fraud. For both types of algorithms one also has to pay special attention to the cryptographic protocols and the key management system.
A Secure European System for Applications in a Multi-Vendor Environment
(RACE 2051 SESAME)
R. Govaerts, J. Vandewalle, B. Preneel, M. Vandenwauver
The goal of SESAME is to increase the level of security in distributed systems. Contemporary computer systems are often very complex and consist of a heterogeneous mix of different platforms and operating systems (the now so popular INTERNET is the ultimate example of this). In this kind of environment the need for access control, single sign-on, cryptographic protection of the exchanges, ... is very clear. Therefore, the EU prompted, under its RACE programme, a project that would prove not only the theoretical existence of such a system but would also implement it and test it in real life circumstances. The name of this project was SESAME, and the main partners of the consortium were Bull, ICL and Siemens (SNI).
The involvement of the COSIC research group consisted in the first part of being an active member of the SESAME End User Group (SEUG). The goals of the SEUG were: to give an expert view on the system as it was under construction, to feed back information on different pilot tests and to promote the results. In view of this last objective the SEUG was enlarged with a number of industrial pilots (Alcatel, Thomson, ...) for 1995 and a new group called ``SESAME User Forum'' was created. During 1995 there were two major upgrades of the system (called version 3 and 4). Both of them have been ported to the HP environment of the COSIC group and have been tested extensively. Version 4 is the ultimate release of the RACE project as it has finished at the end of 1995, and is now available to the general public. As our contribution to the promotion of SESAME we set up a WWW home page http://www.esat.kuleuven.ac.be/cosic/sesame.html that contains all the available information and from where the technology can be downloaded.
Conditional Access for Europe (ESPRIT 7023 CAFE)
R. Govaerts, J. Vandewalle, A. Bosselaers, C. Radu
CAFE is a European project, carried out by a consortium of companies active in electronic payments together with leading research organizations. It is supported, also financially, by the European Commission. The project has applied modern cryptographic techniques to produce a highly secure but also open and flexible system for consumer payments using electronic money. The CAFE system is undergoing a trial on the premises of the European Commission in Brussels in the last quarter of 1995 and the first quarter of 1996. If successful, the technology should be ready for the market in the second quarter of 1996.
The CAFE system is based on recent research in public key cryptography. The use of public key technology offers big advantages over other payment and identification systems. It allows the use of a smart card or an electronic wallet for signature transporting. Electronic money, issued by a bank, can be tagged with a unique electronic signature per payment, to be compared with the unique number on printed bank notes. This signature can be down-loaded into the smart card or wallet. This feature makes the system more secure, less expensive, and offers the privacy people want. The public key nature of the CAFE protocols makes it also possible to create an open system. Participants don't have to trust each other and don't have to negotiate on the division of the risks involved. Once in use, multiple providers of goods and services, as well as multiple issuers of electronic money can join the system.
During the third, and last, CAFE year, COSIC was involved in developing and specifying extensions to the basic protocols developed in the previous two years for additional applications, such as public transport tickets, purchase receipts, physical access control, and prepaid mobile communications. The basic protocols were also revised, based on experience gained during implementation of the protocols for the trial. The end of 1995 and beginning of 1996 is used for the production of the project's final report.
Advanced Security for Personal Communications Technologies (ACTS 095
ASPeCT)
R. Govaerts, J. Vandewalle, B. Preneel, L. Knudsen, A. Bosselaers
The mobile telecommunications world is undergoing a continuing transformation as increasing numbers of services are being offered to a growing number of users by more and more operators. It is essential for the continuing success of this process that the evolving security requirements of users and service providers are addressed in an appropriate and timely way.
The goal of ASPeCT is to study the feasibility and acceptability of new and advanced security features in existing and future personal communications networks, based on trials and demonstrations. In the first year of the project, COSIC has been working on fraud detection in UMTS (Universal Mobile Telecommunication System); COSIC is exploring an approach based on neural networks in collaboration with our colleagues of the research group SISTA. Also, research was started on the use of Trusted Third parties for end-to-end security services (such as non-repudiation of origin and notarization). COSIC is mainly contributing to the design of protocols. COSIC is also involved in an exploration of the capabilities of future User Identity Modules and in work on the security and integrity of billing in UMTS. More information can be found on the ASPeCT WWW home page http://www.esat.kuleuven.ac.be/cosic/aspect.