This book constitutes the refereed conference proceedings of the 18th Australasian Conference on Information Security and Privacy, ACISP 2013, held in Brisbane, Australia, in July 2013.

The 28 revised full papers presented were carefully selected from 78 submissions.

Conference papers are organized in technical sessions, covering topics of Cryptanalysis, RSA, Lattices and Security Proofs, Public Key Cryptography, Hashing, Signatures, Passwords, Mobile Security, and Secret Sharing.

instead of extracting one word of the internal state directly. In 2004, Phelix was submitted to the eSTREAM contest and was selected as a Phase 2 Focus Candidate for both Profile 1 and Profile 2, but was not advanced to Phase 3 mainly due to Wu and Preneel's key recovery attack [7]. Their attack shows that if the cipher is used incorrectly (nonces reused), the key of Phelix can be recovered with about $2^{37}$ operations, $2^{34}$ chosen nonces and $2^{38.2}$ chosen plaintext words. However, there is some debate

on the validity of this attack model, notably by Bernstein [8]. A counterexample is that all additive stream ciphers can be broken under the above security definition if the adversary is not nonce-respecting. Despite the above disputes, Helix and Phelix provide an innovative and interesting design approach according to the final eSTREAM portfolio report [9], especially in terms of the increasing demand for authenticated encryption [10]. In this paper, we study the security of Helix and

towards unifying all the previous works [17,4,2,9]. Our Contributions. Let $p \geq N^{\beta}$, and let $n$ denote the number of the unknown blocks. In this paper we show that we can factorize the multi-power RSA modulus $N = p^r q$ given a 1− n+1 1 1 − (1 − rβ) n − (n + 1)(1 − rβ) 1 − rβ n 1 − rβ fraction of the bits in $p$ together with their positions. Our results generalize the previous results in the following sense:
Factoring Multi-power RSA Modulus $N = p^r q$ with Partial Known Bits
– For $\beta = \frac{1}{r+1}$

scheme. The public key is given by $pk = (h_i)_{i=1}^{3} = (g^{x_{2i-1}} \hat{g}^{x_{2i}})_{i=1}^{3}$ and the secret key is given by $sk = (x_i)_{i=1}^{6}$, where $g, \hat{g}$ are two random generators and $(x_i)_{i=1}^{6}$ are independently and uniformly chosen from $\mathbb{Z}_q$. To encrypt a message $m \in \mathbb{Z}_q$ under public key $pk$, we select a random $r \in \mathbb{Z}_q$ and then set the ciphertext as $C = (u, \hat{u}, c, v) = (g^r, \hat{g}^r, h_1^r \cdot \mathrm{encode}(m), h_2^r h_3^{rt})$, where $t = H(u, \hat{u}, c)$ and $H$ is a suitable hash function. In the proof, the simulator starts from a public

oracles in arbitrarily interleaved order of messages. The probability of an event $E$ is denoted by $\Pr[E]$. The probability of an event $E$ on condition that events $E_1, \ldots, E_m$ occur in this order is denoted as $\Pr[E_1; \cdots; E_m : E]$.

2.1 Access Structure

Let $U = \{\chi_1, \ldots, \chi_u\}$ be an attribute universe, or simply set $U = \{1, \ldots, u\}$. We must distinguish two cases: the case that $U$ is small (i.e. $|U| = u$ is bounded by some polynomial in $\lambda$) and the case that $U$ is large (i.e. $u$ is not