

Improvement of Saeednia's self-certified key exchange protocols

Tzong-Chen Wu, Yuh-Shihng Chang and Tzouh-Yi Lin

In 1997, two self-certified key exchange protocols were proposed by Saeednia. It is shown that Saeednia's self-certified key exchange protocols are insecure in that an adversary may impersonate any legitimate user in key exchange. An improvement against the impersonation attack is described.

Introduction: Saeednia [1] presented two key exchange protocols based on Girault's self-certified public key system [2]. In Saeednia's key exchange protocols, there exists a trusted third party (TTP) for system setup and user registration; however, the TTP does not know the secret key of any user during user registration. Saeednia's key exchange protocols preserve the merits inherent in both the identity-based system and the self-certified system, and hence allow a considerable reduction in communication complexity. In this Letter, we first show that Saeednia's self-certified key exchange protocols are insecure: an adversary may impersonate any legitimate user in running these protocols. We also present an improvement that can withstand the impersonation attack.

Saeednia's key exchange protocol: In the setup of this system, the TTP chooses an integer $n$ as the product of two large distinct primes $p$ and $q$ of almost the same size, such that $p = 2p' + 1$ and $q = 2q' + 1$, where $p'$ and $q'$ are also primes, a base $g \neq 1$ of order $r = p'q'$, a large integer $u < r$, and a one-way hash function $f$. The TTP makes $g$, $u$, $f$ and $n$ public, keeps $r$ secret and discards $p$ and $q$ afterwards. Next, any user $U_i$ can register with the TTP by performing the following steps:

(i) $U_i$ randomly chooses a secret key $x_i \in Z_u$, computes the public key $y_i = g^{x_i} \bmod n$ and gives it to the TTP.

(ii) The TTP prepares a string $I_i$ associated with $U_i$'s personal information (name, address, etc.) and computes $U_i$'s identity $ID_i = f(I_i)$.

(iii) The TTP computes $w_i = y_i^{ID_i^{-1}} \bmod n$ as a witness and sends $\{I_i, w_i\}$ to $U_i$.

(iv) $U_i$ verifies the identity and the witness by checking that $y_i = w_i^{f(I_i)} \bmod n$.

Saeednia claimed that forging a valid witness $w_i$ for $U_i$ is equivalent to breaking an instance of the RSA cryptosystem [3]. Suppose that $U_i$ and $U_j$ want to exchange a secret key to be used for secure communication. They can perform the following protocols. These protocols are based on the well-known Diffie-Hellman key distribution system [4]. Note that the secret key exchanged in protocol 1 is invariant, while it is time-variant in protocol 2.

Protocol 1

(i) $U_i$ sends $\{I_i, w_i\}$ to $U_j$.

(ii) $U_j$ sends $\{I_j, w_j\}$ to $U_i$.

(iii) $U_i$ computes the secret key shared with $U_j$ as $k = w_j^{f(I_j) \cdot x_i} \bmod n$.

(iv) $U_j$ computes the secret key shared with $U_i$ as $k = w_i^{f(I_i) \cdot x_j} \bmod n$.

Protocol 2

(i) $U_i$ randomly chooses a secret integer $t_i \in Z_u$, computes $v_i = g^{t_i} \bmod n$ and sends $\{I_i, w_i, v_i\}$ to $U_j$.

(ii) $U_j$ randomly chooses a secret integer $t_j \in Z_u$, computes $v_j = g^{t_j} \bmod n$ and sends $\{I_j, w_j, v_j\}$ to $U_i$.

(iii) $U_i$ computes the secret key shared with $U_j$ as $k = w_j^{f(I_j) \cdot t_i} \cdot v_j^{x_i} \bmod n$.

(iv) $U_j$ computes the secret key shared with $U_i$ as $k = w_i^{f(I_i) \cdot t_j} \cdot v_i^{x_j} \bmod n$.

Note that the secret key shared between $U_i$ and $U_j$ can be regarded as

$k = w_j^{f(I_j) \cdot x_i} = y_j^{x_i} = g^{x_i x_j} \pmod n$ (in protocol 1)

or

$k = w_j^{f(I_j) \cdot t_i} \cdot v_j^{x_i} = g^{x_j t_i} \cdot g^{t_j x_i} = g^{(x_j t_i) + (t_j x_i)} \pmod n$ (in protocol 2)

Attack on Saeednia's key exchange protocols: Consider the case in which an adversary pretends to act as $U_i$ and tries to exchange a secret key with $U_j$, such that $U_j$ will indeed share the secret key with the adversary. First of all, the adversary randomly chooses an integer $a \in Z_u$. Then he sets $x_i^* = a \cdot f(I_i)$ as a fake secret key for $U_i$ and replaces $U_i$'s original public key $y_i$ (maintained by the TTP) with $y_i^* = g^{x_i^*} \bmod n$. Thereafter, the adversary can easily compute a valid witness $w_i^* = g^a \bmod n$ for $U_i$, since the substituted public key $y_i^* = g^{a \cdot f(I_i)} = (w_i^*)^{f(I_i)} \pmod n$ is also self-certified. In protocol 1, if the adversary sends $\{I_i, w_i^*\}$ to $U_j$ in step (i) and intercepts the message $\{I_j, w_j\}$ that is intended to be sent to $U_i$ in step (ii), both the adversary and $U_j$ will share the same secret key $k^* = w_j^{f(I_j) \cdot x_i^*} = g^{x_j x_i^*} \pmod n$. Moreover, $U_j$ will believe that he indeed communicates with $U_i$, because the pair $(I_i, w_i^*)$ will be authenticated successfully. It can be seen that protocol 2 is also vulnerable to such an attack.

Our improvement: The weakness of Saeednia's key exchange protocols is that the witness $w_i$ computed by the TTP is not self-certified, although to forge a valid $w_i$ is equivalent to breaking an instance of the RSA cryptosystem. We can easily remove this weakness by replacing step (iii) of the user registration phase with

(iii*) The TTP computes $w_i = (y_i - ID_i)^{ID_i^{-1}} \bmod n$ as a witness and sends $\{I_i, w_i\}$ to $U_i$.

Our improvement only requires one more subtraction than the original step. Note that $y_i = g^{x_i} = (w_i^{ID_i} + ID_i) \pmod n$. This implies that, without knowing $x_i$, any adversary can easily compute an authenticated pair $(w_i, y_i)$ for $U_i$ satisfying the check in step (iv) of the user registration phase. However, the adversary still does not know $U_i$'s secret key $x_i$ unless he can solve the problem of computing discrete logarithms modulo a large composite [5, 6]. Since $x_i$ is unknown, the adversary cannot pretend to act as $U_i$ to share a secret key with $U_j$. That is, in steps (iii) and (iv) of protocols 1 and 2, the adversary and $U_j$ cannot obtain the same secret key.
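The following Python model is added here to make the registration steps, the two protocols, the impersonation attempt and the effect of step (iii*) concrete; it is not code from the Letter. It uses constructed toy parameters (p' = 5, q' = 11, so n = 253 and r = 55; u = 41; the "hash" f is a byte sum reduced into Z_u) and two assumptions the Letter does not spell out: under step (iii*) a peer recovers the other party's public key as $y_j = w_j^{ID_j} + ID_j \bmod n$ before running Protocol 1 or 2, and the TTP inverts $ID_i$ modulo $\lambda(n) = 2p'q'$ in step (iii*) so that the relation holds for the arbitrary base $y_i - ID_i$.

```python
"""Toy model of Saeednia's self-certified key exchange (Protocols 1 and 2),
the impersonation attempt described in the Letter, and registration step
(iii*).  Constructed toy parameters; not code from the Letter."""
from math import gcd

# --- TTP setup (constructed toy values; real parameters are hundreds of digits)
P1, Q1 = 5, 11                  # p' and q' (primes)
P, Q = 2 * P1 + 1, 2 * Q1 + 1   # p = 11, q = 23 (also prime)
N = P * Q                       # n = 253, public
R = P1 * Q1                     # r = p'q' = 55, order of g, kept secret by the TTP
LAM = 2 * R                     # lambda(n) = lcm(p-1, q-1) = 2p'q', also secret
U = 41                          # public bound u < r; secrets are drawn from Z_u


def find_base(n, p1, q1):
    """Smallest g != 1 of order exactly p'q' mod n: g = h^4 has order dividing
    p'q', so keep it only if neither p' nor q' alone reduces it to 1."""
    for h in range(2, n):
        g = pow(h, 4, n)
        if (g != 1 and pow(g, p1, n) != 1 and pow(g, q1, n) != 1
                and pow(g, p1 * q1, n) == 1):
            return g
    raise ValueError("no element of order p'q'")


G = find_base(N, P1, Q1)


def f(info):
    """Toy public one-way hash f (constructed): byte sum reduced into Z_u.
    Stands in for a cryptographic hash only to keep the numbers small."""
    return sum(info.encode()) % U


# --- user registration, steps (i)-(iv) --------------------------------------
def register(info, x, improved=False):
    """User supplies y = g^x mod n; the TTP returns the string I and witness w."""
    y = pow(G, x, N)
    ident = f(info)                       # ID_i = f(I_i), step (ii)
    if improved:
        # (iii*): w = (y - ID)^(ID^-1) mod n.  ID is inverted modulo lambda(n)
        # (assumption of this example) so the relation holds for the arbitrary
        # base y - ID, not only for powers of g.
        base = (y - ident) % N
        if gcd(ident, LAM) != 1 or gcd(base, N) != 1:
            raise ValueError("toy parameters: ID or y-ID not invertible")
        w = pow(base, pow(ident, -1, LAM), N)
    else:
        # original (iii): w = y^(ID^-1) mod n, inverse taken modulo r
        if gcd(ident, R) != 1:
            raise ValueError("toy parameters: ID not invertible mod r")
        w = pow(y, pow(ident, -1, R), N)
    return y, info, w


def public_key_from_witness(info, w, improved=False):
    """Step (iv) relation, and what a peer recovers from {I, w}:
    y = w^f(I) mod n originally, y = w^ID + ID mod n under step (iii*)."""
    ident = f(info)
    y = pow(w, ident, N)
    return (y + ident) % N if improved else y


# --- Protocol 1 (invariant key) and Protocol 2 (time-variant key) ------------
def protocol1_key(x_self, peer_info, peer_w, improved=False):
    """k = w_j^(f(I_j) x_i) = y_j^(x_i) mod n, steps (iii)/(iv) of Protocol 1."""
    return pow(public_key_from_witness(peer_info, peer_w, improved), x_self, N)


def protocol2_key(x_self, t_self, peer_info, peer_w, peer_v, improved=False):
    """k = w_j^(f(I_j) t_i) * v_j^(x_i) = g^(x_j t_i + t_j x_i) mod n."""
    y_peer = public_key_from_witness(peer_info, peer_w, improved)
    return pow(y_peer, t_self, N) * pow(peer_v, x_self, N) % N


# --- the Letter's impersonation attempt against U_i, run in Protocol 1 ------
def impersonation_keys(a, victim_info, peer_x, peer_info, peer_w, improved=False):
    """Adversary picks a, sets x* = a f(I_i) and w* = g^a mod n, sends {I_i, w*}
    to U_j and intercepts {I_j, w_j}.  Returns (adversary's key, U_j's key):
    equal under the original step (iii), different under step (iii*)."""
    x_star = a * f(victim_info)
    w_star = pow(G, a, N)
    adversary_key = protocol1_key(x_star, peer_info, peer_w, improved)
    peer_key = protocol1_key(peer_x, victim_info, w_star, improved)
    return adversary_key, peer_key


if __name__ == "__main__":
    for improved in (False, True):
        _, i_a, w_a = register("Alice", 13, improved)
        _, i_b, w_b = register("Bob", 22, improved)
        honest = (protocol1_key(13, i_b, w_b, improved)
                  == protocol1_key(22, i_a, w_a, improved))
        adv, peer = impersonation_keys(3, "Alice", 22, i_b, w_b, improved)
        print("step (iii*)" if improved else "original step (iii)",
              "| honest parties agree:", honest,
              "| impersonator agrees with U_j:", adv == peer)
```

Under the original step (iii) the forged witness $w^* = g^a$ passes the self-certification relation and the impersonator and $U_j$ end up with the same key; under step (iii*) the same forged witness still yields some value $y^* = (w^*)^{ID_i} + ID_i$ that passes the check, but the impersonator does not know a discrete logarithm of $y^*$, so the two derived keys differ.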

© IEE 1998

Electronics Letters Online No: 19980797

Tzong-Chen Wu, Yuh-Shihng Chang and Tzouh-Yi Lin (Department of Information Management, National Taiwan University of Science and Technology, 43, Section 4, Keelung Road, Taipei, Taiwan 106, Republic of China)

E-mail: [email protected]

24 March 1998

References

1 SAEEDNIA, S.: 'Identity-based and self-certified key-exchange protocols'. Proc. Information Security and Privacy, Second Australasian Conf., Sydney, Australia, 7-9 June 1997, pp. 303-313

2 GIRAULT, M.: 'Self-certified public keys'. Advances in Cryptology - Eurocrypt '91, 1991, (Springer-Verlag), pp. 491-497

3 RIVEST, R.L., SHAMIR, A., and ADLEMAN, L.: 'A method for obtaining digital signatures and public key cryptosystems', Commun. ACM, 1978, 21, (2), pp. 120-126

4 DIFFIE, W., and HELLMAN, M.E.: 'New directions in cryptography', IEEE Trans. Inf. Theory, 1976, IT-22, (6), pp. 135-145

5 BRICKELL, E.F., and McCURLEY, K.S.: 'An interactive identification scheme based on discrete logarithms and factoring'. Advances in Cryptology - Eurocrypt '90, (Springer-Verlag, 1990), pp. 63-71

6 GIRAULT, M.: 'An identity-based identification scheme based on discrete logarithms modulo a composite number'. Advances in Cryptology - Eurocrypt '90, (Springer-Verlag, 1990), pp. 481-486

ELECTRONICS LETTERS 28th May 1998 Vol. 34

