From the Publisher:
A valuable reference for the novice as well as for the expert who needs a wider scope of coverage within the area of cryptography, this book provides easy and rapid access of information and includes more than 200 algorithms and protocols; more than 200 tables and figures; more than 1,000 numbered definitions, facts, examples, notes, and remarks; and over 1,250 significant references, including brief comments on each paper.

Handbook of Applied Cryptography

https://cs.uwaterloo.ca/~brecht/courses/854-Emerging-2014/readings/iot/iot-survey.pdf

The Internet of Things: A survey

Cryptosystem designers frequently assume that secrets will be manipulated in closed, reliable computing environments. Unfortunately, actual computers and microchips leak information about the operations they process. This paper examines specific methods for analyzing power consumption measurements to find secret keys from tamper resistant devices. We also discuss approaches for building cryptosystems that can operate securely in existing hardware that leaks information.

/pdf/differential-power-analysis-4t7fjmuc7b.pdf

Differential Power Analysis

We propose a fully homomorphic encryption scheme -- i.e., a scheme that allows one to evaluate circuits over encrypted data without being able to decrypt. Our solution comes in three steps. First, we provide a general result -- that, to construct an encryption scheme that permits evaluation of arbitrary circuits, it suffices to construct an encryption scheme that can evaluate (slightly augmented versions of) its own decryption circuit; we call a scheme that can evaluate its (augmented) decryption circuit bootstrappable.Next, we describe a public key encryption scheme using ideal lattices that is almost bootstrappable.Lattice-based cryptosystems typically have decryption algorithms with low circuit complexity, often dominated by an inner product computation that is in NC1. Also, ideal lattices provide both additive and multiplicative homomorphisms (modulo a public-key ideal in a polynomial ring that is represented as a lattice), as needed to evaluate general circuits.Unfortunately, our initial scheme is not quite bootstrappable -- i.e., the depth that the scheme can correctly evaluate can be logarithmic in the lattice dimension, just like the depth of the decryption circuit, but the latter is greater than the former. In the final step, we show how to modify the scheme to reduce the depth of the decryption circuit, and thereby obtain a bootstrappable encryption scheme, without reducing the depth that the scheme can evaluate. Abstractly, we accomplish this by enabling the encrypter to start the decryption process, leaving less work for the decrypter, much like the server leaves less work for the decrypter in a server-aided cryptosystem.

/pdf/fully-homomorphic-encryption-using-ideal-lattices-3oirjo0huq.pdf

Fully homomorphic encryption using ideal lattices

In several distributed systems a user should only be able to access data if a user posses a certain set of credentials or attributes. Currently, the only method for enforcing such policies is to employ a trusted server to store the data and mediate access control. However, if any server storing the data is compromised, then the confidentiality of the data will be compromised. In this paper we present a system for realizing complex access control on encrypted data that we call ciphertext-policy attribute-based encryption. By using our techniques encrypted data can be kept confidential even if the storage server is untrusted; moreover, our methods are secure against collusion attacks. Previous attribute-based encryption systems used attributes to describe the encrypted data and built policies into user's keys; while in our system attributes are used to describe a user's credentials, and a party encrypting data determines a policy for who can decrypt. Thus, our methods are conceptually closer to traditional access control methods such as role-based access control (RBAC). In addition, we provide an implementation of our system and give performance measurements.

/pdf/ciphertext-policy-attribute-based-encryption-q09jxdyx4n.pdf

Ciphertext-Policy Attribute-Based Encryption

We study the problem of partial key exposure. Standard cryptographic definitions and constructions do not guarantee any security even if a tiny fraction of the secret key is compromised. We show how to build cryptographic primitives that remain secure even when an adversary is able to learn almost all of the secret key.

The key to our approach is a new primitive of independent interest, which we call an Exposure-Resilient Function (ERF) - a deterministic function whose output appears random (in a perfect, statistical or computational sense) even if almost all the bits of the input are known. ERF's by themselves efficiently solve the partial key exposure problem in the setting where the secret is simply a random value, like in private-key cryptography. They can also be viewed as very secure pseudorandom generators, and have many other applications.

To solve the general partial key exposure problem, we use the (generalized) notion of an All-Or-Nothing Transform (AONT), an invertible (randomized) transformation T which, nevertheless, reveals "no information" about x even if almost all the bits of T(x) are known. By applying an AONT to the secret key of any cryptographic system, we obtain security against partial key exposure. To date, the only known security analyses of AONT candidates were made in the random oracle model. We show how to construct ERF's and AONT's with nearly optimal parameters. Our computational constructions are based on any one-way function. We also provide several applications and additional properties concerning these notions.

/pdf/exposure-resilient-functions-and-all-or-nothing-transforms-2i7v0qart8.pdf

Exposure-resilient functions and all-or-nothing transforms

The recently proposed universally composable (UC) security framework, for analyzing security of cryptographic protocols, provides very strong security guarantees. In particular, a protocol proven secure in this framework is guaranteed to maintain its security even when deployed in arbitrary multi-party, multi-protocol, multi-execution environments. Protocols for securely carrying out essentially any cryptographic task in a universally composable way exist, both in the case of an honest majority (in the plain model, i.e., without set-up assumptions) and in the case of no honest majority (in the common reference string model). However, in the plain model, little was known for the case of no honest majority and, in particular, for the important special case of two-party protocols.

We study the feasibility of universally composable two-party function evaluation in the plain model. Our results show that very few functions can be computed in this model so as to provide the UC security guarantees. Specifically, for the case of deterministic functions, we provide a full characterization of the functions computable in this model. (Essentially, these are the functions that depend on at most one of the parties' inputs, and furthermore are "efficiently invertible" in a sense defined within.) For the case of probabilistic functions, we show that the only functions computable in this model are those where one of the parties can essentially uniquely determine the joint output.

/pdf/on-the-limitations-of-universally-composable-two-party-4bm7iuww1z.pdf

On the limitations of universally composable two-party computation without set-up assumptions

This document introduces Timed Efficient Stream Loss-tolerant
Authentication (TESLA). TESLA allows all receivers to check the
integrity and authenticate the source of each packet in multicast or
broadcast data streams. TESLA requires no trust between receivers,
uses low-cost operations per packet at both sender and receiver, can
tolerate any level of loss without retransmissions, and requires no
per-receiver state at the sender. TESLA can protect receivers against
denial of service attacks in certain circumstances. Each receiver must
be loosely time-synchronized with the source in order to verify
messages, but otherwise receivers do not have to send any messages.
TESLA alone cannot support non-repudiation of the data source to third
parties. This informational document is intended to assist in writing
standardizable and secure specifications for protocols based on TESLA
in different contexts. This memo provides information for the Internet
community.

/pdf/timed-efficient-stream-loss-tolerant-authentication-tesla-wz0c7to44j.pdf

Timed Efficient Stream Loss-Tolerant Authentication (TESLA): Multicast Source Authentication Transform Introduction

This paper proposes a simple threshold Public-Key Cryptosystem (PKC) which is secure against adaptive chosen ciphertext attack, under the Decisional Diffie-Hellman (DDH) intractability assumption.

Previously, it was shown how to design non-interactive threshold PKC secure under chosen ciphertext attack, in the random-oracle model and under the DDH intractability assumption [25]. The random-oracle was used both in the proof of security and to eliminate interaction. General completeness results for multi-party computations [6,13] enable in principle converting any single server PKC secure against CCA (e.g., [19,17]) into a threshold one, but the conversions are inefficient and require much interaction among the servers for each ciphertext decrypted. The recent work by Cramer and Shoup [17] on single server PKC secure against adaptive CCA is the starting point for the new proposal.

/pdf/an-efficient-threshold-public-key-cryptosystem-secure-1gccsvrueo.pdf

An efficient threshold public key cryptosystem secure against adaptive chosen ciphertext attack

We present a security analysis of the Diffie-Hellman key-exchange protocol authenticated with digital signatures used by the Internet Key Exchange (IKE) standard. The analysis is based on an adaptation of the key-exchange model from [Canetti and Krawczyk, Eurocrypt'01] to the setting where peers identities are not necessarily known or disclosed from the start of the protocol. This is a common practical setting, including the case of IKE and other protocols that provide confidentiality of identities over the network. The formal study of this "post-specified peer" model is a further contribution of this paper.

Ran Canetti

Papers

Exposure-resilient functions and all-or-nothing transforms

On the limitations of universally composable two-party computation without set-up assumptions

Timed Efficient Stream Loss-Tolerant Authentication (TESLA): Multicast Source Authentication Transform Introduction

An efficient threshold public key cryptosystem secure against adaptive chosen ciphertext attack

Security Analysis of IKE's Signature-based Key-Exchange Protocol.