Showing papers in "IACR Cryptology ePrint Archive in 2001"


Posted Content
TL;DR: A new public-key encryption scheme, along with several variants, is proposed and analyzed that appear to be the first public-key encryption schemes in the literature that are simultaneously practical and provably secure.
Abstract: A new public key encryption scheme, along with several variants, is proposed and analyzed. The scheme and its variants are quite practical, and are proved secure against adaptive chosen ciphertext attack under standard intractability assumptions. These appear to be the first public-key encryption schemes in the literature that are simultaneously practical and provably secure.

779 citations


Posted Content
TL;DR: A new security measure for commitment protocols, called Universally Composable (UC) Commitment, which guarantees that commitment protocols behave like an "ideal commitment service," even when concurrently composed with an arbitrary set of protocols.
Abstract: We propose a new security measure for commitment protocols, called Universally Composable (UC) Commitment. The measure guarantees that commitment protocols behave like an “ideal commitment service,” even when concurrently composed with an arbitrary set of protocols. This is a strong guarantee: it implies that security is maintained even when an unbounded number of copies of the scheme are running concurrently, it implies non-malleability (not only with respect to other copies of the same protocol but even with respect to other protocols), it provides resilience to selective decommitment, and more. Unfortunately two-party UC commitment protocols do not exist in the plain model. However, we construct two-party UC commitment protocols, based on general complexity assumptions, in the common reference string model where all parties have access to a common string taken from a predetermined distribution. The protocols are non-interactive, in the sense that both the commitment and the opening phases consist of a single message from the committer to the receiver.

511 citations


Posted Content
Abstract: An ID-based authenticated two pass key agreement protocol which makes use of the Weil pairing is presented. The protocol is described and its properties are discussed, including the ability to add key confirmation.

385 citations


Posted Content
Victor Shoup
TL;DR: In this paper, the first draft of a standard for public-key encryption is presented as a proposal for what such a draft standard should contain, and it is hoped that this proposal will serve as a basis for discussion, from which a consensus for a standard may be formed.
Abstract: This document should be viewed less as a first draft of a standard for public-key encryption, and more as a proposal for what such a draft standard should contain. It is hoped that this proposal will serve as a basis for discussion, from which a consensus for a standard may be formed.

259 citations


Posted Content
TL;DR: This paper describes a Diffie-Hellman based encryption scheme, DHIES (formerly named DHES and DHAES), which is now in several (draft) standards, and which is as efficient as ElGamal encryption, but has stronger security properties.
Abstract: This paper describes a Diffie-Hellman based encryption scheme, DHIES (formerly named DHES and DHAES), which is now in several (draft) standards. The scheme is as efficient as ElGamal encryption, but has stronger security properties. Furthermore, these security properties are proven to hold under appropriate assumptions on the underlying primitive. DHIES is a Diffie-Hellman based scheme that combines a symmetric encryption method, a message authentication code, and a hash function, in addition to number-theoretic operations, in a way which is intended to provide security against chosen-ciphertext attacks. The proofs of security are based on the assumption that the underlying symmetric primitives are secure and on appropriate assumptions about the Diffie-Hellman problem. The latter are interesting variants of the customary assumptions on the Diffie-Hellman problem, and we investigate relationships among them, and provide security lower bounds. Our proofs are in the standard model; no random-oracle assumption is required.

158 citations


Posted Content
TL;DR: In this paper, a new type of computationally sound proof system called universal arguments is proposed, which can be constructed based on standard intractability assumptions that refer to polynomial-size circuits.
Abstract: We put forward a new type of computationally sound proof system called universal arguments. Universal arguments are related but different from both CS proofs (as defined by Micali [SIAM J. Comput., 37 (2000), pp. 1253-1298]) and arguments (as defined by Brassard, Chaum, and Crépeau [J. Comput. System Sci., 37 (1988), pp. 156-189]). In particular, we adopt the instance-based prover-efficiency paradigm of CS proofs but follow the computational-soundness condition of argument systems (i.e., we consider only cheating strategies that are implementable by polynomial-size circuits). We show that universal arguments can be constructed based on standard intractability assumptions that refer to polynomial-size circuits (rather than based on assumptions that refer to subexponential-size circuits as used in the construction of CS proofs). Furthermore, these protocols have a constant number of rounds and are of the public-coin type. As an application of these universal arguments, we weaken the intractability assumptions used in the non-black-box zero-knowledge arguments of Barak [in Proceedings of the 42nd IEEE Symposium on Foundations of Computer Science, 2001]. Specifically, we only utilize intractability assumptions that refer to polynomial-size circuits (rather than assumptions that refer to circuits of some “nice” superpolynomial size).

153 citations


Posted Content
TL;DR: This work presents a commitment scheme allowing commitment to arbitrary size integers, based on any Abelian group with certain properties, most importantly that it is hard for the committer to compute its order.
Abstract: We present a commitment scheme allowing commitment to arbitrary size integers, based on any Abelian group with certain properties, most importantly that it is hard for the committer to compute its order. Potential examples include RSA and class groups. We also give efficient zero-knowledge protocols for proving knowledge of the contents of a commitment and for verifying multiplicative relations over the integers on committed values. This means that our scheme can support, for instance, the efficient interval proofs of Boudot [1]. The scheme can be seen as a modification and a generalization of an earlier scheme of Fujisaki and Okamoto [5], and in particular our results show that we can use a much larger class of RSA moduli than the safe prime products proposed in [5]. Also, we correct some mistakes in the proofs of [5] and give what appears to be the first multiplication protocol for a Fujisaki/Okamoto-like scheme with a complete proof of soundness.

104 citations


Posted Content
TL;DR: In this article, it was shown that any two-party functionality can be securely computed in a constant number of rounds, where security is obtained against (polynomial-time) malicious adversaries that may arbitrarily deviate from the protocol specification.
Abstract: In this paper we show that any two-party functionality can be securely computed in a constant number of rounds, where security is obtained against (polynomial-time) malicious adversaries that may arbitrarily deviate from the protocol specification. This is in contrast to Yao’s constant-round protocol that ensures security only in the face of semi-honest adversaries, and to its malicious adversary version that requires a polynomial number of rounds. In order to obtain our result, we present a constant-round protocol for secure coin-tossing of polynomially many coins (in parallel). We then show how this protocol can be used in conjunction with other existing constructions in order to obtain a constant-round protocol for securely computing any two-party functionality. On the subject of coin-tossing, we also present a constant-round almost perfect coin-tossing protocol, where by “almost perfect” we mean that the resulting coins are guaranteed to be statistically close to uniform (and not just pseudorandom).

99 citations


Posted Content
TL;DR: In this article, the authors present new constructions of non-malleable commitment schemes, in the public parameter model (where a trusted party makes parameters available to all parties), based on the discrete logarithm or RSA assumptions.
Abstract: We present new constructions of non-malleable commitment schemes, in the public parameter model (where a trusted party makes parameters available to all parties), based on the discrete logarithm or RSA assumptions. The main features of our schemes are: they achieve near-optimal communication for arbitrarily-large messages and are non-interactive. Previous schemes either required (several rounds of) interaction or focused on achieving non-malleable commitment based on general assumptions and were thus efficient only when committing to a single bit. Although our main constructions are for the case of perfectly-hiding commitment, we also present a communication-efficient, non-interactive commitment scheme (based on general assumptions) that is perfectly binding.

Posted Content
TL;DR: This work constructs a constant-round resettable zero-knowledge argument for NP in the public-key model, under the assumption that collision-free hash functions exist, and improves upon the sub-exponential hardness assumption required by previous constructions.
Abstract: Resettably-sound proofs and arguments remain sound even when the prover can reset the verifier, and so force it to use the same random coins in repeated executions of the protocol. We show that resettably-sound zero-knowledge arguments for NP exist if collision-resistant hash functions exist. In contrast, resettably-sound zero-knowledge proofs are possible only for languages in P/poly. We present two applications of resettably-sound zero-knowledge arguments. First, we construct resettable zero-knowledge arguments of knowledge for NP, using a natural relaxation of the definition of arguments (and proofs) of knowledge. We note that, under the standard definition of proofs of knowledge, it is impossible to obtain resettable zero-knowledge arguments of knowledge for languages outside BPP. Second, we construct a constant-round resettable zero-knowledge argument for NP in the public-key model, under the assumption that collision-resistant hash functions exist. This improves upon the sub-exponential hardness assumption required by previous constructions. We emphasize that our results use non-black-box zero-knowledge simulations. Indeed, we show that some of the results are impossible to achieve using black-box simulations. In particular, only languages in BPP have resettably-sound arguments that are zero-knowledge with respect to black-box simulation.

Posted Content
TL;DR: In this article, the authors proposed a new security assumption called the Decision Inverted-Additive Diffie-Hellman (DIH) assumption for password-authenticated key exchange, which allows an adversary to test at most one password per impersonation attempt.
Abstract: In the most strict formal definition of security for password-authenticated key exchange, an adversary can test at most one password per impersonation attempt. We propose a slightly relaxed definition which restricts an adversary to testing at most a constant number of passwords per impersonation attempt. This definition seems useful, since there is currently a popular password-authenticated key exchange protocol called SRP that seems resistant to off-line dictionary attack, yet does allow an adversary to test two passwords per impersonation attempt. In this paper we prove (in the random oracle model) that a certain instantiation of the SPEKE protocol that uses hashed passwords instead of non-hashed passwords is a secure password-authenticated key exchange protocol (using our relaxed definition) based on a new assumption, the Decision Inverted-Additive Diffie-Hellman assumption. Since this is a new security assumption, we investigate its security and relation to other assumptions; specifically we prove a lower bound for breaking this new assumption in the generic model, and we show that the computational version of this new assumption is equivalent to the Computational Diffie-Hellman assumption.


Posted Content
TL;DR: It is argued that contrary to common belief it is unnecessary to use strong primes in the RSA cryptosystem and one gains a negligible increase in security over what is obtained merely by using random primes of the same size.
Abstract: We review the arguments in favor of using so-called strong primes in the RSA public key cryptosystem. There are two types of such arguments: those that say that strong primes are needed to protect against factoring attacks, and those that say that strong primes are needed to protect against cycling attacks based on repeated encryption. We argue that, contrary to common belief, it is unnecessary to use strong primes in the RSA cryptosystem. That is, by using strong primes one gains a negligible increase in security over what is obtained merely by using random primes of the same size. There are two parts to this argument. First, the use of strong primes provides no additional protection against factoring attacks, because Lenstra's method of factoring based on elliptic curves (ECM) circumvents any protection that might have been offered by using strong primes. The methods that strong primes are intended to guard against, as well as ECM, are probabilistic in nature, but ECM succeeds with higher probability. For RSA key sizes being proposed now, the probability of success of these methods is very low. Additionally, the newer Number Field Sieve algorithm can factor RSA keys with virtual certainty in less time than these methods. Second, a simple group-theoretic argument shows that cycling attacks are extremely unlikely to be effective as long as the primes used are large. Indeed, even probabilistic factoring attacks will succeed much more quickly and with higher probability than cycling attacks.

Posted Content
TL;DR: A class of very simple, practical protocols based on the early ideas of Boyd's signature schemes is analyzed and proofs of security for the schemes in this class are provided based on assumptions about RSA and the hash function underlying the scheme.


Posted Content
TL;DR: In this article, the authors show that the ability to trace with the IPP algorithm implies the ability of tracing with the TA algorithm when using an algebraic structure, and they also construct schemes with an algorithm that finds all possible traitor coalitions faster than the TA tracing algorithm.
Abstract: We use powerful new techniques for list decoding error-correcting codes to efficiently trace traitors. Although much work has focused on constructing traceability schemes, the complexity of the tracing algorithm has received little attention. Because the TA tracing algorithm has a runtime of O(N) in general, where N is the number of users, it is inefficient for large populations. We produce schemes for which the TA algorithm is very fast. The IPP tracing algorithm, though less efficient, can list all coalitions capable of constructing a given pirate. We give evidence that when using an algebraic structure, the ability to trace with the IPP algorithm implies the ability to trace with the TA algorithm. We also construct schemes with an algorithm that finds all possible traitor coalitions faster than the IPP algorithm. Finally, we suggest uses for other decoding techniques in the presence of additional information about traitor behavior.

Posted Content
TL;DR: In this paper, a comprehensive treatment of forward security in the context of shared-key based cryptographic primitives, as a practical means to mitigate the damage caused by key-exposure, is provided.
Abstract: This paper provides a comprehensive treatment of forward-security in the context of shared-key based cryptographic primitives, as a practical means to mitigate the damage caused by key-exposure. We provide definitions of security, practical proven-secure constructions, and applications for the main primitives in this area. We identify forward-secure pseudorandom bit generators as the central primitive, providing several constructions and then showing how forward-secure message authentication schemes and symmetric encryption schemes can be built based on standard schemes for these problems coupled with forward-secure pseudorandom bit generators. We then apply forward-secure message authentication schemes to the problem of maintaining secure access logs in the presence of break-ins.

Posted Content
TL;DR: A novel and simple time-memory tradeoff attack against the stream cipher LILI-128 that defeats the security advantage of having an irregular stepping function.
Abstract: In this note we discuss a novel and simple time-memory tradeoff attack against the stream cipher LILI-128. The attack defeats the security advantage of having an irregular stepping function. The attack requires 2^46 bits of keystream, a lookup table of 2^45 89-bit words and computational effort which is roughly equivalent to 2^48 DES operations.

Posted Content
TL;DR: In this article, the authors describe a fast hash algorithm that maps arbitrary messages onto points of an elliptic curve defined over a finite field of characteristic 3, which runs in time O(m) for curves over F3m.
Abstract: We describe a fast hash algorithm that maps arbitrary messages onto points of an elliptic curve defined over a finite field of characteristic 3. Our new scheme runs in time O(m) for curves over F_{3^m}. The best previous algorithm for this task runs in time O(m). Experimental data confirms the speedup by a factor O(m), or approximately a hundred times for practical m values. Our results apply for both standard and normal basis representations of F_{3^m}.


Posted Content
TL;DR: It is shown that three public-key (k, n)-traceability schemes can be derived from an [n, u, d]-linear code C such that d ≥ 2k+1.
Abstract: In this paper, we first show that three public-key (k, n)-traceability schemes can be derived from an [n, u, d]-linear code C such that d ≥ 2k+1. The previous schemes are obtained as special cases. This observation gives more freedom and a new insight to this field. For example, we show that the Boneh-Franklin scheme is equivalent to a slight modification of the corrected Kurosawa-Desmedt scheme. This means that the BF scheme is redundant or overdesigned because the modified KD scheme is much simpler. It is also shown that the corrected KD scheme is the best among them.

Posted Content
TL;DR: Two new methodologies for the design of efficient secure protocols, that differ with respect to their underlying computational models are suggested, including a protocol for the "millionaires problem", which is more efficient than previously known ones in either communication or computation.
Abstract: We suggest two new methodologies for the design of efficient secure protocols, that differ with respect to their underlying computational models. In one methodology we utilize the communication complexity tree (or branching program) for f and transform it into a secure protocol. In other words, "any function f that can be computed using communication complexity c can be computed securely using communication complexity that is polynomial in c and a security parameter". The second methodology uses the circuit computing f, enhanced with look-up tables, as its underlying computational model. It is possible to simulate any RAM machine in this model with polylogarithmic blowup. Hence it is possible to start with a computation of f on a RAM machine and transform it into a secure protocol. We show many applications of these new methodologies resulting in protocols efficient either in communication or in computation. In particular, we exemplify a protocol for the "millionaires problem", where two participants want to compare their values but reveal no other information. Our protocol is more efficient than previously known ones in either communication or computation.

Posted Content
TL;DR: In this paper, the authors show that code-based cryptosystems like McEliece do not allow practical digital signatures and disprove this belief and show a way to build a practical signature scheme based on coding theory.
Abstract: McEliece is one of the oldest known public key cryptosystems. Though it was less widely studied than RSA, it is remarkable that all known attacks are still exponential. It is widely believed that code-based cryptosystems like McEliece do not allow practical digital signatures. In the present paper we disprove this belief and show a way to build a practical signature scheme based on coding theory. Its security can be reduced in the random oracle model to the well-known syndrome decoding problem and the distinguishability of permuted binary Goppa codes from a random code. For example we propose a scheme with signatures of 81 bits and a binary security workfactor of 2^83.

Posted Content
TL;DR: In this article, the authors introduced a new class of computational problems called the "one-more-RSA-inversion" problems, which have polynomially-equivalent computational complexity.
Abstract: We introduce a new class of computational problems which we call the “one-more-RSA-inversion” problems. Our main result is that two problems in this class, which we call the chosen-target and known-target inversion problems respectively, have polynomially-equivalent computational complexity. We show how this leads to a proof of security for Chaum’s RSA-based blind signature scheme in the random oracle model based on the assumed hardness of either of these problems. We define and prove analogous results for “one-more-discrete-logarithm” problems. Since the appearance of the preliminary version of this paper, the new problems we have introduced have found other uses as well.

Posted Content
TL;DR: In this paper, the authors explore the problem of encoding members of a finite set M where k = |M| is arbitrary (in particular, it need not be a power of two).
Abstract: We explore the problem of enciphering members of a finite set M where k = |M| is arbitrary (in particular, it need not be a power of two). We want to achieve this goal starting from a block cipher (which requires a message space of size N = 2^n, for some n). We look at a few solutions to this problem, focusing on the case when M = [0, k − 1]. We see ciphers with arbitrary domains as a worthwhile primitive in its own right, and as a potentially useful one for making higher-level protocols.

Posted Content
TL;DR: In this paper, the security of various problems motivated by the notion of a secure hash function is analyzed in the random oracle model, and it is shown that the obvious trivial algorithms are optimal.
Abstract: In this paper, we study issues related to the notion of "secure" hash functions. Several necessary conditions are considered, as well as a popular sufficient condition (the so-called random oracle model). We study the security of various problems that are motivated by the notion of a secure hash function. These problems are analyzed in the random oracle model, and we prove that the obvious trivial algorithms are optimal. As well, we look closely at reductions between various problems. In particular, we consider the important question "does collision resistance imply preimage resistance?". We provide partial answers to this question --- both positive and negative! --- based on uniformity properties of the hash function under consideration.

Posted Content
Shai Halevi
TL;DR: This work proves that a universal hash function (à la Carter-Wegman) is sufficient for deriving masks of block ciphers derived from an IV via the same block cipher as used for the encryption (perhaps with a different key).
Abstract: Recently, Jutla suggested two new modes of operation for block ciphers. These modes build on traditional CBC and ECB modes, respectively, but add to them masking of the outputs and inputs. Jutla proved that these masking operations considerably strengthen CBC and ECB modes. In particular, together with a simple checksum, the modified modes ensure not only confidentiality, but also authenticity. Similar modes were also suggested by Gligor and Donescu and by Rogaway. In Jutla’s proposal (as well as in some of the other proposals), the masks themselves are derived from an IV via the same block cipher as used for the encryption (perhaps with a different key). In this work we note, however, that the function for deriving these masks need not be cryptographic at all. In particular, we prove that a universal hash function (à la Carter-Wegman) is sufficient for this purpose.
Author affiliation: IBM T. J. Watson Research Center, P.O. Box 704, Yorktown Heights, NY 10598, USA, shaih@watson.ibm.com

Posted Content
TL;DR: PMAC as discussed by the authors is a deterministic and fully parallelizable block-cipher mode of operation for message authentication, which works for strings of any bit length, employs a single block-cipher key, and uses just max{1, ⌈|M|/n⌉} block-cipher calls to MAC a string M ∈ {0, 1}∗ using an n-bit block cipher.
Abstract: We define and analyze a simple and fully parallelizable block-cipher mode of operation for message authentication. Parallelizability does not come at the expense of serial efficiency: in a conventional, serial environment, the algorithm’s speed is within a few percent of the (inherently sequential) CBC MAC. The new mode, PMAC, is deterministic, resembles a standard mode of operation (and not a Carter-Wegman MAC), works for strings of any bit length, employs a single block-cipher key, and uses just max{1, ⌈|M|/n⌉} block-cipher calls to MAC a string M ∈ {0, 1}∗ using an n-bit block cipher. We prove PMAC secure, quantifying an adversary’s forgery probability in terms of the quality of the block cipher as a pseudorandom permutation.