Showing papers in "IACR Cryptology ePrint Archive in 2003"

Chosen-Ciphertext Security from Identity-Based Encryption.

Abstract: We propose a simple and efficient construction of a CCA-secure public-key encryption scheme from any CPA-secure identity-based encryption (IBE) scheme. Our construction requires the underlying IBE scheme to satisfy only a relatively “weak” notion of security which is known to be achievable without random oracles; thus, our results provide a new approach for constructing CCA-secure encryption schemes in the standard model. Our approach is quite different from existing ones; in particular, it avoids non-interactive proofs of “well-formedness” which were shown to underlie most previous constructions. Furthermore, applying our conversion to some recently-proposed IBE schemes results in CCA-secure schemes whose efficiency makes them quite practical.

Certificate-Based Encryption and the Certificate Revocation Problem.

Abstract: We introduce the notion of certificate-based encryption. In this model, a certificate – or, more generally, a signature – acts not only as a certificate but also as a decryption key. To decrypt a message, a keyholder needs both its secret key and an up-to-date certificate from its CA (or a signature from an authorizer). Certificate-based encryption combines the best aspects of identity-based encryption (implicit certification) and public key encryption (no escrow). We demonstrate how certificate-based encryption can be used to construct an efficient PKI requiring less infrastructure than previous proposals, including Micali’s Novomodo, Naor-Nissim and Aiello-Lodha-Ostrovsky. Comment: This is a version of the Eurocrypt 2003 paper, identical except for this comment and a correction in Section 3.2. I’m posting it online to make it more widely available, particularly since a couple of recent works propose essentially the same idea.

New identity based signcryption schemes from pairings.

Abstract: We present a new identity based scheme based on pairings over elliptic curves. It combines the functionalities of signature and encryption and is provably secure in the random oracle model. We compare it with Malone-Lee’s one from security and efficiency points of view. We give a formal proof of semantical security under the Decisional Bilinear Diffie-Hellman assumption for this new scheme and we show how to devise other provably secure schemes that produce even shorter ciphertexts.

On the (In) security of the Fiat-Shamir Paradigm

Abstract: In 1986, Fiat and Shamir proposed a general method for transforming secure 3-round public-coin identiflcation schemes into digital signature schemes. The idea of the transformation was to replace the random message of the verifler in the identiflcation scheme, with the value of some deterministic\hash" function evaluated on various quantities in the protocol and on the message to be signed. The Fiat-Shamir methodology for producing digital signature schemes quickly gained popularity as it yields e‐cient and easy to implement digital signature schemes. The most important question however remained open: are the digital signatures produced by the Fiat-Shamir methodology secure? In this paper, we answer this question negatively. We show that there exist secure 3round public-coin identiflcation schemes for which the Fiat-Shamir transformation yields insecure digital signature schemes for any \hash" function used by the transformation. This is in contrast to the work of Pointcheval and Stern which proved that the FiatShamir methodology always produces digital signatures secure against chosen message attack in the \Random Oracle Model" { when the hash function is modelled by a random oracle. Among other things, we make new usage of Barak’s technique for taking advantage of non black-box access to a program, this time in the context of digital signatures.

Low-Cost Solutions for Preventing Simple Side-Channel Analysis: Side-Channel Atomicity.

Abstract: We introduce simple methods to convert a cryptographic algorithm into an algorithm protected against simple side-channel attacks. Contrary to previously known solutions, the proposed techniques are not at the expense of the execution time. Moreover, they are generic and apply to virtually any algorithm. In particular, we present several novel exponentiation algorithms, namely, a protected square-and-multiply algorithm, its right-to-left counterpart, and several protected sliding-window algorithms. We also illustrate our methodology applied to point multiplication on elliptic curves. All these algorithms share the common feature that the complexity is globally unchanged compared to the corresponding unprotected implementations.

An Un-Instantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem

Abstract: We present a simple, natural random-oracle (RO) model scheme, for a practical goal, that is uninstantiable, meaning is proven in the RO model to meet its goal yet admits no standard-model instantiation that meets this goal. The goal in question is IND-CCA-preserving asymmetric encryption which formally captures security of the most common practical usage of asymmetric encryption, namely to transport a symmetric key in such a way that symmetric encryption under the latter remains secure. The scheme is an ElGamal variant, called Hash ElGamal, that resembles numerous existing RO-model schemes, and on the surface shows no evidence of its anomalous properties. These results extend our understanding of the gap between the standard and RO models, and bring concerns raised by previous work closer to practice by indicating that the problem of RO-model schemes admitting no secure instantiation can arise in domains where RO schemes are commonly designed.

Scalable Protocols for Authenticated Group Key Exchange.

Abstract: We consider the problem of authenticated group key exchange among n parties communicating over an insecure public network. A number of solutions to this problem have been proposed; however, all prior provably secure solutions do not scale well and, in particular, require O(n) rounds. Our main contribution is the first scalable protocol for this problem along with a rigorous proof of security in the standard model under the DDH assumption; our protocol uses a constant number of rounds and requires only O(1) "full" modular exponentiations per user. Toward this goal (and adapting work of Bellare, Canetti, and Krawczyk), we first present an efficient compiler that transforms any group key-exchange protocol secure against a passive eavesdropper to an authenticated protocol which is secure against an active adversary who controls all communication in the network. This compiler adds only one round and O(1) communication (per user) to the original scheme. We then prove secure—against a passive adversary—a variant of the two-round group key-exchange protocol of Burmester and Desmedt. Applying our compiler to this protocol results in a provably secure three-round protocol for authenticated group key exchange which also achieves forward secrecy.

Certificateless Public Key Cryptography.

Abstract: This paper introduces the concept of certificateless public key cryptography (CL-PKC). In contrast to traditional public key cryptographic systems, CL-PKC does not require the use of certificates to guarantee the authenticity of public keys. It does rely on the use of a trusted third party (TTP) who is in possession of a master key. In these respects, CL-PKC is similar to identity-based public key cryptography (ID-PKC). On the other hand, CL-PKC does not suffer from the key escrow property that seems to be inherent in ID-PKC. Thus CL-PKC can be seen as a model for the use of public key cryptography that is intermediate between traditional certificated PKC and ID-PKC. We make concrete the concept of CL-PKC by introducing certificateless public key encryption (CL-PKE), signature and key exchange schemes. We also demonstrate how hierarchical CL-PKC can be supported. The schemes are all derived from pairings on elliptic curves. The lack of certificates and the desire to prove the schemes secure in the presence of an adversary who has access to the master key requires the careful development of new security models. For reasons of brevity, the focus in this paper is on the security of CL-PKE. We prove that our CL-PKE scheme is secure in a fully adaptive adversarial model, provided that an underlying problem closely related to the Bilinear Diffie-Hellman Problem is hard.

On the Selection of Pairing-Friendly Groups.

Abstract: We propose a simple algorithm to select group generators suitable for pairing-based cryptosystems. The selected parameters are shown to favor implementations of the Tate pairing that are at once conceptually simple and efficient, with an observed performance about 2 to 10 times better than previously reported implementations, depending on the embedding degree. Our algorithm has beneficial side effects: various non-pairing operations become faster, and bandwidth may be saved.

Identity-Based Threshold Decryption.

Abstract: In this paper, we examine issues related to the construction of identity-based threshold decryption schemes and argue that it is important in practice to design an identity-based threshold decryption scheme in which a private key associated with an identity is shared. A major contribution of this paper is to construct the first identity-based threshold decryption scheme secure against chosen-ciphertext attack. A formal proof of security of the scheme is provided in the random oracle model, assuming the Bilinear Diffie-Hellman problem is computationally hard. Another contribution of this paper is, by extending the proposed identity-based threshold decryption scheme, to construct a mediated identity-based encryption scheme secure against more powerful attacks than those considered previously.

Public Key Encryption with keyword Search.

Abstract: We study the problem of searching on data that is encrypted using a public key system. Consider user Bob who sends email to user Alice encrypted under Alice’s public key. An email gateway wants to test whether the email contains the keyword “urgent” so that it could route the email accordingly. Alice, on the other hand does not wish to give the gateway the ability to decrypt all her messages. We define and construct a mechanism that enables Alice to provide a key to the gateway that enables the gateway to test whether the word “urgent” is a keyword in the email without learning anything else about the email. We refer to this mechanism as Public Key Encryption with keyword Search. As another example, consider a mail server that stores various messages publicly encrypted for Alice by others. Using our mechanism Alice can send the mail server a key that will enable the server to identify all messages containing some specific keyword, but learn nothing else. We define the concept of public key encryption with keyword search and give several constructions.

Physically Observable Cryptography.

Abstract: Complexity-theoretic cryptography considers only abstract notions of computation, and hence cannot protect against attacks that exploit the information leakage (via electromagnetic fields, power consumption, etc.) inherent in the physical execution of any cryptographic algorithm. Such “physical observation attacks” bypass the impressive barrier of mathematical security erected so far, and successfully break mathematically impregnable systems. The great practicality and the inherent availability of physical attacks threaten the very relevance of complexity-theoretic security. To respond to the present crisis, we put forward physically observable cryptography: a powerful, comprehensive, and precise model for defining and delivering cryptographic security against an adversary that has access to information leaked from the physical execution of cryptographic algorithms. Our general model allows for a variety of adversaries. In this paper, however, we focus on the strongest possible adversary, so as to capture what is cryptographically possible in the worst possible, physically observable setting. In particular, we • consider an adversary that has full (and indeed adaptive) access to any leaked information; • show that some of the basic theorems and intuitions of traditional cryptography no longer hold in a physically observable setting; and • construct pseudorandom generators that are provably secure against all physical-observation attacks. Our model makes it easy to meaningfully restrict the power of our general physically observing adversary. Such restrictions may enable schemes that are more efficient or rely on weaker assumptions, while retaining security against meaningful physical observations attacks.

Combinational Logic Design for AES SubByte Transformation on Masked Data.

Abstract: Low power consumption, low gate count and high throughput used to be standard design criteria for cryptographic coprocessors designated for smart cards and related embedded devices. Not anymore. With the advent of side channel attacks, the first and foremost concern is device resistance to such attacks, at a price. General-purpose hardware countermeasures, such as metal shields, tamperdetectors, clock randomization, random current generators, seem not anymore a sufficient protection against sophisticated differential power analysis or fault attacks specifically tailored to break a particular device. In this paper we describe an attempt to embed data masking technique at a hardware design level for an AES coprocessor. We concentrate on inversion in GF since it is the only non-linear operation, and requires complex transformations on the masked data and masks.

A Universally Composable Cryptographic Library

Abstract: Bridging the gap between formal methods and cryptography has recently received a lot of interest, i.e., investigating to what extent proofs of cryptographic protocols made with abstracted cryptographic operations are valid for real implementations. However, a major goal has not been achieved yet: a soundness proof for an abstract crypto-library as needed for the cryptographic protocols typically proved with formal methods, e.g., authentication and key exchange protocols. Prior work that directly justifies the typical Dolev-Yao abstraction is restricted to passive adversaries and certain protocol environ-ion is restricted to passive adversaries and certain protocol environments. Prior work starting from the cryptographic side entirely hides the cryptographic objects, so that the operations are not composable: While secure channels or signing of application data is modeled, one cannot encrypt a signature or sign a key. We make the major step towards this goal: We specify an abstract cryptolibrary that allows composed operations, define a cryptographic realization, and prove that the abstraction is sound for arbitrary active attacks in arbitrary reactive scenarios. The library currently contains public-key encryption and signatures, nonces, lists, and application data. The proof is a novel combination of a probabilistic, imperfect bisimulation with cryptographic reductions and static information-flow analysis.

Proxy Blind Signature Scheme.

Abstract: Blind signature is the concept to ensure anonymity of e-coins. Untracebility and unlinkability are two main properties of real coins, which require mimicking electronically. Whenever a user is permitted to spend an e-coin, he is in need to fulfill above requirements of blind signature. This paper proposes a proxy blind signature scheme with which a proxy is able to make proxy blind signature which verifier is able to verify in a way similar to proxy signature schemes.

New Proxy Signature, Proxy Blind Signature and Proxy Ring Signature Schemes from Bilinear Pairing.

Abstract: Proxy signatures are very useful tools when one needs to delegate his/her signing capability to other party After Mambo et al’s first scheme was announced, many proxy signature schemes and various types of proxy signature schemes have been proposed Due to the various applications of the bilinear pairings in cryptography, there are many IDbased signature schemes have been proposed In this paper, we address that it is easy to design proxy signature and proxy blind signature from the conventional ID-based signature schemes using bilinear pairings, and give some concrete schemes based on existed ID-based signature schemes At the same time, we introduce a new type of proxy signature – proxy ring signature, and propose the first proxy ring signature scheme based on an existed ID-based ring signature scheme

CWC: A high-performance conventional authenticated encryption mode.

Abstract: We introduce CWC, a new block cipher mode of operation for protecting both the privacy and the authenticity of encapsulated data. CWC is currently the only such mode having all five of the following properties: provable security, parallelizability, high performance in hardware, high performance in software, and no intellectual property concerns. We believe that having all five of these properties makes CWC a powerful tool for use in many performance-critical cryptographic applications. CWC is also the only appropriate solution for some applications; e.g., standardization bodies like the IETF and NIST prefer patent-free modes, and CWC is the only such mode capable of processing data at 10Gbps in hardware, which will be important for future IPsec (and other) network devices. As part of our design, we also introduce a new parallelizable universal hash function optimized for performance in both hardware and software.

Security Analysis of Shim's Authenticated Key Agreement Protocols from Pairings.

Abstract: Recently, Shim proposed a tripartite authenticated key agreement protocol from Weil pairing to overcome the security flaw in Joux’s protocol Later, Shim also proposed an ID-based authenticated key agreement protocol which is an improvement of Smart’s protocol in order to provide the forward secrecy In this paper, we show that these two protocols are insecure against the key-compromise impersonation attack and the manin-the-middle attack respectively

Identity Based Undeniable Signatures.

Abstract: In this paper, we give a first example of identity based undeniable signature using pairings over elliptic curves. We extend to the identity based setting the security model for the notions of invisibility and anonymity given by Galbraith and Mao in 2003 and we prove that our scheme is existentially unforgeable under the Bilinear Diffie-Hellman assumption in the random oracle model. We also prove that it has the invisibility property under the Decisional Bilinear Diffie-Hellman assumption and we discuss about the efficiency of the scheme.

Length-Based Attacks for Certain Group Based Encryption Rewriting Systems

Abstract: In this note, we describe a probabilistic attack on public ke y cryptosystems based on the word/conjugacy problems for finitely presented groups of the type proposed r ecently by Anshel, Anshel and Goldfeld. In such a scheme, one makes use of the property that in the given group the word problem has a polynomial time solution, while the conjugacy problem has no known polynomial solution. An example is the braid group from topology in which the word problem is solvable in polynomial time while the only known solutions to the conjugacy problem are exponential. The attack in this paper is based on having a canonical representative of each string relative to which a length function may be computed. Hence the term length attack. Such canonical representatives are known to exist for the braid group.

A Polynomial Time Algorithm for the Braid Diffie-Hellman Conjugacy Problem.

Abstract: We propose the first polynomial time algorithm for the braid Diffie-Hellman conjugacy problem (DHCP) on which the braid key exchange scheme and the braid encryption scheme are based [9]. We show the proposed method solves the DHCP for the image of braids under the Lawrence-Krammer representation and the solutions play the equivalent role of the original key for the DHCP of braids. Given a braid index n and a canonical length l, the complexity is about O(n 14.4 l 3.2) or O(n 4τ + 2e l 2e ) bit operations for τ = log2 7 ≈ 2.8 and e> log2 3 ≈ 1.57.

Efficient Multi-Party Computation over Rings.

Abstract: Secure multi-party computation (MPC) is an active research area, and a wide range of literature can be found nowadays suggesting improvements and generalizations of existing protocols in various directions. However, all current techniques for secure MPC apply to functions that are represented by (boolean or arithmetic) circuits over finite fields. We are motivated by two limitations of these techniques: - GENERALITY. Existing protocols do not apply to computation over more general algebraic structures (except via a brute-force simulation of computation in these structures). - EFFICIENCY. The best known constant-round protocols do not efficiently scale even to the case of large finite fields. Our contribution goes in these two directions. First, we propose a basis for unconditionally secure MPC over an arbitrary finite ring, an algebraic object with a much less nice structure than a field, and obtain efficient MPC protocols requiring only a black-box access to the ring operations and to random ring elements. Second, we extend these results to the constant-round setting, and suggest efficiency improvements that are relevant also for the important special case of fields. We demonstrate the usefulness of the above results by presenting a novel application of MPC over (non-field) rings to the round-efficient secure computation of the maximum function.

NAEP: Provable Security in the Presence of Decryption Failures.

Abstract: We consider the impact of the possibility of decryption failures in proofs of security for padding schemes, where these failures are both message and key dependent. We explain that an average case failure analysis is not necessarily sufficient to achieve provable security with existing CCA2-secure schemes. On a positive note, we introduce NAEP, an efficient padding scheme similar to PSS-E designed especially for the NTRU one-way function. We show that with this padding scheme we can prove security in the presence of decryption failures, under certain explicitly stated assumptions. We also discuss the applicability of proofs of security to instantiated cryptosystems in general, introducing a more practical notion of cost to describe the power of an adversary.

Robust discretization, with an application to graphical passwords.

Abstract: When data or the processing on the data has some uncertainty, discretization of those data can lead to significantly different output. For example, in certain graphical password schemes, a slight uncertainty in the clicking places can produce a different password; another example is digital watermarking, where a slight change in the features can produce a different watermark. We present a discretization method which is tolerant to uncertainties (described by an error distance r, which can be adjusted to the applications). This enables us to implement very flexible graphical password schemes, and digital watermarking. (Abstract still to be completed.)

A Cryptographically Sound Security Proof of the Needham-Schroeder-Lowe Public-Key Protocol.

Abstract: We present a cryptographically sound security proof of the well-known Needham-Schroeder-Lowe public-key protocol for entity authentication. This protocol was previously only proved over unfounded abstractions from cryptography. We show that it is secure against arbitrary active attacks if it is implemented using standard provably secure cryptographic primitives. Nevertheless, our proof does not have to deal with the probabilistic aspects of cryptography and is, hence, in the scope of current automated proof tools. We achieve this by exploiting a recently proposed Dolev-Yao-style cryptographic library with a provably secure cryptographic implementation. Besides establishing the cryptographic security of the Needham-Schroeder-Lowe protocol, our result exemplifies the potential of this cryptographic library and paves the way for the cryptographically sound verification of security protocols by automated proof tools.

Weak Fields for ECC.

Abstract: We demonstrate that some finite fields, including \(\mathbb{F}_{{2}^{210}}\), are weak for elliptic curve cryptography in the sense that any instance of the elliptic curve discrete logarithm problem for any elliptic curve over these fields can be solved in significantly less time than it takes Pollard’s rho method to solve the hardest instances. We discuss the implications of our observations to elliptic curve cryptography, and list some open problems.

An identity-based ring signature scheme from bilinear pairings.

Abstract: At the conference Asiacrypt 2001, Rivest, Shamir and Tauman firstly addressed the concept of ring signature. In this paper we propose an identity-based ring signature scheme from bilinear pairings. As compared with the Zhang-Kim scheme (presented at the conference Asiacrypt 2002), our scheme is more efficient in computation and requires fewer pairing operations.