scispace - formally typeset
Book Chapter DOI

Sponge Based CCA2 Secure Asymmetric Encryption for Arbitrary Length Message

TL;DR: This paper provides a new scheme in OAEP framework based on Sponge construction and calls it Sponge based asymmetric encryption padding (SpAEP), which is CCA2 secure for any trapdoor one-way permutation in the ideal permutation model for arbitrary length messages.
Abstract: OAEP and other similar schemes proven secure in the Random-Oracle Model require one or more hash functions with output sizes larger than those of standard hash functions. In this paper, we show that by utilizing popular Sponge constructions in the OAEP framework, we can eliminate the need for such hash functions. We provide a new scheme in the OAEP framework based on the Sponge construction and call our scheme Sponge based asymmetric encryption padding (SpAEP). SpAEP is based on two functions, Sponge and SpongeWrap, and requires only the standard output sizes proposed and standardized for Sponge functions. Our scheme is CCA2 secure for any trapdoor one-way permutation in the ideal permutation model for arbitrary length messages. Our scheme utilizes the versatile Sponge function to enhance the capability and efficiency of the OAEP framework. SpAEP with any trapdoor one-way permutation can also be used as a key encapsulation mechanism and a tag-based key encapsulation mechanism for hybrid encryption. Our scheme SpAEP utilizes the permutation model efficiently in the setting of public key encryption in a novel manner.
Citations
Dissertation
01 Oct 2017
TL;DR: New effective padding schemes are proposed that mitigate the computation and memory overhead of previous works and also provide the streaming capability that most previous works lacked.
Abstract: This thesis focuses on structural remodelling and security proof of cryptographic schemes. Message pre-processing, also known as asymmetric message padding, is an essential step in asymmetric encryption, which is heavily used in secure banking applications. In this thesis, we propose new effective padding schemes and are able to mitigate the various computation and memory overheads compared to previous works. We are also able to provide streaming capability, which was missing in most of the previous works. Mathematical security proofs of the proposed schemes justify their security.

3 citations


Cites methods from "Sponge Based CCA2 Secure Asymmetric..."

  • ...The Sponge-based padding proposed in [8] is versatile and has been used in a different security model for asymmetric encryption based on an ideal permutation....


Journal Article DOI
06 Jan 2021 - PLOS ONE
TL;DR: In this paper, the authors proposed a heterogeneous deniable authenticated encryption (HDAE) scheme for location-based services, which permits a sender in a public key infrastructure environment to transmit a message to a receiver in an identity-based environment.
Abstract: Location-based services can provide users with requested location information, but users also need to disclose their current location to the location-based service provider. Therefore, how to protect users' location privacy is a major concern. In this paper, we propose a heterogeneous deniable authenticated encryption scheme called HDAE for location-based services. The proposed scheme permits a sender in a public key infrastructure environment to transmit a message to a receiver in an identity-based environment. Our design utilizes a hybrid encryption method combining the tag-key encapsulation mechanism (tag-KEM) and the data encapsulation mechanism (DEM), which is well suited to location-based services applications. We show how to design an HDAE scheme utilizing a heterogeneous deniable authenticated tag-KEM (HDATK) and a DEM. We also construct an HDATK scheme and provide a security proof in the random oracle model. Comprehensive analysis shows that our scheme is efficient and secure. In addition, we give an application of the HDAE to a location-based services system.

2 citations

Journal Article DOI
TL;DR: This work designs a generic and efficient signcryption scheme featuring parallel encryption and signature on top of a sponge-based message-padding underlying structure, and proves the construction secure when instantiated from weakly secure asymmetric primitives such as a trapdoor one-way encryption and a universal unforgeable signature.
Abstract: Signcryption aims to provide both confidentiality and authentication of messages more efficiently than performing encryption and signing independently. The "Commit-then-Sign & Encrypt" (CtS&E) method allows encryption and signing to be performed in parallel. Parallel execution of cryptographic algorithms decreases the computation time needed to signcrypt messages. CtS&E uses weaker cryptographic primitives in a generic way to achieve a strong security notion of signcryption. Various message pre-processing schemes, also known as message padding, have been used in signcryption as a commitment scheme in CtS&E. Due to its elegance and versatility, the sponge structure turns out to be a useful tool for designing new padding schemes such as SpAEP [T. K. Bansal, D. Chang and S. K. Sanadhya, Sponge based CCA2 secure asymmetric encryption for arbitrary length message, Information Security and Privacy - ACISP 2015, Lecture Notes in Comput. Sci. 9144, Springer, Berlin 2015, 93-106], while offering further avenues for optimization and parallelism in the context of signcryption. In this work, we design a generic and efficient signcryption scheme featuring parallel encryption and signature on top of a sponge-based message-padding underlying structure. Unlike other existing schemes, the proposed scheme also supports arbitrarily long messages. We prove the construction secure when instantiated from weakly secure asymmetric primitives such as a trapdoor one-way encryption and a universally unforgeable signature. With a careful analysis and simple tweaks, we demonstrate how different combinations of weakly secure probabilistic and deterministic encryption and signature schemes can be used to construct a strongly secure signcryption scheme, further broadening the choices of underlying primitives to cover essentially any combination thereof. To the best of our knowledge, this is the first signcryption scheme based on the sponge structure that also offers strong security using weakly secure underlying asymmetric primitives, even deterministic ones, along with the ability to handle long messages efficiently.

2 citations

Book Chapter DOI
15 Nov 2020
TL;DR: This paper proposes a heterogeneous deniable authenticated encryption scheme called HDAE, which permits a sender in a public key infrastructure environment to transmit a message to a receiver in an identity-based environment; it also constructs an HDATK scheme and provides a security proof in the random oracle model.
Abstract: Deniable authenticated encryption can achieve confidentiality and deniable authentication in a single logical step. Such a cryptographic primitive simplifies the design of cryptographic schemes and reduces the cost of computation and communication. In this paper, we propose a heterogeneous deniable authenticated encryption scheme called HDAE. The proposed scheme permits a sender in a public key infrastructure environment to transmit a message to a receiver in an identity-based environment. Our design utilizes the tag-key encapsulation mechanism (tag-KEM) and data encapsulation mechanism (DEM) hybrid encryption method, which is especially applicable in some privacy protection settings. In addition, we show how to design an HDAE scheme utilizing a heterogeneous deniable authenticated tag-KEM (HDATK) and a DEM. We also construct an HDATK scheme and provide a security proof in the random oracle model. Comprehensive analysis shows that our scheme is efficient and secure.

2 citations

Journal Article DOI
TL;DR: In this paper, a biometric identity-based privacy-preserving scheme is proposed for WBAN, where a user's identity can be constructed from its biometric information; the proposed access control scheme provides confidentiality, authentication, integrity, non-repudiation and anonymity in the random oracle model.

1 citation

References
Proceedings Article DOI
Mihir Bellare, Phillip Rogaway
01 Dec 1993
TL;DR: It is argued that the random oracle model, where all parties have access to a public random oracle, provides a bridge between cryptographic theory and cryptographic practice, and yields protocols much more efficient than standard ones while retaining many of the advantages of provable security.
Abstract: We argue that the random oracle model, where all parties have access to a public random oracle, provides a bridge between cryptographic theory and cryptographic practice. In the paradigm we suggest, a practical protocol P is produced by first devising and proving correct a protocol P^R for the random oracle model, and then replacing oracle accesses by the computation of an "appropriately chosen" function h. This paradigm yields protocols much more efficient than standard ones while retaining many of the advantages of provable security. We illustrate these gains for problems including encryption, signatures, and zero-knowledge proofs.

5,313 citations


"Sponge Based CCA2 Secure Asymmetric..." refers methods in this paper

  • ...Therefore, for generating lengthy hash output, RSA-Full Domain Hash [16, 17, 18] or the Mask Generation Function (MGF1) [6] in RSA-OAEP are currently implemented with a complex construction of fixed length hashes and counters....


Book Chapter DOI
11 Aug 1991
TL;DR: A formalization of chosen ciphertext attack is given in a model which is stronger than the "lunchtime attack" considered by Naor and Yung, and a non-interactive public-key cryptosystem based on a non-interactive zero-knowledge proof of knowledge is proved secure against it.
Abstract: The zero-knowledge proof of knowledge, first defined by Fiat, Feige and Shamir, was used by Galil, Haber and Yung as a means of constructing (out of a trapdoor function) an interactive public-key cryptosystem provably secure against chosen ciphertext attack. We introduce a revised setting which permits the definition of a non-interactive analogue, the non-interactive zero-knowledge proof of knowledge, and show how it may be constructed in that setting from a non-interactive zero-knowledge proof system for NP (of the type introduced by Blum, Feldman and Micali). We give a formalization of chosen ciphertext attack in our model which is stronger than the "lunchtime attack" considered by Naor and Yung, and prove a non-interactive public-key cryptosystem based on non-interactive zero-knowledge proof of knowledge to be secure against it.

1,198 citations


"Sponge Based CCA2 Secure Asymmetric..." refers background in this paper

  • ...The definition of security we have presented here is from [34]....


Proceedings Article DOI
Danny Dolev, Cynthia Dwork, Moni Naor
03 Jan 1991
TL;DR: Non-malleable schemes are presented for each of the contexts of encryption, string commitment and zero-knowledge proofs of possession of knowledge, where a user need not know anything about the number or identity of other system users.
Abstract: The notion of non-malleable cryptography, an extension of semantically secure cryptography, is defined. Informally, the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext so that the respective plaintexts are related. The same concept makes sense in the contexts of string commitment and zero-knowledge proofs of possession of knowledge. Non-malleable schemes for each of these three problems are presented. The schemes do not assume a trusted center; a user need not know anything about the number or identity of other system users.

1,180 citations

Book Chapter DOI
12 May 1996
TL;DR: An RSA-based signing scheme is described which combines essentially optimal efficiency with attractive security properties, together with a second scheme which maintains all of these features and in addition provides message recovery.
Abstract: We describe an RSA-based signing scheme which combines essentially optimal efficiency with attractive security properties. Signing takes one RSA decryption plus some hashing, verification takes one RSA encryption plus some hashing, and the size of the signature is the size of the modulus. Assuming the underlying hash functions are ideal, our schemes are not only provably secure, but are so in a tight way: an ability to forge signatures with a certain amount of computational resources implies the ability to invert RSA (on the same size modulus) with about the same computational effort. Furthermore, we provide a second scheme which maintains all of the above features and in addition provides message recovery. These ideas extend to provide schemes for Rabin signatures with analogous properties; in particular, their security can be tightly related to the hardness of factoring.

1,079 citations


"Sponge Based CCA2 Secure Asymmetric..." refers methods in this paper

  • ...Therefore, for generating lengthy hash output, RSA-Full Domain Hash [16, 17, 18] or the Mask Generation Function (MGF1) [6] in RSA-OAEP are currently implemented with a complex construction of fixed length hashes and counters....


Journal Article
TL;DR: In this article, the relative strengths of popular notions of security for public key encryption schemes are compared; the goals of privacy and non-malleability are each considered under chosen plaintext attack and two kinds of chosen ciphertext attack.
Abstract: We compare the relative strengths of popular notions of security for public key encryption schemes. We consider the goals of privacy and non-malleability, each under chosen plaintext attack and two kinds of chosen ciphertext attack. For each of the resulting pairs of definitions we prove either an implication (every scheme meeting one notion must meet the other) or a separation (there is a scheme meeting one notion but not the other, assuming the first notion can be met at all). We similarly treat plaintext awareness, a notion of security in the random oracle model. An additional contribution of this paper is a new definition of non-malleability which we believe is simpler than the previous one.

1,057 citations