
Showing papers on "Ciphertext published in 2005"


Book ChapterDOI
22 May 2005
TL;DR: In this article, the authors introduce Fuzzy Identity-Based Encryption, in which an identity is a set of descriptive attributes; a private key for identity ω decrypts a ciphertext encrypted under identity ω′ if and only if ω and ω′ overlap in at least a threshold number of attributes (the "set overlap" distance metric), which tolerates the noise in biometric identities and also yields a form of attribute-based encryption.
Abstract: We introduce a new type of Identity-Based Encryption (IBE) scheme that we call Fuzzy Identity-Based Encryption. In Fuzzy IBE we view an identity as set of descriptive attributes. A Fuzzy IBE scheme allows for a private key for an identity, ω, to decrypt a ciphertext encrypted with an identity, ω ′, if and only if the identities ω and ω ′ are close to each other as measured by the “set overlap” distance metric. A Fuzzy IBE scheme can be applied to enable encryption using biometric inputs as identities; the error-tolerance property of a Fuzzy IBE scheme is precisely what allows for the use of biometric identities, which inherently will have some noise each time they are sampled. Additionally, we show that Fuzzy-IBE can be used for a type of application that we term “attribute-based encryption”. In this paper we present two constructions of Fuzzy IBE schemes. Our constructions can be viewed as an Identity-Based Encryption of a message under several attributes that compose a (fuzzy) identity. Our IBE schemes are both error-tolerant and secure against collusion attacks. Additionally, our basic construction does not use random oracles. We prove the security of our schemes under the Selective-ID security model.

3,610 citations


Book ChapterDOI
14 Aug 2005
TL;DR: In this paper, the authors describe two new public key broadcast encryption systems for stateless receivers, which are fully secure against any number of colluders and provide a tradeoff between ciphertext size and public key size.
Abstract: We describe two new public key broadcast encryption systems for stateless receivers. Both systems are fully secure against any number of colluders. In our first construction both ciphertexts and private keys are of constant size (only two group elements), for any subset of receivers. The public key size in this system is linear in the total number of receivers. Our second system is a generalization of the first that provides a tradeoff between ciphertext size and public key size. For example, we achieve a collusion resistant broadcast system for n users where both ciphertexts and public keys are of size $O(\sqrt{n})$ for any subset of receivers. We discuss several applications of these systems.

1,214 citations


Posted Content
TL;DR: In this paper, a Hierarchical Identity Based Encryption (HIBE) scheme is presented, where the ciphertext consists of just three group elements and decryption requires only two bilinear map computations, regardless of the hierarchy depth.
Abstract: We present a Hierarchical Identity Based Encryption (HIBE) system where the ciphertext consists of just three group elements and decryption requires only two bilinear map computations, regardless of the hierarchy depth. Encryption is as efficient as in other HIBE systems. We prove that the scheme is selective-ID secure in the standard model and fully secure in the random oracle model. Our system has a number of applications: it gives very efficient forward secure public key and identity based cryptosystems (with short ciphertexts), it converts the NNL broadcast encryption system into an efficient public key broadcast system, and it provides an efficient mechanism for encrypting to the future. The system also supports limited delegation where users can be given restricted private keys that only allow delegation to bounded depth. The HIBE system can be modified to support sublinear size private keys at the cost of some ciphertext expansion.

1,076 citations


Book ChapterDOI
22 May 2005
TL;DR: In this article, a Hierarchical Identity Based Encryption (HIBE) scheme is presented, where the ciphertext consists of just three group elements and decryption requires only two bilinear map computations, regardless of the hierarchy depth.
Abstract: We present a Hierarchical Identity Based Encryption (HIBE) system where the ciphertext consists of just three group elements and decryption requires only two bilinear map computations, regardless of the hierarchy depth. Encryption is as efficient as in other HIBE systems. We prove that the scheme is selective-ID secure in the standard model and fully secure in the random oracle model. Our system has a number of applications: it gives very efficient forward secure public key and identity based cryptosystems (with short ciphertexts), it converts the NNL broadcast encryption system into an efficient public key broadcast system, and it provides an efficient mechanism for encrypting to the future. The system also supports limited delegation where users can be given restricted private keys that only allow delegation to bounded depth. The HIBE system can be modified to support sublinear size private keys at the cost of some ciphertext expansion.

985 citations


Book ChapterDOI
TL;DR: This paper explores the realization of a previously proposed cryptographic construct, called fuzzy vault, with the fingerprint minutiae data, which aims to secure critical data with the fingerprints in a way that only the authorized user can access the secret by providing the valid fingerprint.
Abstract: Biometrics-based user authentication has several advantages over traditional password-based systems for standalone authentication applications, such as secure cellular phone access. This is also true for new authentication architectures known as crypto-biometric systems, where cryptography and biometrics are merged to achieve high security and user convenience at the same time. In this paper, we explore the realization of a previously proposed cryptographic construct, called fuzzy vault, with the fingerprint minutiae data. This construct aims to secure critical data (e.g., secret encryption key) with the fingerprint data in a way that only the authorized user can access the secret by providing the valid fingerprint. The results show that 128-bit AES keys can be secured with fingerprint minutiae data using the proposed system.

397 citations


Journal Article
TL;DR: A Hierarchical Identity Based Encryption system where the ciphertext consists of just three group elements and decryption requires only two bilinear map computations, regardless of the hierarchy depth; encryption is as efficient as in other HIBE systems, and the scheme is proved selective-ID secure in the standard model and fully secure in the random oracle model.
Abstract: We present a Hierarchical Identity Based Encryption (HIBE) system where the ciphertext consists of just three group elements and decryption requires only two bilinear map computations, regardless of the hierarchy depth. Encryption is as efficient as in other HIBE systems. We prove that the scheme is selective-ID secure in the standard model and fully secure in the random oracle model. Our system has a number of applications: it gives very efficient forward secure public key and identity based cryptosystems (with short ciphertexts), it converts the NNL broadcast encryption system into an efficient public key broadcast system, and it provides an efficient mechanism for encrypting to the future. The system also supports limited delegation where users can be given restricted private keys that only allow delegation to bounded depth. The HIBE system can be modified to support sublinear size private keys at the cost of some ciphertext expansion.

332 citations


Proceedings ArticleDOI
07 Nov 2005
TL;DR: In this paper, the authors describe a new encryption technique that is secure against chosen ciphertext attacks in the standard model, built directly on the Boneh-Boyen and Waters identity-based encryption (IBE) schemes without random oracles and without any cryptographic primitive beyond the IBE scheme itself.
Abstract: We describe a new encryption technique that is secure in the standard model against chosen ciphertext attacks. We base our method on two very efficient Identity-Based Encryption (IBE) schemes without random oracles due to Boneh and Boyen, and Waters. Unlike previous CCA2-secure cryptosystems that use IBE as a black box, our approach is very simple and compact. It makes direct use of the underlying IBE structure, and requires no cryptographic primitive other than the IBE scheme itself. This conveys several advantages. We achieve shorter ciphertext size than the best known instantiations of the other methods, and our technique is as efficient as the Boneh and Katz method (and more so than that of Canetti, Halevi, and Katz). Further, our method operates nicely on hierarchical IBE, and since it allows the validity of ciphertexts to be checked publicly, it can be used to construct systems with non-interactive threshold decryption. In this paper we describe two main constructions: a full encryption system based on the Waters adaptive-ID secure IBE, and a KEM based on the Boneh-Boyen selective-ID secure IBE. Both systems are shown CCA2-secure in the standard model, the latter with a tight reduction. We discuss several uses and extensions of our approach, and draw comparisons with other schemes that are provably secure in the standard model.

306 citations


Journal ArticleDOI
TL;DR: Simulation results show that the proposed cryptosystem requires less time to encrypt the plaintext than existing chaotic cryptosystems and produces ciphertext with a flat distribution and the same size as the plaintext.

223 citations


Proceedings Article
01 Jan 2005
TL;DR: In 1998, Blaze, Bleumer and Strauss (BBS) proposed an application called atomic proxy re-encryption, in which a semi-trusted proxy converts a ciphertext for Alice into a ciphertext for Bob without seeing the underlying plaintext; this paper presents re-encryption schemes with a stronger notion of security and applies them to access control in an encrypted file system.
Abstract: In 1998, Blaze, Bleumer, and Strauss (BBS) proposed an application called atomic proxy re-encryption, in which a semitrusted proxy converts a ciphertext for Alice into a ciphertext for Bob without seeing the underlying plaintext. We predict that fast and secure re-encryption will become increasingly popular as a method for managing encrypted file systems. Although efficiently computable, the wide-spread adoption of BBS re-encryption has been hindered by considerable security risks. Following recent work of Dodis and Ivan, we present new re-encryption schemes that realize a stronger notion of security and demonstrate the usefulness of proxy re-encryption as a method of adding access control to a secure file system. Performance measurements of our experimental file system demonstrate that proxy re-encryption can work effectively in practice.

210 citations


Proceedings ArticleDOI
07 Nov 2005
TL;DR: A new cryptographic primitive is introduced, called insubvertible encryption, that produces ciphertexts which can be randomized without the need of any key material, which enables post-sale applications of manufacturer-issued RFID tags while preserving the privacy of consumers.
Abstract: We introduce a new cryptographic primitive, called insubvertible encryption, that produces ciphertexts which can be randomized without the need of any key material. Unlike plain universal re-encryption schemes, insubvertible encryption prevents against adversarial exploitation of hidden channels, by including certificates proving that the ciphertext can only be decrypted by authorized parties. The scheme can be applied to RFID tags, providing strong protection against tracing. This enables post-sale applications of manufacturer-issued RFID tags while preserving the privacy of consumers. The functionality required of the RFID tags is minimal, namely that they be re-writable (many-writable). No cryptographic capabilities are required of the tags themselves, as the readers perform all necessary computations.

200 citations


Book ChapterDOI
23 Jan 2005
TL;DR: This paper constructs an efficient “multi-receiver identity-based encryption scheme” that only needs one (or none if precomputed and provided as a public parameter) pairing computation to encrypt a single message for n receivers, in contrast to the simple construction that re-encrypts a message n times using Boneh and Franklin's identity- based encryption scheme.
Abstract: In this paper, we construct an efficient “multi-receiver identity-based encryption scheme”. Our scheme only needs one (or none if precomputed and provided as a public parameter) pairing computation to encrypt a single message for n receivers, in contrast to the simple construction that re-encrypts a message n times using Boneh and Franklin's identity-based encryption scheme, considered previously in the literature. We extend our scheme to give adaptive chosen ciphertext security. We support both schemes with security proofs under precisely defined formal security model. Finally, we discuss how our scheme can lead to a highly efficient public key broadcast encryption scheme based on the “subset-cover” framework.

Journal ArticleDOI
TL;DR: A novel technique is developed that enables visual cryptography of color as well as gray-scale images with a unique flexibility that enables a single encryption of a color image but enables three types of decryptions on the same ciphertext.
Abstract: Visual cryptography is a powerful technique that combines the notions of perfect ciphers and secret sharing in cryptography with that of raster graphics. A binary image can be divided into shares that can be stacked together to approximately recover the original image. Unfortunately, it has not been used much primarily because the decryption process entails a severe degradation in image quality in terms of loss of resolution and contrast. Its usage is also hampered by the lack of proper techniques for handling gray-scale and color images. We develop a novel technique that enables visual cryptography of color as well as gray-scale images. With the use of halftoning and a novel microblock encoding scheme, the technique has a unique flexibility that enables a single encryption of a color image but enables three types of decryptions on the same ciphertext. The three different types of decryptions enable the recovery of the image of varying qualities. The physical transparency stacking type of decryption enables the recovery of the traditional visual cryptography quality image. An enhanced stacking technique enables the decryption into a halftone quality image. Finally, a computation-based decryption scheme makes the perfect recovery of the original image possible. Based on this basic scheme, we establish a progressive mechanism to share color images at multiple resolutions. We extract shares from each resolution layer to construct a hierarchical structure; the images of different resolutions can then be restored by stacking the different shared images together. Thus, our technique enables flexible decryption. We implement our technique and present results.
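To make the three decryption routes in the abstract concrete, here is a (2,2) visual secret-sharing toy on a binary image. It is an added example, not the paper's halftone/microblock construction: each pixel expands into two subpixels (an assumed expansion factor of 2), physical stacking is an OR of the two transparencies, and the computation-based route XORs the shares. The sample image and the pattern table are constructed for illustration.

```python
"""(2,2) visual secret sharing on a binary image, with the decryption
routes the abstract above distinguishes. Added example; not the paper's
halftone/microblock scheme. 1 = black, 0 = white."""
import random

# Two complementary 1x2 subpixel patterns (assumed pixel expansion of 2).
PATTERNS = [(1, 0), (0, 1)]


def make_shares(image, rng=random):
    """Split `image` (rows of 0/1) into two shares, each row twice as wide.
    White pixel: both shares get the SAME random pattern.
    Black pixel: share 2 gets the COMPLEMENT of share 1's pattern.
    Each share on its own is a uniformly random pattern per pixel, so one
    share alone carries no information about the image."""
    share1, share2 = [], []
    for row in image:
        r1, r2 = [], []
        for px in row:
            pat = rng.choice(PATTERNS)
            r1.extend(pat)
            r2.extend(pat if px == 0 else tuple(1 - b for b in pat))
        share1.append(r1)
        share2.append(r2)
    return share1, share2


def stack(share1, share2):
    """Physical transparency stacking: a subpixel is black if it is black
    on either transparency (OR). No key and no computation needed."""
    return [[a | b for a, b in zip(r1, r2)] for r1, r2 in zip(share1, share2)]


def darkness(stacked):
    """Per-pixel fraction of black subpixels as the eye perceives it:
    black pixels come out 1.0, white pixels only 0.5. This is the contrast
    loss the abstract refers to; resolution is halved by the expansion."""
    return [[(r[i] + r[i + 1]) / 2 for i in range(0, len(r), 2)] for r in stacked]


def computational_decrypt(share1, share2):
    """Computation-based decryption: XOR the shares. Equal patterns (white)
    cancel to 00, complementary patterns (black) give 11, so the original
    image is recovered exactly, with no loss of contrast."""
    out = []
    for r1, r2 in zip(share1, share2):
        x = [a ^ b for a, b in zip(r1, r2)]
        out.append([x[i] for i in range(0, len(x), 2)])
    return out


if __name__ == "__main__":
    # Constructed 3x5 'T' glyph, not from the paper.
    img = [[1, 1, 1, 1, 1],
           [0, 0, 1, 0, 0],
           [0, 0, 1, 0, 0]]
    s1, s2 = make_shares(img, random.Random(1))
    print("stacked darkness:", darkness(stack(s1, s2)))
    print("exact recovery:  ", computational_decrypt(s1, s2) == img)
```

The XOR route needs a device that holds both shares as data, which is exactly the trade-off the abstract draws: stacking is keyless and offline but lossy, computation is exact but no longer "visual".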

Patent
20 Oct 2005
TL;DR: In this paper, an intercept system can provide any combination of operations that include near-real-time intercept, capture of intercepted data in structured authenticated form, clear text intercept for communications where there is access to encryption keys, cipher text intercept for communications where there is no access to encryption keys, provision of transactional logs to the authorized agency, interception without altering the operation of the target services, and encryption of stored intercepted information.
Abstract: An intercept system provides more effective and more efficient compliance with legal intercept warrants. The intercept system can provide any combination of operations that include near-real-time intercept, capture of intercepted data in structured authenticated form, clear text intercept for communications where there is access to encryption keys, cipher text intercept for communications where there is no access to encryption keys, provision of transactional logs to the authorized agency, interception without altering the operation of the target services, and encryption of stored intercepted information.

Book ChapterDOI
TL;DR: In this article, an efficient IBE scheme that employs a simple version of the Sakai-Kasahara scheme and the Fujisaki-Okamoto transformation is presented, referred to as SK-IBE.
Abstract: Identity-based encryption (IBE) is a special asymmetric encryption method where a public encryption key can be an arbitrary identifier and the corresponding private decryption key is created by binding the identifier with a system's master secret. In 2003 Sakai and Kasahara proposed a new IBE scheme, which has the potential to improve performance. However, to our best knowledge, the security of their scheme has not been properly investigated. This work is intended to build confidence in the security of the Sakai-Kasahara IBE scheme. In this paper, we first present an efficient IBE scheme that employs a simple version of the Sakai-Kasahara scheme and the Fujisaki-Okamoto transformation, which we refer to as SK-IBE. We then prove that SK-IBE has chosen ciphertext security in the random oracle model based on a reasonably well-explored hardness assumption.

Book ChapterDOI
22 May 2005
TL;DR: In this paper, the authors propose a traitor tracing scheme based on bilinear maps whose ciphertext/plaintext rate is asymptotically 1, add "public traceability" so that tracing can be delegated to an untrusted party, and present an attack on a previous bilinear-map traitor tracing proposal.
Abstract: Traitor tracing schemes are of major importance for secure distribution of digital content. They indeed aim at protecting content providers from colluding users to build pirate decoders. If such a collusion happens, at least one member of the latter collusion will be detected. Several solutions have already been proposed in the literature, but the most important problem to solve remains having a very good ciphertext/plaintext rate. At Eurocrypt '02, Kiayias and Yung proposed the first scheme with such a constant rate, but still not optimal. In this paper, granted bilinear maps, we manage to improve it, and get an “almost” optimal scheme, since this rate is asymptotically 1. Furthermore, we introduce a new feature, the “public traceability”, which means that the center can delegate the tracing capability to any “untrusted” person. This is not the first use of bilinear maps for traitor tracing applications, but among the previous proposals, only one has remained unbroken: we present an attack by producing an anonymous pirate decoder. We furthermore explain the flaw in their security analysis. For our scheme, we provide a complete proof, based on new computational assumptions, related to the bilinear Diffie-Hellman ones, in the standard model.

Journal ArticleDOI
TL;DR: In this article, a pseudo-one-time pad encryption scheme was proposed to produce the instructions and data ciphertext in parallel with memory accesses, minimizing the trade-off between storage size and performance penalty.
Abstract: Due to the widespread software piracy and virus attacks, significant efforts have been made to improve security for computer systems. For stand-alone computers, a key observation is that, other than the processor, any component is vulnerable to security attacks. Recently, an execution only memory (XOM) architecture has been proposed to support copy and tamper resistant software. In this design, the program and data are stored in an encrypted format outside the CPU boundary. The decryption is carried out after they are fetched from memory and before they are used by the CPU. As a result, the lengthened critical path causes a serious performance degradation. We present an innovative technique in which the cryptography computation is shifted off from the memory access critical path. We propose using a different encryption scheme, namely, "pseudo-one-time pad" encryption, to produce the instructions and data ciphertext. With some additional on-chip storage, cryptography computations are carried out in parallel with memory accesses, minimizing the performance penalty. We performed experiments to study the trade-off between storage size and performance penalty. Our technique reduces the performance overhead from 20.79 percent to 1.28 percent on average for reasonably sized (64 KB) on-chip storage.
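The idea that moves the cipher off the critical path is that the pad for a memory line depends only on metadata (address and a per-line sequence number), so it can be generated while the line is still in flight and only an XOR remains once the data arrives. The following is an added example, not the paper's hardware design: SHA-256 stands in for the block cipher, the 16-byte line size and the in-memory sequence table are assumptions, and the last function shows the failure mode a one-time pad has if the sequence number is not advanced on rewrite.

```python
"""Pseudo-one-time-pad memory encryption in the style the abstract above
describes. Added example; SHA-256 stands in for a block cipher, and the
line size and the sequence-number table are assumptions."""
import hashlib

LINE = 16  # bytes per memory line (assumed)


def pad_for(key, addr, seq):
    """Keystream for one line: PRF(key, addr || seq). It needs only metadata,
    so hardware can start computing it in parallel with the memory access."""
    msg = addr.to_bytes(8, "big") + seq.to_bytes(8, "big")
    return hashlib.sha256(key + msg).digest()[:LINE]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class EncryptedMemory:
    """Ciphertext lives 'off-chip' in self.store; the per-line sequence
    numbers are trusted state that must stay on-chip (or be authenticated),
    since an attacker who can roll a counter back can force pad reuse."""

    def __init__(self, key):
        self.key = key
        self.store = {}   # addr -> ciphertext line
        self.seq = {}     # addr -> sequence number of the current contents

    def write(self, addr, data):
        assert len(data) == LINE
        seq = self.seq.get(addr, 0) + 1          # fresh pad for every rewrite
        self.seq[addr] = seq
        self.store[addr] = xor_bytes(data, pad_for(self.key, addr, seq))

    def read(self, addr):
        pad = pad_for(self.key, addr, self.seq[addr])   # ready before the line arrives
        return xor_bytes(self.store[addr], pad)          # the only work left on the path


def pad_reuse_leak(key, addr, data1, data2):
    """Why the sequence number matters: with the same (addr, seq) the pads
    coincide, and a bus observer learns data1 XOR data2 from the two
    ciphertexts without knowing the key (classic two-time pad)."""
    c1 = xor_bytes(data1, pad_for(key, addr, 1))
    c2 = xor_bytes(data2, pad_for(key, addr, 1))   # same pad reused
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    key = bytes(16)                                 # constructed key
    mem = EncryptedMemory(key)
    mem.write(0x1000, bytes(range(16)))
    print(mem.read(0x1000).hex())
    print(pad_reuse_leak(key, 0x2000, bytes(range(16)), bytes([0xFF] * 16)).hex())
```

The "additional on-chip storage" in the abstract is what buys the parallelism: pads (or the counters needed to derive them) have to be available before the data is, and the 64 KB figure is the budget the authors measured against.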

Posted Content
TL;DR: A chosen-ciphertext secure, searchable public key encryption scheme which allows for dynamic re-encryption of ciphertexts, and provides for node-targeted searches based on keywords or other identifiers.
Abstract: We consider the problem of using untrusted components to build correlation-resistant survivable storage systems that protect file replica locations, while allowing nodes to continuously re-distribute files throughout the network. The principal contribution is a chosen-ciphertext secure, searchable public key encryption scheme which allows for dynamic re-encryption of ciphertexts, and provides for node-targeted searches based on keywords or other identifiers. The scheme is provably secure under the SXDH assumption which holds in certain subgroups of elliptic curves, and a closely related assumption that we introduce.

Posted Content
TL;DR: A novel framework for the generic construction of hybrid encryption schemes which produces more efficient schemes than the ones known before and allows immediate conversion from a class of threshold public-key encryption to a threshold hybrid one without considerable overhead, which may not be possible in the previous approach.
Abstract: This paper presents a novel framework for the generic construction of hybrid encryption schemes which produces more efficient schemes than the ones known before. A previous framework introduced by Shoup combines a key encapsulation mechanism (KEM) and a data encryption mechanism (DEM). While it is sufficient to require both components to be secure against chosen ciphertext attacks (CCA-secure), Kurosawa and Desmedt showed a particular example of KEM that is not CCA-secure but can be securely combined with a specific type of CCA-secure DEM to obtain a more efficient, CCA-secure hybrid encryption scheme. There are also many other efficient hybrid encryption schemes in the literature that do not fit Shoup’s framework. These facts serve as motivation to seek another framework. The framework we propose yields more efficient hybrid schemes, and in addition provides insightful explanation about existing schemes that do not fit into the previous framework. Moreover, it allows immediate conversion from a class of threshold public-key encryption to a hybrid one without considerable overhead, which may not be possible in the previous approach.

Posted Content
TL;DR: In 1998, Blaze, Bleumer and Strauss (BBS) proposed an application called atomic proxy re-encryption, in which a semi-trusted proxy converts a ciphertext for Alice into a ciphertext for Bob without seeing the underlying plaintext.
Abstract: In 1998, Blaze, Bleumer, and Strauss (BBS) proposed an application called atomic proxy re-encryption, in which a semi-trusted proxy converts a ciphertext for Alice into a ciphertext for Bob without seeing the underlying plaintext. We predict that fast and secure re-encryption will become increasingly popular as a method for managing encrypted file systems. Although efficiently computable, the wide-spread adoption of BBS re-encryption has been hindered by considerable security risks. Following recent work of Dodis and Ivan, we present new re-encryption schemes that realize a stronger notion of security, and we demonstrate the usefulness of proxy re-encryption as a method of adding access control to a secure file system. Performance measurements of our experimental file system demonstrate that proxy re-encryption can work effectively in practice.
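The BBS scheme that both listings of this paper refer to is ElGamal with a re-encryption key b/a, and the "considerable security risks" are structural: the proxy can run the delegation backwards, and proxy plus delegatee together recover the delegator's whole secret key. The following is an added example, not code from either paper: a toy safe-prime group (p = 2039, q = 1019, g = 4) is assumed so the arithmetic is easy to follow, and the message is taken as an integer in [1, p) rather than encoded into the order-q subgroup.

```python
"""BBS (1998) atomic proxy re-encryption on ElGamal, and the two key-exposure
properties that motivated the stronger schemes in the paper above.
Added example; the tiny group is for illustration only."""
import random

# Toy safe-prime group: p = 2q + 1, g = 4 generates the order-q subgroup.
P, Q, G = 2039, 1019, 4


def keygen(rng=random):
    sk = rng.randrange(1, Q)
    return sk, pow(G, sk, P)                 # (a, g^a)


def encrypt(pk, m, rng=random):
    """BBS variant of ElGamal: (m * g^k, pk^k) = (m * g^k, g^{ak}).
    For semantic security m should be encoded into the order-q subgroup;
    this toy skips the encoding and only needs 1 <= m < p."""
    k = rng.randrange(1, Q)
    return (m * pow(G, k, P) % P, pow(pk, k, P))


def decrypt(sk, ct):
    c1, c2 = ct
    g_k = pow(c2, pow(sk, -1, Q), P)         # (g^{ak})^{1/a} = g^k
    return c1 * pow(g_k, -1, P) % P


def rekey(sk_from, sk_to):
    """Re-encryption key b/a mod q. Note it is derived from BOTH secret keys."""
    return sk_to * pow(sk_from, -1, Q) % Q


def reencrypt(rk, ct):
    """Proxy step: (m g^k, g^{ak}) -> (m g^k, g^{bk}). The proxy never sees m."""
    c1, c2 = ct
    return (c1, pow(c2, rk, P))


def reverse_rekey(rk):
    """Bidirectionality: a/b is just the inverse of b/a, so a proxy trusted to
    delegate Alice -> Bob can silently delegate Bob -> Alice as well."""
    return pow(rk, -1, Q)


def collude(rk, sk_to):
    """Proxy and delegatee together recover the delegator's entire secret key:
    b * (b/a)^{-1} = a. Every past and future ciphertext for Alice is then open."""
    return sk_to * pow(rk, -1, Q) % Q


if __name__ == "__main__":
    rng = random.Random(7)
    a, pk_a = keygen(rng)
    b, pk_b = keygen(rng)
    ct = encrypt(pk_a, 1234, rng)
    print("Bob decrypts re-encrypted ct:", decrypt(b, reencrypt(rekey(a, b), ct)))
    print("proxy + Bob recover Alice's key:", collude(rekey(a, b), b) == a)
```

The two last functions are what "stronger notion of security" targets: a unidirectional scheme whose re-encryption key can be built from the delegator's secret and the delegatee's public key alone, so that neither reversal nor collusion yields the delegator's key.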

Book ChapterDOI
04 Dec 2005
TL;DR: This paper proposes novel constructions of IBE where a decryption key can be renewed without having to make changes to its public key, i.e. user’s identity by extending the hierarchical IBE (HIBE).
Abstract: In this paper, we discuss non-interactive updating of decryption keys in identity-based encryption (IBE). In practice, key revocation is a necessary and inevitable process and IBE is no exception when it comes to having to manage revocation of decryption keys without losing its merits in efficiency. Our main contribution of this paper is to propose novel constructions of IBE where a decryption key can be renewed without having to make changes to its public key, i.e. user’s identity. We achieve this by extending the hierarchical IBE (HIBE). Regarding security, we address semantic security against adaptive chosen ciphertext attacks for a very strong attack environment that models all possible types of key exposures in the random oracle model. In addition to this, we show a method of constructing a partially collusion resistant HIBE from arbitrary IBE in the random oracle model. By combining both results, we can construct an IBE with non-interactive key update from only an arbitrary IBE.

Proceedings ArticleDOI
25 Mar 2005
TL;DR: This paper introduces the identity based ring signcryption scheme (IDRSC), argues that it is an important cryptographic primitive for protecting the privacy and authenticity of a collection of users connected through an ad-hoc network such as Bluetooth, and presents an efficient IDRSC scheme based on bilinear pairing.
Abstract: In this paper, we present a new concept called an identity based ring signcryption scheme (IDRSC). We argue that this is an important cryptographic primitive that must be used to protect privacy and authenticity of a collection of users who are connected through an ad-hoc network, such as Bluetooth. We also present an efficient IDRSC scheme based on bilinear pairing. As a regular signcryption scheme, our scheme combines the functionality of signature and encryption schemes. However, the idea is to have an identity based system. In our scheme, a user can anonymously signcrypt a message on behalf of the group. We show that our scheme outperforms a traditional identity based scheme, that is obtained by a standard sign-then-encrypt mechanism, in terms of the length of the ciphertext. We also provide a formal proof of our scheme with chosen-ciphertext security under the decisional bilinear Diffie-Hellman assumption, which is believed to be intractable.

Proceedings ArticleDOI
04 Apr 2005
TL;DR: A particular order preserving encryption scheme achieves the above mentioned energy benefits and flexibility when used to support comparison operations over encrypted texts for wireless sensor networks, while also managing to hide the plaintext distribution and being secure against ciphertext only attacks.
Abstract: End-to-end encryption schemes that support operations over ciphertext are of utmost importance for commercial private party wireless sensor network implementations to become meaningful and profitable. For wireless sensor networks, we demonstrated in our previous work that privacy homomorphisms, when used for this purpose, offer two striking advantages apart from end-to-end concealment of data and ability to operate on ciphertexts: flexibility by keyless aggregation and conservation and balancing of aggregator backbone energy. We offered proof of concept by applying a certain privacy homomorphism for sensor network applications that rely on the addition operation. But a large class of aggregator functions like median computation or finding maximum/minimum rely exclusively on comparison operations. Unfortunately, as shown by Rivest, et al., any privacy homomorphism is insecure even against ciphertext-only attacks if it supports comparison operations. In this paper we show that a particular order preserving encryption scheme achieves the above mentioned energy benefits and flexibility when used to support comparison operations over encrypted texts for wireless sensor networks, while also managing to hide the plaintext distribution and being secure against ciphertext only attacks. The scheme is shown to have reasonable memory and computation overhead when applied for wireless sensor networks.

Book ChapterDOI
02 May 2005
TL;DR: A new approach to provide reliable data transmission in MANET with strong adversaries is proposed, combining Elliptic Curve Cryptography and Threshold Cryptosystem to securely deliver messages in n shares.
Abstract: This paper proposes a new approach to provide reliable data transmission in MANET with strong adversaries. We combine Elliptic Curve Cryptography and Threshold Cryptosystem to securely deliver messages in n shares. As long as the destination receives at least k shares, it can recover the original message. We explore seven ECC mechanisms, El-Gamal, Massey-Omura, Diffie-Hellman, Menezes-Vanstone, Koyama-Maurer-Okamoto-Vanstone, Ertaul, and Demytko. For secure data forwarding, we consider both splitting plaintext before encryption, and splitting ciphertext after encryption. Also we suggest to exchange keys between a pair of mobile nodes using Elliptic Curve Cryptography Diffie-Hellman. We did performance comparison of ECC and RSA to show ECC is more efficient than RSA.
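The "n shares, any k recover" delivery in this entry, the fuzzy vault of the fingerprint paper earlier on this page, and the set-overlap threshold of Fuzzy IBE all rest on the same primitive: polynomial interpolation over a prime field, where k points pin down a degree-(k-1) polynomial and k-1 points say nothing about it. The block below is an added example, not code from any of these papers. It implements Shamir k-of-n sharing and a toy Juels-Sudan style fuzzy vault over an assumed 61-bit Mersenne prime field; the vault verifies candidates against a SHA-256 commitment instead of the CRC/Reed-Solomon decoding used in real implementations, and the "minutiae" are plain integers standing in for quantised fingerprint features. (Fuzzy IBE differs in that each key holds shares of a per-user random polynomial in the exponent, which is what stops colluding users pooling attributes; only the threshold reconstruction is illustrated here.)

```python
"""Threshold reconstruction over a prime field: Shamir k-of-n sharing and a
toy fuzzy vault. Added example; not code from the papers on this page."""
import hashlib
import random
from itertools import combinations

P = 2**61 - 1  # assumed field modulus (a Mersenne prime)


def _eval_poly(coeffs, x):
    return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P


def _interpolate_at_zero(points):
    """Lagrange interpolation of f(0) from len(points) distinct (x, f(x)) pairs."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def shamir_split(secret, k, n, rng=random):
    """n shares of `secret`; any k of them recover it, k-1 reveal nothing.
    This is the 'deliver the message in n shares' step of the MANET scheme."""
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def shamir_recover(shares):
    return _interpolate_at_zero(shares)


def vault_lock(secret, template, k, n_chaff, rng=random):
    """Lock `secret` under the feature set `template`: genuine points lie on a
    random degree-(k-1) polynomial with f(0) = secret, chaff points do not,
    and the two are shuffled together so the vault alone does not tell them apart."""
    secret %= P
    coeffs = [secret] + [rng.randrange(P) for _ in range(k - 1)]
    points = [(x, _eval_poly(coeffs, x)) for x in template]
    used = set(template)
    while len(points) < len(template) + n_chaff:
        x, y = rng.randrange(1, P), rng.randrange(P)
        if x in used or y == _eval_poly(coeffs, x):
            continue
        used.add(x)
        points.append((x, y))
    rng.shuffle(points)
    digest = hashlib.sha256(secret.to_bytes(8, "big")).hexdigest()
    return points, digest


def vault_unlock(vault, query, k):
    """Unlock with a noisy `query` set: keep vault points whose x is in the
    query, then try k-subsets until one interpolates to the committed secret.
    Fewer than k genuine matches -> None; that is the floor of the error
    tolerance. Spurious query features only add chaff to the candidate pool."""
    points, digest = vault
    wanted = set(query)
    matched = [pt for pt in points if pt[0] in wanted]
    for subset in combinations(matched, k):
        cand = _interpolate_at_zero(subset)
        if hashlib.sha256(cand.to_bytes(8, "big")).hexdigest() == digest:
            return cand
    return None


if __name__ == "__main__":
    rng = random.Random(1)
    print(shamir_recover(shamir_split(42, 3, 5, rng)[1:4]))          # 42
    template = list(range(101, 121))                                  # 20 constructed features
    vault = vault_lock(123456789, template, 9, 150, rng)
    print(vault_unlock(vault, template[:12] + [500, 501, 502], 9))   # 123456789
    print(vault_unlock(vault, template[:8], 9))                      # None
```

An attacker without a matching query has to search k-subsets of all n genuine-plus-chaff points, so the chaff count and k set the work factor; a hash commitment as used here also lets low-entropy secrets be brute-forced directly, which is why real fuzzy vaults protect a high-entropy key (the fingerprint paper reports 128-bit AES keys) rather than a password.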

Journal ArticleDOI
TL;DR: Theoretical analysis indicates that the modified scheme can resist the reported attacks and simulation results show that this encryption scheme leads to a flat ciphertext distribution.
Abstract: We have proposed a chaotic cryptographic scheme based on iterating the logistic map and updating the look-up table dynamically. However, it has been broken recently. In this paper, the weaknesses of the original dynamic look-up table scheme are analyzed and a more secure chaotic encryption scheme based on this dynamic look-up table concept is proposed. Theoretical analysis indicates that the modified scheme can resist the reported attacks. Moreover, simulation results show that this encryption scheme leads to a flat ciphertext distribution.

Book ChapterDOI
14 Feb 2005
TL;DR: It is shown that cascading encryption schemes provides tolerance under chosen plaintext attack, non-adaptive chosen ciphertext attack (CCA1) and a weak form of adaptive chosen ciphertext attack (weak CCA2), but not under the ‘standard’ CCA2 attack.
Abstract: Cryptographic schemes are often constructed using multiple component cryptographic modules. A construction is tolerant for a (security) specification if it meets the specification, provided a majority (or other threshold) of the components meet their specifications. We define tolerant constructions, and investigate ‘folklore’, practical cascade and parallel constructions. In particular, we show that cascading encryption schemes provides tolerance under chosen plaintext attack, non-adaptive chosen ciphertext attack (CCA1) and a weak form of adaptive chosen ciphertext attack (weak CCA2), but not under the ‘standard’ CCA2 attack. Similarly, certain parallel constructions ensure tolerance for unforgeability of Signature/MAC schemes, OWF, ERF, AONT and certain collision-resistant hash functions. We present (new) tolerant constructions for (several variants of) commitment schemes, by composing simple constructions, and general method of composing tolerant constructions. Our constructions are simple, efficient and practical. To ensure practicality, we use concrete security analysis (in addition to the simpler asymptotic analysis).

Posted Content
TL;DR: In this paper, the authors describe two new public key broadcast encryption systems for stateless receivers, which are fully secure against any number of colluders, and discuss several applications of these systems.
Abstract: We describe two new public key broadcast encryption systems for stateless receivers. Both systems are fully secure against any number of colluders. In our first construction both ciphertexts and private keys are of constant size (only two group elements), for any subset of receivers. The public key size in this system is linear in the total number of receivers. Our second system is a generalization of the first that provides a tradeoff between ciphertext size and public key size. For example, we achieve a collusion resistant broadcast system for n users where both ciphertexts and public keys are of size $O(\sqrt{n})$ for any subset of receivers. We discuss several applications of these systems.

Book ChapterDOI
11 Aug 2005
TL;DR: In this paper, the power of conditional estimators is harnessed for correlation attacks on GSM's A5/1 stream cipher, resulting in a correlation with a considerably higher bias.
Abstract: Irregularly-clocked linear feedback shift registers (LFSRs) are commonly used in stream ciphers. We propose to harness the power of conditional estimators for correlation attacks on these ciphers. Conditional estimators compensate for some of the obfuscating effects of the irregular clocking, resulting in a correlation with a considerably higher bias. On GSM's cipher A5/1, a factor two is gained in the correlation bias compared to previous correlation attacks. We mount an attack on A5/1 using conditional estimators and using three weaknesses that we observe in one of A5/1's LFSRs (known as R2). The weaknesses imply a new criterion that should be taken into account by cipher designers. Given 1500–2000 known-frames (about 4.9–9.2 conversation seconds of known keystream), our attack completes within a few tens of seconds to a few minutes on a PC, with a success rate of about 91%. To complete our attack, we present a source of known-keystream in GSM that can provide the keystream for our attack given 3–4 minutes of GSM ciphertext, transforming our attack to a ciphertext-only attack.
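The generator the attack targets, as an added example that is not code from the paper: a compact A5/1 with its majority-rule clocking instrumented, so the irregular clocking the abstract refers to can be observed directly. Register lengths, feedback taps, clock-control taps and the 64+22+100 setup schedule are the published A5/1 parameters; the bit-order conventions (key and frame bits LSB-first, keystream packed MSB-first) follow the commonly circulated reference implementation and are an assumption of this example, as are the sample key and frame number.

```python
# A5/1 keystream generator with majority clocking instrumented.
# Register layout: bit 0 is the input end (the feedback bit enters there on
# each shift) and the output bit is the register's most significant bit.
R1_MASK, R2_MASK, R3_MASK = (1 << 19) - 1, (1 << 22) - 1, (1 << 23) - 1
R1_TAPS = (1 << 13) | (1 << 16) | (1 << 17) | (1 << 18)
R2_TAPS = (1 << 20) | (1 << 21)
R3_TAPS = (1 << 7) | (1 << 20) | (1 << 21) | (1 << 22)
R1_CLK, R2_CLK, R3_CLK = 1 << 8, 1 << 10, 1 << 10    # clock-control taps
R1_OUT, R2_OUT, R3_OUT = 1 << 18, 1 << 21, 1 << 22  # output taps
REGS = ((R1_MASK, R1_TAPS, R1_CLK), (R2_MASK, R2_TAPS, R2_CLK), (R3_MASK, R3_TAPS, R3_CLK))

def _parity(x: int) -> int:
    return bin(x).count("1") & 1

def _shift(reg: int, mask: int, taps: int) -> int:
    return ((reg << 1) & mask) | _parity(reg & taps)

class A51:
    def __init__(self, key: bytes, frame: int):
        if len(key) != 8 or not 0 <= frame < (1 << 22):
            raise ValueError("A5/1 takes a 64-bit key and a 22-bit frame number")
        self.regs = [0, 0, 0]
        self.clock_log = []   # per majority step: which registers advanced
        # Key, then frame number, mixed in with all three registers clocked regularly.
        for i in range(64):
            self._clock_all((key[i // 8] >> (i % 8)) & 1)
        for i in range(22):
            self._clock_all((frame >> i) & 1)
        for _ in range(100):          # warm-up: majority clocking, output discarded
            self._clock_majority()
        self.clock_log = []

    def _clock_all(self, inbit: int) -> None:
        for i, (mask, taps, _) in enumerate(REGS):
            self.regs[i] = _shift(self.regs[i], mask, taps) ^ inbit

    def _clock_majority(self) -> None:
        ctrl = [1 if self.regs[i] & REGS[i][2] else 0 for i in range(3)]
        maj = 1 if sum(ctrl) >= 2 else 0
        moved = tuple(1 if ctrl[i] == maj else 0 for i in range(3))
        for i, (mask, taps, _) in enumerate(REGS):
            if moved[i]:              # a register advances only if it agrees with the majority
                self.regs[i] = _shift(self.regs[i], mask, taps)
        self.clock_log.append(moved)

    def _output_bit(self) -> int:
        return (_parity(self.regs[0] & R1_OUT) ^ _parity(self.regs[1] & R2_OUT)
                ^ _parity(self.regs[2] & R3_OUT))

    def bits(self, n: int) -> list:
        out = []
        for _ in range(n):
            self._clock_majority()
            out.append(self._output_bit())
        return out

def bits_to_bytes(bits: list) -> bytes:
    out = bytearray((len(bits) + 7) // 8)
    for i, b in enumerate(bits):
        out[i // 8] |= b << (7 - i % 8)
    return bytes(out)

def gsm_frame_keystream(key: bytes, frame: int):
    """228 keystream bits per frame: 114 bits downlink, then 114 bits uplink."""
    gen = A51(key, frame)
    return bits_to_bytes(gen.bits(114)), bits_to_bytes(gen.bits(114))

def xor_keystream(keystream: bytes, data: bytes) -> bytes:
    """Burst encryption/decryption; known plaintext XOR ciphertext recovers keystream."""
    return bytes(k ^ d for k, d in zip(keystream, data))

def clocking_profile(key: bytes, frame: int, steps: int):
    """Per-register fraction of steps on which it advanced, plus the set of
    'registers moved per step' values seen (majority clocking gives only 2 or 3)."""
    gen = A51(key, frame)
    gen.bits(steps)
    rate = [sum(f[i] for f in gen.clock_log) / steps for i in range(3)]
    return rate, {sum(f) for f in gen.clock_log}

SAMPLE_KEY = b"\x01\x23\x45\x67\x89\xab\xcd\xef"   # constructed sample key
SAMPLE_FRAME = 0x134                                 # constructed sample frame number
```

Running `clocking_profile(SAMPLE_KEY, SAMPLE_FRAME, 4000)` shows each register advancing on roughly three quarters of the steps and never fewer than two registers moving per step; that is the irregularity a correlation attack has to see through, and the `clock_log` is the kind of trace one would use to check a candidate register state against observed keystream.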

Proceedings ArticleDOI
06 Jun 2005
TL;DR: Two new building blocks employed - a distributed blinding protocol and verifiable dual encryption proofs - could have uses beyond re-encryption protocols.
Abstract: A protocol is given to take an ElGamal ciphertext encrypted under the key of one distributed service and produce the corresponding ciphertext encrypted under the key of another distributed service, but without the plaintext ever becoming available. Each distributed service comprises a set of servers and employs threshold cryptography to maintain its service private key. Unlike prior work, the protocol requires no assumptions about execution speeds or message delivery delays. The protocol also imposes fewer constraints on where and when various steps are performed, which can bring improvements in end-to-end performance for some applications (e.g., a trusted publish/subscribe infrastructure). Two new building blocks employed - a distributed blinding protocol and verifiable dual encryption proofs - could have uses beyond re-encryption protocols.

Patent
25 Mar 2005
TL;DR: In this paper, IBE key exchange schemes use an IBE encapsulation engine to produce a secret key together with an encapsulated version of it, and an IBE unencapsulation engine to recover the secret key from the encapsulation; only the unencapsulation and decryption engines need bilinear maps.
Abstract: Systems and methods for supporting symmetric-bilinear-map and asymmetric-bilinear-map identity-based-encryption (IBE) key exchange and encryption schemes are provided. IBE key exchange schemes use an IBE encapsulation engine to produce a secret key and an encapsulated version of the secret key. An IBE unencapsulation engine is used to unencapsulate the encapsulated key. IBE encryption schemes use an IBE encryption engine to produce ciphertext from plaintext. An IBE decryption engine is used to decrypt the ciphertext to reveal the plaintext. The IBE unencapsulation engine and decryption engines use bilinear maps. The IBE encapsulation and encryption engines perform group multiplication operations without using bilinear maps, improving efficiency. IBE private keys for use in decryption and unencapsulation operations may be generated using a distributed key arrangement in which each IBE private key is assembled from private key shares.

Book ChapterDOI
20 Sep 2005
TL;DR: It is shown that the Libert and Quisquater signcryption scheme cannot achieve its claimed security, and a revised version of the scheme is proposed whose security is proved under the assumption that the gap Diffie-Hellman problem is hard.
Abstract: In PKC'04, a signcryption scheme with key privacy was proposed by Libert and Quisquater. Along with the scheme, some security models were defined with regard to the signcryption versions of confidentiality, existential unforgeability and ciphertext anonymity (or key privacy). The security of their scheme was also claimed under these models. In this paper, we show that their scheme cannot achieve the claimed security by demonstrating an insider attack which shows that their scheme is not semantically secure against chosen ciphertext attack (not even secure against chosen plaintext attack) or ciphertext anonymous. We further propose a revised version of their signcryption scheme and show its security under the assumption that the gap Diffie-Hellman problem is hard. Our revised scheme supports parallel processing that can help reduce the computation time of both signcryption and de-signcryption operations.