Showing papers on "Encryption published in 2007"

Ciphertext-Policy Attribute-Based Encryption

Abstract: In several distributed systems a user should only be able to access data if a user posses a certain set of credentials or attributes. Currently, the only method for enforcing such policies is to employ a trusted server to store the data and mediate access control. However, if any server storing the data is compromised, then the confidentiality of the data will be compromised. In this paper we present a system for realizing complex access control on encrypted data that we call ciphertext-policy attribute-based encryption. By using our techniques encrypted data can be kept confidential even if the storage server is untrusted; moreover, our methods are secure against collusion attacks. Previous attribute-based encryption systems used attributes to describe the encrypted data and built policies into user's keys; while in our system attributes are used to describe a user's credentials, and a party encrypting data determines a policy for who can decrypt. Thus, our methods are conceptually closer to traditional access control methods such as role-based access control (RBAC). In addition, we provide an implementation of our system and give performance measurements.

Introduction to Modern Cryptography

Abstract: Preface I. Introduction and Classical Cryptography Introduction Cryptography and Modern Cryptography The Setting of Private-Key Encryption Historical Ciphers and Their Cryptanalysis Principles of Modern Cryptography Principle 1 - Formal Definitions Principle 2 - Precise Assumptions Principle 3 - Proofs of Security Provable Security and Real-World Security References and Additional Reading Exercises Perfectly Secret Encryption Definitions The One-Time Pad Limitations of Perfect Secrecy Shannon's Theorem References and Additional Reading Exercises II. Private-Key (Symmetric) Cryptography Private-Key Encryption Computational Security The Concrete Approach The Asymptotic Approach Defining Computationally Secure Encryption The Basic Definition of Security Semantic Security Constructing Secure Encryption Schemes Pseudorandom Generators and Stream Ciphers Proofs by Reduction A Secure Fixed-Length Encryption Scheme Stronger Security Notions Security for Multiple Encryptions Chosen-Plaintext Attacks and CPA-Security Constructing CPA-Secure Encryption Schemes Pseudorandom Functions and Block Ciphers CPA-Secure Encryption from Pseudorandom Functions Modes of Operation Stream-Cipher Modes of Operation Block-Cipher Modes of Operation Chosen-Ciphertext Attacks Defining CCA-Security Padding-Oracle Attacks References and Additional Reading Exercises Message Authentication Codes Message Integrity Secrecy vs. Integrity Encryption vs. Message Authentication Message Authentication Codes - Definitions Constructing Secure Message Authentication Codes A Fixed-Length MAC Domain Extension for MACs CBC-MAC The Basic Construction Proof of Security Authenticated Encryption Definitions Generic Constructions Secure Communication Sessions CCA-Secure Encryption Information-Theoretic MACs Constructing Information-Theoretic MACs Limitations on Information-Theoretic MACs References and Additional Reading Exercises Hash Functions and Applications Definitions Collision Resistance Weaker Notions of Security Domain Extension: The Merkle-Damgard Transform Message Authentication Using Hash Functions Hash-and-MAC HMAC Generic Attacks on Hash Functions Birthday Attacks for Finding Collisions Small-Space Birthday Attacks Time/Space Tradeoffs for Inverting Functions The Random-Oracle Model The Random-Oracle Model in Detail Is the Random-Oracle Methodology Sound? Additional Applications of Hash Functions Fingerprinting and Deduplication Merkle Trees Password Hashing Key Derivation Commitment Schemes References and Additional Reading Exercises Practical Constructions of Symmetric-Key Primitives Stream Ciphers Linear-Feedback Shift Registers Adding Nonlinearity Trivium RC4 Block Ciphers Substitution-Permutation Networks Feistel Networks DES - The Data Encryption Standard 3DES: Increasing the Key Length of a Block Cipher AES - The Advanced Encryption Standard Differential and Linear Cryptanalysis Hash Functions Hash Functions from Block Ciphers MD5 SHA-0, SHA-1, and SHA-2 SHA-3 (Keccak) References and Additional Reading Exercises Theoretical Constructions of Symmetric-Key Primitives One-Way Functions Definitions Candidate One-Way Functions Hard-Core Predicates From One-Way Functions to Pseudorandomness Hard-Core Predicates from One-Way Functions A Simple Case A More Involved Case The Full Proof Constructing Pseudorandom Generators Pseudorandom Generators with Minimal Expansion Increasing the Expansion Factor Constructing Pseudorandom Functions Constructing (Strong) Pseudorandom Permutations Assumptions for Private-Key Cryptography Computational Indistinguishability References and Additional Reading Exercises III. Public-Key (Asymmetric) Cryptography Number Theory and Cryptographic Hardness Assumptions Preliminaries and Basic Group Theory Primes and Divisibility Modular Arithmetic Groups The Group ZN Isomorphisms and the Chinese Remainder Theorem Primes, Factoring, and RSA Generating Random Primes Primality Testing The Factoring Assumption The RSA Assumption Relating the RSA and Factoring Assumptions Cryptographic Assumptions in Cyclic Groups Cyclic Groups and Generators The Discrete-Logarithm/Diffie-Hellman Assumptions Working in (Subgroups of) Zp Elliptic Curves Cryptographic Applications One-Way Functions and Permutations Constructing Collision-Resistant Hash Functions References and Additional Reading Exercises Algorithms for Factoring and Computing Discrete Logarithms Algorithms for Factoring Pollard's p - 1 Algorithm Pollard's Rho Algorithm The Quadratic Sieve Algorithm Algorithms for Computing Discrete Logarithms The Pohlig-Hellman Algorithm The Baby-Step/Giant-Step Algorithm Discrete Logarithms from Collisions The Index Calculus Algorithm Recommended Key Lengths References and Additional Reading Exercises Key Management and the Public-Key Revolution Key Distribution and Key Management A Partial Solution: Key-Distribution Centers Key Exchange and the Diffie-Hellman Protocol The Public-Key Revolution References and Additional Reading Exercises Public-Key Encryption Public-Key Encryption - An Overview Definitions Security against Chosen-Plaintext Attacks Multiple Encryptions Security against Chosen-Ciphertext Attacks Hybrid Encryption and the KEM/DEM Paradigm CPA-Security CCA-Security CDH/DDH-Based Encryption El Gamal Encryption DDH-Based Key Encapsulation A CDH-Based KEM in the Random-Oracle Model Chosen-Ciphertext Security and DHIES/ECIES RSA Encryption Plain RSA Padded RSA and PKCS #1 v1.5 CPA-Secure Encryption without Random Oracles OAEP and RSA PKCS #1 v A CCA-Secure KEM in the Random-Oracle Model RSA Implementation Issues and Pitfalls References and Additional Reading Exercises Digital Signature Schemes Digital Signatures - An Overview Definitions The Hash-and-Sign Paradigm RSA Signatures Plain RSA RSA-FDH and PKCS #1 v Signatures from the Discrete-Logarithm Problem The Schnorr Signature Scheme DSA and ECDSA Signatures from Hash Functions Lamport's Signature Scheme Chain-Based Signatures Tree-Based Signatures Certificates and Public-Key Infrastructures Putting It All Together - SSL/TLS Signcryption References and Additional Reading Exercises Advanced Topics in Public-Key Encryption Public-Key Encryption from Trapdoor Permutations Trapdoor Permutations Public-Key Encryption from Trapdoor Permutations The Paillier Encryption Scheme The Structure of ZN2 The Paillier Encryption Scheme Homomorphic Encryption Secret Sharing and Threshold Encryption Secret Sharing Verifiable Secret Sharing Threshold Encryption and Electronic Voting The Goldwasser-Micali Encryption Scheme Quadratic Residues Modulo a Prime Quadratic Residues Modulo a Composite The Quadratic Residuosity Assumption The Goldwasser-Micali Encryption Scheme The Rabin Encryption Scheme Computing Modular Square Roots A Trapdoor Permutation Based on Factoring The Rabin Encryption Scheme References and Additional Reading Exercises Index of Common Notation Appendix A: Mathematical Background Identities and Inequalities Asymptotic Notation Basic Probability The "Birthday" Problem Finite Fields Appendix B: Basic Algorithmic Number Theory Integer Arithmetic Basic Operations The Euclidean and Extended Euclidean Algorithms Modular Arithmetic Basic Operations Computing Modular Inverses Modular Exponentiation Montgomery Multiplication Choosing a Uniform Group Element Finding a Generator of a Cyclic Group Group-Theoretic Background Efficient Algorithms References and Additional Reading Exercises References Index

Trapdoors for Hard Lattices and New Cryptographic Constructions.

Abstract: We show how to construct a variety of "trapdoor" cryptographic tools assuming the worst-case hardness of standard lattice problems (such as approximating the length of the shortest nonzero vector to within certain polynomial factors). Our contributions include a new notion of trapdoor function with preimage sampling, simple and efficient "hash-and-sign" digital signature schemes, and identity-based encryption. A core technical component of our constructions is an efficient algorithm that, given a basis of an arbitrary lattice, samples lattice points from a discrete Gaussian probability distribution whose standard deviation is essentially the length of the longest Gram-Schmidt vector of the basis. A crucial security property is that the output distribution of the algorithm is oblivious to the particular geometry of the given basis.

Attribute-based encryption with non-monotonic access structures

Abstract: We construct an Attribute-Based Encryption (ABE) scheme that allows a user's private key to be expressed in terms of any access formula over attributes. Previous ABE schemes were limited to expressing only monotonic access structures. We provide a proof of security for our scheme based on the Decisional Bilinear Diffie-Hellman (BDH) assumption. Furthermore, the performance of our new scheme compares favorably with existing, less-expressive schemes.

Multi-authority attribute based encryption

Abstract: In an identity based encryption scheme, each user is identified by a unique identity string. An attribute based encryption scheme (ABE), in contrast, is a scheme in which each user is identified by a set of attributes, and some function of those attributes is used to determine decryption ability for each ciphertext. Sahai and Waters introduced a single authority attribute encryption scheme and left open the question of whether a scheme could be constructed in which multiple authorities were allowed to distribute attributes [SW05]. We answer this question in the affirmative. Our scheme allows any polynomial number of independent authorities to monitor attributes and distribute secret keys. An encryptor can choose, for each authority, a number dk and a set of attributes; he can then encrypt a message such that a user can only decrypt if he has at least dk of the given attributes from each authority k. Our scheme can tolerate an arbitrary number of corrupt authoritites. We also show how to apply our techniques to achieve a multiauthority version of the large universe fine grained access control ABE presented by Gopal et al. [GPSW06].

Provably secure ciphertext policy ABE

Abstract: In ciphertext policy attribute-based encryption (CP-ABE), every secret key is associated with a set of attributes, and every ciphertext is associated with an access structure on attributes. Decryption is enabled if and only if the user's attribute set satisfies the ciphertext access structure. This provides fine-grained access control on shared data in many practical settings, e.g., secure database and IP multicast.In this paper, we study CP-ABE schemes in which access structures are AND gates on positive and negative attributes. Our basic scheme is proven to be chosen plaintext (CPA) secure under the decisional bilinear Diffie-Hellman (DBDH) assumption. We then apply the Canetti-Halevi-Katz technique to obtain a chosen ciphertext (CCA) secure extension using one-time signatures. The security proof is a reduction to the DBDH assumption and the strong existential unforgeability of the signature primitive.In addition, we introduce hierarchical attributes to optimize our basic scheme - reducing both ciphertext size and encryption/decryption time while maintaining CPA security. We conclude with a discussion of practical applications of CP-ABE.

Predicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products.

Abstract: Predicate encryption is a new paradigm for public-key encryption that generalizes identity-based encryption and more. In predicate encryption, secret keys correspond to predicates and ciphertexts are associated with attributes; the secret key SK f corresponding to a predicate f can be used to decrypt a ciphertext associated with attribute I if and only if f(I)=1. Constructions of such schemes are currently known only for certain classes of predicates. We construct a scheme for predicates corresponding to the evaluation of inner products over ? N (for some large integer N). This, in turn, enables constructions in which predicates correspond to the evaluation of disjunctions, polynomials, CNF/DNF formulas, thresholds, and more. Besides serving as a significant step forward in the theory of predicate encryption, our results lead to a number of applications that are interesting in their own right.

Deterministic and efficiently searchable encryption

Abstract: We present as-strong-as-possible definitions of privacy, and constructions achieving them, for public-key encryption schemes where the encryption algorithm is deterministic. We obtain as a consequence database encryption methods that permit fast (i.e. sub-linear, and in fact logarithmic, time) search while provably providing privacy that is as strong as possible subject to this fast search constraint. One of our constructs, called RSA-DOAEP, has the added feature of being length preserving, so that it is the first example of a public-key cipher. We generalize this to obtain a notion of efficiently-searchable encryption schemes which permit more flexible privacy to search-time trade-offs via a technique called bucketization. Our results answer much-asked questions in the database community and provide foundations for work done there.

Preventing Location-Based Identity Inference in Anonymous Spatial Queries

Abstract: The increasing trend of embedding positioning capabilities (for example, GPS) in mobile devices facilitates the widespread use of location-based services. For such applications to succeed, privacy and confidentiality are essential. Existing privacy-enhancing techniques rely on encryption to safeguard communication channels, and on pseudonyms to protect user identities. Nevertheless, the query contents may disclose the physical location of the user. In this paper, we present a framework for preventing location-based identity inference of users who issue spatial queries to location-based services. We propose transformations based on the well-established K-anonymity concept to compute exact answers for range and nearest neighbor search, without revealing the query source. Our methods optimize the entire process of anonymizing the requests and processing the transformed spatial queries. Extensive experimental studies suggest that the proposed techniques are applicable to real-life scenarios with numerous mobile users.

Provably Secure Ciphertext Policy ABE.

Abstract: In ciphertext policy attribute-based encryption (CP-ABE), every secret key is associated with a set of attributes, and every ciphertext is associated with an access structure on attributes. Decryption is enabled if and only if the user’s attribute set satisfies the ciphertext access structure. This provides fine-grained access control on shared data in many practical settings, including secure databases and secure multicast. In this paper, we study CP-ABE schemes in which access structures are AND gates on positive and negative attributes. Our basic scheme is proven to be chosen plaintext (CPA) secure under the decisional bilinear Diffie-Hellman (DBDH) assumption. We then apply the Canetti-HaleviKatz technique to obtain a chosen ciphertext (CCA) secure extension using one-time signatures. The security proof is a reduction to the DBDH assumption and the strong existential unforgeability of the signature primitive. In addition, we introduce hierarchical attributes to optimize our basic scheme—reducing both ciphertext size and encryption/decryption time while maintaining CPA security. Finally, we propose an extension in which access policies are arbitrary threshold trees, and we conclude with a discussion of practical applications of CP-ABE.

Multi-Dimensional Range Query over Encrypted Data

Abstract: We design an encryption scheme called multi-dimensional range query over encrypted data (MRQED), to address the privacy concerns related to the sharing of network audit logs and various other applications. Our scheme allows a network gateway to encrypt summaries of network flows before submitting them to an untrusted repository. When network intrusions are suspected, an authority can release a key to an auditor, allowing the auditor to decrypt flows whose attributes (e.g., source and destination addresses, port numbers, etc.) fall within specific ranges. However, the privacy of all irrelevant flows are still preserved. We formally define the security for MRQED and prove the security of our construction under the decision bilinear Diffie-Hellman and decision linear assumptions in certain bilinear groups. We study the practical performance of our construction in the context of network audit logs. Apart from network audit logs, our scheme also has interesting applications for financial audit logs, medical privacy, untrusted remote storage, etc. In particular, we show that MRQED implies a solution to its dual problem, which enables investors to trade stocks through a broker in a privacy-preserving manner.

A Forward-Secure Public-Key Encryption Scheme

Abstract: Cryptographic computations are often carried out on insecure devices for which the threat of key exposure represents a serious concern. Forward security allows one to mitigate the damage caused by exposure of secret keys. In a forward-secure scheme, secret keys are updated at regular periods of time; exposure of the secret key corresponding to a given time period does not enable an adversary to "break" the scheme (in the appropriate sense) for any prior time period. We present the first constructions of (non-interactive) forward-secure public-key encryption schemes. Our main construction achieves security against chosen-plaintext attacks in the standard model, and all parameters of the scheme are poly-logarithmic in the total number of time periods. Some variants and extensions of this scheme are also given. We also introduce the notion of binary tree encryption and construct a binary tree encryption scheme in the standard model. Our construction implies the first hierarchical identity-based encryption scheme in the standard model. (The notion of security we achieve, however, is slightly weaker than that achieved by some previous constructions in the random oracle model.)

Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption)

Abstract: Two distinct, rigorous views of cryptography have developed over the years, in two mostly separate communities. One of the views relies on a simple but effective formal approach; the other, on a detailed computational model that considers issues of complexity and probability. There is an uncomfortable and interesting gap between these two approaches to cryptography. This paper starts to bridge the gap, by providing a computational justification for a formal treatment of encryption.

Information management system

Abstract: An information management system is described comprising one or more workstations running applications to allow a user of the workstation to connect to a network, such as the Internet. Each application has an analyzer, which monitors transmission data that the application is about to transmit to the network or about to receive from the network and which determines an appropriate action to take regarding that transmission data. Such actions may be extracting data from the transmission data, such as passwords and usernames, digital certificates or eCommerce transaction details for storage in a database; ensuring that the transmission data is transmitted at an encryption strength appropriate to the contents of the transmission data; determining whether a check needs to be made as to whether a digital certificate received in transmission data is in force, and determining whether a transaction about to be made by a user of one of the workstations needs third party approval before it is made. The analyzer may consult a policy data containing a policy to govern the workstations in order to make its determination. The information management system provides many advantages in the eCommerce environment to on-line trading companies, who may benefit by being able to regulate the transactions made by their staff according to their instructions in a policy data, automatically maintain records of passwords and business conducted on-line, avoid paying for unnecessary checks on the validity of digital certificates and ensure that transmissions of data made by their staff are always protected at an agreed strength of encryption.

Chosen-ciphertext secure proxy re-encryption

Abstract: In a proxy re-encryption (PRE) scheme, a proxy is given special information that allows it to translate a ciphertext under one key into a ciphertext of the same message under a different key. The proxy cannot, however, learn anything about the messages encrypted under either key. PRE schemes have many practical applications, including distributed storage, email, and DRM. Previously proposed re-encryption schemes achieved only semantic security; in contrast, applications often require security against chosen ciphertext attacks. We propose a definition of security against chosen ciphertext attacks for PRE schemes, and present a scheme that satisfies the definition. Our construction is efficient and based only on the Decisional Bilinear Diffie-Hellman assumption in the standard model. We also formally capture CCA security for PRE schemes via both a game-based definition and simulation-based definitions that guarantee universally composable security. We note that, simultaneously with our work, Green and Ateniese proposed a CCA-secure PRE, discussed herein.

A Survey of Homomorphic Encryption for Nonspecialists

Abstract: Processing encrypted signals requires special properties of the underlying encryption scheme. A possible choice is the use of homomorphic encryption. In this paper, we propose a selection of the most important available solutions, discussing their properties and limitations.

Resistance of the double random phase encryption against various attacks

Abstract: Several attacks are proposed against the double random phase encryption scheme. These attacks are demonstrated on computer-generated ciphered images. The scheme is shown to be resistant against brute force attacks but susceptible to chosen and known plaintext attacks. In particular, we describe a technique to recover the exact keys with only two known plain images. We compare this technique to other attacks proposed in the literature.

Chosen-Ciphertext Secure Proxy Re-Encryption.

Abstract: In a proxy re-encryption (PRE) scheme, a proxy is given special information that allows it to translate a ciphertext under one key into a ciphertext of the same message under a dierent key. The proxy cannot, however, learn anything about the messages encrypted under either key. PRE schemes have many practical applications, including distributed storage, email, and DRM. Previously proposed re-encryption schemes achieved only semantic security; in contrast, applications often require security against chosen ciphertext attacks. We propose a denition of security against chosen ciphertext attacks for PRE schemes, and present a scheme that satises the denition. Our construction is ecient and based only on the Decisional Bilinear DieHellman assumption in the standard model. We also formally capture CCA security for PRE schemes via both a game-based denition and simulation-based denitions that guarantee universally composable security. We note that, simultaneously with our work, Green and Ateniese proposed a CCA-secure PRE, discussed herein.

Over-encryption: management of access control evolution on outsourced data

Abstract: Data outsourcing is emerging today as a successful paradigm allowing users and organizations to exploit external services for the distribution of resources. A crucial problem to be addressed in this context concerns the enforcement of selective authorization policies and the support of policy updates in dynamic scenarios. In this paper, we present a novel solution to the enforcement of access control and the management of its evolution. Our proposal is based on the application of selective encryption as a means to enforce authorizations. Two layers of encryption are imposed on data: the inner layer is imposed by the owner for providing initial protection, the outer layer is imposed by the server to reflect policy modifications. The combination of the two layers provides an efficient and robust solution. The paper presents a model, an algorithm for the management of the two layers, and an analysis to identify and therefore counteract possible information exposure risks.

Public key encryption with conjunctive keyword search and its extension to a multi-user system

Abstract: We study the problem of a public key encryption with conjunctive keyword search (PECK). The keyword searchable encryption enables a user to outsource his data to the storage of an untrusted server and to have the ability to selectively search his data without leaking information. The PECK scheme provides the document search containing each of several keywords over a public key setting. First, we construct an efficient PECK scheme whose security is proven over a decisional linear Diffie-Hellman assumption in the random oracle model. In comparison with previous schemes, our scheme has the shortest ciphertext size and private key size, and requires a comparable computation overhead. Second, we discuss problems related to the security proof of previous schemes and show they cannot guarantee complete security. Finally, we introduce a new concept called a multi-user PECK scheme, which can achieve an efficient computation and communication overhead and effectively manage the storage in a server for a number of users.

Self-protecting digital content

Abstract: Technologies are disclosed to transfer responsibility and control over security from player makers to content authors by enabling integration of security logic and content. An exemplary optical disc carries an encrypted digital video title combined with data processing operations that implement the title's security policies and decryption processes. Player devices include a processing environment (e.g., a real-time virtual machine), which plays content by interpreting its processing operations. Players also provide procedure calls to enable content code to load data from media, perform network communications, determine playback environment configurations, access secure nonvolatile storage, submit data to CODECs for output, and/or perform cryptographic operations. Content can insert forensic watermarks in decoded output for tracing pirate copies. If pirates compromise a player or title, future content can be mastered with security features that, for example, block the attack, revoke pirated media, or use native code to correct player vulnerabilities.

Identity-based broadcast encryption with constant size ciphertexts and private keys

Abstract: This paper describes the first identity-based broadcast encryption scheme (IBBE) with constant size ciphertexts and private keys. In our scheme, the public key is of size linear in the maximal size m of the set of receivers, which is smaller than the number of possible users (identities) in the system. Compared with a recent broadcast encryption system introduced by Boneh, Gentry and Waters (BGW), our system has comparable properties, but with a better efficiency: the public key is shorter than in BGW. Moreover, the total number of possible users in the system does not have to be fixed in the setup.

Channel Identification: Secret Sharing Using Reciprocity in Ultrawideband Channels

Abstract: To establish a secure communications link between any two transceivers, the communicating parties require some shared secret, or key, with which to encrypt the message so that it cannot be understood by an enemy observer. Using the theory of reciprocity for antennas and electromagnetic propagation, a key distribution method is proposed that uses the ultrawideband (UWB) channel pulse response between two transceivers as a source of common randomness that is not available to enemy observers in other locations. The maximum size of a key that can be shared in this way is characterized by the mutual information between the observations of two radios, and an approximation and upper bound on mutual information is found for a general multipath channel and examples given for UWB channel models. The exchange of some information between the parties is necessary to achieve these bounds, and various information-sharing strategies are considered and their performance is simulated. A qualitative assessment of the vulnerability of such a secret sharing system to attack from a radio in a nearby location is also given.

An advanced hybrid peer-to-peer botnet

Abstract: A "botnet" consists of a network of compromised computers controlled by an attacker ("botmaster"). Recently botnets have become the root cause of many Internet attacks. To be well prepared for future attacks, it is not enough to study how to detect and defend against the botnets that have appeared in the past. More importantly, we should study advanced botnet designs that could be developed by botmasters in the near future. In this paper, we present the design of an advanced hybrid peer-to-peer botnet. Compared with current botnets, the proposed botnet is harder to be shut down, monitored, and hijacked. It provides robust network connectivity, individualized encryption and control traffic dispersion, limited botnet exposure by each bot, and easy monitoring and recovery by its botmaster. Possible defenses against this advanced botnet are suggested.

Revealing skype traffic: when randomness plays with you

Abstract: Skype is a very popular VoIP software which has recently attracted the attention of the research community and network operators. Following a closed source and proprietary design, Skype protocols and algorithms are unknown. Moreover, strong encryption mechanisms are adopted by Skype, making it very difficult to even glimpse its presence from a traffic aggregate. In this paper, we propose a framework based on two complementary techniques to reveal Skypetraffic in real time. The first approach, based on Pearson'sChi-Square test and agnostic to VoIP-related trafficcharacteristics, is used to detect Skype's fingerprint from the packet framing structure, exploiting the randomness introduced at the bit level by the encryption process. Conversely, the second approach is based on a stochastic characterization of Skype traffic in terms of packet arrival rate and packet length, which are used as features of a decision process based on Naive Bayesian Classifiers.In order to assess the effectiveness of the above techniques, we develop an off-line cross-checking heuristic based on deep-packet inspection and flow correlation, which is interesting per se. This heuristic allows us to quantify the amount of false negatives and false positives gathered by means of the two proposed approaches: results obtained from measurements in different networks show that the technique is very effective in identifying Skype traffic. While both Bayesian classifier and packet inspection techniques are commonly used, the idea of leveraging on randomness to reveal traffic is novel. We adopt this to identify Skype traffic, but the same methodology can be applied to other classification problems as well.

Secure hybrid encryption from weakened key encapsulation

Abstract: We put forward a new paradigm for building hybrid encryption schemes from constrained chosen-ciphertext secure (CCCA) key-encapsulation mechanisms (KEMs) plus authenticated symmetric encryption. Constrained chosen-ciphertext security is a new security notion for KEMs that we propose. It has less demanding security requirements than standard CCCA security (since it requires the adversary to have a certain plaintext-knowledge when making a decapsulation query) yet we can prove that it is CCCA sufficient for secure hybrid encryption. Our notion is not only useful to express the Kurosawa-Desmedt public-key encryption scheme and its generalizations to hash-proof systems in an abstract KEM/DEM security framework. It also has a very constructive appeal, which we demonstrate with a new encryption scheme whose security relies on a class of intractability assumptions that we show (in the generic group model) strictly weaker than the Decision Diffie-Hellman (DDH) assumption. This appears to be the first practical public-key encryption scheme in the literature from an algebraic assumption strictly weaker than DDH.

Advances in cryptology - CRYPTO 2007 : 27th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2007 : proceedings

Abstract: Cryptanalysis I.- Practical Cryptanalysis of SFLASH.- Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5.- Secure Searching.- How Should We Solve Search Problems Privately?.- Public Key Encryption That Allows PIR Queries.- Invited Talk.- Information Security Economics - and Beyond.- Theory I.- Cryptography with Constant Input Locality.- Universally-Composable Two-Party Computation in Two Rounds.- Indistinguishability Amplification.- Lattices.- A Hybrid Lattice-Reduction and Meet-in-the-Middle Attack Against NTRU.- Improved Analysis of Kannan's Shortest Lattice Vector Algorithm.- Random Oracles.- Domain Extension of Public Random Functions: Beyond the Birthday Barrier.- Random Oracles and Auxiliary Input.- Hash Functions.- Security-Amplifying Combiners for Collision-Resistant Hash Functions.- Hash Functions and the (Amplified) Boomerang Attack.- Amplifying Collision Resistance: A Complexity-Theoretic Treatment.- Theory II.- How Many Oblivious Transfers Are Needed for Secure Multiparty Computation?.- Simulatable VRFs with Applications to Multi-theorem NIZK.- Cryptography in the Multi-string Model.- Quantum Cryptography.- Secure Identification and QKD in the Bounded-Quantum-Storage Model.- A Tight High-Order Entropic Quantum Uncertainty Relation with Applications.- Cryptanalysis II.- Finding Small Roots of Bivariate Integer Polynomial Equations: A Direct Approach.- A Polynomial Time Attack on RSA with Private CRT-Exponents Smaller Than N 0.073.- Encryption.- Invertible Universal Hashing and the TET Encryption Mode.- Reducing Trust in the PKG in Identity Based Cryptosystems.- Pirate Evolution: How to Make the Most of Your Traitor Keys.- Protocol Analysis.- A Security Analysis of the NIST SP 800-90 Elliptic Curve Random Number Generator.- A Generalization of DDH with Applications to Protocol Analysis and Computational Soundness.- Chernoff-Type Direct Product Theorems.- Public-Key Encryption.- Rerandomizable RCCA Encryption.- Deterministic and Efficiently Searchable Encryption.- Secure Hybrid Encryption from Weakened Key Encapsulation.- Multi-party Computation.- Scalable and Unconditionally Secure Multiparty Computation.- On Secure Multi-party Computation in Black-Box Groups.- A Note on Secure Computation of the Moore-Penrose Pseudoinverse and Its Application to Secure Linear Algebra.

New Lightweight DES Variants

Abstract: In this paper we propose a new block cipher, DESL (DES Lightweight), which is based on the classical DES (Data Encryption Standard) design, but unlike DES it uses a single S-box repeated eight times. On this account we adapt well-known DES S-box design criteria, such that they can be applied to the special case of a single S-box. Furthermore, we show that DESL is resistant against certain types of the most common attacks, i.e., linear and differential cryptanalyses, and the Davies-Murphy attack. Our hardware implementation results of DESL are very promising (1848 GE), therefore DESL is well suited for ultra-constrained devices such as RFID tags.

Fully collusion secure dynamic broadcast encryption with constant-size ciphertexts or decryption keys

Abstract: This paper puts forward new efficient constructions for public-key broadcast encryption that simultaneously enjoy the following properties: receivers are stateless; encryption is collusion-secure for arbitrarily large collusions of users and security is tight in the standard model; new users can join dynamically i.e. without modification of user decryption keys nor ciphertext size and little or no alteration of the encryption key. We also show how to permanently revoke any subgroup of users. Most importantly, our constructions achieve the optimal bound of O(1)-size either for ciphertexts or decryption keys, where the hidden constant relates to a couple of elements of a pairing-friendly group. Our broadcast-KEM trapdoor technique, which has independent interest, also provides a dynamic broadcast encryption system improving all previous efficiency measures (for both execution time and sizes) in the private-key setting.