
Showing papers on "Plaintext-aware encryption published in 2008"


Journal ArticleDOI
TL;DR: In this paper, the authors consider two possible notions of authenticity for authenticated encryption schemes, namely integrity of plaintexts and integrity of ciphertexts, and relate them, when coupled with IND-CPA (indistinguishability under chosen-plaintext attack), to the standard notions of privacy IND-CCA and NM-CPA. They then analyze the three generic compositions of an IND-CPA encryption scheme and an unforgeable MAC (Encrypt-and-MAC, MAC-then-Encrypt, Encrypt-then-MAC), providing proofs for the cases where a notion is met and counter-examples for the cases where it is not.
Abstract: An authenticated encryption scheme is a symmetric encryption scheme whose goal is to provide both privacy and integrity. We consider two possible notions of authenticity for such schemes, namely integrity of plaintexts and integrity of ciphertexts, and relate them, when coupled with IND-CPA (indistinguishability under chosen-plaintext attack), to the standard notions of privacy IND-CCA and NM-CPA (indistinguishability under chosen-ciphertext attack and nonmalleability under chosen-plaintext attack) by presenting implications and separations between all notions considered. We then analyze the security of authenticated encryption schemes designed by “generic composition,” meaning making black-box use of a given symmetric encryption scheme and a given MAC. Three composition methods are considered, namely Encrypt-and-MAC, MAC-then-encrypt, and Encrypt-then-MAC. For each of these and for each notion of security, we indicate whether or not the resulting scheme meets the notion in question assuming that the given symmetric encryption scheme is secure against chosen-plaintext attack and the given MAC is unforgeable under chosen-message attack. We provide proofs for the cases where the answer is “yes” and counter-examples for the cases where the answer is “no.”

586 citations
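The three generic compositions compared in the abstract above, as an added worked example that is not code from the paper. Assumptions of this example: the CPA-secure scheme is counter mode over HMAC-SHA256 used as a PRF with a random 16-byte nonce, the MAC is HMAC-SHA256 under an independent key, and SE' is a constructed variant of that scheme with one redundant trailing byte that decryption ignores (still IND-CPA, but two distinct ciphertexts decrypt to the same plaintext, in the spirit of the paper's counter-examples). The functions at the end show Encrypt-and-MAC leaking plaintext equality through the deterministic tag, MAC-then-Encrypt over SE' accepting a modified ciphertext (integrity of plaintexts holds, integrity of ciphertexts does not), and Encrypt-then-MAC rejecting the same modification.

```python
"""Generic composition of a CPA-secure symmetric cipher and a MAC (added example)."""
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 output length


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter mode over HMAC-SHA256 as a PRF. IND-CPA if nonces never
    # repeat, but ciphertexts are trivially malleable (bit flips pass through).
    blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def se_encrypt(ke: bytes, m: bytes, redundant: bool = False) -> bytes:
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(m, _keystream(ke, nonce, len(m))))
    # SE' (constructed): same scheme plus one redundant trailing byte that
    # the decryptor ignores. Distinct ciphertexts, same plaintext.
    return nonce + body + (b"\x00" if redundant else b"")


def se_decrypt(ke: bytes, c: bytes, redundant: bool = False) -> bytes:
    if redundant:
        c = c[:-1]  # the ignored byte
    nonce, body = c[:16], c[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(ke, nonce, len(body))))


def mac(km: bytes, data: bytes) -> bytes:
    return hmac.new(km, data, hashlib.sha256).digest()


# Encrypt-and-MAC: tag over the plaintext, sent alongside the ciphertext.
def eam_encrypt(ke, km, m):
    return se_encrypt(ke, m) + mac(km, m)


def eam_decrypt(ke, km, c):
    m = se_decrypt(ke, c[:-TAG_LEN])
    if not hmac.compare_digest(c[-TAG_LEN:], mac(km, m)):
        raise ValueError("bad tag")
    return m


# MAC-then-Encrypt: tag over the plaintext, then both are encrypted.
def mte_encrypt(ke, km, m, redundant=False):
    return se_encrypt(ke, m + mac(km, m), redundant)


def mte_decrypt(ke, km, c, redundant=False):
    p = se_decrypt(ke, c, redundant)
    m, tag = p[:-TAG_LEN], p[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac(km, m)):
        raise ValueError("bad tag")
    return m


# Encrypt-then-MAC: tag over the whole ciphertext.
def etm_encrypt(ke, km, m, redundant=False):
    c = se_encrypt(ke, m, redundant)
    return c + mac(km, c)


def etm_decrypt(ke, km, c, redundant=False):
    body, tag = c[:-TAG_LEN], c[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac(km, body)):
        raise ValueError("bad tag")
    return se_decrypt(ke, body, redundant)


def accepts(decrypt, *args) -> bool:
    try:
        decrypt(*args)
        return True
    except ValueError:
        return False


def eam_leaks_plaintext_equality(ke, km, m) -> bool:
    # The MAC is deterministic, so two encryptions of the same message carry
    # the same tag even though the encrypted parts differ: an IND-CPA break.
    c1, c2 = eam_encrypt(ke, km, m), eam_encrypt(ke, km, m)
    return c1[-TAG_LEN:] == c2[-TAG_LEN:] and c1[:-TAG_LEN] != c2[:-TAG_LEN]


def mte_ctxt_forgery(ke, km, m):
    # Under SE', flipping the ignored byte yields a *new* ciphertext that still
    # decrypts to an authentic plaintext: INT-PTXT holds, INT-CTXT fails.
    c = mte_encrypt(ke, km, m, redundant=True)
    forged = c[:-1] + bytes([c[-1] ^ 0x01])
    return forged != c, accepts(mte_decrypt, ke, km, forged, True)


def etm_detects_same_forgery(ke, km, m) -> bool:
    # The tag covers the redundant byte too, so the same edit is rejected.
    c = etm_encrypt(ke, km, m, redundant=True)
    body = c[:-TAG_LEN]
    forged = body[:-1] + bytes([body[-1] ^ 0x01]) + c[-TAG_LEN:]
    return not accepts(etm_decrypt, ke, km, forged, True)
```

The encryption and MAC keys are deliberately independent; the abstract's results assume a generic scheme and a generic MAC, and key reuse across the two components is outside that analysis.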


Book ChapterDOI
07 Jul 2008
TL;DR: This work presents the first construction of a ciphertext-policy attribute-based encryption scheme having a security proof based on a number-theoretic assumption and supporting advanced access structures, namely those representable by a bounded-size access tree with threshold gates as its nodes.
Abstract: In a ciphertext policy attribute based encryption system, a user's private key is associated with a set of attributes (describing the user) and an encrypted ciphertext will specify an access policy over attributes. A user will be able to decrypt if and only if his attributes satisfy the ciphertext's policy. In this work, we present the first construction of a ciphertext-policy attribute based encryption scheme having a security proof based on a number theoretic assumption and supporting advanced access structures. Previous CP-ABE systems could either support only very limited access structures or had a proof of security only in the generic group model. Our construction can support access structures which can be represented by a bounded size access tree with threshold gates as its nodes. The bound on the size of the access trees is chosen at the time of the system setup. Our security proof is based on the standard Decisional Bilinear Diffie-Hellman assumption.

579 citations


Journal ArticleDOI
TL;DR: In this paper, the authors proposed to introduce a certain diffusion effect in the substitution stage by simple sequential add-and-shift operations, which leads to a longer processing time in a single round, but reduces the overall encryption time.

403 citations


Book ChapterDOI
17 Aug 2008
TL;DR: A public-key encryption system that remains secure even when encrypting messages that depend on the secret keys in use, and is circular-secure against chosen-plaintext attacks under the Decision Diffie-Hellman assumption.
Abstract: We describe a public-key encryption system that remains secure even encrypting messages that depend on the secret keys in use. In particular, it remains secure under a "key cycle" usage, where we have a cycle of public/secret key-pairs $(pk_i, sk_i)$ for $i = 1, \ldots, n$, and we encrypt each $sk_i$ under $pk_{(i \bmod n)+1}$. Such usage scenarios sometimes arise in key-management systems and in the context of anonymous credential systems. Also, security against key cycles plays a role when relating "axiomatic security" of protocols that use encryption to the "computational security" of concrete instantiations of these protocols. The existence of encryption systems that are secure in the presence of key cycles was wide open until now: on the one hand we had no constructions that provably meet this notion of security (except by relying on the random-oracle heuristic); on the other hand we had no examples of secure encryption systems that become demonstrably insecure in the presence of key-cycles of length greater than one. Here we construct an encryption system that is circular-secure against chosen-plaintext attacks under the Decision Diffie-Hellman assumption (without relying on random oracles). Our proof of security holds even if the adversary obtains an encryption clique, that is, encryptions of $sk_i$ under $pk_j$ for all $1 \le i, j \le n$. We also construct a circular counterexample: a one-way secure encryption scheme that breaks completely if an encryption cycle (of any size) is published.

323 citations


Journal ArticleDOI
TL;DR: Experimental results show that Ranjan's encryption technique is inefficient, and detailed theoretic analysis shows that the complexity to break the cryptosystem is overestimated.
Abstract: Recently, Ranjan proposed a novel public key encryption technique based on multiple chaotic systems [Phys Lett 2005;95]. Unfortunately, Wang soon gave a successful attack on its special case based on Parseval's theorem [Wang K, Pei W, Zhou L, et al. Security of public key encryption technique based on multiple chaotic system. Phys Lett A, in press]. In this letter, we give an improved example which can avoid the attack and point out that Wang cannot find the essential drawback of the technique. However, further experimental results show that Ranjan's encryption technique is inefficient, and detailed theoretic analysis shows that the complexity to break the cryptosystem is overestimated.

260 citations


Book ChapterDOI
17 Aug 2008
TL;DR: This work proposes a slightly weaker notion of security, saying that no partial information about encrypted messages should be leaked as long as each message is a-priori hard-to-guess given the others, and shows equivalence of this definition to single-message and indistinguishability-based ones, which are easier to work with.
Abstract: The study of deterministic public-key encryption was initiated by Bellare et al. (CRYPTO '07), who provided the "strongest possible" notion of security for this primitive (called PRIV) and constructions in the random oracle (RO) model. We focus on constructing efficient deterministic encryption schemes without random oracles. To do so, we propose a slightly weaker notion of security, saying that no partial information about encrypted messages should be leaked as long as each message is a-priori hard-to-guess given the others (while PRIV did not have the latter restriction). Nevertheless, we argue that this version seems adequate for many practical applications. We show equivalence of this definition to single-message and indistinguishability-based ones, which are easier to work with. Then we give general constructions of both chosen-plaintext (CPA) and chosen-ciphertext-attack (CCA) secure deterministic encryption schemes, as well as efficient instantiations of them under standard number-theoretic assumptions. Our constructions build on the recently-introduced framework of Peikert and Waters (STOC '08) for constructing CCA-secure probabilistic encryption schemes, extending it to the deterministic-encryption setting as well.

257 citations


Journal ArticleDOI
TL;DR: This Letter proposes two different attacks on a recently proposed image encryption scheme based on hyper-chaos: a chosen plaintext attack and a chosen ciphertext attack can each be used to decrypt a ciphered image without any knowledge of the key value.

241 citations


Book ChapterDOI
17 Aug 2008
TL;DR: In this article, the authors strengthen the foundations of deterministic public-key encryption via definitional equivalences and standard-model constructs based on general assumptions, and show relations between deterministic and standard (randomized) encryption.
Abstract: We strengthen the foundations of deterministic public-key encryption via definitional equivalences and standard-model constructs based on general assumptions. Specifically we consider seven notions of privacy for deterministic encryption, including six forms of semantic security and an indistinguishability notion, and show them all equivalent. We then present a deterministic scheme for the secure encryption of uniformly and independently distributed messages based solely on the existence of trapdoor one-way permutations. We show a generalization of the construction that allows secure deterministic encryption of independent high-entropy messages. Finally we show relations between deterministic and standard (randomized) encryption.

188 citations
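Why the two deterministic-encryption papers above insist that messages be a-priori hard to guess, as an added example that is not code from either paper: textbook RSA without padding stands in for a deterministic public-key scheme (the key is constructed from two Mersenne primes; the papers' own constructions are different). Because encryption is a public deterministic function, anyone can test whether a ciphertext equals the encryption of a guess, so equal messages are detectable and a low-entropy message such as a 4-digit PIN falls to a dictionary attack, while an unguessable message does not. The randomised variant at the end prepends 8 random bytes purely to show what randomisation buys against this particular attack; it is an illustration, not a standard padding scheme.

```python
"""Deterministic PKE: equality leakage and dictionary attacks (added example)."""
import os

# Constructed toy RSA key: both factors are Mersenne primes, modulus is 150 bits.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
MAX_MSG = 10  # bytes; 8 random bytes + 10 message bytes = 144 bits < N


def det_encrypt(m: bytes) -> int:
    # Textbook RSA: no randomness, so Enc(m) is a fixed function of m.
    assert 0 < len(m) <= MAX_MSG and m[0] != 0
    return pow(int.from_bytes(m, "big"), E, N)


def det_decrypt(c: int) -> bytes:
    x = pow(c, D, N)
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


def rand_encrypt(m: bytes) -> int:
    # Randomised variant (illustration only): prepend 8 random bytes with the
    # top bit forced to 1 so the decoded length is unambiguous.
    assert 0 < len(m) <= MAX_MSG
    r = bytearray(os.urandom(8))
    r[0] |= 0x80
    return pow(int.from_bytes(bytes(r) + m, "big"), E, N)


def rand_decrypt(c: int) -> bytes:
    x = pow(c, D, N)
    return x.to_bytes((x.bit_length() + 7) // 8, "big")[8:]


def dictionary_attack(c: int, candidates):
    # Public-key setting: the attacker encrypts each guess and compares.
    for m in candidates:
        if det_encrypt(m) == c:
            return m
    return None


def pin_space():
    # Constructed low-entropy message space: all 4-digit PINs.
    return (f"{i:04d}".encode() for i in range(10000))
```

The attack needs nothing but the public key, which is why the weaker PRIV-style notion in the abstracts is stated for messages that are hard to guess given the others: against a guessable message no deterministic scheme can hide anything.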


Journal ArticleDOI
TL;DR: A novel secure cryptosystem for direct encryption of color images, based on chaotically coupled chaotic maps that guarantees strong cryptographic security, short encryption/decryption time, and robustness against noise and other external disturbances is presented.

169 citations


Journal ArticleDOI
04 Aug 2008-Chaos
TL;DR: This paper reports a detailed cryptanalysis of a recently proposed encryption scheme based on the logistic map and some hints are offered to improve the cryptosystem under study according to those requirements.
Abstract: This paper reports a detailed cryptanalysis of a recently proposed encryption scheme based on the logistic map [A. Pisarchik et al., Chaos 16, 033118 (2006)]. Some problems are emphasized concerning the key space definition and the implementation of the cryptosystem using floating-point operations. It is also shown how it is possible to reduce considerably the key space through a ciphertext-only attack. Moreover, a timing attack allows for the estimation of part of the key due to the existing relationship between this part of the key and the encryption/decryption time. As a result, the main features of the cryptosystem do not satisfy the demands of secure communications. Some hints are offered to improve the cryptosystem under study according to those requirements.

135 citations


Journal ArticleDOI
TL;DR: It is formally proved that padding the plaintext with a random bit-string provides the semantic security against chosen plaintext attack (IND-CPA) for the McEliece (and its dual, the Niederreiter) cryptosystems under the standard assumptions.
Abstract: In this paper, we formally prove that padding the plaintext with a random bit-string provides the semantic security against chosen plaintext attack (IND-CPA) for the McEliece (and its dual, the Niederreiter) cryptosystems under the standard assumptions. Such padding has recently been used by Suzuki, Kobara and Imai in the context of RFID security. Our proof relies on the technical result by Katz and Shin from Eurocrypt '05 showing "pseudorandomness" implied by the learning parity with noise (LPN) problem. We do not need the random oracles as opposed to the known generic constructions which, on the other hand, provide a stronger protection as compared to our scheme--against (adaptive) chosen ciphertext attack, i.e., IND-CCA(2). In order to show that the padded version of the cryptosystem remains practical, we provide some estimates for suitable key sizes together with corresponding workload required for successful attack.

Book ChapterDOI
17 Aug 2008
TL;DR: This paper proposes a candidate achieving all the above dynamic properties, that is semantically secure in the standard model, under a new non-interactive assumption, that fits into the general Diffie-Hellman exponent framework on groups with a bilinear map.
Abstract: This paper deals with threshold public-key encryption which allows a pool of players to decrypt a ciphertext if a given threshold of authorized players cooperate. We generalize this primitive to the dynamic setting, where any user can dynamically join the system, as a possible recipient; the sender can dynamically choose the authorized set of recipients, for each ciphertext; and the sender can dynamically set the threshold t for decryption capability among the authorized set. We first give a formal security model, which includes strong robustness notions, and then we propose a candidate achieving all the above dynamic properties, that is semantically secure in the standard model, under a new non-interactive assumption, that fits into the general Diffie-Hellman exponent framework on groups with a bilinear map. It furthermore compares favorably with previous proposals, a.k.a. threshold broadcast encryption, since this is the first threshold public-key encryption, with dynamic authorized set of recipients and dynamic threshold that provides constant-size ciphertexts.

Book ChapterDOI
01 Sep 2008
TL;DR: A construction for hidden-vector encryption from standard complexity assumptions on bilinear groups of prime order is given, which is both payload-hiding and attribute-hiding, meaning that the privacy of the attribute vector is also guaranteed.
Abstract: Predicate encryption schemes are encryption schemes in which each ciphertext Ct is associated with a binary attribute vector and keys K are associated with predicates. A key K can decrypt a ciphertext if and only if the attribute vector of the ciphertext satisfies the predicate of the key. Predicate encryption schemes can be used to implement fine-grained access control on encrypted data and to perform search on encrypted data. Hidden vector encryption schemes [Boneh and Waters --- TCC 2007] are encryption schemes in which each ciphertext is associated with a binary vector and each key K is associated with a binary vector with "don't care" entries (denoted with $\star$). Key K can decrypt a ciphertext if and only if the ciphertext's vector and the key's vector $y$ agree for all i for which $y_i \neq \star$. Hidden vector encryption schemes are an important type of predicate encryption schemes as they can be used to construct more sophisticated predicate encryption schemes (supporting for example range and subset queries). We give a construction for hidden-vector encryption from standard complexity assumptions on bilinear groups of prime order. Previous constructions were in bilinear groups of composite order and thus resulted in less efficient schemes. Our construction is both payload-hiding and attribute-hiding meaning that also the privacy of the attribute vector, besides privacy of the cleartext, is guaranteed.

Book ChapterDOI
07 Dec 2008
TL;DR: In this article, the authors show how to achieve CCA-security under the computational Diffie-Hellman (CDH) assumption without increasing the size of ciphertexts, and also give a more efficient scheme under the hashed Diffie-Hellman (HDH) assumption.
Abstract: Recently Cash, Kiltz, and Shoup [13] showed a variant of the Cramer-Shoup (CS) scheme [14] whose chosen-ciphertext (CCA) security relies on the computational Diffie-Hellman (CDH) assumption. The cost for this high security is that the size of ciphertexts is much longer than the CS scheme (which is based on the decisional Diffie-Hellman assumption). In this paper, we show how to achieve CCA-security under the CDH assumption without increasing the size of ciphertexts. We also show a more efficient scheme under the hashed Diffie-Hellman assumption. Both of our schemes are based on a certain broadcast encryption (BE) scheme while the Cash-Kiltz-Shoup scheme is based on the Twin DH problem. Of independent interest, we also show a generic method of constructing CCA-secure PKE schemes from BE schemes.

Book ChapterDOI
17 Oct 2008
TL;DR: An implementation with a complete description of the algorithmic choices and parameters selection, together with the state of the art in cryptanalysis is provided, which provides a reference for measuring speed and scalability of this cryptosystem.
Abstract: Though it is old and considered fast, the implementation of the McEliece public-key encryption scheme has never been thoroughly studied. We consider that problem here and we provide an implementation with a complete description of our algorithmic choices and parameters selection, together with the state of the art in cryptanalysis. This provides a reference for measuring speed and scalability of this cryptosystem. Compared with other, number-theory based, public key schemes, we demonstrate a gain of a factor of at least 5 to 10.

Book ChapterDOI
08 Apr 2008
TL;DR: In this article, the authors proposed two constructions of chosen-ciphertext secure identity-based encryption (IBE) schemes, which have a security proof in the standard model, yet they offer performance competitive with all known random-oracle based schemes.
Abstract: We propose two constructions of chosen-ciphertext secure identity-based encryption (IBE) schemes. Our schemes have a security proof in the standard model, yet they offer performance competitive with all known random-oracle based schemes. The efficiency improvement is obtained by combining modifications of the IBE schemes by Waters [38] and Gentry [21] with authenticated symmetric encryption.

Journal ArticleDOI
TL;DR: In this paper, the generic construction of hybrid encryption schemes is presented, which produces more efficient schemes than the ones known before, and it allows immediate conversion from a class of threshold public-key encryption to a threshold hybrid one without considerable overhead.
Abstract: This paper presents a novel framework for the generic construction of hybrid encryption schemes which produces more efficient schemes than the ones known before. A previous framework introduced by Shoup combines a key encapsulation mechanism (KEM) and a data encryption mechanism (DEM). While it is sufficient to require both components to be secure against chosen ciphertext attacks (CCA-secure), Kurosawa and Desmedt showed a particular example of a KEM that is not CCA-secure but can be securely combined with a specific type of CCA-secure DEM to obtain a more efficient, CCA-secure hybrid encryption scheme. There are also many other efficient hybrid encryption schemes in the literature that do not fit into Shoup's framework. These facts serve as motivation to seek another framework. The framework we propose yields more efficient hybrid schemes, and in addition provides insightful explanation about existing schemes that do not fit into the previous framework. Moreover, it allows immediate conversion from a class of threshold public-key encryption to a threshold hybrid one without considerable overhead, which may not be possible in the previous approach.

Journal ArticleDOI
TL;DR: This Letter proposes two different attacks on a recently proposed chaotic cryptosystem for images and videos, both exploiting a weakness in the generation of the keystream, and proposes making the cryptosystem robust against the described attacks by redesigning it in a PCBC mode.
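The weakness behind this attack and the hyper-chaos attack listed above (a keystream and permutation that do not depend on the plaintext), as an added example that is not code from either Letter or from the schemes they break. The cipher here is a constructed stand-in typical of the genre: a pixel permutation obtained by sorting a logistic-map orbit, followed by XOR with a keystream derived from a second orbit; the key is the two initial conditions and the map parameter. Two chosen plaintexts suffice: the all-zero image returns the keystream unchanged (zeros are invariant under any permutation), and an image whose pixel values are their own indices then reveals the permutation. Together they form an equivalent key that decrypts any further image without the secret.

```python
"""Chosen-plaintext attack on a permutation + keystream chaotic image cipher (added example)."""


def logistic_orbit(x0: float, r: float, n: int, skip: int = 200):
    # Iterate x <- r*x*(1-x); the transient prefix is discarded. Floating-point
    # orbits like this are also what the cryptanalysis papers above criticise.
    x = x0
    for _ in range(skip):
        x = r * x * (1.0 - x)
    orbit = []
    for _ in range(n):
        x = r * x * (1.0 - x)
        orbit.append(x)
    return orbit


def key_permutation(x0: float, r: float, n: int):
    # Confusion stage: argsort of a chaotic orbit gives a pixel permutation.
    orbit = logistic_orbit(x0, r, n)
    return sorted(range(n), key=lambda i: orbit[i])


def key_stream(x0: float, r: float, n: int):
    # Diffusion stage: one keystream byte per pixel from a second orbit.
    return [int(x * 2**32) & 0xFF for x in logistic_orbit(x0, r, n)]


def encrypt(key, img):
    # key = (x0 for the permutation, x0 for the keystream, map parameter r);
    # img is a flat list of pixel bytes. Nothing here depends on img itself.
    x_perm, x_diff, r = key
    n = len(img)
    perm = key_permutation(x_perm, r, n)
    ks = key_stream(x_diff, r, n)
    shuffled = [img[perm[i]] for i in range(n)]
    return [shuffled[i] ^ ks[i] for i in range(n)]


def decrypt(key, c):
    x_perm, x_diff, r = key
    n = len(c)
    perm = key_permutation(x_perm, r, n)
    ks = key_stream(x_diff, r, n)
    img = [0] * n
    for i in range(n):
        img[perm[i]] = c[i] ^ ks[i]
    return img


def chosen_plaintext_attack(oracle, n):
    # oracle(img) returns encrypt(secret_key, img). Two queries recover an
    # equivalent key (keystream + permutation) for images of n pixels.
    assert n <= 256, "index-valued image must fit in one byte per pixel"
    ks = oracle([0] * n)                # zeros are fixed by the permutation
    c = oracle(list(range(n)))          # pixel value == its original index
    perm = [c[i] ^ ks[i] for i in range(n)]
    return ks, perm


def decrypt_without_key(ks, perm, c):
    img = [0] * len(c)
    for i in range(len(c)):
        img[perm[i]] = c[i] ^ ks[i]
    return img
```

The attack is independent of the chaotic map chosen: any design whose permutation and keystream are fixed by the key alone yields an equivalent key after a handful of chosen (or even known) plaintexts, which is what pushes the Letter toward plaintext-dependent chaining.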

Book ChapterDOI
13 Apr 2008
TL;DR: The only previously known KDM-secure construction, due to Black, Rogaway, and Shrimpton, was proven secure only in the random oracle model; this work presents symmetric encryption schemes that are KDM secure in the standard model (without random oracles) at the price of a relaxed, but still useful, notion of key-dependent message security.
Abstract: Standard security notions for encryption schemes do not guarantee any security if the encrypted messages depend on the secret key. Yet it is exactly the stronger notion of security in the presence of key-dependent messages (KDM security) that is required in a number of applications: most prominently, KDM security plays an important role in analyzing cryptographic multi-party protocols in a formal calculus. But although often assumed, the mere existence of KDM secure schemes is an open problem. The only previously known construction was proven secure in the random oracle model. We present symmetric encryption schemes that are KDM secure in the standard model (i.e., without random oracles). The price we pay is that we achieve only a relaxed (but still useful) notion of key-dependent message security. Our work answers (at least partially) an open problem posed by Black, Rogaway, and Shrimpton. More concretely, our contributions are as follows: 1. We present a (stateless) symmetric encryption scheme that is information-theoretically secure in the face of a bounded number and length of encryptions for which the messages depend in an arbitrary way on the secret key. 2. We present a stateful symmetric encryption scheme that is computationally secure in the face of an arbitrary number of encryptions for which the messages depend only on the respective current secret state/key of the scheme. The underlying computational assumption is minimal: we assume the existence of one-way functions. 3. We give evidence that the only previously known KDM secure encryption scheme cannot be proven secure in the standard model (i.e., without random oracles).
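The abstract's opening claim, that standard security says nothing about key-dependent messages, shown with the textbook separation as an added example (not a construction from this paper, and not its relaxed notion). The base scheme is a constructed one-time pad whose pad is SHA-256 of the key and a fresh nonce, IND-CPA if SHA-256 is modelled as a random oracle. The modified scheme behaves identically except when asked to encrypt the key itself, which an IND-CPA adversary cannot do without already knowing the key, so it is just as IND-CPA secure; yet a single key-dependent query (the length-one key cycle from the circular-security abstract earlier on this page) hands over the key in the clear.

```python
"""IND-CPA security does not imply KDM security (added example)."""
import hashlib
import os

KEY_LEN = 32  # the toy scheme encrypts exactly 32-byte messages


def base_encrypt(k: bytes, m: bytes) -> bytes:
    # Pad = SHA-256(k || nonce); a fresh nonce per message gives IND-CPA
    # security when SHA-256 is modelled as a random oracle (assumption).
    assert len(k) == KEY_LEN and len(m) == KEY_LEN
    nonce = os.urandom(16)
    pad = hashlib.sha256(k + nonce).digest()
    return nonce + bytes(a ^ b for a, b in zip(m, pad))


def base_decrypt(k: bytes, c: bytes) -> bytes:
    nonce, body = c[:16], c[16:]
    pad = hashlib.sha256(k + nonce).digest()
    return bytes(a ^ b for a, b in zip(body, pad))


def kdm_broken_encrypt(k: bytes, m: bytes) -> bytes:
    # Identical to base_encrypt on every message an IND-CPA adversary can
    # submit; only the message m == k (unguessable to that adversary) is
    # special-cased. Leading byte marks which branch was taken.
    if m == k:
        return b"\x01" + k
    return b"\x00" + base_encrypt(k, m)


def kdm_broken_decrypt(k: bytes, c: bytes) -> bytes:
    if c[0] == 1:
        return c[1:]
    return base_decrypt(k, c[1:])


def recover_key_from_self_encryption(c: bytes):
    # Attacker's view: a published encryption of the key under itself.
    return c[1:] if c[0] == 1 else None


def constructed_key() -> bytes:
    # Deterministic demo key; a real deployment would use os.urandom(32).
    return hashlib.sha256(b"constructed demo key").digest()
```

Any scheme proven only IND-CPA (or even IND-CCA) can be patched in this way without invalidating its proof, which is why KDM and circular security have to be stated and proved as separate notions.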

Journal ArticleDOI
TL;DR: This work formalizes the concept of a secure timed-release public-key cryptosystem and shows that, if a third party is relied upon to guarantee decryption after the specified date, this concept is equivalent to identity-based encryption; this explains the observation that all known constructions use identity-based encryption to achieve timed-release security.
Abstract: A timed-release cryptosystem allows a sender to encrypt a message so that only the intended recipient can read it only after a specified time. We formalize the concept of a secure timed-release public-key cryptosystem and show that, if a third party is relied upon to guarantee decryption after the specified date, this concept is equivalent to identity-based encryption; this explains the observation that all known constructions use identity-based encryption to achieve timed-release security. We then give several provably-secure constructions of timed-release encryption: a generic scheme based on any identity-based encryption scheme, and two more efficient schemes based on the existence of cryptographically admissible bilinear mappings. The first of these is essentially as efficient as the Boneh-Franklin Identity-Based encryption scheme, and is provably secure and authenticated in the random oracle model; the final scheme is not authenticated but is provably secure in the standard model (i.e., without random oracles).

Journal ArticleDOI
TL;DR: An algorithm for embedding compression in the Baptista-type chaotic cryptosystem is proposed and it is shown that the compression performance on standard test files is satisfactory while the security is not compromised.
Abstract: An algorithm for embedding compression in the Baptista-type chaotic cryptosystem is proposed. The lookup table used for encryption is determined adaptively by the probability of occurrence of plaintext symbols. As a result, more probable symbols will have a higher chance to be visited by the chaotic search trajectory. The required number of iterations is small and can be represented by a short code. The compression capability is thus achieved. Simulation results show that the compression performance on standard test files is satisfactory while the security is not compromised. Our scheme also guarantees that the ciphertext is not longer than the plaintext.

Journal ArticleDOI
TL;DR: This paper presents an efficient certificate-based encryption scheme which is fully secure in the standard model and more efficient (in terms of computational cost and ciphertext size) than any of the previous constructions known without random oracles.

Book ChapterDOI
08 Apr 2008
TL;DR: An identity-based threshold key-insulated encryption (IBTKIE) scheme is proposed that is proved to be semantically secure without random oracles and greatly enhances the security of the system, but also provides flexibility and efficiency.
Abstract: With more and more cryptosystems being deployed on insecure environments such as mobile devices, key exposures appear to be unavoidable. This is perhaps the most devastating attack on a cryptosystem, since it typically means that security is entirely lost. This problem is especially hard to tackle in identity-based encryption (IBE) settings, where the public key is determined as a user's identity and is not desirable to be changed. In this paper, we extend Dodis et al.'s key-insulation idea and present a new paradigm named threshold key-insulation. The new paradigm not only greatly enhances the security of the system, but also provides flexibility and efficiency. To deal with the key-exposure problem in IBE settings, we further propose an identity-based threshold key-insulated encryption (IBTKIE) scheme. The proposed scheme is proved to be semantically secure without random oracles.

Proceedings ArticleDOI
03 Aug 2008
TL;DR: A new digital image encryption scheme based on variable parameters double logistic systems is presented, which possesses the features of large key spaces, sensitive key dependence, and good security.
Abstract: Research on chaos-based image encryption schemes is becoming increasingly popular; unfortunately, most of the algorithms proposed provide poor security because of their failure to resist attacks. A new digital image encryption scheme based on variable-parameter double logistic systems is presented. The subkey sequences are generated after optimizing and adjusting the chaotic maps, which have a certain relation to the plaintext; this enhances the security of the cryptosystem. The analysis and the simulation results imply that this encryption scheme possesses the features of a large key space, sensitive key dependence, and good security. In particular, this algorithm is able to effectively resist traditional attacks.

Proceedings ArticleDOI
27 Oct 2008
TL;DR: An automated procedure for analyzing generic asymmetric encryption schemes in the random oracle model is presented and it has been applied to several examples of encryption schemes among which the construction of Bellare-Rogaway 1993, of Pointcheval at PKC'2000 and REACT.
Abstract: Chosen-ciphertext security is by now a standard security property for asymmetric encryption. Many generic constructions for building secure cryptosystems from primitives with lower level of security have been proposed. Providing security proofs has also become standard practice. There is, however, a lack of automated verification procedures that analyze such cryptosystems and provide security proofs. This paper presents an automated procedure for analyzing generic asymmetric encryption schemes in the random oracle model. It has been applied to several examples of encryption schemes among which the construction of Bellare-Rogaway 1993, of Pointcheval at PKC'2000 and REACT.

Book ChapterDOI
07 Jul 2008
TL;DR: A new family of encryption schemes are described that satisfy precise definitions for a wide variety of allowed transformations T, and which are secure under the standard Decisional Diffie-Hellman (DDH) assumption.
Abstract: We address the problem of constructing public-key encryption schemes that meaningfully combine useful computability features with non-malleability. In particular, we investigate schemes in which anyone can change an encryption of an unknown message m into an encryption of T(m) (as a feature), for a specific set of allowed functions T, but the scheme is "non-malleable" with respect to all other operations. We formulate precise definitions that capture these intuitive requirements and also show relationships among our new definitions and other more standard ones (IND-CCA, gCCA, and RCCA). We further justify our definitions by showing their equivalence to a natural formulation of security in the Universally Composable framework. We also consider extending the definitions to features which combine multiple ciphertexts, and show that a natural definition is unattainable for a useful class of features. Finally, we describe a new family of encryption schemes that satisfy our definitions for a wide variety of allowed transformations T, and which are secure under the standard Decisional Diffie-Hellman (DDH) assumption.

Book ChapterDOI
17 Aug 2008
TL;DR: The notion of a Public-Key Encryption Scheme that is also a Locally-Decodable Error-Correcting Code (PKLDC) is introduced, which means that for messages of length n, the authors can decode a bit of the plaintext from a corrupted ciphertext while doing computation sublinear in n.
Abstract: In this paper we introduce the notion of a Public-Key Encryption Scheme that is also a Locally-Decodable Error-Correcting Code (PKLDC). In particular, we allow any polynomial-time adversary to read the entire ciphertext, and corrupt a constant fraction of the bits of the entire ciphertext. Nevertheless, the decoding algorithm can recover any bit of the plaintext with all but negligible probability by reading only a sublinear number of bits of the (corrupted) ciphertext. We give a general construction of a PKLDC from any Semantically-Secure Public Key Encryption (SS-PKE) and any Private Information Retrieval (PIR) protocol. Since Homomorphic encryption implies PIR, we also show a reduction from any Homomorphic encryption protocol to PKLDC. Applying our construction to the best known PIR protocol (that of Gentry and Ramzan), we obtain a PKLDC, which for messages of size n and security parameter k achieves ciphertexts of size $\mathcal{O}(n)$, public key of size $\mathcal{O}(n+k)$, and locality of size $\mathcal{O}(k^2)$. This means that for messages of length $n = \Omega(k^{2+\epsilon})$, we can decode a bit of the plaintext from a corrupted ciphertext while doing computation sublinear in n.

Proceedings ArticleDOI
04 Mar 2008
TL;DR: An image encryption system based on a special kind of cellular automata (cellular automata with memory), together with an appropriate transition function for the cryptosystem, is proposed, and the use of a lossy method is presented as providing a secure method.
Abstract: In this paper, an image encryption system based on a special kind of cellular automata (cellular automata with memory), together with an appropriate transition function for the cryptosystem, is proposed. Also, a lossy idea is used to present a secure cryptosystem. The use of the lossy method provides a secure method and it is shown that the result is resistant to cryptanalysis attacks, especially known plaintext and chosen plaintext. When the original image is compared with the decrypted image by the human visual system, it is not recognizable which one is decrypted and which one is the original image.

Proceedings ArticleDOI
07 Apr 2008
TL;DR: The proposed RSA encryption scheme is based on the linear group over the ring of integers mod a composite modulus n which is the product of two distinct prime numbers, and is claimed to be efficient, scalable and dynamic.
Abstract: In this paper, we propose an efficient RSA public key encryption scheme, which is an improved version of the original RSA scheme. The proposed RSA encryption scheme is based on the linear group over the ring of integers mod a composite modulus n which is the product of two distinct prime numbers. In the proposed scheme the original message and the encrypted message are h x h square matrices with entries in $\mathbb{Z}_n$, denoted $GL(h, \mathbb{Z}_n)$. The original RSA scheme is a block cipher in which the original message and cipher message are integers in the interval [0, n-1] for some integer modulus n. Therefore, in this paper, we generalize the RSA encryption scheme in order to be implemented in the general linear group on the ring of integers mod n. Furthermore, the suggested encryption scheme has no restriction on encryption and decryption order and is claimed to be efficient, scalable and dynamic.

Book ChapterDOI
10 Sep 2008
TL;DR: This paper proposes a new Certificate-Based Encryption (CBE) scheme which is fully secure in the standard model, and achieves chosen ciphertext (CCA) security directly without any transformation.
Abstract: In this paper, we propose a new Certificate-Based Encryption (CBE) scheme which is fully secure in the standard model. We achieve chosen ciphertext (CCA) security directly without any transformation. When compared to all previous generic constructions (in either the random oracle or the standard model), our scheme is far more efficient than those schemes. When compared to the CBE scheme in [16] (which is the only concrete implementation secure in the standard model), we enjoy a great improvement in terms of space efficiency. Their scheme requires more than 160 group elements for the public parameters in order to gain an acceptable security. Our scheme just requires 5 group elements. In addition, the message space of our scheme is almost double that of [16]. A larger message space implies that it requires a smaller number of encryption operations of the same plaintext, resulting in a smaller overall ciphertext and overhead as well.