International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Papers from EPRINT 2005

Year
Venue
Title
2005
EPRINT
(De)Compositions of Cryptographic Schemes and their Applications to Protocols
The main result of this paper is that the Dolev-Yao model is a safe abstraction of the computational model for security protocols including those that combine asymmetric and symmetric encryption, signature and hashing. Moreover, message forwarding and private key transmission are allowed. To our knowledge this is the first result that deals with hash functions and the combination of these cryptographic primitives. A key step towards this result is a general definition of correction of cryptographic primitives, that unifies well known correctness criteria such as IND-CPA, IND-CCA, unforgeability etc.... and a theorem that allows to reduce the correctness of a composition of two cryptographic schemes to the correctness of each one.
2005
EPRINT
3C- A Provably Secure Pseudorandom Function and Message Authentication Code.A New mode of operation for Cryptographic Hash Function
We propose a new cryptographic construction called 3C, which works as a pseudorandom function (PRF), message authentication code (MAC) and cryptographic hash function. The 3C-construction is obtained by modifying the Merkle-Damgard iterated construction used to construct iterated hash functions. We assume that the compression functions of Merkle-Damgard iterated construction realize a family of fixed-length-input pseudorandom functions (FI-PRFs). A concrete security analysis for the family of 3C- variable-length-input pseudorandom functions (VI-PRFs) is provided in a precise and quantitative manner. The 3C- VI-PRF is then used to realize the 3C- MAC construction called one-key NMAC (O-NMAC). O-NMAC is a more efficient variant of NMAC and HMAC in the applications where key changes frequently and the key cannot be cached. The 3C-construction works as a new mode of hash function operation for the hash functions based on Merkle-Damgard construction such as MD5 and SHA-1. The generic 3C- hash function is more resistant against the recent differential multi-block collision attacks than the Merkle-Damgard hash functions and the extension attacks do not work on the 3C- hash function. The 3C-X hash function is the simplest and efficient variant of the generic 3C hash function and it is the simplest modification to the Merkle-Damgard hash function that one can achieve. We provide the security analysis for the functions 3C and 3C-X against multi-block collision attacks and generic attacks on hash functions. We combine the wide-pipe hash function with the 3C hash function for even better security against some generic attacks and differential attacks. The 3C-construction has all these features at the expense of one extra iteration of the compression function over the Merkle-Damgard construction.
2005
EPRINT
A 32-bit RC4-like Keystream Generator
In this paper we propose a new 32-bit RC4 like keystream generator. The proposed generator produces 32 bits in each iteration and can be implemented in software with reasonable memory requirements. Our experiments show that this generator is 3.2 times faster than original 8-bit RC4. It has a huge internal state and offers higher resistance against state recovery attacks than the original 8-bit RC4. We analyze the randomness properties of the generator using a probabilistic approach. The generator is suitable for high speed software encryption.
2005
EPRINT
A Chosen Ciphertext Attack on a Public Key Cryptosystem Based on Lyndon Words
In this paper, we present a chosen ciphertext attack against a public key cryptosysten based on Lyndon words \cite{sm}. We show that, provided that an adversary has access to a decryption oracle, a key equivalent to the secret key can be constructed efficiently, i.e. in linear time.
2005
EPRINT
A Computationally Sound Mechanized Prover for Security Protocols
We present a new mechanized prover for secrecy properties of cryptographic protocols. In contrast to most previous provers, our tool does not rely on the Dolev-Yao model, but on the computational model. It produces proofs presented as sequences of games; these games are formalized in a probabilistic polynomial-time process calculus. Our tool provides a generic method for specifying security properties of the cryptographic primitives, which can handle shared- and public-key encryption, signatures, message authentication codes, and hash functions. Our tool produces proofs valid for a number of sessions polynomial in the security parameter, in the presence of an active adversary. We have implemented our tool and tested it on a number of examples of protocols from the literature.
2005
EPRINT
A Construction of Public-Key Cryptosystem Using Algebraic Coding on the Basis of Superimposition and Randomness
In this paper, we present a new class of public-key cryptosystem (PKC) using algebraic coding on the basis of superimposition and randomness. The proposed PKC is featured by a generator matrix, in a characteristic form, where the generator matrix of an algebraic code is repeatedly used along with the generator matrix of a random code, as sub-matrices. This generator matrix, in the characteristic form, will be referred to as $K$-matrix. We show that the $K$-matrix yields the following advantages compared with the conventional schemes: \begin{description} \item [(i)] It realizes an abundant supply of PKCs, yielding more secure PKCs. \item [(i\hspace{-.1em}i)] It realizes a fast encryption and decryption process. \end{description}
2005
EPRINT
A Counter-based MAC Revisited: Towards Better Security
Bellare, Guerin, and Rogaway proposed a very efficient and secure message authentication scheme. By slightly modifying it, this article shows that the security is improved.
2005
EPRINT
A Dedicated Processor for the eta Pairing
The $\eta$ pairing is an efficient computation technique based on a generalization of the Duursma Lee method for calculating the Tate pairing. The pairing can be computed very efficiently on genus 2 hyperelliptic curves. In this paper it is demonstrated that this pairing operation is well suited to a dedicated parallel hardware implementation. An $\eta$ pairing processor is described in detail and the architectures required for such a system are discussed. Prototype implementation results are presented over a base field of $\mathbb{F}_{2^{103}}$ and the advantages of implementing the pairing on the dedicated processor are discussed.
2005
EPRINT
A Distinguish attack on COSvd Ciphers
Abstract: The COSvd Ciphers has been proposed by Filiol and others (2004). It is a strengthened version of COS stream cipher family denoted COSvd that has been adopted for at least one commercial standard. We propose a distinguish attack on this version, and prove that, it is distinguishable from a random stream. In the COSvd Cipher used one S-Box (10?8) on the final part of cipher. We focus on S-Box and use weakness this S-Box for distinguish attack. In addition, found a leak on HNLL that the sub s-boxes don?t select uniformly. We use this property for an Improve distinguish attack.
2005
EPRINT
A fast parallel scalar multiplication against side-channel analysis for elliptic curve cryptosystem over prime fields
The scalar multiplication is the dominant operation in Elliptic Curve Cryptosystems (ECC). In this paper, we propose a modified width?Cw window method to compute the scalar multiplication efficiently and securely against side?Cchannel analysis, based on the side?Cchannel atomicity introduced by Benoit Chevallier?CMames. Utilizing this window method, we propose a new parallel scalar multiplication algorithm, which is secure against side?Cchannel analysis and more efficient than existing ones.
2005
EPRINT
A Fuzzy Sketch with Trapdoor
In 1999, Juels and Wattenberg introduce an effective construction of Fuzzy Sketch, i.e. a way of handling errors into string verification. This allows them to consider data varying into time, such as, for instance, answers to a list of subjective questions. To this end, they utilize an Error Correcting Code. We here show how to embed a trapdoor into Fuzzy Sketches, reducing to authorized people the ability to correct errors and thus to verify the fuzzy equality to the Fuzzy Sketch.
2005
EPRINT
A High Speed Architecture for Galois/Counter Mode of Operation (GCM)
In this paper we present a fully pipelined high speed hardware architecture for Galois/Counter Mode of Operation (GCM) by analyzing the data dependencies in the GCM algorithm at the architecture level. We show that GCM encryption circuit and GCM authentication circuit have similar critical path delays resulting in an efficient pipeline structure. The proposed GCM architecture yields a throughput of 34 Gbps running at 271 MHz using a 0.18 um CMOS standard cell library.
2005
EPRINT
A Key Establishment IP-Core for Ubiquitous Computing
A most critical and complex issue with regard to constrained devices in the ubiquitous and pervasive computing setting is secure key exchange. The restrictions motivate the investigation and discussion of alternative solutions. We suggest a low hardware-complexity solution for authenticated symmetric key exchange, using a Tree Parity Machine Rekeying Architecture. An authenticated key exchange is formulated from within the tree parity machine interaction concept and requires only few transmissions. It averts a Man-In-The-Middle attack and the currently known attacks on the non-numbertheoretic on principle. A key exchange can be performed within a few milliseconds, given typical limited bandwidth wireless communication channels. A flexible rekeying functionality enables the exploitation of the achievable key exchange rates. Characteristics of a standard-cell ASIC design realization as IP-core in 0.18 micron CMOS-technology are evaluated.
2005
EPRINT
A lower bound on the higher order nonlinearity of algebraic immune functions
We extend the lower bound, obtained by M. Lobanov, on the first order nonlinearity of functions with given algebraic immunity, into a bound on the higher order nonlinearities.
2005
EPRINT
A Matching Lower Bound on the Minimum Weight of SHA-1 Expansion Code
Recently, Wang, Yin, and Yu have used a low weight codeword in the SHA-1 message expansion to show a better than brute force method to find collisions in SHA-1. The codeword they used has a (bit) weight of 25 in the last 60 of the 80 expanded words. In this paper we show, using a computer assisted method, that this is indeed the smallest weight codeword. In particular, we show that the minimum weight over GF2 of any non-zero codeword in the SHA-1 (linear) message expansion code, projected on the last 60 words, is at least 25.
2005
EPRINT
A Metric on the Set of Elliptic Curves over ${\mathbf F}_p$
Elliptic Curves over finite field have found application in many areas including cryptography. In the current article we define a metric on the set of elliptic curves defined over a prime field ${\mathbf F}_p, p>3$.
2005
EPRINT
A model and architecture for pseudo-random generation with applications to /dev/random
We present a formal model and a simple architecture for robust pseudorandom generation that ensures resilience in the face of an observer with partial knowledge/control of the generator's entropy source. Our model and architecture have the following properties: 1 Resilience: The generator's output looks random to an observer with no knowledge of the internal state. This holds even if that observer has complete control over data that is used to refresh the internal state. 2 Forward security: Past output of the generator looks random to an observer, even if the observer learns the internal state at a later time. 3 Backward security/Break-in recovery: Future output of the generator looks random, even to an observer with knowledge of the current state, provided that the generator is refreshed with data of sufficient entropy. Architectures such as above were suggested before. This work differs from previous attempts in that we present a formal model for robust pseudo-random generation, and provide a formal proof within this model for the security of our architecture. To our knowledge, this is the first attempt at a rigorous model for this problem. Our formal modeling advocates the separation of the *entropy extraction* phase from the *output generation* phase. We argue that the former is information-theoretic in nature, and could therefore rely on combinatorial and statistical tools rather than on cryptography. On the other hand, we show that the latter can be implemented using any standard (non-robust) cryptographic PRG. We also discuss the applicability of our architecture for applications such as /dev/(u)random in Linux and pseudorandom generation on smartcards.
2005
EPRINT
A New Approach to Counteract DPA Attacks on Block Ciphers
Since the publication of Differential Power Analysis (DPA) in 1998, many countermeasures have been published to counteract this very efficient kind of attacks. All these countermeasures follow the same approach : they try to make sensitive operations uncorrelated with the input. Such a method is very costly in terms of both timing and memory space. In this paper, we suggest a new approach where block ciphers are designed to inherently thwart DPA attacks. The idea we develop in this paper is based on a theoretical analysis of DPA attacks and it essentially consists in embedding existing iterated block ciphers in a secure layer. We analyse the security of our proposal and we show that it induces very small overheads.
2005
EPRINT
A New Efficient Algorithm for Solving Systems of Multivariate Polynomial Equations
The security of many recently proposed cryptosystems is based on the difficulty of solving large systems of quadratic multivariate polynomial equations. The classical algorithm for solving such a system is Buchberger's algorithm for constructing Gr\"{o}bner bases. Another algorithm for solving such a system is XL algorithm. For sparse system, Buchberger's algorithm benefits from sparsity of the system, but its complexity is impractical and hard to determine. XL could not make a good use of sparse structure of the system, since XL has no good strategy of choosing the multiply monomials. In this paper, based on Extended Dixon Resultants, a new algorithm DR is proposed to solve systems of multivariate polynomial equations. The basic idea of DR is to apply Extended Dixon Resultants method to system of multivariate polynomial equations, by taking $x_1 \ldots x_{n-1}$ as variables and $x_n$ as parameter. The time complexity of DR technique is evaluated, it seems to be polynomial when the system is sparse and $m=n$ and mixed volume is polynomial. As far as we know, it is the first algorithm which has better behavior than exhaustive search for some sparse systems over large field. Moreover, DR technique is compared with Buchberger's algorithm and XL technique in this paper. It is shown that DR is far more efficient than Buchberger's algorithm and XL when $m=n$. DR is a quite efficient algorithm, it makes a good use of the sparsity of the sparse system. Besides its efficiency, another advantage of DR is that its complexity is easy to determine.
2005
EPRINT
A New Efficient ID-Based Authenticated Key Agreement Protocol
Recently Eun-Kyung Ryu, Eun-Jun Yoon, and Kee-Young Yoo proposed an efficient ID-based authenticated key agreement with paring.They argued that it is secure and efficient. In this paper, we show this protocol is doesn't satisfy the Key-Compromise Impersonate property and it is not secure against key reveal attack. Then we propose our protocol from this protocol and shim's protocol, its security and efficiency was analyzed.
2005
EPRINT
A new key exchange protocol based on the decomposition problem
In this paper we present a new key establishment protocol based on the decomposition problem in non-commutative groups which is: given two elements w, w_1 of the platform group G and two subgroups A, B of G (not necessarily distinct), find elements a in A, b in B such that w_1 = a w b. Here we introduce two new ideas that improve the security of key establishment protocols based on the decomposition problem. In particular, we conceal (i.e., do not publish explicitly) one of the subgroups A, B, thus introducing an additional computationally hard problem for the adversary, namely, finding the centralizer of a given finitely generated subgroup.
2005
EPRINT
A New Protocol for Conditional Disclosure of Secrets And Its Applications
Many protocols that are based on homomorphic encryption are private only if a client submits inputs from a limited range $S$. Conditional disclosure of secrets (CDS) helps to overcome this restriction. In a CDS protocol for a set $S$, the client obtains server's secret if and only if the client's inputs belong to $S$ and thus the server can guard itself against malformed queries. We extend the existing CDS protocols to work over additively homomorphic cryptosystems for every set from $NP/poly$. The new construction is modular and easy to apply. As an example, we derive a new oblivious transfer protocol with log-squared communication and a millionaire's protocol with logarithmic communication. We also implement private, universally verifiable and robust multi-candidate electronic voting so that all voters only transmit an encryption of their vote. The only hardness assumption in all these protocols is that the underlying public-key cryptosystem is IND-CPA secure and the plaintext order does not have small factors.
2005
EPRINT
A New Rabin-type Trapdoor Permutation Equivalent to Factoring and Its Applications
Public key cryptography has been invented to overcome some key management problems in open networks. Although nearly all aspects of public key cryptography rely on the existence of trapdoor one-way functions, only a very few candidates of this primitive have been observed yet. In this paper, we introduce a new trapdoor one-way permutation based on the hardness of factoring integers of $p^2q$-type. We also propose a variant of this function with a different domain that provides some advantages for practical applications. To confirm this statement, we develop a simple hybrid encryption scheme based on our proposed trapdoor permutation that is CCA-secure in the random oracle model.
2005
EPRINT
A New Short Signature Scheme Without Random Oracles from Bilinear Pairings
In this paper, we propose a new signature scheme that is existentially unforgeable under a chosen message attack without random oracle. The security of our scheme depends on a new complexity assumption called the $k$+1 square roots assumption. We also discuss the relationship between the $k$+1 square roots assumption and some related problems and provide some conjectures. Moreover, the $k$+1 square roots assumption can be used to construct shorter signatures under the random oracle model. As some applications, a new chameleon hash signature scheme and a on-line/off-line signature scheme and a new efficient anonymous credential scheme based on the proposed signature scheme are presented.
2005
EPRINT
A new structural attack for GPT and variants
In this paper we look at the Gabidulin version of the McEliece cryptosystem (GPT) and its variants. We propose a new polynomial time attack on the private key, which is applicable to all variants proposed so far, breaking some of them completely.
2005
EPRINT
A Note on Secure Key Issuing in ID-based Cryptography
Most recently, Lee B. et al proposed a key issuing protocol for ID-based cryptography to solve the key escrow problem. However in this letter, we show that a malicious key generation center (KGC) can successfully attack the protocol to obtain users?? private keys. This means that in the protocol, the key escrow problem isn??t really removed.
2005
EPRINT
A Note on Shor's Quantum Algorithm for Prime Factorization
It's well known that Shor[1] proposed a polynomial time algorithm for prime factorization by using quantum computers. For a given number $n$, he gave an algorithm for finding the order $r$ of an element $x$ (mod $n$) instead of giving an algorithm for factoring $n$ directly. The indirect algorithm is feasible because factorization can be reduced to finding the order of an element by using randomization[2]. But a point should be stressed that the order of the number must be even. Actually, the restriction can be removed in a particular case. In this paper, we show that factoring RSA modulus (a product of two primes) only needs to find the order of $2$, whether it is even or not.
2005
EPRINT
A Note on the Kasami Power Function
This work is motivated by the observation that the function $\F{m}$ to $\F{m}$ defined by $x^d+(x+1)^d+a$ for some $a\in \F{m}$ can be used to construct difference sets. A desired condition is, that the function $\varphi _d(x):=x^d+(x+1)^d$ is a $2^s$-to-1 mapping. If $s=1$, then the function $x^d$ has to be APN. If $s>1$, then there is up to equivalence only one function known: The function $\varphi _d$ is a $2^s$-to-1 mapping if $d$ is the Gold parameter $d=2^k+1$ with $\gcd (k,m)=s$. We show in this paper, that $\varphi _d$ is also a $2^s$-to-1 mapping if $d$ is the Kasami parameter $d=2^{2k}-2^k+1$ with $\gcd (k,m)=s$ and $m/s$ odd. We hope, that this observation can be used to construct more difference sets.
2005
EPRINT
A note on the n-spendable extension of Ferguson's single-term off-line coins
We show that an adversary can over-spend a coin n(n+1)! times without being detected and identified in the n-spendable extension of Ferguson's single-term off-line coin, simply by permuting the witness messages in the three-move zero-knowledge proof payment protocol. We repair the detection scheme by adding a simple verification rule in the payment protocol. We repair the identification scheme by restricting the identity format.
2005
EPRINT
A plausible approach to computer-aided cryptographic proofs
This paper tries to sell a potential approach to making the process of writing and verifying our cryptographic proofs less prone to errors. Specifically, I advocate creating an automated tool to help us with the mundane parts of writing and checking common arguments in our proofs. On a high level, this tool should help us verify that two pieces of code induce the same probability distribution on some of their common variables. In this paper I explain why I think that such a tool would be useful, by considering two very different proofs of security from the literature and showing the places in those proofs where having this tool would have been useful. I also explain how I believe that this tool can be built. Perhaps surprisingly, it seems to me that the functionality of such tool can be implemented using only ``static code analysis'' (i.e., things that compilers do).
2005
EPRINT
A Practical Attack on the Root Problem in Braid Groups
Using a simple heuristic approach to the root problem in braid groups, we show that cryptographic parameters proposed in this context must be considered as insecure. In our experiments we can, often within seconds, extract the secret key of an authentication system based on the root problem in braid groups.
2005
EPRINT
A Presentation on VEST Hardware Performance, Chip Area Measurements, Power Consumption Estimates and Benchmarking in Relation to the AES, SHA-256 and SHA-512
A wide-sweeping multi-dimensional analysis and comparison between VEST and the hardware implementations of the AES, AES-HMAC and SHA-2 primitives.
2005
EPRINT
A Probabilistic Hoare-style logic for Game-based Cryptographic Proofs (Extended Version)
We extend a Probabilistic Hoare-style logic to formalize game-based cryptographic proofs. Our approach provides a systematic and rigorous framework, thus preventing errors from being introduced. We illustrate our technique by proving semantic security of ElGamal.
2005
EPRINT
A Provably Secure and Efficient Verifiable Shuffle based on a Variant of the Paillier Cryptosystem
We propose a variant of the Paillier cryptosystem that improves efficiency in encryption, re-encryption and decryption while preserving the homomorphic property. We then use this variant to construct a new verifiable shuffle system and prove its security. We show that the new shuffle scheme has the least number of rounds and exponentiations compared to all known shuffle schemes. Finally, we show how to construct a publicly verifiable mix-net using the shuffle system.
2005
EPRINT
A Public Key Cryptosystem Based on Singular Cubic Curve
An efficient and semantically secure public key cryptosystem based on singular cubic curve is proposed in this paper. It is about two times faster than the cryptosystem of David at the same security label and more efficient than the Koyama scheme at high security level. Further, the partially known plaintext attack and the linearly related plaintext attacks are analyzed and concluded that those are not possible in the proposed scheme.
2005
EPRINT
A QKD Protocol Extendable to Support Entanglement and Reduce Unauthorized Information Gain by Randomizing the Bases Lists with Key Values and Invalidate Explicit Privacy Amplification
This paper suggests an improvement to the BB84 scheme in Quantum key distribution. The original scheme has its weakness in letting quantifiably more information gain to an eavesdropper during public announcement of unencrypted bases lists. The security of the secret key comes at the expense of the final key length. We aim at exploiting the randomness of preparation (measurement) basis and the bit values encoded (observed), so as to randomize the bases lists before they are communicated over the public channel. A proof of security is given for our scheme and proven that our protocol results in lesser information gain by Eve in comparison with BB84 and its other extensions. Moreover, an analysis is made on the feasibility of our proposal as such and to support entanglement based QKD. The performance of our protocol is compared in terms of the upper and lower bounds on the tolerable bit error rate. We also quantify the information gain (by Eve) mathematically using the familiar approach of the concept of Shannon entropy. The paper models the attack by Eve in terms of interference in a multi-access quantum channel. Besides, this paper also hints at the invalidation of a separate privacy amplification step in the "prepare-and-measure" protocols in general.
2005
EPRINT
A Scalable, Delegatable Pseudonym Protocol Enabling Ownership Transfer of RFID Tags
The ability to link two different sightings of the same Radio Frequency Identification (RFID) tag enables invasions of privacy. The problem is aggravated when an item, and the tag attached to it, changes hands during the course of its lifetime. After such an ownership transfer, the new owner should be able to read the tag but the old owner should not. We address these issues through an RFID pseudonym protocol. Each time it is queried, the RFID tag emits a different pseudonym using a pseudo-random function. Without consent of a special Trusted Center that shares secrets with the tag, it is infeasible to map the pseudonym to the tag's real identity. We present a scheme for RFID pseudonyms that works with legacy, untrusted readers, requires only one message from tag to reader, and is scalable: decoding tag pseudonyms takes work logarithmic in the number of tags. Our scheme further allows for time-limited delegation, so that we can give an RFID reader the power to disambiguate a limited number of pseudonyms without further help from the Trusted Center. We show how RFID pseudonyms facilitate the transfer of ownership of RFID tags between mutually distrustful parties. Our scheme requires only limited cryptographic functionality from the tag: we need a pseudo-random function (PRF) and the ability to update tag state or to generate random numbers. Tag storage and communication requirements are modest: we give example parameters for a deployment of one million tags in which each tag stores only $128$ bits, makes $6$ PRF evaluations, and sends $158$ bits each time it is read.
2005
EPRINT
A Secret Sharing Scheme for Preventing the Cheaters from Acquiring the Secret
In this paper, we propose a secret sharing scheme which prevents the cheaters from recovering the secret when the honest participants cannot, with high probability. The scheme is a (k, n) threshold scheme providing protection against less than k cheaters. It is efficient in terms of share sizes for the participants. Furthermore the total size of the individual shares per participant is less than twice the size of the secret itself. The cheaters can do successful cheating with a probability 1/t, which can be adjusted without significantly increasing the total size of the individual shares. Such a scheme can be deployed in thin client fat server systems where the server has reasonable computational power and there is a high level of mistrust among the users.
2005
EPRINT
A Secure Scheme for Authenticated Encryption
The paper proposes a new scheme of authenticated encryption that is either publicly verifiable or not publicly verifiable depending on the quantity of information the recipient released. This property would give recipient much flexibility in many applications. This scheme combines the ElGamal encryption with Schnorr signature. Considering the security goal of signature, the resultant scheme is at least as secure as that of the combined signature scheme. The security goal of encryption is examined under the chosen ciphertext attack, it is proven directly related to the security of signature. Furthermore, this new scheme is also secure against one-more-decryption attack. This novel security goal may be valuable in the applications of private information retrieval.
2005
EPRINT
A Sender Verifiable Mix-Net and a New Proof of a Shuffle
We introduce the first El Gamal based mix-net in which each mix-server partially decrypts and permutes its input, i.e., no re-encryption is necessary. An interesting property of the construction is that a sender can verify non-interactively that its message is processed correctly. We call this sender verifiability. We prove the security of the mix-net in the UC-framework against static adversaries corrupting any minority of the mix-servers. The result holds under the decision Diffie-Hellman assumption, and assuming an ideal bulletin board and an ideal zero-knowledge proof of knowledge of a correct shuffle. Then we construct the first proof of a decryption-permutation shuffle, and show how this can be transformed into a zero-knowledge proof of knowledge in the UC-framework. The protocol is sound under the strong RSA-assumption and the discrete logarithm assumption. Our proof of a shuffle is not a variation of existing methods. It is based on a novel idea of independent interest, and we argue that it is at least as efficient as previous constructions.
2005
EPRINT
A sequence approach to constructing perfect hash families
A linear $(q^d,q,t)$-perfect hash family of size $s$ in a vector space $V$ of order $q^d$ over a field $F$ of order $q$ consists of a set $\phi_1,\ldots,\phi_s$ of linear functionals from $V$ to $F$ with the following property: for all $t$ subsets $X\subseteq V$ there exists $i\in\{1,\ldots,s\}$ such that $\phi_i$ is injective when restricted to $F$. A linear $(q^d,q,t)$-perfect hash family of minimal size $d(t-1)$ is said to be {\em optimal}. In this paper we extend the theory for linear perfect hash families based on sequences developed by Blackburn and Wild. We develop techniques which we use to construct new optimal linear $(q^2,q,5)$-perfect hash families and $(q^4,q,3)$-perfect hash families. The sequence approach also explains a relationship between linear $(q^3,q,3)$-perfect hash families and linear $(q^2,q,4)$-perfect hash families.
2005
EPRINT
A Share-Correctable Protocol for the Shamir Threshold Scheme and Its Application to Participant Enrollment
Verifiable secret sharing schemes proposed so far can only allow participants to verify whether their shares are correct or not. In this paper, we propose a new protocol which can allow participants not only to verify the correctness of their shares but also to revise the faulty shares. It is achieved in a cooperative way by participants, but without any assistance from the dealer. This protocol, to the best of our knowledge, is the first one providing such kind of ability. Correcting shares by participants instead of the dealer is important in many situations. In addition, this protocol is also useful for adding new participants without the dealer's assistance.
2005
EPRINT
A Simple and Provably Good Code for SHA Message Expansion
We develop a new computer assisted technique for lower bounding the minimum distance of linear codes similar to those used in SHA-1 message expansion. Using this technique, we prove that a modified SHA-1 like code has minimum distance at least 82, and that too in just the last 64 of the 80 expanded words. Further the minimum weight in the last 60 words (last 48 words) is at least 75 (52 respectively). We propose a new compression function which is identical to SHA-1 except for the modified message expansion code. We argue that the high minimum weight of the message expansion code makes the new compression function resistant to recent differential attacks.
2005
EPRINT
A Simplified Quadratic Frobenius Primality Test
The publication of the quadratic Frobenius primality test by Grantham, 1998 has stimulated a lot of researchin this area. In this test as well as in the Miller-Rabin test a composite number may be declared as probably prime. Repeating several tests decreases that error probability. While most research papers in this subject focus on minimising the error probability as a function of the number of tests (or, more generally, of the computational effort) asymptotically, we present a simplified variant SQFT of the quadratic Frobenius test. This test is so simple that it can easily be implemented on a smart card. During prime number generation, a large number of composite numbers must be tested before a (probable) prime is found. Therefore we need a fast test, such as the Miller-Rabin test with a small basis, to rule out most prime candidates quickly before a promising candidate will be tested with a more sophisticated variant of the QFT. Our test SQFT makes optimum use of the information gathered by a previous Miller-Rabin test. It has run time equivalent to two Miller-Rabin tests; and it achieves a worst-case error probability of $2^{-12t}$ with $t$ tests. Most cryptographic standards require an average-case error probability of at most $2^{-80}$ or $2^{-100}$, when prime numbers are generated in public key systems. Our test SQFT achieves an average-case error probability of $2^{-134}$ with two test rounds for $500-$bit primes. We also present a more sophisticated version SQFT3 of our test that has run time and worst-case error probability comparable to the test EQFTwc by Damg\aa rd and Frandsen, 2003, in all cases. Our test SQFT3 avoids the computation of cubic residuosity symbols, as required in the test EQFTwc.
2005
EPRINT
A sufficient condition for key-privacy
The notion of key privacy for encryption schemes was defined formally by Bellare, Boldyreva, Desai and Pointcheval in Asiacrypt 2001. This notion seems useful in settings where anonymity is important. In this short note we describe a (very simple) sufficient condition for key privacy. In a nutshell, a scheme that provides data privacy is guaranteed to provide also key privacy if the distribution of a *random encryption of a random message* is independent of the public key that is used for the encryption.
2005
EPRINT
A Suite of ID-Based Threshold Ring Signature Schemes with Different Levels of Anonymity
Since the introduction of Identity-based (ID-based) cryptography by Shamir in 1984, numerous ID-based signature schemes have been proposed. In 2001, Rivest et al. introduced ring signature that provides irrevocable signer anonymity and spontaneous group formation. In recent years, ID-based ring signature schemes have been proposed and all of them are based on bilinear pairings. In this paper, we propose the first ID-based threshold ring signature scheme that is not based on bilinear pairings. We also propose the first ID-based threshold `linkable' ring signature scheme. We emphasize that the anonymity of the actual signers is maintained even against the private key generator (PKG) of the ID-based system. Finally we show how to add identity escrow to the two schemes. Due to the different levels of signer anonymity they support, the schemes proposed in this paper actually form a suite of ID-based threshold ring signature schemes which is applicable to many real-world applications with varied anonymity requirements.
2005
EPRINT
A Survey on ID-Based Cryptographic Primitives
ID-based cryptosystem has been, for a few years, the most active area of research and currently is of great interest to the cryptographic society. In this work we survey three fundamental ID-based cryptographic primitives Digital Signature, Encryption and Key Agreement, which are based on the mathematical concepts Integer Factorization, Quadratic Residues and Bilinear Pairings. We review several schemes along with their efficiency and security considerations. The survey helps in understanding the research work carried out in the area of ID-based cryptosystems from the year 1984 to 2004.
2005
EPRINT
A Uniform Framework for Cryptanalysis of the Bluetooth $E_0$ Cipher
In this paper we analyze the $E_0$ cipher, which is the encryption system used in the Bluetooth specification. We suggest a uniform framework for cryptanalysis of the $E_0$ cipher. Our method requires 128 known bits of the keystream in order to recover the initial state of the LFSRs, which reflects the secret key of this encryption engine. In one setting, our framework reduces to an attack of D. Bleichenbacher. In another setting, our framework is equivalent to an attack presented by Fluhrer and Lucks. Our best attack can recover the initial state of the LFSRs after solving $2^{86}$ boolean linear systems of equations, which is roughly equivalent to the results obtained by Fluhrer and Lucks.
2005
EPRINT
A Universally Composable Scheme for Electronic Cash
We propose a scheme for electronic cash based on symmetric primitives. The scheme is secure in the framework for universal composability assuming the existence of a symmetric CCA2-secure encryption scheme, a CMA-secure signature scheme, and a family of one-way, collision-free hash functions. In particular, the security proof is not in the random-oracle model. Due to its high efficiency, the scheme is well-suited for devices such as smart-cards and mobile phones. We also show how the proposed scheme can be used as a group signature scheme with one-time keys.
2005
EPRINT
A Verifiable Secret Shuffle of Homomorphic Encryptions
We suggest an honest verifier zero-knowledge argument for the correctness of a shuffle of homomorphic encryptions. A shuffle consists of a rearrangement of the input ciphertexts and a re-encryption of them. One application of shuffles is to build mix-nets. Our scheme is more efficient than previous schemes in terms of both communication and computational complexity. Indeed, the HVZK argument has a size that is independent of the actual cryptosystem being used and will typically be smaller than the size of the shuffle itself. Moreover, our scheme is well suited for the use of multi-exponentiation techniques and batch-verification. Additionally, we suggest a more efficient honest verifier zero-knowledge argument for a commitment containing a permutation of a set of publicly known messages. We also suggest an honest verifier zero-knowledge argument for the correctness of a combined shuffle-and-decrypt operation that can be used in connection with decrypting mix-nets based on ElGamal encryption. All our honest verifier zero-knowledge arguments can be turned into honest verifier zero-knowledge proofs. We use homomorphic commitments as an essential part of our schemes. When the commitment scheme is statistically hiding we obtain statistical honest verifier zero-knowledge arguments, when the commitment scheme is statistically binding we obtain computational honest verifier zero-knowledge proofs.
2005
EPRINT
A Weak-Randomizer Attack on RSA-OAEP with e = 3
Coppersmith's heuristic algorithm for finding small roots of bivariate modular equations can be applied against low-exponent RSA-OAEP if its randomizer is weak. An adversary that knows the randomizer can recover the entire plaintext message, provided it is short enough for Coppersmith's algorithm to work. In practice, messages are symmetric cipher keys and these are potentially short enough for certain sets of key sizes. Weak randomizers could arise in constrained smart cards or in kleptographic implementations. Because RSA's major use is transporting symmetric keys, this attack is a potential concern. In this respect, OAEP's design is more fragile than necessary, because a secure randomizer is critical to prevent a total loss of secrecy, not just a loss of semantic security or chosen-ciphertext security. Countermeasures and more robust designs that have little extra performance cost are proposed and discussed.
2005
EPRINT
Accumulators from Bilinear Pairings and Applications to ID-based Ring Signatures and Group Membership Revocation
We propose a dynamic accumulator scheme from bilinear pairings, whose security is based on the Strong Diffie-Hellman assumption. We show applications of this accumulator in constructing an identity-based (ID-based) ring signature scheme with constant-size signatures and its interactive counterpart, and providing membership revocation to group signature, traceable signature and identity escrow schemes and anonymous credential systems. The ID-based ring signature scheme and the group signature scheme have extremely short signature sizes. The size of our group signatures with membership revocation is only half the size of the well-known ACJT00 scheme, which does not provide membership revocation. The schemes do not require trapdoor, so system parameters can be shared by multiple groups belonging to different organizations. All schemes proposed are provably secure in formal models. We generalize the definition of accumulators to model a wider range of practical accumulators. We provide formal models for ID-based ad-hoc anonymous identification schemes and identity escrow schemes with membership revocation, based on existing ones.
2005
EPRINT
Adaptable Group-Oriented Signature
A new type of signature is presented in this paper, named adaptable group-oriented signature. In contrast with traditional group-oriented signature, the new one laid a strong emphasis on how to improve the signer??s efficiency. In fact, this new type of group-oriented signature can be seen as a type of designated verifier signature. In contrast with the ordinary designated verifier signature, it does not designate one member but several members to independently verify the signature. The designated members, who can independently verify the signature, come into a group. This scheme can ensure the anonymity of the verifiers. This type of signature can be used in such system that the compute resource is limited, such as the broadcast protocols of the mobile telephone in the mobile networks.
2005
EPRINT
Additive Proofs of Knowledge - A New Notion For Non-Interactive Proofs
In this paper, we study the opacity property of verifiably encrypted signatures (VES) of Boneh et al. (proposed in Eurocrypt 2003). Informally, opacity implies that although some given aggregate signatures can verified, no useful information about the individual signatures is leaked. However, the very fact that an aggregate signature can be verified leaks certain information - that the individual signature is indeed well-formed. Apart from this, is there any other information leaked? In this paper, we show that there is absolutely no other information leaked about the individual signatures when the aggregation contains only two signatures. In more formal terms, we show that VES are Zero-Knowledge (ZK). We then extend the ZK property of VES to propose efficient Additive Non-Interactive Witness-Indistinguishable (A-NIWI) proofs. Intuitively an A-NIWI proof can be considered as a Proof of Knowledge (PoK) of another A-NIWI proof.
2005
EPRINT
Adversarial Model for Radio Frequency Identification
Radio Frequency Identification (RFID) systems aim to identify objects in open environments with neither physical nor visual contact. They consist of transponders inserted into objects, of readers, and usually of a database which contains information about the objects. The key point is that authorised readers must be able to identify tags without an adversary being able to trace them. Traceability is often underestimated by advocates of the technology and sometimes exaggerated by its detractors. Whatever the true picture, this problem is a reality when it blocks the deployment of this technology and some companies, faced with being boycotted, have already abandoned its use. Using cryptographic primitives to thwart the traceability issues is an approach which has been explored for several years. However, the research carried out up to now has not provided satisfactory results as no universal formalism has been defined. In this paper, we propose an adversarial model suitable for RFID environments. We define the notions of existential and universal untraceability and we model the access to the communication channels from a set of oracles. We show that our formalisation fits the problem being considered and allows a formal analysis of the protocols in terms of traceability. We use our model on several well-known RFID protocols and we show that most of them have weaknesses and are vulnerable to traceability.
2005
EPRINT
AES side channel attack protection using random isomorphisms
General method of side-channel attacks protection, based on random cipher isomorphisms is presented. Isomorphic ciphers produce common outputs for common inputs. Cipher isomorphisms can be changed independently on transmitting and receiving sides. Two methods of RIJNDAEL protection are considered. The first one is based on random commutative isomorphisms of underlying structure. The set of field F256 isomorphisms consists of 30 subsets; each of them has 8 commutative elements presented as Galois group elements. This allows increasing the strength with respect to side channel attacks about 32 times, the encryption ratio decreases slightly. This method has relatively small efficiency. The second method is based on cipher byte affine isomorphisms s(x)= Lx+a, and allows in practice eliminate side-channel attacks. The rate of this method is approximately the same as in previous case. The most convenient affine isomorphisms are involutions. Method of such affine isomorphisms generation is presented.
2005
EPRINT
almost enumeration of 8-variable bent functions
Bent functions are important cryptographic Boolean functions. In order to enumerate eight-variable bent functions, we solve the following three key problems. Firstly, under the action of $AGL(7,2)$, we almost completely classify $R(4,7)/R(2,7)$. Secondly, we construct all seven-variable \emph{plateaued} functions from the orbits of $R(4,7)/R(2,7)$. Thirdly, we present a fast algorithm to expand \emph{plateaued} function into bent functions. Based on the results above, it is feasible to enumerate eight-variable bent functions in practice.
2005
EPRINT
An Active Attack Against HB+ - A Provably Secure Lightweight Authentication Protocol
Much research has focused on providing RFID tags with lightweight cryptographic functionality. The HB+ authentication protocol was recently proposed and claimed to be secure against both passive and active attacks. In this note we propose a linear-time active attack against HB+.
2005
EPRINT
An Algebraic Masking Method to Protect AES Against Power Attacks
The central question in constructing a secure and efficient masking method for AES is to address the interaction between additive masking and the inverse S-box of Rijndael. All recently proposed methods to protect AES against power attacks try to avoid this problem and work by decomposing the inverse in terms of simpler operations that are more easily protected against DPA by generic methods. In this paper, for the first time, we look at the problem in the face, and show that this interaction is not as intricate as it seems. In fact, any operation, even complex, can be directly protected against DPA of any given order, if it can be embedded in a group that has a compact representation. We show that a secure computation of a whole masked inverse can be done directly in this way, using the group of homographic transformations over the projective space (but not exactly, with some non-trivial technicalities). This is used to propose a general high-level algebraic method to protect AES against power attacks of any given order.
2005
EPRINT
An Anonymous Authentication Scheme for Trusted Computing Platform
The Trusted Computing Platform is the industrial initiative to implement computer security. However, privacy protection is a critical problem that must be solved in Trusted Computing Platform. In this paper, we propose a simple and efficient method to implement anonymous authentication in such setting. The new scheme is proved to be secure under the strong RSA assumption and decisional Diffie-Hellman assumption.
2005
EPRINT
An Approach Towards Rebalanced RSA-CRT with Short Public Exponent
Based on the Chinese Remainder Theorem (CRT), Quisquater and Couvreur proposed an RSA variant, RSA-CRT, to speedup RSA decryption. According to RSA-CRT, Wiener suggested another RSA variant, Rebalanced RSA-CRT, to further speedup RSA-CRT decryption by shifting decryption cost to encryption cost. However, such an approach will make RSA encryption very time-consuming because the public exponent e in Rebalanced RSA-CRT will be of the same order of magnitude as ?p(N). In this paper we study the following problem: does there exist any secure variant of Rebalanced RSA-CRT, whose public exponent e is much shorter than ?p(N)? We solve this problem by designing a variant of Rebalanced RSA-CRT with d_{p} and d_{q} of 198 bits. This variant has the public exponent e=2^511+1 such that its encryption is about 3 times faster than that of the original Rebalanced RSA-CRT.
2005
EPRINT
An Attack on CFB Mode Encryption As Used By OpenPGP
This paper describes an adaptive-chosen-ciphertext attack on the Cipher Feedback (CFB) mode of encryption as used in OpenPGP. In most circumstances it will allow an attacker to determine 16 bits of any block of plaintext with about $2^{15}$ oracle queries for the initial setup work and $2^{15}$ oracle queries for each block. Standard CFB mode encryption does not appear to be affected by this attack. It applies to a particular variation of CFB used by OpenPGP. In particular it exploits an ad-hoc integrity check feature in OpenPGP which was meant as a "quick check" to determine the correctness of the decrypting symmetric key.
2005
EPRINT
An Authentication Protocol For Mobile Agents Using Bilinear Pairings
A mobile agent is a mobile program capable of maintaining its execution states as it migrates between different execution platforms. A key security problem in the mobile agent paradigm is that of trust: How to ensure that the past itinerary (of execution platforms) claimed by the agent is correct. This is necessary in order to establish a reasonable level of trust for the agent before granting execution privileges. In this paper we describe a protocol using bilinear pairings that enables trust relationships to be formed between agent platforms in an ad-hoc manner without actively involving any trusted third party. This protocol can be used to authenticate agents before granting execution privileges. The main idea behind our approach is the concept of `one-way' chaining. Our scheme has chosen ciphertext security assuming the hardness of the Bilinear Diffie Hellman Problem (BDHP).
2005
EPRINT
An Effective Method to Implement Group Signature with Revocation
This paper presents an effective method to integrate the revocation mechanism into some group signature schemes that are based on the strong RSA assumption. The mechanism enables the group manager to either update a group member's certificates, or revoke a group member. More specifically, a generic method has been proposed for the protocols of sign, verify, and revocation. We demonstrate the effectiveness of the method by applying it to a well known group signature scheme. The new construction has better performance while enjoying an efficient revocation mechanism.
2005
EPRINT
An Efficient CDH-based Signature Scheme With a Tight Security Reduction
At Eurocrypt'03, Goh and Jarecki showed that, contrary to other signature schemes in the discrete-log setting, the EDL signature scheme has a tight security reduction, namely to the Computational Diffie-Hellman (CDH) problem, in the Random Oracle (RO) model. They also remarked that EDL can be turned into an off-line/on-line signature scheme using the technique of Shamir and Tauman, based on chameleon hash functions. In this paper, we propose a new signature scheme that also has a tight security reduction to CDH but whose resulting signatures are smaller than EDL signatures. Further, similarly to the Schnorr signature scheme (but contrary to EDL), our signature is naturally efficient on-line: no additional trick is needed for the off-line phase and the verification process is unchanged. For example, in elliptic curve groups, our scheme results in a 25% improvement on the state-of-the-art discrete-log based schemes, with the same security level. This represents to date the most efficient scheme of any signature scheme with a tight security reduction in the discrete-log setting.
2005
EPRINT
An Efficient ID-KEM Based On The Sakai-Kasahara Key Construction
We describe an identity based key encapsulation mechanism (ID-KEM). It is possible to use this ID-KEM to build a secure identity based encryption scheme using the techniques of Bentahar et al. The resulting encryption scheme has a number of performance advantages over existing methods.
2005
EPRINT
An Efficient Solution to The Millionaires' Problem Based on Homomorphic Encryption
We proposed a two-round protocol for solving the Millionaires' Problem in the setting of semi-honest parties. Our protocol uses either multiplicative or additive homomorphic encryptions. Previously proposed protocols used additive or XOR homomorphic encryption schemes only. The computation and communication costs of our protocol are in the same asymptotic order as those of the other efficient protocols. Nevertheless, since multiplicative homomorphic encryption scheme is more efficient than an additive one practically, our construction saves computation time and communication bandwidth in practicality.
2005
EPRINT
An Efficient Variant of RSA Cryptosystem with Semantic Security
An ecient variant of RSA cryptosystem was proposed by Cesar . He called it Rprime RSA. The Rprime RSA is a combination of Mprime RSA and Rebalanced RSA. Although the decryption speed of Rprime RSA is 27 times faster than the standard RSA and 8 times faster than the QC RSA in theoretically, yet due to the large encryption exponent, the encryption process becomes slower than the standard RSA. In this paper we tried to improve the eciency of encryption process with less compromising with the decryption speed. In addition the proposed scheme is semantically secure.
2005
EPRINT
An ID-Based Key Agreement Scheme from pairing
We propose a two-party identity-based key agreement and key agreement with confirmation from pairing that can be used with escrow mode or without escrow mode.,It can also be used between users of different KGC (Key Generation Centre).We will show that the our scheme is a secure key agreement in the mode proposed by Bellare and Rogaway[2],and we will show that the scheme has the attribute of Known Key-Security ,Key-Compromise-Impersonation, Unknown-Key-Share, Perfect-Forward-Secrecy and Key-Control.
2005
EPRINT
An Improved and Efficient Countermeasure against Power Analysis Attacks
Recently new types of differential power analysis attacks (DPA) against elliptic curve cryptosystems (ECC) and RSA systems have been introduced. Most existing countermeasures against classical DPA attacks are vulnerable to these new DPA attacks which include refined power analysis attacks (RPA), zero-value point attacks (ZPA), and doubling attacks. The new attacks are different from classical DPA in that RPA uses a special point with a zero-value coordinate, while ZPA uses auxiliary registers to locate a zero value. So, Mamiya et al proposed a new countermeasure against RPA, ZPA, classical DPA and SPA attacks using a basic random initial point. His countermeasure works well when applied to ECC, but it has some disadvantages when applied to general exponentiation algorithms (such as RSA and ElGamal) due to an inverse computation. This paper presents an efficient and improved countermeasure against the above new DPA attacks by using a random blinding concept on the message different from Mamiya's countermeasure and show that our proposed countermeasure is secure against SPA based Yen's power analysis which can break Coron's simple SPA countermeasure as well as Mamiya's one. The computational cost of the proposed scheme is very low when compared to the previous methods which rely on Coron's simple SPA countermeasure. Moreover this scheme is a generalized countermeasure which can be applied to ECC as well as RSA system.
2005
EPRINT
An Improved Elegant Method to Re-initialize Hash Chains
Hash chains are widely used in various cryptographic systems such as electronic micropayments and one-time passwords etc. However, hash chains suffer from the limitation that they have a finite number of links which when used up requires the system to re-initialize new hash chains. So system design has to reduce the overhead when hash chains are re-initialized. Recently, Vipul Goyal proposed an elegant one-time-signature-based method to re-initialize hash chains, in this efficient method an infinite number of finite length hash chains can be tied together so that hash chains can be securely re-initialized in a non-repudiable manner. Vipul Goyal??s method is improved in this paper to reach a little more efficient method, which, more importantly, is a natural extension of the concept of conventional hash chains.
2005
EPRINT
An Improved Power Analysis Attack Against Camellia's Key Schedule
This paper presents an improved simple power analysis attack against the key schedule of Camellia. While the original attack required an exact determination of the Hamming weight of intermediate data values based on power measurements, in this paper, two variants of the simple power analysis attack are presented and shown to be tolerant of errors that might occur in the Hamming weight determinations. In practical applications of the attack such errors are likely to occur due to noise and distortion in the power measurements and their mapping to the Hamming weights of the data. Further, we propose a practical method to evaluate the susceptibility of other block ciphers to simple power analysis attacks. To resist these attacks, the required design rationale of key schedules and several practical countermeasures are suggested.
2005
EPRINT
An infinite class of quadratic APN functions which are not equivalent to power mappings
We exhibit an infinite class of almost perfect nonlinear quadratic polynomials from $\mathbb{F}_{2^n}$ to $\mathbb{F}_{2^n}$ ($n\geq 12$, $n$ divisible by 3 but not by 9). We prove that these functions are EA-inequivalent to any power function. In the forthcoming version of the present paper we will proof that these functions are CCZ-inequivalent to any Gold function and to any Kasami function, in particular for $n=12$, they are therefore CCZ-inequivalent to power functions.
2005
EPRINT
Analysis of Affinely Equivalent Boolean Functions
By walsh transform, autocorrelation function, decomposition, derivation and modification of truth table, some new invariants are obtained. Based on invariant theory, we get two results: first a general algorithm which can be used to judge if two boolean functions are affinely equivalent and to obtain the affine equivalence relationship if they are equivalent. For example, all 8-variable homogenous bent functions of degree 3 are classified into 2 classes; second, the classification of the Reed-Muller code $R(4,6)/R(1,6),R(3,7)/R(1,7),$ which can be used to almost enumeration of 8-variable bent functions.
2005
EPRINT
Analyzing Unlinkability of Some Group Signatures
Miyaji et.al proposed a fully functional(i.e., satisfying unforgeability, exculpability,anonymity, traceability, unlinkability, and revocability.) group signature over only known-order groups, that is based only on Discrete logarithm related assumptions, specifically, multiple DLP they proposed in the same paper [MU04]. In this paper, we point out their scheme and an improved scheme [ZZW05] do not have unlinkability.
2005
EPRINT
Anonymous Signature Schemes
Digital signature is one of the most important primitives in public key cryptography. It provides authenticity, integrity and non-repudiation to many kinds of applications. On signer privacy however, it is generally unclear or suspicious of whether a signature scheme itself can guarantee the anonymity of the signer. In this paper, we give some affirmative answers to it. We formally define the signer anonymity for digital signature and propose some schemes of this type. We show that a signer anonymous signature scheme can be very useful by proposing a new anonymous key exchange protocol which allows a client Alice to establish a session key with a server Bob securely while keeping her identity secret from eavesdroppers. In the protocol, the anonymity of Alice is already maintained when Alice sends her signature to Bob in clear, and no additional encapsulation or mechanism is needed for the signature. We also propose a method of using anonymous signature to solve the collusion problem between organizers and reviewers of an anonymous paper review system.
2005
EPRINT
Another look at HMQV
HMQV is a `hashed variant' of the MQV key agreement protocol. It was recently introduced by Krawczyk, who claimed that HMQV has very significant advantages over MQV: (i) a security proof under reasonable assumptions in the (extended) Canetti-Krawczyk model for key exchange; and (ii) superior performance in some situations. In this paper we demonstrate that HMQV is insecure by presenting realistic attacks in the Canetti-Krawczyk model that recover a victim's static private key. We propose HMQV-1, a patched version of HMQV that resists our attacks (but does not have any performance advantages over MQV). We also identify the fallacies in the security proof for HMQV, critique the security model, and raise some questions about the assurances that proofs in this model can provide.
2005
EPRINT
Append-Only Signatures
We present a new primitive--Append-only Signatures (AOS)--with the property that any party given an AOS signature aossig[M_1] on message M_1 can compute aossig[M_1||M_2] for any message M_2, where M_1||M_2 is the concatenation of M_1 and M_2. We define the security of AOS, present concrete AOS schemes, and prove their security under standard assumptions. In addition, we find that despite its simple definition, AOS is equivalent to Hierarchical Identity-based Signatures (HIBS) through efficient and security-preserving reductions. Finally, we show direct applications of AOS to problems in network security. Our investigations indicate that AOS is both useful in practical applications and worthy of further study as a cryptographic primitive.
2005
EPRINT
Attack on Okamoto et al.'s New Short Signature Schemes
We present an attack on a new short signature scheme from bilinear pairing proposed by Okamoto $et$ $al.$ at ITCC'05. We show that any one can derive the secret key of the signer from any two message-signature pairs and so can forge the signer's signature for any message. This means the scheme is totally broken.
2005
EPRINT
Authenticated Encryption Mode of VEST Ciphers
This paper demonstrates operation of the authenticated encryption mode in VEST ciphers. All VEST ciphers operating in the authenticated encryption mode with infinite error propagation provide keyed message authentication at the same speed as their keystream generation, with negligible overhead and maintaining their security ratings.
2005
EPRINT
Basic Theory in Construction of Boolean Functions with Maximum Possible Annihilator Immunity
So far there is no systematic attempt to construct Boolean functions with maximum annihilator immunity. In this paper we present a construction keeping in mind the basic theory of annihilator immunity. This construction provides functions with the maximum possible annihilator immunity and the weight, nonlinearity and algebraic degree of the functions can be properly calculated under certain cases. The basic construction is that of symmetric Boolean functions and applying linear transformation on the input variables of these functions,one can get a large class of non-symmetric functions too. Moreover, we also study several other modifications on the basic symmetric functions to identify interesting non symmetric functions with maximum annihilator immunity. In the process we also present an algorithm to compute the Walsh spectra of a symmetric Boolean function with $O(n^2)$ time and $O(n)$ space complexity.
2005
EPRINT
Batch Verification of Validity of Bids in Homomorphic E-auction
Bid opening in e-auction is efficient when a homomorphic secret sharing function is employed to seal the bids and homomorphic secret reconstruction is employed to open the bids. However, this high efficiency is based on an assumption: the bids are valid (e.g. within a special range). An undetected invalid bid can compromise correctness and fairness of the auction. Unfortunately, validity verification of the bids is ignored in the auction schemes employing homomorphic secret sharing (called homomorphic auction in this paper). In this paper, an attack against the homomorphic auction in the absence of bid validity check is presented and a necessary bid validity check mechanism is proposed. Then a batch cryptographic technique is introduced and applied to improve the efficiency of bid validity check.
2005
EPRINT
Benes and Butterfly schemes revisited
In~\cite{AV96}, W. Aiello and R. Venkatesan have shown how to construct pseudo-random functions of $2n$ bits $\rightarrow 2n$ bits from pseudo-random functions of $n$ bits $\rightarrow n$ bits. They claimed that their construction, called ``Benes'', reaches the optimal bound ($m\ll 2^n$) of security against adversaries with unlimited computing power but limited by $m$ queries in an adaptive chosen plaintext attack (CPA-2). However a complete proof of this result is not given in~\cite{AV96} since one of the assertions of~\cite{AV96} is wrong. Due to this, the proof given in~\cite{AV96} is valid for most attacks, but not for all the possible chosen plaintext attacks. In this paper we will in a way fix this problem since for all $\varepsilon>0$, we will prove CPA-2 security when $m\ll 2^{n(1-\varepsilon)}$. However we will also see that the probability to distinguish Benes functions from random functions is sometime larger than the term in $\frac{m^2}{2^{2n}}$ given in~\cite{AV96}. One of the key idea in our proof will be to notice that, when $m\gg2^{2n/3}$ and $m\ll2^n$, for large number of variables linked with some critical equalities, the average number of solutions may be large (i.e. $\gg1$) while, at the same time, the probability to have at least one such critical equalities is negligible (i.e. $\ll1$).\\ \textbf{Key Words}: Pseudo-random functions, unconditional security, information-theoretic primitive, design of keyed hash functions.
2005
EPRINT
Blind Attacks on Engineering Samples
In addition to its usual complexity assumptions, cryptography silently assumes that information can be physically protected in a single location. As we now know, real-life devices are not ideal and confidential information leaks through different physical channels.\smallskip Whilst most aspects of side channel leakage (cryptophthora) are now well understood, no attacks on totally unknown algorithms are known to date. This paper describes such an attack.\smallskip By {\sl totally unknown} we mean that no information on the algorithm's mathematical description (including the plaintext size), the microprocessor or the chip's power consumption model is available to the attacker.\smallskip We successfully experimented the attack on a commercially available device produced by a non-European smart-card manufacturer.
2005
EPRINT
Block ciphers sensitive to Groebner Basis Attacks
We construct and analyze Feistel and SPN ciphers that have a sound design strategy against linear and differential attacks but for which the encryption process can be described by very simple polynomial equations. For a block and key size of 128 bits, we present ciphers for which practical Groebner basis attacks can recover the full cipher key requiring only a minimal number of plaintext/ciphertext pairs. We show how Groebner bases for a subset of these ciphers can be constructed with neglegible computational effort. This reduces the key recovery problem to a Groebner basis conversion problem. By bounding the running time of a Groebner basis conversion algorithm, FGLM, we demonstrate the existence of block ciphers resistant against differential and linear cryptanalysis but vulnerable against Groebner basis attacks.
2005
EPRINT
Boneh-Franklin Identity Based Encryption Revisited
The first practical identity based encryption (IBE) scheme was proposed by Boneh and Franklin. In this work we point out that there is a flawed step in the security reduction exhibited by the authors. Fortunately, it is possible to fix it without changing the scheme or the underlying assumption. In the second place, we introduce a variant of the seminal IBE scheme which allows a more efficient security reduction. The new scheme is simpler, and has more compact ciphertexts than Boneh-Franklin's proposal, while keeping the computational cost. Finally, we observe that the flawed step pointed out here is present in several works, and that our techniques can be applied to obtain tighter reductions for previous relevant schemes.
2005
EPRINT
Bounds on Birthday Attack Times
We analyze a generic birthday attack where distinct inputs to some function $f$ are selected until two of the inputs map through $f$ to the same output, meaning that the attack has succeeded. We give tight bounds on the probability of attack success after a given number of inputs are selected as well as tight bounds on the expected number of inputs that must be selected for the attack to succeed. The types of functions considered include random functions with uniformly random outputs, random functions whose outputs have some arbitrary (biased) probability distribution, concrete functions that are balanced (all outputs have the same number of pre-images), and arbitrary concrete functions. In each case the bounds are given in terms of the probability ($1/\beta$) that a pair of inputs give the same output, which is different for each type of function. The expected number of steps required to complete a birthday attack in all cases is between $0.7\sqrt{\beta}$ and $2\sqrt{\beta}$. In some cases tighter bounds than this are given. Compared to previous work in this area, the analysis here gives tighter bounds and is more applicable to the most efficient practical methods used to carry out birthday attacks, such as a generalization of Pollard's rho-method and parallel collision search. However, significant challenges remain in proving bounds for these methods.
2005
EPRINT
Breaking and Repairing Trapdoor-free Group Signature Schemes from Asiacrypt 2004
Group signature schemes allow a member of a group to sign messages anonymously on behalf of the group. In the case of later dispute, a designated group manager can revoke the anonymity and identify the originator of a signature. In Asiacrypt 2004, Nguyen and Safavi-Naini proposed a group signature scheme that has a constant-size public key and signature length, and more importantly, their group signature scheme does not require trapdoor. Their scheme is very efficient and the sizes of signatures are shorter compared to the existing schemes that were proposed earlier. In this paper, we point out that Nguyen and Safavi-Naini's scheme is insecure. In particular, we provide a cryptanalysis of the scheme that allows a non-member of the group to sign on behalf of the group. The resulting group signature can convince any third party that a member of the group has indeed generated such a signature, although none of the members has done it. Therefore, in the case of dispute, the group manager cannot identify who has signed the message. We also provide a new scheme that does not suffer against this problem.
2005
EPRINT
Breaking RSA May Be As Difficult As Factoring
If factoring is hard, this paper shows that straight line programs cannot efficiently solve the low public exponent RSA problem. More precisely, no efficient algorithm can take an RSA public key as input and then output a straight line program that efficiently solves the low public exponent RSA problem for the given public key --- unless factoring is easy.
2005
EPRINT
Broadcast Authentication With Hashed Random Preloaded Subsets
We introduce a novel cryptographic paradigm of broadcast authentication with ``preferred'' verifiers (BAP). With BAP, the message source explicitly targets a set of one or more verifiers. For an attacker, forging authentication data of a source, for purposes of fooling preferred verifiers may be substantially more difficult than fooling other (non-preferred) verifiers. We investigate broadcast authentication (BA) with \textit{hashed random preloaded subsets} (HARPS), which caters for such a distinction. HARPS, provides for efficient broadcast authentication, with and without preferred verifiers.
2005
EPRINT
BROADCAST ENCRYPTION $\pi$
We propose a new broadcast encryption scheme $\pi$ based on the idea of `one key per each punctured interval'. Let $N$ and $r$ be the numbers of total users and revoked users, respectively. In our scheme with $p$-punctured $c$-intervals, the transmission overhead is asymptotically {\normalsize$\frac r{p+1}$} as $r$ grows. We also introduce two variants of our scheme to improve the efficiency for small $r$. Our scheme is very flexible with two parameters $p$ and $c$. We may take $p$ as large as possible if a user device allows a large key storage, and set $c$ as small as possible if the storage size and the computing power is limited. Our scheme also possesses another remarkable feature that any number of new users can join at any time without key refreshment, which is not possible in other known practical schemes.
2005
EPRINT
Broadcast Encryption with Random Key Pre-distribution Schemes
Broadcast encryption (BE) deals with the problem of establishing a secret, shared by $g=G-r$ \textit{privileged} nodes, among a set $G$ nodes. Specifically, a set of $r$ \textit{revoked} nodes are denied access to the secret. Many schemes to address this problem, based on key pre-distribution schemes (KPS), have been proposed in the literature. Most state-of-the-art methods employ tree-based techniques. However, \textit{random} key pre-distribution schemes (RKPS), which have received a lot of attention in the recent past (especially in the context of ad hoc and sensor network security), also cater for BE. In this paper we analyze the performance of BE using RKPSs. While in most tree-based methods the source of the broadcast is assumed to be the root of the tree (unless asymmetric cryptographic primitives can be used), BE using RKPSs caters for BE by \textit{peers} - without the need for asymmetric cryptography. Furthermore, unlike most BE schemes where the identities of the revoked nodes have to be explicitly specified, BE using RKPSs allow for protecting the identities of the revoked nodes, which could be a useful property in application scenarios where privacy is a crucial issue.
2005
EPRINT
Browser Model for Security Analysis of Browser-Based Protocols
Currently, many industrial initiatives focus on web-based applications. In this context an important requirement is that the user should only rely on a standard web browser. Hence the underlying security services also rely solely on a browser for interaction with the user. Browser-based identity federation is a prominent example of such a protocol. Unfortunately, very little is still known about the security of browser-based protocols, and they seem at least as error-prone as standard security protocols. In particular, standard web browsers have limited cryptographic capabilities and thus new protocols are used. Furthermore, these protocols require certain care by the user in person, which must be modeled. In addition, browsers, unlike normal protocol principals, cannot be assumed to do nothing but execute the given security protocol. In this paper, we lay the theoretical basis for the rigorous analysis and security proofs of browser-based security protocols. We formally model web browsers, secure browser channels, and the security-relevant browsing behavior of a user as automata. As a first rigorous security proof of a browser-based protocol we prove the security of password-based user authentication in our model. This is not only the most common stand-alone type of browser authentication, but also a fundamental building block for more complex protocols like identity federation.
2005
EPRINT
Building Better Signcryption Schemes with Tag-KEMs
Signcryption schemes aim to provide all of the advantages of simultaneously signing and encrypting a message. Recently, Dent and Bj{\o}rstad investigated the possibility of constructing provably secure signcryption schemes using hybrid KEM-DEM techniques. We build on this work by showing that more efficient insider secure hybrid signcryption schemes can be built using Tag-KEMs. To prove the effectiveness of this construction, we will provide several examples of secure signcryption Tag-KEMs, including a brand new construction based on the Chevallier-Mames signature scheme which has the tightest known security reductions for both confidentiality and unforgeability.
2005
EPRINT
Burmester-Desmedt Tree-Based Key Transport Revisited: Provable Security
A tree-based key transport protocol is presented which can be seen as a generalizing variant of the star- and tree-based protocols proposed by Burmester and Desmedt at EUROCRYPT '94. Our scheme does not rely on the availability of globally verifiable signatures or arbitrary point-to-point connections, and its security against active adversaries is proven in the standard model under the Decision Diffie Hellman assumption.
2005
EPRINT
Cache attacks and Countermeasures: the Case of AES
We describe several software side-channel attacks based on inter-process leakage through the state of the CPU's memory cache. This leakage reveals memory access patterns, which can be used for cryptanalysis of cryptographic primitives that employ data-dependent table lookups. The attacks allow an unprivileged process to attack other processes running in parallel on the same processor, despite partitioning methods such as memory protection, sandboxing and virtualization. Some of our methods require only the ability to trigger services that perform encryption or MAC using the unknown key, such as encrypted disk partitions or secure network links. Moreover, we demonstrate an extremely strong type of attack, which requires knowledge of neither the specific plaintexts nor ciphertexts, and works by merely monitoring the effect of the cryptographic process on the cache. We discuss in detail several such attacks on AES, and experimentally demonstrate their applicability to real systems, such as OpenSSL and Linux's dm-crypt encrypted partitions (in the latter case, the full key can be recovered after just 800 writes to the partition, taking 65 milliseconds). Finally, we describe several countermeasures which can be used to mitigate such attacks.
2005
EPRINT
Candidate One-Way Functions and One-Way Permutations Based on Quasigroup String Transformations
In this paper we propose a definition and construction of a new family of one-way candidate functions ${\cal R}_N:Q^N \rightarrow Q^N$, where $Q=\{0,1,\ldots,s-1\}$ is an alphabet with $s$ elements. Special instances of these functions can have the additional property to be permutations (i.e. one-way permutations). These one-way functions have the property that for achieving the security level of $2^n$ computations in order to invert them, only $n$ bits of input are needed. The construction is based on quasigroup string transformations. Since quasigroups in general do not have algebraic properties such as associativity, commutativity, neutral elements, inverting these functions seems to require exponentially many readings from the lookup table that defines them (a Latin Square) in order to check the satisfiability for the initial conditions, thus making them natural candidates for one-way functions.
2005
EPRINT
Characteristics of Key-Dependent S-Boxes: the Case of Twofish
In this paper we analyze and discuss the cryptographic robustness of key-dependent substitution boxes (KDSBs); these can be found in some symmetric-key algorithms such as Khufu, Blowfish, and the AES finalist Twofish. We analyze KDSBs in the framework of composite permutations, completing the theory developed by O'Connor. Under the basic assumption that KDSBs are built choosing permutations randomly from the symmetric group $S_{2^m}$ by means of the key, the expressions of their linear and differential characteristics are derived. These results are used as a statistical tool to show that Twofish KDSBs, although very efficient, can be easily distinguished from truly randomly built KDSBs. We also analyze the motivations that lead to this previously unknown property; it can be concluded that the efficiency of the construction and the small computational complexity of Twofish KDSBs, although very desirable, cannot be easily obtained together with the highest level of security.
2005
EPRINT
Choosing Parameter Sets for NTRUEncrypt with NAEP and SVES-3
We present, for the first time, an algorithm to choose parameter sets for NTRUEncrypt that give a desired level of security. Note: This is an expanded version of a paper presented at CT-RSA 2005.
2005
EPRINT
Classification of Cubic $(n-4)$-resilient Boolean Functions
Carlet and Charpin classified in \cite{CC04} the set of cubic $(n-4)$-resilient Boolean functions into four different types with respect to the Walsh spectrum and the dimension of the linear space. Based on the classification of $RM(3,6)/RM(1,6)$, we completed the classification of the cubic $(n-4)$-resilient Boolean function by deriving the corresponding ANF and autocorrelation spectrum for each of the four types. In the same time, we solved an open problem of \cite{CC04} by proving that all plateaued cubic $(n-4)$-resilient Boolean functions have dimension of the linear space equal either to $n-5$ or $n-6$.
2005
EPRINT
Colliding X.509 Certificates
We announce the construction of a pair of valid X.509 certificates with identical signatures.
2005
EPRINT
Collision Attack on XTR and a Countermeasure with a Fixed Pattern
Public-key cryptosystem (PKC) is one of inevitable key technologies in order to accomplish fruitful security applications in ubiquitous computing systems. The ubiquitous computer only has scarce computational resources (like Smart cards, RFID, Sensor Network), however, so that the light weight PKC is necessary for those miniaturized low-power devices. Recently, XTR is considered as one of good candidates for more energy efficient cryptosystems. Among XTR exponentiation algorithms, the most efficient one is the Improved XTR Single Exponentiation (XTR-ISE) proposed by Stam-Lenstra. Thus among the family of XTR algorithms, XTR-ISE is the most efficient one suitable for ubiquitous computer. Even though the security of such devices against side channel attacks is very dangerous, there are few works on side channel attacks against XTR-ISE. In this paper we propose a new collision attack on XTR-ISE, derived from the structural properties of XTR-ISE. The analysis complexity of the proposed one is about 2^{40} where the key size is 160-bit, which is 55% improvement from the previously best known analysis of Page-Stam. We also propose a novel countermeasure using a fixed pattern which is secure against SPA. We deploy a variant of Euclidean algorithm whose one of the registers is a monotone decreasing function with odd value. From our estimation of the efficiency of the proposed method, XTR exponentiation, computing Tr(g^n) with Tr(g) and n, takes 11.2log_2n multiplications in F_{p^2}. In the sense of both efficiency and security the proposed countermeasure is the best one among the previous countermeasures- it is about 30% faster.
2005
EPRINT
Collision-Resistant usage of MD5 and SHA-1 via Message Preprocessing
A series of recent papers have demonstrated collision attacks on popularly used hash functions, including the widely deployed MD5 and SHA-1 algorithm. To assess this threat, the natural response has been to evaluate the extent to which various protocols actually depend on collision resistance for their security, and potentially schedule an upgrade to a stronger hash function. Other options involve altering the protocol in some way. This work suggests a different option. We present several simple message pre-processing techniques and show how the techniques can be combined with MD5 or SHA-1 so that applications are no longer vulnerable to the known collision attacks. For some applications, this may a viable alternative to upgrading the hash function.
2005
EPRINT
Collisions in the Original Version of a Chaotic Hash Function
At the Crypto 2005 rump session, a new hash function based upon a chaotic map was presented. We display several messages that collide to the same output for this hash function.
2005
EPRINT
Collusion Resistant Broadcast Encryption With Short Ciphertexts and Private Keys
We describe two new public key broadcast encryption systems for stateless receivers. Both systems are fully secure against any number of colluders. In our first construction both ciphertexts and private keys are of constant size (only two group elements), for any subset of receivers. The public key size in this system is linear in the total number of receivers. Our second system is a generalization of the first that provides a tradeoff between ciphertext size and public key size. For example, we achieve a collusion resistant broadcast system for n users where both ciphertexts and public keys are of size O(sqrt(n)) for any subset of receivers. We discuss several applications of these systems.
2005
EPRINT
Comment on cryptanalysis of Tseng et al.??s authenticated encryption schemes
Recently, Xie and Yu proposed a forgery attack on the Tseng et al??s authenticated encryption schemes and showed that their schemes are not secure in two cases: the specified verifier substitutes his secret key, or the signer generates the signature with these schemes for two or more specified verifiers. In addition, Xie and Yu made a small modification for the Tseng et al??s schemes and claimed that the modified schemes can satisfy the security requirement. However, we show that the modified schemes are still insecure.
2005
EPRINT
Comments on ``Distributed Symmetric Key Management for Mobile Ad hoc Networks" from INFOCOM 2004
In IEEE INFOCOM 2004, Chan proposed a distributed key management scheme for mobile ad hoc networks, and deduced the condition under which the key sets distributed to the network nodes can form a cover-free family (CFF), which is the precondition that the scheme can work. In this paper, we indicate that the condition is falsely deduced. Furthermore, we discuss whether CFF is capable for key distributions in ad hoc networks.
2005
EPRINT
Comments on Weaknesses in Two Group Diffie-Hellman Key Exchange Protocols
In [3], Tang presented two password guessing attacks such as off-line and undetectable on-line dictionary attacks against password-based group Diffie-Hellman key exchange protocols by Byun and Lee [2]. In this paper, we present countermeasures for two attacks by Tang.
2005
EPRINT
Comments: Insider attack on Cheng et al.'s pairing-based tripartite key agreement protocols
Recently, Cheng et al. proposed two tripartite key agreement protocols from pairings: one is certificate-based and the other is identity-based (ID-based). In this article, we show that the two schemes are vulnerable to the insider impersonation attack and the ID-based scheme even discloses the entities?? private keys. Solutions to this problem are discussed.
2005
EPRINT
Compact E-Cash
This paper presents efficient off-line anonymous e-cash schemes where a user can withdraw a wallet containing 2^l coins each of which she can spend unlinkably. Our first result is a scheme, secure under the strong RSA and the y-DDHI assumptions, where the complexity of the withdrawal and spend operations is O(l+k) and the user's wallet can be stored using O(l+k) bits, where k is a security parameter. The best previously known schemes require at least one of these complexities to be O(2^l k). In fact, compared to previous e-cash schemes, our whole wallet of 2^l coins has about the same size as one coin in these schemes. Our scheme also offers exculpability of users, that is, the bank can prove to third parties that a user has double-spent. We then extend our scheme to our second result, the first e-cash scheme that provides traceable coins without a trusted third party. That is, once a user has double spent one of the 2^l coins in her wallet, all her spendings of these coins can be traced. We present two alternate constructions. One construction shares the same complexities with our first result but requires a strong bilinear map assumption that is only conjectured to hold on MNT curves. The second construction works on more general types of elliptic curves, but the price for this is that the complexity of the spending and of the withdrawal protocols becomes O(lk) and O(lk + k^2) bits, respectively, and wallets take O(lk) bits of storage. All our schemes are secure in the random oracle model.
2005
EPRINT
Compact Group Signatures Without Random Oracles
We present the first efficient group signature scheme that is provably secure without random oracles. We achieve this result by combining provably secure hierarchical signatures in bilinear groups with a novel adaptation of the recent Non-Interactive Zero Knowledge proofs of Groth, Ostrovsky, and Sahai. The size of signatures in our scheme is logarithmic in the number of signers; we prove it secure under the Computational Diffie-Hellman and the Subgroup Decision assumptions in the model of Bellare, Micciancio, and Warinshi, as relaxed by Boneh, Boyen, and Shacham.
2005
EPRINT
Computation of Tate Pairing for Supersingular Curves over characteristic 5 and 7
We compute Tate pairing over supersingular elliptic curves via the generic BGhES\cite{BGES} method for $p=5,7$. In those cases, the point multiplication by $p$ is efficiently computed by the Frobenius endomorphism. The function in a cycle can be efficiently computed by the method of continued fraction.
2005
EPRINT
Computationally sound implementations of equational theories against passive adversaries
In this paper we study the link between formal and cryptographic models for security protocols in the presence of a passive adversary. In contrast to other works, we do not consider a fixed set of primitives but aim at results for an arbitrary equational theory. We define a framework for comparing a cryptographic implementation and its idealization w.r.t. various security notions. In particular, we concentrate on the computational soundness of static equivalence, a standard tool in cryptographic pi calculi. We present a soundness criterion, which for many theories is not only sufficient but also necessary. Finally, we establish new soundness results for the Exclusive Or, as well as a theory of ciphers and lists.
2005
EPRINT
Computationally Sound Verification of Security Protocols Using Diffie-Hellman Exponentiation
Recently, it has been proved that computational security can be automatically verified using the Dolev-Yao abstraction. We extend these results by adding a widely used component for cryptographic protocols: Diffie-Hellman exponentiation. Thus our main result is: if the Decisional Diffie-Hellman assumption is verified and the cryptographic primitives used to implement the protocol are secure, then safety in the symbolic world implies safety in the computational world. Therefore, it is possible to prove automatically safety in the computational world.
2005
EPRINT
Concurrent Blind Signatures without Random Oracles
We present a blind signature scheme that is efficient and provably secure without random oracles under concurrent attacks utilizing only four moves of short communication. The scheme is based on elliptic curve groups for which a bilinear map exists and on extractable and equivocable commitments. The unforgeability of the employed signature scheme is guaranteed by the LRSW assumption while the blindness property of our scheme is guaranteed by the Decisional Linear Diffie-Hellman assumption. We prove our construction secure under the above assumptions as well as Paillier's DCR assumption in the concurrent attack model of Juels, Luby and Ostrovsky from Crypto '97 using a common reference string. Our construction is the first efficient construction for blind signatures in such a concurrent model without random oracles. We present two variants of our basic protocol: first, a blind signature scheme where blindness still holds even if the public-key generation is maliciously controlled; second, a blind signature scheme that incorporates a ``public-tagging'' mechanism. This latter variant of our scheme gives rise to a partially blind signature with essentially the same efficiency and security properties as our basic scheme.
2005
EPRINT
Concurrent Composition of Secure Protocols in the Timing Model
In the setting of secure multiparty computation, a set of mutually distrustful parties wish to securely compute some joint function of their inputs. In the stand-alone case, it has been shown that {\em every} efficient function can be securely computed. However, in the setting of concurrent composition, broad impossibility results have been proven for the case of no honest majority and no trusted setup phase. These results hold both for the case of general composition (where a secure protocol is run many times concurrently with arbitrary other protocols) and self composition (where a single secure protocol is run many times concurrently). In this paper, we investigate the feasibility of obtaining security in the concurrent setting, assuming that each party has a local clock and that these clocks proceed at approximately the same rate. We show that under this mild timing assumption, it is possible to securely compute {\em any} multiparty functionality under concurrent \emph{self} composition. We also show that it is possible to securely compute {\em any} multiparty functionality under concurrent {\em general} composition, as long as the secure protocol is run only with protocols whose messages are delayed by a specified amount of time. On the negative side, we show that it is impossible to achieve security under concurrent general composition with no restrictions whatsoever on the network (like the aforementioned delays), even in the timing model.
2005
EPRINT
Concurrent Zero Knowledge without Complexity Assumptions
We provide unconditional constructions of concurrent statistical zero-knowledge proofs for a variety of non-trivial problems (not known to have probabilistic polynomial-time algorithms). The problems include Graph Isomorphism, Graph Nonisomorphism, Quadratic Residuosity, Quadratic Nonresiduosity, a restricted version of Statistical Difference, and approximate versions of the (coNP forms of the) Shortest Vector Problem and Closest Vector Problem in lattices. For some of the problems, such as Graph Isomorphism and Quadratic Residuosity, the proof systems have provers that can be implemented in polynomial time (given an NP witness) and have \tilde{O}(log n) rounds, which is known to be essentially optimal for black-box simulation. To our best of knowledge, these are the first constructions of concurrent zero-knowledge protocols in the asynchronous model (without timing assumptions) that do not require complexity assumptions (such as the existence of one-way functions).
2005
EPRINT
Conditionally Verifiable Signatures
We introduce a new digital signature model, called conditionally verifiable signature (CVS), which allows a signer to specify and convince a recipient under what conditions his signature would become valid and verifiable; the resulting signature is not publicly verifiable immediately but can be converted back into an ordinary one (verifiable by anyone) after the recipient has obtained proofs, in the form of signatures/endorsements from a number of third party witnesses, that all the specified conditions have been fulfilled. A fairly wide set of conditions could be specified in CVS. The only job of the witnesses is to certify the fulfillment of a condition and none of them need to be actively involved in the actual signature conversion, thus protecting user privacy. It is guaranteed that the recipient cannot cheat as long as at least one of the specified witnesses does not collude. We formalize the concept of CVS and give a generic CVS construction based on any CPA-secure identity based encryption (IBE) scheme. Theoretically, we show that the existence of IBE with indistinguishability under a chosen plaintext attack (a weaker notion than the standard one) is necessary and sufficient for the construction of a secure CVS.\footnote{Due to page limit, some proofs are omitted here but could be found in the full version \cite{CB05ibecvs}.}
2005
EPRINT
Conjunctive Keyword Search on Encrypted Data with Completeness and Computational Privacy
We introduce mechanisms for secure keyword searches on a document server. We propose protocols with computational privacy, query correctness assurances and minimal or no leaks: the server either correctly executes client queries or (if it behaves maliciously) is immediately detected. The client is then provided with strong assurances proving the authenticity and completeness of server replies. This is different from existing research efforts, where a cooperating, non-malicious server behavior is assumed. We also strengthen the privacy guarantees. The oblivious search protocol not only hides (from the server) the outsourced data but also does not leak client access patterns, the queries themselves, the association between previously searched keywords and returned documents or between newly added documents and their corresponding keywords (not even in encrypted form). This comes naturally at the expense of additional computation costs which we analyze in the context of today's off the shelf hardware. In a reasonable scenario, a single CPU off-the-shelf PC can easily handle hundreds of such oblivious searches per minute.
2005
EPRINT
Constant Round Dynamic Group Key Agreement
We present a fully symmetric constant round authenticated group key agreement protocol in dynamic scenario. Our proposed scheme achieves forward secrecy and is provably secure under DDH assumption in the security model of Bresson {\em et al.} providing, we feel, better security guarantee than previously published results. The protocol is efficient in terms of both communication and computation power.
2005
EPRINT
Constant-Round Multiparty Computation Using a Black-Box Pseudorandom Generator
We present a constant-round protocol for general secure multiparty computation which makes a {\em black-box} use of a pseudorandom generator. In particular, the protocol does not require expensive zero-knowledge proofs and its communication complexity does not depend on the computational complexity of the underlying cryptographic primitive. Our protocol withstands an active, adaptive adversary corrupting a minority of the parties. Previous constant-round protocols of this type were only known in the semi-honest model or for restricted classes of functionlities.
2005
EPRINT
Constant-Size Hierarchical Identity-Based Signature/Signcryption without Random Oracles
We construct the first constant-size hierarchical identity-based signature (HIBS) without random oracles - the signature size is $O(\lambda_s)$ bits, where $\lambda_s$ is the security parameter, and it is independent of the number of levels in the hierarchy. We observe that an efficient hierarchical identity-based signcryption (HIBSC) scheme without random oracles can be compositioned from our HIBS and Boneh, Boyen, and Goh's hierarchical identity-based encryption (HIBE). We further optimize it to a constant-factor efficiency improvement. This is the first constant-size HIBSC without random oracles.
2005
EPRINT
Correlation-Resistant Storage via Keyword-Searchable Encryption
We consider the problem of using untrusted components to build correlation-resistant survivable storage systems that protect file replica locations, while allowing nodes to continuously re-distribute files throughout the network. The principal contribution is a chosen-ciphertext secure, searchable public key encryption scheme which allows for dynamic re-encryption of ciphertexts, and provides for node-targeted searches based on keywords or other identifiers. The scheme is provably secure under the SXDH assumption which holds in certain subgroups of elliptic curves, and a closely related assumption that we introduce.
2005
EPRINT
Countering chosen-ciphertext attacks against noncommutative polly cracker-type cryptosystems
In [2], Stanislav Bulygin presents a chosen-ciphertext attack against certain instances of noncommutative polly cracker-type cryptosystems which were proposed in [7] and [9]. In this article, we present generalized versions of this attack, which can be used against virtually all polly cracker-type cryptosystems. We then present a simple but effective techique to counter these attacks. We also present a technique to counter an adaptive chosen-ciphertext attack which was first described by Neil Koblitz in [8].
2005
EPRINT
Cryptanalysis of One Fair E-cash System
One fair e-cash system was proposed in [1]. In this paper, we show that the system is insecure. Besides, we point out that there are two drawbacks. One is that those integer intervals for $s_i (i=1, \cdots, 9)$ are unappropriate. The other is that the datum $s_3$ in signature data is redundant. Moreover, we give a minute description of the technique to shun the challenge in the scheme. We think the method is a little interesting.
2005
EPRINT
Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05
An ad-hoc anonymous identification scheme is a new multi-user cryptographic primitive that allows participants from a user population to form ad hoc groups, and then prove membership anonymously in such groups. Recently, Nguyen \cite{Lan05} proposed an ID-based ad-hoc anonymous identification scheme from bilinear pairings. However, in this paper, we propose an attack on Nguyen's ID-based ad-hoc anonymous identification scheme. We show that any one can impersonate a valid group member to perform the anonymous identification protocol successfully. Furthermore, we propose a solution to improve this scheme against our attack.
2005
EPRINT
Cryptanalysis of a 32-bit RC4-like Stream Cipher
Nawaz, Gupta and Gong recently proposed a 32-bit RC4-like stream cipher. In this paper, we show that the keystream generated from their stream cipher is not random. The keystream can be distinguished from random with only about 100 outputs (3200 bits) in 2 milliseconds on Intel Centrino 1.6GHz processor.
2005
EPRINT
Cryptanalysis of an anonymous wireless authentication and conference key distribution scheme
In this paper we analyse an anonymous wireless authentication and conference key distribution scheme which is also designed to provide mobile participants with user identification privacy during the conference call. The proposed scheme consists of three sub-protocols: the Call Set-Up Authentication Protocol, the Hand-Off Authentication Protocol, and the Anonymous Conference Call Protocol. We show that the proposed scheme suffers from a number of security vulnerabilities.
2005
EPRINT
Cryptanalysis of Hiji-bij-bij (HBB)
In this paper, we show several known-plaintext attacks on the stream cipher HBB which was proposed recently at INDOCRYPT 2003. The cipher can operate either as a classical stream cipher (in the B mode) or as an asynchronous stream cipher (in the SS mode). In the case of the SS mode, we present known-plaintext attacks recovering 128-bit key with the complexity 2^66 and 256-bit key with the complexity 2^67. In the case of B mode with 256-bit key, we show a known-plaintext attack recovering the whole plaintext with the complexity 2^140. All attacks need only a small part of the plaintext to be known.
2005
EPRINT
Cryptanalysis of improvement of digital signature with message recovery using self-certified public keys and its variants
In 2003, Tseng et al. proposed a self-certified public key signature with message recovery, which gives two advantages: one is that the signer??s public key can simultaneously be authenticated in verifying the signature and the other one is that only the specified verifier can recover the message. Lately, Xie and YU proposed an attack to the Tseng et al.??s scheme under the cases: the specified verifier substitutes his secret key or two or more specified verifiers cooperatively forge the signer??s signature. About the same time, Shao also proposed another insider forgery attack to break the Tseng et al.??s scheme. In addition, he claimed the Tseng et al.??s scheme without the properties of non-repudiation and forward security. Therefore, he proposed an improved scheme to overcome the weakness. In this paper, we will show that the Shao??s improved scheme is still insecure against the insider forgery attack. A specified verifier can forge many different valid signatures with the same message to the other verifiers who cooperatively provide their secret keys. Furthermore, we give a small modification to overcome this weakness.
2005
EPRINT
Cryptanalysis of Sfinks
Sfinks is an LFSR-based stream cipher submitted to ECRYPT call for stream ciphers by Braeken, Lano, Preneel et al. The designers of Sfinks do not to include any protection against algebraic attacks. They rely on the so called "Algebraic Immunity", that relates to the complexity of a simple algebraic attack, and ignores other algebraic attacks. As a result, Sfinks is insecure.
2005
EPRINT
Cryptanalysis of the Yang -Wang's password authentication schemes
In 1999, Yang and shieh proposed two password authentication schemes using smart cards. But in 2003, Sun and Yeh indicated that their schemes are subject to the forgery attack. So in 2005, Yang and Wang proposed an improvement of Yang and Shieh??s schemes to resist against Sun and Yeh??s attack. However in this paper, we will point out that Yang and Wang??s schemes still suffer from the forgery attack. Because in their schemes, one can masquerade as a legal user and cheat the remote server successfully in the authentication phase.
2005
EPRINT
Cryptanalysis of Two ID-based Authenticated Key Agreement Protocols from Pairings
Recently, a number of ID-based two-party authenticated key agreement protocols which make of bilinear pairings have been proposed \cite {CJL,MB,Sh,S,X}. In this paper, we show that the Xie's protocol \cite {X} does not provide implicit key authentication and key-compromise impersonation resilience. Also, we point out the vulnerability of the Choi {\it et al}'s protocol \cite {CJL} against signature forgery attacks.
2005
EPRINT
Cryptanalysis of two identification schemes based on an ID-based cryptosystem
Two identification schemes based on the Maurer-Yacobi ID-based cryptosystem are analysed and shown to suffer from serious security problems.
2005
EPRINT
Cryptanalysis on Chang-Yang-Hwang Protected Password Change Protocol
Recently, Chang et al. proposed an authenticated key agreement and protected password change scheme. They claimed that their scheme is simple and efficient. However, in this letter we point out that their protected password change protocol is insecure under the denial-of-service attack and the dictionary attack in some situations.
2005
EPRINT
Cryptographer's Toolkit for Construction of $8$-Bit Bent Functions
Boolean functions form basic building blocks in various cryptographic algorithms. They are used for instance as filters in stream ciphers. Maximally non-linear (necessarily non-balanced) Boolean functions with an even number of variables are called bent functions. Bent functions can be modified to get balanced highly non-linear Boolean functions. Recently the first author has demonstrated how bent functions can be studied in a recursive framework of certain integer-valued functions. Based on this new approach we describe the practical systematic construction of $8$-bit bent functions. We outline also how to compute the number of all $8$-bit bent functions.
2005
EPRINT
CRYPTOGRAPHIC MERSENNE TWISTER AND FUBUKI STREAM/BLOCK CIPHER
We propose two stream ciphers based on a non-secure pseudorandom number generator (called the mother generator). The mother generator is here chosen to be the Mersenne Twister (MT), a widely used 32-bit integer generator having 19937 bits of internal state and period $2^19937-1$. One proposal is CryptMT, which computes the accumulative product of the output of MT, and use the most significant 8 bits as a secure random numbers. Its period is proved to be $2^19937-1$, and it is 1.5-2.0 times faster than the most optimized AES in counter-mode. The other proposal, named Fubuki, is designed to be usable also as a block cipher. It prepares nine different kinds of encryption functions (bijections from blocks to blocks), each of which takes a parameter. Fubuki encrypts a sequence of blocks (= a plain message) by applying these encryption functions iteratedly to each of the blocks. Both the combination of the functions and their parameters are pseudorandomly chosen by using its mother generator MT. The key and the initial value are passed to the initialization scheme of MT.
2005
EPRINT
Cryptographic Protocols to Prevent Spam
This is a survey of mechanisms to control or prevent spam, with emphsis on cryptographic protocols. We also present a new cryptographic protocol, Secure Automated Resolution Protocol, which can be used to penalize spammers (and for other applications).
2005
EPRINT
CRYPTOGRAPHY BASED ON CHAOTIC SYNCHRONIZATION: ROUND III
This paper discusses cryptography based on the property of chaotic synchronization. Specifically, it is about Round III of such a cryptographic method. Round I showed the feasibility of using chaotic synchronization for cryptography. Round II consisted of a method to counter attack. This paper is Round III and shows how to counter the counter attacks. First, we show numerical evidence that synchronization is possible between two Lorenz systems if one system sends information about $x_0$ at a slower rate. The second system evolves on its own, except that when it receives a signal from the first system, it replaces its own value of $y_0$ by the received $x_0$. We have found that the two systems eventually synchronize, but often after a long time. Therefore, we have devised a technique to speed-up this synchronization. Once this is done, it is possible for the authorized receiver (with the possession of the initial super-key) to keep synchronizing with slowly sampled inputs, whereas the known methods of Round II do not help an eavesdropper.
2005
EPRINT
Cryptography In the Bounded Quantum-Storage Model
We initiate the study of two-party cryptographic primitives with unconditional security, assuming that the adversary's {\em quantum}memory is of bounded size. We show that oblivious transfer and bit commitment can be implemented in this model using protocols where honest parties need no quantum memory, whereas an adversarial player needs quantum memory of size at least $n/2$ in order to break the protocol, where $n$ is the number of qubits transmitted. This is in sharp contrast to the classical bounded-memory model, where we can only tolerate adversaries with memory of size quadratic in honest players' memory size. Our protocols are efficient, non-interactive and can be implemented using today's technology. On the technical side, a new entropic uncertainty relation involving min-entropy is established.
2005
EPRINT
Cryptography in Theory and Practice: The Case of Encryption in IPsec
This paper studies the gaps that exist between cryptography as studied in theory, as defined in standards, as implemented by software engineers, and as actually consumed by users. Our focus is on IPsec, an important and widely-used suite of protocols providing security at the IP layer of network communications. Despite well-known results in theoretical cryptography highlighting the vulnerabilities of unauthenticated encryption, the IPsec standards currently mandate its support. We present evidence that such ``encryption-only'' configurations are in fact still often selected by users in practice, even with strong warnings advising against this in the IPsec standards. We then describe a variety of attacks against such configurations and report on their successful implementation in the case of the Linux kernel implementation of IPsec. Our attacks are realistic in their requirements, highly efficient, and recover the complete contents of IPsec-protected datagrams. Our attacks still apply when integrity protection is provided by a higher layer protocol, and in some cases even when it is supplied by IPsec itself. Finally in this paper, we reflect on the reasons why this unsatisfactory situation persists, and make some recommendations for the future development of IPsec and cryptographic software in general.
2005
EPRINT
David Chaum's Voter Verification using Encrypted Paper Receipts
In this document, we provide an exposition of David Chaum's voter verification method that uses encrypted paper receipts. This document provides simply an exposition of the protocol, and does not address any of the proofs covered in Chaum's papers.
2005
EPRINT
Democratic Group Signatures on Example of Joint Ventures
In the presence of economic globalization joint venture is one of the most common and effective means of conducting business internationally. By building joint ventures companies form strategic alliances that help them to enter new economic markets and further their business goals in a cooperative effort without loosing own independence. Upon building a joint venture company, two or more "parent" companies agree to share capital, technology, human ressources, risks and rewards in a formation of a new entity under shared control by a "board of directors", which consists of representatives of "parent" companies. The establishment of such shared control is tricky and relies generally on the "trust, but verify" relationship, i.e., companies trust the information they receive from prospective partners, but it is a good business practice to verify the facts. In this paper we focus on the issue of the shared financial control in a joint venture. We consider the mostly preferred form of the control where every member of the board is able to issue payment orders on behalf of the joint venture, but at the same time representatives of other companies, should be able to monitor the accounting to achieve fairness in the spending of shared funds. For this form of the shared control we propose a new secure group-oriented signature scheme, called a {\it democratic group signature} scheme, which results from the modification of the standard notion of group signatures by eliminating the role of the group manager. We also show that existing schemes, e.g., ring and group signatures, cannot be used to realize the required shared control based on the "trust, but verify" relationship.
2005
EPRINT
Deniable Authentication with RSA and Multicasting
A deniable authentication scheme using RSA is described and proven secure in the random oracle model. A countermeasure to a well-known attack on efficient deniable authentication to multiple recipients is describe and proven secure.
2005
EPRINT
Derandomization in Cryptography
We give two applications of Nisan--Wigderson-type ("non-cryptographic") pseudorandom generators in cryptography. Specifically, assuming the existence of an appropriate NW-type generator, we construct: A one-message witness-indistinguishable proof system for every language in NP, based on any trapdoor permutation. This proof system does not assume a shared random string or any setup assumption, so it is actually an "NP proof system." A noninteractive bit commitment scheme based on any one-way function. The specific NW-type generator we need is a hitting set generator fooling nondeterministic circuits. It is known how to construct such a generator if ETIME = DTIME(2^O(n)) has a function of nondeterministic circuit complexity 2^\Omega(n) (Miltersen and Vinodchandran, FOCS `99). Our witness-indistinguishable proofs are obtained by using the NW-type generator to derandomize the ZAPs of Dwork and Naor (FOCS `00). To our knowledge, this is the first construction of an NP proof system achieving a secrecy property. Our commitment scheme is obtained by derandomizing the interactive commitment scheme of Naor (J. Cryptology, 1991). Previous constructions of noninteractive commitment schemes were only known under incomparable assumptions.
2005
EPRINT
Design and Analysis of a Robust and Efficient Block Cipher using Cellular Automata
Cellular Automaton (CA) has been shown to be capable of generating complex and random patterns out of simple rules. There has been constant efforts of applying CA to develop ciphers, but the attempts have not been successful. This paper describes how repeated application of simple CA transforms may be used to achieve confusion and diffusion, needed in block ciphers. The components have been evaluated for their robustness against conventional cryptanalysis and the results have been found to be comparable to standards. Finally, the parts are assembled in an unconventional way to construct a self-invertibe CA based round, which is resistant against linear and differential cryptanalysis and yet can be efficiently implemented.
2005
EPRINT
Design of near-optimal pseudorandom functions and pseudorandom permutations in the information-theoretic model
In this paper we will extend the Benes and Luby-Rackoff constructions to design various pseudo-random functions and pseudo-random permutations with near optimal information-theoretic properties. An example of application is when Alice wants to transmit to Bob some messages against Charlie, an adversary with unlimited computing power, when Charlie can receive only a percentage $\tau$ of the transmitted bits. By using Benes, Luby-Rackoff iterations, concatenations and fixing at 0 some values, we will show in this paper how to design near optimal pseudo-random functions for all values of $\tau$. Moreover we will show how to design near optimal pseudo-random permutations when $\tau$ can have any value such that the number of bits obtained by Charlie is smaller than the square root of all the transmitted bits.
2005
EPRINT
Deterministic Identity-Based Signatures for Partial Aggregation
Aggregate signatures are a useful primitive which allows to aggregate into a single and constant-length signature many signatures on different messages computed by different users. Specific proposals of aggregate signature schemes exist only for PKI-based scenarios. For identity-based scenarios, where public keys of the users are directly derived from their identities, the signature schemes proposed up to now do not seem to allow constant-length aggregation. We provide an intermediate solution to this problem, by designing a new identity-based signature scheme which allows aggregation when the signatures to be aggregated come all from the same signer. The new scheme is deterministic and enjoys some better properties than the previous proposals. We formally prove that the scheme is unforgeable, in the random oracle model, assuming that the Computational co-Diffie-Hellman problem is hard to solve.
2005
EPRINT
Diffie-Hellman key exchange protocol and non-abelian nilpotent groups
In this paper we study a key exchange protocol similar to Diffie-Hellman key exchange protocol using abelian subgroups of the automorphism group of a non-abelian nilpotent group. We also generalize group no.92 of Hall-Senior table \cite{halltable}, for arbitrary prime $p$ and show that for those groups, the group of central automorphisms commute. We use these for the key exchange we are studying.
2005
EPRINT
Diffie-Hellman Key Exchange Protocol, Its Generalization and Nilpotent Groups
This dissertation has two chapters. In the first chapter we talk about the discrete logarithm problem, more specifically we concentrate on the Diffie-Hellman key exchange protocol. We survey the current state of security for the Diffie-Hellman key exchange protocol. We also motivate the reader to think about the Diffie-Hellman key exchange in terms of group automorphisms. In the second chapter we study two key exchange protocols similar to the Diffie-Hellman key exchange protocol using an abelian subgroup of the automorphism group of a nonabelian group. We also generalize group no.~92 of the Hall-Senior table, for arbitrary prime $p$ and study the automorphism group of these generalized group. We show that for those groups, the group of central automorphisms is an abelian group. We use these central automorphisms for the key exchange we are studying. We also develop a signature scheme.
2005
EPRINT
Direct Chosen Ciphertext Security from Identity-Based Techniques
We describe a new encryption technique that is secure in the standard model against adaptive chosen ciphertext (CCA2) attacks. We base our method on two very efficient Identity-Based Encryption (IBE) schemes without random oracles due to Boneh and Boyen, and Waters. Unlike previous CCA2-secure cryptosystems that use IBE as a black box, our approach is endogenous, very simple, and compact. It makes direct use of the underlying IBE structure, and requires no cryptographic primitive other than the IBE scheme itself. This conveys several advantages. We achieve shorter ciphertext size than the best known instantiations of the other methods, and our technique is as efficient as the Boneh and Katz method (and more so than that of Canetti, Halevi, and Katz). Further, our method operates nicely on hierarchical IBE, and since it allows the validity of ciphertexts to be checked publicly, it can be used to construct systems with non-interactive threshold decryption. In this paper we describe two main constructions: a full encryption system based on the Waters adaptive-ID secure IBE, and a KEM based on the Boneh-Boyen selective-ID secure IBE. Both systems are shown CCA2-secure in the standard model, the latter with a tight reduction. We discuss several uses and extensions of our approach, and draw comparisons with other schemes that are provably secure in the standard model.
2005
EPRINT
Distinguishing Stream Ciphers with Convolutional Filters
This paper presents a new type of distinguisher for the shrinking generator and the alternating-step generator with known feedback polynomial and for the multiplexor generator. For the former the distinguisher is more efficient than existing ones and for the latter it results in a complete breakdown of security. The distinguisher is conceptually very simple and lends itself to theoretical analysis leading to reliable predictions of its probability of success.
2005
EPRINT
Distributed Phishing Attacks
We identify and describe a new type of phishing attack that circumvents what is probably today's most efficient defense mechanism in the war against phishing, namely the shutting down of sites run by the phisher. This attack is carried out using what we call a distributed phishing attack (DPA). The attack works by a per-victim personalization of the location of sites collecting credentials and a covert transmission of credentials to a hidden coordination center run by the phisher. We show how our attack can be simply and efficiently implemented and how it can increase the success rate of attacks while at the same time concealing the tracks of the phisher. We briefly describe a technique that may be helpful to combat DPAs.
2005
EPRINT
DSAC: An Approach to Ensure Integrity of Outsourced Databases using Signature Aggregation and Chaining
Database outsourcing is an important emerging trend which involves data owners delegating their data management needs to an external service provider. In this model, a service provider hosts clients' databases and offers mechanisms to create, store, update and access (query) outsourced databases. Since a service provider is almost never fully trusted, security and privacy of outsourced data are important concerns. A core security requirement is the integrity and authenticity of outsourced databases. Whenever someone queries a hosted database, the results must be demonstrably authentic (with respect to the actual data owner) to ensure that the data has not been tampered with. Furthermore, the results must carry a proof of completeness which will allow the querier to verify that the server has not omitted any valid tuples that match the query predicate. Notable prior research (\cite{DpGmMcSs00, McNgDpGmKwSs02, PanTan04}) focused on so-called \textit{Authenticated Data Structures}. Another prior approach involved the use of special digital signature schemes. In this paper, we extend the state-of-the-art to provide both authenticity and completeness guarantees of query replies. Our work also analyzes the new approach for various base query types and compares the new approach with Authenticated Data Structures.\footnote{We also point out some possible security flaws in the approach suggested in the recent work of \cite{PanTan04}.}
2005
EPRINT
Duality between Multiplication and Modular Reduction
This paper presents a duality between the classical optimally speeded up multiplication algorithm and some "fast" reduction algorithm. For this, the multiplier is represented by the unique signed digit representation with minimal Hamming weight using Reitwiesner's multiplier recoding algorithm. In fact, the present paper proves that this optimal multiplier recoding technique naturally translates into a canonical modular reduction technique. The other direction is shown as well. Thus, the resulting reduction algorithm is optimal with respect to its average-time complexity as well. Besides these two new results, our proof of the transfer-theorem serves another interesting purpose: The reason that the considered reduction algorithm from \cite{Sedlak} is so unknown might lie in the fact that it is rather un-intuitive and no proper understanding was available so far. Therefore, our proper mathematical derivation/explanation solves this lack of understanding.
2005
EPRINT
Dynamic Group Key Agreement in Tree-Based Setting
We present a provably secure tree based authenticated group key agreement protocol in dynamic scenario. Bilinear pairing and multi-signature are at the heart of our protocol. We prove that our protocol is provably secure in the standard security model of Bresson et al. An appropriate modification of Katz-Yung approach to tree based setting is adopted while proving its security against active adversaries. The protocol has an in-built hierarchical structure that makes it desirable for certain applications.
2005
EPRINT
Dynamic k-Times Anonymous Authentication
k-times anonymous authentication (k-TAA) schemes allow members of a group to be anonymously authenticated by application providers for a bounded number of times. k-TAA has application in e-voting, e-cash, electronic coupons and anonymous trial browsing of content. In this paper, we extend k-TAA model to dynamic k-TAA in which application providers can independently grant or revoke users from their own groups and so have the required control on their clients. We give a formal model for dynamic k-TAA, propose a dynamic k-times anonymous authentication scheme from bilinear pairing, and prove its security. We also construct an ordinary k-TAA from the dynamic scheme and show communication efficiency of the schemes compared to the previously proposed schemes.
2005
EPRINT
Effective Polynomial Families for Generating More Pairing-Friendly Elliptic Curves
Finding suitable non-supersingular elliptic curves becomes an important issue for the growing area of pairing-based cryptosystems. For this purpose, many methods have been proposed when embedding degree k and cofactor h are taken different values. In this paper we propose a new method to find pairing-friendly elliptic curves without restrictions on embedding degree k and cofactor h. We propose the idea of effective polynomial families for finding the curves through different kinds of Pell equations or special forms of D(x)V^2(x). In addition, we discover some efficient families which can be used to build pairing-friendly elliptic curves over extension fields, e.g. Fp^2 and Fp^4.
2005
EPRINT
Efficient Arithmetic on Subfield Elliptic Curves over Small Odd Characteristics
In elliptic curve cryptosystems, scalar multiplications performed on the curves have much effect on the efficiency of the schemes, and many efficient methods have been proposed. In particular, recoding methods of the scalars play an important role in the performance of the algorithm used. For integer radices, non-adjacent form (NAF) and its generalizations (e.g., generalized non-adjacent form (GNAF) and radix-$r$ non-adjacent form ($r$NAF) \cite{CL73,TYW04}) are proposed for minimizing the non-zero densities in the representations of the scalars. On the other hand, for subfield elliptic curves, Frobenius-adic expansions of the scalars can be used for improving efficiency (\cite{Sma99+}). Unfortunately, there are only a few methods apply the techniques of NAF or its analogue to Frobenius-adic expansion, namely $\tau$-adic NAF techniques (\cite{Kob98,Sol00,BMX04} and \cite{GLS01}) for Koblitz curves and hyperelliptic Koblitz curves. In this paper, we try to combine these techniques, namely recoding methods for reducing non-zero density and Frobenius-adic expansion, and propose two new efficient recoding methods of scalars for more general family of subfield elliptic curves over odd characteristics. We also prove that the non-zero densities for the new methods are same as those for original GNAF and $r$NAF. As a result, the speed of the proposed schemes improve between 12.5{\%} and 79{\%} over that for previously known schemes.
2005
EPRINT
Efficient Broadcast Encryption Scheme with Log-Key Storage
In this paper, we present a broadcast encryption scheme with efficient transmission cost under the \emph{log-key} restriction. Given $n$ users and $r$ revoked users, our scheme has the transmission cost of $O(r)$ and requires the storage of $O(\log n)$ keys at each receiver. These are optimal complexities in broadcast encryptions using one-way hash functions (or pseudo-random generators.) To achieve these complexities, the stratified subset difference (SSD) scheme and the $\overline{B1}$ scheme were introduced by Goodrich et al. and Hwang et al. respectively. However, their schemes have the disadvantage that transmission cost increases linearly according to the number of stratifications. By assigning the related keys between stratifications, our scheme remedies the defect and achieves very efficient transmission cost even in an environment where the key storage is restricted. To the best of our knowledge, our scheme has the most efficient transmission cost in the existing schemes with log-key storage. In addition, our result is comparable to other schemes that allow a large key storage.
2005
EPRINT
Efficient Certificateless Public Key Encryption
Certificateless public key cryptography was introduced to overcome the key escrow limitation of the identity-based cryptography. Most of the existing certificateless public key encryption schemes are based on Boneh and Franklin's identity-based encryption scheme (BF-IBE). In this paper, we construct a new certificateless public key encryption scheme from the efficient SK-IBE which has been proved to be IND-ID-CCA secure. The new scheme is more efficient on computation complexity or published public key information than the existing schemes.
2005
EPRINT
Efficient Certificateless Public Key Encryption
In [3] Al-Riyami and Paterson introduced the notion of "Certificateless Public Key Cryptography" and presented an instantiation. In this paper, we revisit the formulation of certificateless public key encryption and construct a more efficient scheme and then extend it to an authenticated encryption.
2005
EPRINT
Efficient Comb Elliptic Curve Multiplication Methods Resistant to Power Analysis
Elliptic Curve Cryptography (ECC) has found wide applications in smart cards and embedded systems. Point multiplication plays a critical role in ECC. Many efficient point multiplication methods have been proposed. One of them is the comb method which is much more efficient than other methods if precomputation points are calculated in advance or elsewhere. Unfortunately, Many efficient point multiplication methods including the comb method are vulnerable to power-analysis attacks. Various algorithms to make elliptic curve point multiplication secure to power-analysis attacks have been proposed recently, such as the double-and-add-always method, M\"{o}ller's window method, Okeya et al.'s odd-only window method, and Hedabou et al.'s comb method. In this paper, we first present a novel comb recoding algorithm which converts an integer to a sequence of signed, odd-only comb bit-columns. Using this recoding algorithm, we then present several comb methods, both Simple Power Analysis (SPA)-nonresistant and SPA-resistant, for point multiplication. These comb methods are more efficient than the original SPA-nonresistant comb method and Hedabou et al.'s SPA-resistant comb method. Our comb methods inherit the advantage of a comb method, running much faster than M\"{o}ller's window method and Okeya et al.'s odd-only window method, as well as other window methods such as the efficient signed $m$-ary window method, if only the evaluation phase is taken into account. Combined with randomization projective coordinates or other randomization techniques and certain precautions in selecting elliptic curves and parameters, our SPA-resistant comb methods are resistant to all power-analysis attacks.
2005
EPRINT
Efficient Compilers for Authenticated Group Key Exchange
In this paper we propose two compilers which are designed to transform a group key exchange protocol secure against any passive adversary into an authenticated group key exchange protocol with key confirmation which is secure against any passive adversary, active adversary, or malicious insider. We show that the first proposed compiler gives protocols that are more efficient than those produced by the compiler of Katz and Yung. The second proposed compiler further reduces the computational complexity of the output protocols by using a Trusted Third Party (TTP). We moreover show that, although the protocols produced by the novel compilers have lower computational complexity than the protocols produced by the Katz-Yung compiler, the protocols nevertheless achieve key confirmation, unlike the protocols output by the Katz-Yung compiler.
2005
EPRINT
Efficient Computation of the Tate Pairing on Hyperelliptic Curves for Cryptosystems
In this paper, we suggest to use the curve $\curve, b=0 \mbox{ or } 1$ over $\Ftn$ for a secure and efficient pairing-based cryptosystems. For this curve, we develop efficient algorithms to compute the Tate pairing and give an implementation result of Tate paring on the curve $H_0$.
2005
EPRINT
Efficient Delegation of Pairing Computation
Pairing computation requires a lot of efforts for portable small devices such as smart cards. It was first considered concretely by Chevallier-Mames et al. that the cards delegate computation of pairings to a powerful device. In this paper, we propose more efficient protocols than those of Chevallier-Mames et al. in two cases, and provide two new variants that would be useful in real applications.
2005
EPRINT
Efficient Doubling on Genus 3 Curves over Binary Fields
The most important and expensive operation in a hyperelliptic curve cryptosystem (HECC) is scalar multiplication by an integer k, i.e., computing an integer k times a divisor D on the Jacobian. Using some recoding algorithms for scalar $k$, we can reduce a number of divisor class additions during the process of computing scalar multiplication. So divisor doubling will account for the main part in all kinds of scalar multiplication algorithms. In order to accelerate the genus 3 HECC over binary fields we investigate how to compute faster doubling in this paper. By constructing birational transformation of variables, we derive explicit doubling formulae for all types of defining equations of the curve. For each type of curve, we analyze how many field operations are needed. So far all proposed curves are secure, though they are more special types. Our results allow to choose curves from a large enough variety which have extremely fast doubling needing only one third the time of an addition in the best case. Furthermore, an actual implementation of the new formulae on a Pentium-M processor shows its practical relevance.
2005
EPRINT
Efficient hardware for the Tate pairing calculation in characteristic three
In this paper the benefits of implementation of the Tate pairing computation in dedicated hardware are discussed. The main observation lies in the fact that arithmetic architectures in the extension field $GF(3^{6m})$ are good candidates for parallelization, leading to a similar calculation time in hardware as for operations over the base field $GF(3^m)$. Using this approach an architecture for the hardware implementation of the Tate pairing calculation based on a modified Duursma-Lee algorithm is proposed.
2005
EPRINT
Efficient Identity-Based and Authenticated Key Agreement Protocol
Several identity based and authenticated key agreement protocols have been proposed in recent years and all of them have been shown to be non-secure. It remains an open question to design secure identity based and authenticated key agreement protocols. In this paper, we propose an efficient identity-based and authenticated key agreement protocol IDAK using Weil/Tate pairing. A security model for identity based key agreement protocol is established and the security properties of IDAK are proved in this model with random oracle. In particular, it is shown that the IDAK protocol possesses all characteristics that a secure key agreement should have.
2005
EPRINT
Efficient Identity-Based Encryption with Tight Security Reduction
In a famous paper of Crypto'01, Boneh and Franklin proposed the first identity-based encryption scheme (IBE), around fifteen years after the concept was introduced by Shamir. Their scheme security (more precisely, the notion of resistance against an IND-ID-CCA attacker) relies in the random oracle model. However, the reduction is far from being tight, and notably depends on the number of extractions queries. In this paper, we present an efficient modification to the Boneh-Franklin scheme that provides a tight reduction. Our scheme is basically an IBE under two keys, one of which is (randomly) detained by the recipient. It can be viewed as a continuation of an idea introduced by Katz and Wang; we will however show how our construction improves this last scheme. Our scheme features a tight reduction to the list bilinear Diffie-Hellman (LBDH) problem, which can be itself reduced tightly either to the gap bilinear Diffie-Hellman (GBDH) or the decisional bilinear Diffie-Hellman (DBDH) problems. Furthermore, for a relaxed notion of tightness (called weak-tightness) that we introduce and discuss in our paper, we show that there is a weakly tight reduction from our scheme to the computational bilinear Diffie-Hellman (CBDH) problem. Our scheme is very efficient, as one can precompute most of the quantity involved in the encryption process. Furthermore, the ciphertext size is very short: for proposed parameters, they are |M|+330 bits long.
2005
EPRINT
Efficient Identity-Based Key Encapsulation to Multiple Parties
We introduce the concept of identity based key encapsulation to multiple parties (mID-KEM), and define a security model for it. This concept is the identity based analogue of public key KEM to multiple parties. We also analyse possible mID-KEM constructions, and propose an efficient scheme based on bilinear pairings. We prove our scheme secure in the random oracle model under the Gap Bilinear Diffie-Hellman assumption.
2005
EPRINT
Efficient Mutual Data Authentication Using Manually Authenticated Strings
Solutions for an easy and secure setup of a wireless connection between two devices are urgently needed for WLAN, Wireless USB, Bluetooth and similar standards for short range wireless communication. In this paper we analyse the SAS protocol by Vaudenay and propose a new three round protocol MA-3 for mutual data authentication based on a cryptographic commitment scheme and short manually authenticated out-of-band messages. We show that non-malleability of the commitment scheme is essential for the security of the SAS and the MA-3 schemes and that extractability or equivocability do not imply non-malleability. We also give new proofs of security for the SAS and MA-3 protocols and suggestions how to instantiate the MA-3 protocol in practise.
2005
EPRINT
Efficient reduction of 1 out of $n$ oblivious transfers in random oracle model
We first present a protocol which reduces 1-out-of-$n$ oblivious transfer OT$_l^m$ to 1-out-of-$n$ oblivious transfer OT$_m^k$ for $n>2$ in random oracle model, and show that the protocol is secure against malicious sender and semi-honest receiver. Then, by employing a cut-and-choose technique, we obtain a variant of the basic protocol which is secure against a malicious receiver.
2005
EPRINT
Efficient Scalar Multiplication by Isogeny Decompositions
On an elliptic curve, the degree of an isogeny corresponds essentially to the degrees of the polynomial expressions involved in its application. The multiplication--by--$\ell$ map $[\ell]$ has degree~$\ell^2$, therefore the complexity to directly evaluate $[\ell](P)$ is $O(\ell^2)$. For a small prime $\ell\, (= 2, 3)$ such that the additive binary representation provides no better performance, this represents the true cost of application of scalar multiplication. If an elliptic curves admits an isogeny $\varphi$ of degree $\ell$ then the costs of computing $\varphi(P)$ should in contrast be $O(\ell)$ field operations. Since we then have a product expression $[\ell] = \hat{\varphi}\varphi$, the existence of an $\ell$-isogeny $\varphi$ on an elliptic curve yields a theoretical improvement from $O(\ell^2)$ to $O(\ell)$ field operations for the evaluation of $[\ell](P)$ by na\"ive application of the defining polynomials. In this work we investigate actual improvements for small $\ell$ of this asymptotic complexity. For this purpose, we describe the general construction of families of curves with a suitable decomposition $[\ell] = \hat{\varphi}\varphi$, and provide explicit examples of such a family of curves with simple decomposition for~$[3]$. Finally we derive a new tripling algorithm to find complexity improvements to triplication on a curve in certain projective coordinate systems, then combine this new operation to non-adjacent forms for $\ell$-adic expansions in order to obtain an improved strategy for scalar multiplication on elliptic curves.
2005
EPRINT
Elliptic Curves for Pairing Applications
In this paper we address the question of representing the discriminant of an imaginary quadratic field with respect to the basis of a cyclotomic field. This representation allows us to parameterize new families of ordinary elliptic curves over finite prime fields suitable for pairing applications. In particular these curves have small discriminants greater than four and arbitrary embedding degree. Computational results are presented which support the theoretical findings.
2005
EPRINT
Elliptic Curves with Low Embedding Degree
Motivated by the needs of the {\it pairing based cryptography\/}, Miyaji, Nakabayashi and Takano have suggested a construction of so-called MNT elliptic curves with low embedding degree. We give some heuristic arguments which suggest that there are only about $z^{1/2+o(1)}$ of MNT curves with complex multiplication discriminant up to $z$. We also show that there are very few finite fields over which elliptic curves with small embedding degree and small complex multiplication discriminant may exist (regardless of the way they are constructed).
2005
EPRINT
Enforcing Confinement in Distributed Storage and a Cryptographic Model for Access Control
This work is concerned with the security of the standard T10 OSD protocol, a capability-based protocol for object stores designed by the OSD SNIA working group. The Object Store security protocol is designed to provide access control enforcement in a distributed storage setting such as a Storage Area Network (SAN) environment. In this work we consider in particular the ability of the OSD protocol to enforce *confinement*, which is the property that even misbehaving participants can not leak secret information across predefined boundaries. We observe that being a "pure capability" protocol, the plain vanilla OSD protocol is incapable of enforcing confinement. We show, however, that given a trustworthy infrastructure for authentication and secure channels, the protocol can be used in a manner that achieves the desired property (and does not require any change in the message format). Thus we demonstrate that object stores can in principle be used in a standard fashion in applications that require protection against leakage of secret data. Having identified a problem and proposed a solution, we proceed to prove formally that the proposed protocol indeed meets all its security goals. In the process we refine common cryptographic models in order to be able to reason about confinement, and then devise a precise model for a distributed capability-based access-control mechanism. To our knowledge, this is the first time such a model for access-control is defined in a cryptographic setting, and defining it highlights what can and cannot be achieved by such mechanisms.
2005
EPRINT
Enhanced password-based key establishment protocol
In this paper we analyse a password-based authenticated key establishment protocol due to Laih, Ding and Huang, which enables a user to authenticate himself to a server and negotiate a shared session key. This protocol is also designed to guarantee that a human being is actually involved in an ongoing protocol execution. However we show that the protocol suffers from offline dictionary attacks. We propose an enhanced password-based authenticated key establishment protocol which is secure against offline dictionary attacks, and that possesses an additional feature guaranteeing that a user is involved in each protocol execution.
2005
EPRINT
Enhancing CK-Model for Key Compromise Impersonation Resilience and Identity-based Key Exchange
In 2001, Canetti and Krawczyk proposed a security model (CK-model) for authentication protocols. They also gave an indistinguishability-based definition for key exchange protocols. Since then the model has almost exclusively been used for analyzing key exchange protocols, although it can be applied to authentication protocols in general. The model not only captures a large class of attacks but also provides a modular approach to the design of authentication protocols. However, the model does not capture the property of Key Compromise Impersonation (KCI) Resilience. Until now, analysis concerning this property has mostly been done heuristically and restricted to key exchange protocols only. Previous attempts on formalizing KCI have mostly been done in some ad hoc manner and additional proofs have to be given, specifically for the security of KCI resilience. In this paper, we propose an extension to the CK-model, which allows, for the first time, the KCI attacks to be considered in authentication protocols in general, rather than restricted to key exchange protocols, and no more additional proofs are required specifically for KCI security. With the revival of interest in identity-based (ID-based) cryptography, there have been many new ID-based key exchange protocols proposed. Despite the fact that some of them have been proven in some restricted versions of a model proposed by Bellare and Rogaway in 1993 and some others have been proven in the original CK-model, there is no rigorous model specifically for ID-based key exchange security. In particular, forward secrecy against compromised Key Generation Server (KGS-FS) has never been captured even though this notion is more important and stronger than the perfect forward secrecy in ID-based key exchange. For this, we further extend our model to ID-based setting and capture the property of KGS-FS for ID-based key exchange security.
2005
EPRINT
Enhancing the MD-Strengthening and Designing Scalable Families of One-Way Hash Algorithms
One-way hash algorithms are an indispensable tool in data security. Over the last decade or so a number of one-way hash algorithms have been designed and many of them have been used in numerous applications. Recent progress in cryptanalytic attacks on one-way hash algorithms by Wang and co-workers, however, has brought up the urgency of research into new and more secure algorithms. The goal of this paper is two-folded. On one hand we propose a simple technique to affix authentication tags to messages prior to being hashed by an iterative one-way hash algorithm with the aim of increasing the overall security of the algorithm against cryptanalytic attacks. One the other hand we advocate the importance of a system oriented approach towards the design and deployment of new families of one-way hash algorithms that support greater scalability and facilitate migration to newer member algorithms upon the compromise of deployed ones. We base our observations on a common sense premise that there is no specific one-way hash algorithm can remain secure forever and it will eventually be broken by a cryptanalytic attack faster than exhaustive research.
2005
EPRINT
Equivalent Keys in Multivariate Quadratic Public Key Systems
Multivariate Quadratic public key schemes have been suggested back in 1985 by Matsumoto and Imai as an alternative for the RSA scheme. Since then, several other schemes have been proposed, for example Hidden Field Equations, Unbalanced Oil and Vinegar schemes, and Stepwise Triangular Schemes. All these schemes have a rather large key space for a secure choice of parameters. Surprisingly, the question of equivalent keys has not been discussed in the open literature until recently. In this article, we show that for all basic classes mentioned above, it is possible to reduce the private --- and hence the public --- key space by several orders of magnitude. For the Matsumoto-Imai scheme, we are even able to show that the reductions we found are the only ones possible, i.e., that these reductions are tight. While the theorems developed in this article are of independent interest themselves as they broaden our understanding of Multivariate Quadratic public key systems, we see applications of our results both in cryptanalysis and in memory efficient implementations of MQ-schemes.
2005
EPRINT
Errors in Computational Complexity Proofs for Protocols
Proofs are invaluable tools in assuring protocol implementers about the security properties of protocols. However, several instances of undetected flaws in the proofs of protocols (resulting in flawed protocols) undermine the credibility of provably-secure protocols. In this work, we examine several protocols with claimed proofs of security by Boyd & Gonzalez Nieto (2003), Jakobsson & Pointcheval (2001), and Wong & Chan (2001), and an authenticator by Bellare, Canetti, & Krawczyk (1998). Using these protocols as case studies, we reveal previously unpublished flaws in these protocols and their proofs. We hope our analysis will enable similar mistakes to be avoided in the future.
2005
EPRINT
Evolutionary Design of Trace Form Bent Functions
In order to design bent functions, evolutionary algorithm based on truth table, algebraic normal form or Walsh spectra are already known. Evolutionary algorithm based on trace function form is not known to authors' knowledge. In this paper, we give an evolutionary algorithm based on the trace representation of boolean function. With the algorithm, we constructed many bent functions and made some analysis work. First we observe that all 4 affinely inequivalent bent classes in 6-variable can be written as the linear sum of 2 or 3 monomial trace functions. We make a conclusion that affine transform can be used to change the linear span, which lead to a method constructing perfect nonlinear s-box of non-Niho type; Second, we find that some exponents take more chances to construct bent functions while some exponents take less. By this observation, we give each exponent a cost function, which make our algorithm more efficient than exhaustive searching algorithm or random algorithm. This is also the advantage over the algorithms based on the algebraic normal form, truth table, or Walsh spectra because we don't know what kinds of algebraic normal form, truth table, Walsh spectra are more possible to be used to construct bent functions; Third, we classify the obtained bent functions into affinely inequivalent classes and the number of classes is reported.
2005
EPRINT
Exact Maximum Expected Differential and Linear Probability for 2-Round Advanced Encryption Standard (AES)
Provable security of a block cipher against differential~/ linear cryptanalysis is based on the \emph{maximum expected differential~/ linear probability} (MEDP~/ MELP) over $T \geq 2$ core rounds. Over the past few years, several results have provided increasingly tight upper and lower bounds in the case $T=2$ for the Advanced Encryption Standard (AES). We show that the \emph{exact} value of the 2-round MEDP~/ MELP for the AES is equal to the best known lower bound: $53/2^{34} \approx 1.656 \times 2^{-29}$~/ $109,953,193/2^{54} \approx 1.638 \times 2^{-28}$. This immediately yields an improved upper bound on the AES MEDP~/ MELP for $T \geq 4$, namely $\left( 53/2^{34} \right)^4 \approx 1.881 \times 2^{-114}$~/ $\left( 109,953,193/2^{54} \right)^4 \approx 1.802 \times 2^{-110}$.
2005
EPRINT
Examining Indistinguishability-Based Proof Models for Key Establishment Protocols
We examine various indistinguishability-based proof models for key establishment protocols, namely the Bellare & Rogaway (1993, 1995), the Bellare, Pointcheval, & Rogaway (2000), and the Canetti & Krawczyk (2001) proof models. We then consider several variants of these proof models, identify several subtle differences between these variants and models, and compare the relative strengths of the notions of security between the models. For each of the pair of relations between the models (either an implication or a non-implication), we provide proofs or counter-examples to support the observed relations. We also reveal a drawback with the original formulation of the Bellare, Pointcheval, & Rogaway (2000) model, whereby the Corrupt query is not allowed. As a case study, we use the Abdalla & Pointcheval (2005) three-party password-based key exchange protocol (3PAKE), which carries a proof of security in the Bellare, Pointcheval, & Rogaway (2000) model. We reveal a previously unpublished flaw in the protocol, and demonstrate that this attack would not be captured in the model due to the omission of the Corrupt query.
2005
EPRINT
Exclusion-Intersection Encryption and Its Application to Searchable Encryption
Identity (or identifier) based encryption has shown to be a useful cryptographic schema enabling secure yet flexible role-based access control. In this paper, we propose a new notion named as {\em exclusion-intersection encryption}: the sender can specify the targeted groups that are legitimated and interested in reading the documents in the encryption algorithm; there exists a trusted key generation centre generating {\em intersection} private decryption keys on request. This special private key can only be used to decrypt the ciphertext which is of all the specified groups' interests, its holders are {\em excluded} from reading the documents targeted to any subset of the groups (e.g. the ciphertext of only a single group's interest). One of the applications of this new notion is to support an ad-hoc joint project of two groups which needs extra helpers that are not from either group. Another interesting application of the proposed scheme is an encrypted audit log that supports conjunctive field keyword searching, which is the first in the literature.
2005
EPRINT
Explicit Construction of Secure Frameproof Codes
$\Gamma$ is a $q$-ary code of length $L$. A word $w$ is called a descendant of a coalition of codewords $w^{(1)}, w^{(2)}, \dots, w^{(t)}$ of $\Gamma$ if at each position $i$, $1 \leq i \leq L$, $w$ inherits a symbol from one of its parents, that is $w_i \in \{ w^{(1)}_i, w^{(2)}_i, \dots, w^{(t)}_i \}$. A $k$-secure frameproof code ($k$-SFPC) ensures that any two disjoint coalitions of size at most $k$ have no common descendant. Several probabilistic methods prove the existance of codes but there are not many explicit constructions. Indeed, it is an open problem in [J. Staddon et al., IEEE Trans. on Information Theory, 47 (2001), pp. 1042--1049] to construct explicitly $q$-ary 2-secure frameproof code for arbitrary $q$. In this paper, we present several explicit constructions of $q$-ary 2-SFPCs. These constructions are generalisation of the binary inner code of the secure code in [V.D. To et al., Proceeding of IndoCrypt'02, LNCS 2551, pp. 149--162, 2002]. The length of our new code is logarithmically small compared to its size.
2005
EPRINT
Exponential Memory-Bound Functions for Proof of Work Protocols
In Year 2005, Internet users were twice more likely to receive unsolicited electronic messages, known as spams, than regular emails. Proof of work protocols are designed to deter such phenomena and other denial-of-service attacks by requiring computed stamps based on hard-to-solve problems with easy-to-verify solutions. As cpu-intensive computations are badly hit over time by Moore's law, memory-bound computations have been suggested to deal with heterogeneous hardware. We introduce new practical, optimal, proven and possibly memory-bound functions suitable to these protocols, in which the client-side work to compute the response is intrinsically exponential with respect to the server-side work needed to set or check the challenge. One-way non-interactive solution-verification variants are also presented. Although simple implementations of such functions are bound by memory latency, optimized versions are shown to be bound by memory bandwidth instead.
2005
EPRINT
Extracting bits from coordinates of a point of an elliptic curve
In the classic Diffie-Hellman protocol based on a generic group $\G$, Alice and Bob agree on a common secret $K_{AB}$ (master secret) which is indistinguishable from another element of $\G$ but not from a random bits-string of the same length. In this paper, we present a new deterministic method to extract bits from $K_{AB}$ when $\G$ is an elliptic curve defined over a quadratic extension of a finite field. In the last section, we show that it is also possible to extract a few bits when $\G$ is an elliptic curve defined over a prime field.
2005
EPRINT
F-HASH: Securing Hash Functions Using Feistel Chaining
The Feistel structure is well-known as a good structure for building block ciphers, due to its property of invertibility. It can be made non-invertible by fixing the left half of the input to 0, and by discarding the left half of the output bits. It then becomes suitable as a hash function construction. This paper uses the structure to build a hash function called F-Hash, which is immune to recent attack styles. In this paper, a more precise evaluation method, based upon conditional probability, is given.
2005
EPRINT
Fast Elliptic Curve Point Multiplication using Double-Base Chains
Among the various arithmetic operations required in implementing public key cryptographic algorithms, the elliptic curve point multiplication has probably received the maximum attention from the research community in the last decade. Many methods for efficient and secure implementation of point multiplication have been proposed. The efficiency of these methods mainly depends on the representation one uses for the scalar multiplier. In the current work we propose an efficient algorithm based on the so-called double-base number system. We introduce the new concept of double-base chains which, if manipulated with care, can significantly reduce the complexity of scalar multiplication on elliptic curves. Besides we have adopted some other measures to further reduce the operation count. Our algorithm compares favorably against classical and other similar approaches.
2005
EPRINT
Fast generators for the Diffie-Hellman key agreement protocol and malicious standards
The Diffie-Hellman key agreement protocol is based on taking large powers of a generator of a prime-order cyclic group. Some generators allow faster exponentiation. We show that to a large extent, using the fast generators is as secure as using a randomly chosen generator. On the other hand, we show that if there is some case in which fast generators are less secure, then this could be used by a malicious authority to generate a standard for the Diffie-Hellman key agreement protocol which has a hidden trapdoor.
2005
EPRINT
Fast genus 2 arithmetic based on Theta functions
In 1986, D. V. Chudnovsky and G. V. Chudnovsky proposed to use formulae coming from Theta functions for the arithmetic in Jacobians of genus 2 curves. We follow this idea and derive fast formulae for the scalar multiplication in the Kummer surface associated to a genus 2 curve, using a Montgomery ladder. Our formulae can be used to design very efficient genus 2 cryptosystems that should be faster than elliptic curve cryptosystems in some hardware configurations.
2005
EPRINT
Faster Pairings using an Elliptic Curve with an Efficient Endomorphism
The most significant pairing-based cryptographic protocol to be proposed so far is undoubtedly the Identity-Based Encryption (IBE) protocol of Boneh and Franklin. In their paper \cite{boneh-franklin} they give details of how their scheme might be implemented in practise on certain supersingular elliptic curves of prime characteristic. They also point out that the scheme could as easily be implemented on certain special non-supersingular curves for the same level of security. An obvious question to be answered is -- which is most efficient? Motivated by the work of Gallant, Lambert and Vanstone \cite{gallant-lambert-vanstone} we demonstrate that, perhaps counter to intuition, certain ordinary curves closely related to the supersingular curves originally recommended by Boneh and Franklin, provide better performance. We illustrate our technique by implementing the fastest pairing algorithm to date (on elliptic curves of prime characteristic) for contemporary levels of security. We also point out that many of the non-supersingular families of curves recently discovered and proposed for use in pairing-based cryptography can also benefit (to an extent) from the same technique.
2005
EPRINT
Feistel Schemes and Bi-Linear Cryptanalysis
In this paper we introduce the method of bi-linear cryptanalysis(BLC), designed specifically to attack Feistel ciphers. It allows to construct periodic biased characteristics that combine for an arbitrary number of rounds. In particular, we present a practical attack on DES based on a 1-round invariant, the fastest known based on such invariant, and about as fast as the best Matsui's attack. For ciphers similar to DES, based on small S-boxes, we claim that BLC is very closely related to LC, and we do not expect to find a bi-linear attack much faster than by LC. Nevertheless we have found bi-linear characteristics that are strictly better than the best Matsui's result for 3, 7, 11 and more rounds of DES. We also study s5DES substantially stronger than DES against LC, yet for BLC we exhibit several unexpectedly strong biases, stronger even than existing for DES itself. For more general Feistel schemes there is no reason whatsoever for BLC to remain only a small improvement over LC. We present a construction of a family of practical ciphers based on a big Rijndael-type S-box that are strongly resistant against linear cryptanalysis (LC) but can be easily broken by BLC, even with 16 or more rounds.
2005
EPRINT
Finding MD5 Collisions ? a Toy For a Notebook
One of the major cryptographic "break-through" of the recent years was a discovery of collisions for a set of hash functions (MD4, MD5, HAVAL-128, RIPEMD) by the Chinese cryptographers in August 2004 [1]. Their authors (Wang et al.) kept the algorithm secret, however. We have found a way to generate the first message block of the collision about 1000 - 2000 times faster than the Chinese team - that corresponds to reaching the first colliding block in 2 minutes using a common notebook. The same computation phase took the Chinese team about an hour using an IBM P690 supercomputer. On the other hand, the Chinese team was 2 - 80 times faster when computing the second message block of their collisions. Therefore, our and the Chinese methods probably differs in both parts of the computation. Overall, our method is about 3 - 6 times faster. More specifically, finding the first (complete) collision took 8 hours using a notebook PC (Intel Pentium 1.6 GHz). That should be a warning towards persisting usage of MD5. Note that our method works for any initialization vector. In the appendix, we show new examples of collisions for a standard and chosen initialization vectors.
2005
EPRINT
Finding MD5 Collisions on a Notebook PC Using Multi-message Modifications
In this paper, we summarize the results achieved during our brief three months long research on collisions of the MD5 hash function. Being inspired by the results announced by Wang et al. [1] we independently developed methods for finding collisions which work for any initialization value and which are quicker than the methods presented in [1, 8]. It enables us to find a MD5 collision on a standard notebook PC roughly in 8 hours [7]. Independently on [1, 8], we discovered and propose several multi-message modification methods, which are more effective than methods described in [1, 8]. We show their principle.
2005
EPRINT
First Steps Toward a Cryptography-Aware Language and Compiler
When developing secure, high-performance cryptographic software, the programmer is presented with a wide range of problems. Not only must they be conversant with pertinent scientific results, they must efficiently translate said results into a practical context. Unlike when writing normal programs, they are given little help from either the language or compiler: both are typically too general purpose to offer domain specific optimisation or analysis that would save the programmer time and reduce the potential for error. As a step toward solving this problem we present CAO, a cryptography-aware domain-specific language and associated compiler system. Rather than being a panacea, we pitch CAO as a mechanism for transferring and automating the expert knowledge of cryptographers into a form which is accessible to anyone writing security conscious software.
2005
EPRINT
Flexible Framework for Secret Handshakes (Multi-Party Anonymous and Un-observable Authentication)
In the society increasingly concerned with the erosion of privacy, privacy-preserving techniques are becoming very important. This motivates research in cryptographic techniques offering built-in privacy. A secret handshake is a protocol whereby participants establish a secure, anonymous and unobservable communication channel only if they are members of the same group. This type of ``private" authentication is a valuable tool in the arsenal of privacy-preserving cryptographic techniques. Prior research focused on 2-party secret handshakes with one-time credentials. This paper breaks new ground on two accounts: (1) it shows how to obtain secure and efficient secret handshakes with reusable credentials, and (2) it represents the first treatment of group (or {\em multi-party}) secret handshakes, thus providing a natural extension to the secret handshake technology. An interesting new issue encountered in multi-party secret handshakes is the need to ensure that all parties are indeed distinct. (This is a real challenge since the parties cannot expose their identities.) We tackle this and other challenging issues in constructing GCD -- a flexible framework for secret handshakes. The proposed framework lends itself to many practical instantiations and offers several novel and appealing features such as self-distinction and strong anonymity with reusable credentials. In addition to describing the motivation and step-by-step construction of the framework, this paper provides a thorough security analysis and illustrates two concrete framework instantiations.
2005
EPRINT
Formal Notions of Anonymity for Peer-to-peer Networks
Providing anonymity support for peer-to-peer (P2P) overlay networks is critical. Otherwise, potential privacy attacks (e.g., network address traceback) may deter a storage source from providing the needed data. In this paper we use this practical application scenario to verify our observation that network-based anonymity can be modeled as a complexity based cryptographic problem. We show that, if the routing process between senders and recipients can be modeled as abstract entities, network-based anonymity becomes an analogy of cryptography. In particular, perfect anonymity facing an unbounded traffic analyst corresponds to Shannon's perfect secrecy facing an unbounded cryptanalyst. More importantly, in this paper we propose Probabilistic Polynomial Route (PPR) model, which is a new polynomially-bounded anonymity model corresponding to the Probabilistic Polynomial Time (PPT) model in cryptography. Afterwards, network-based anonymity attacks are with no exception in BPP. This phenomenon has not been discovered in previous anonymity research.
2005
EPRINT
Foundations and Applications for Secure Triggers
Imagine there is certain content we want to maintain private until some particular event occurs, when we want to have it automatically disclosed. Suppose furthermore, that we want this done in a (possibly) malicious host. Say, the confidential content is a piece of code belonging to a computer program that should remain ciphered and then ``be triggered'' (i.e., deciphered and executed) when the underlying system satisfies a preselected condition which must remain secret after code inspection. In this work we present different solutions for problems of this sort, using different ``declassification'' criteria, based on a primitive we call {\em secure triggers}. We establish the notion of secure triggers in the universally-composable security framework of [Canetti~2001] and introduce several examples. Our examples demonstrate that a new sort of obfuscation is possible. Finally, we motivate its use with applications in realistic scenarios.
2005
EPRINT
FOX Algorithm Implementation: a hardware design approach
Encryption algorithms are becoming more necessary to ensure data is securely transmitted over insecure communication channels. FOX is a recently developed algorithm and its structure is based on the already proven IDEA (International Data Encryption Algorithm) cipher. FOX is a symmetric (private key) block cipher. Its top-level structure uses the Lai-Massey scheme and the round functions used in the scheme are substitution permutation networks (SPN). Its flexibility lies in the fact that it can be efficiently implemented in hardware and software. We report some of the first results of implementing the cipher on an FPGA.
2005
EPRINT
Further Constructions of Almost Resilient Functions
Almost resilient function is the generalization of resilient function and have important applications in multiple authenticate codes and almost security cryptographic Boolean functions.In this paper,some secondary constructions are provided.In particular, the theorem $3$ in {\cite {ke}} is improved. As $\varepsilon $-almost$(n,1,k)$-CI functions plays an important role in the secondary constructions, we concluded some properties and constructions. Specially we presented a spectrum characterization of balanced almost CI function, which can be used to identify a balanced almost CI function by computing its walsh spectra.
2005
EPRINT
Fuzzy Universal Hashing and Approximate Authentication
Traditional data authentication systems are sensitive to single bit changes and so are unsuitable for message spaces that are naturally fuzzy where similar messages are considered the same or at least indistinguishable. In this paper, we study unconditional secure approximate authentication. We generalize traditional universal hashing to fuzzy universal hashing and use it to construct secure approximate authentication for multiple messages.
2005
EPRINT
Games and the Impossibility of Realizable Ideal Functionality
A cryptographic primitive or a security mechanism can be specified in a variety of ways, such as a condition involving a game against an attacker, construction of an ideal functionality, or a list of properties that must hold in the face of attack. While game conditions are widely used, an ideal functionality is appealing because a mechanism that is indistinguishable from an ideal functionality is therefore guaranteed secure in any larger system that uses it. We relate ideal functionalities to games by defining the \textit{set} of ideal functionalities associated with a game condition and show that under this definition, which reflects accepted use and known examples, bit commitment, a form of group signatures, and some other cryptographic concepts do not have any realizable ideal functionality.
2005
EPRINT
Generalizations of RSA public key cryptosystems
In this paper, for given $N=pq$ with $p$ and $q$ different primes and a unimodular polynomial with coefficients in ${\Bbb Z}$ mod $N$, we give a public key cryptosystem. When the degree of the polynomial is $1$, the system is just the famous RSA system. And when the degree bigger than $1$, the system is usually more secure than the original RSA systems. Some part-correct systems are introduced so that the period of any message in these systems under the Simmons attack are bigger than that of any message in the RSA system.
2005
EPRINT
Generic Constructions of Identity-Based and Certificateless KEMs
We extend the concept of key encapsulation mechanisms to the primitives of ID-based and certificateless encryption. We show that the natural combination of ID-KEMs or CL-KEMs with data encapsulation mechanisms results in encryption schemes which are secure in a strong sense. In addition, we give generic constructions of ID-KEMs and CL-KEMs, as well as specific instantiations, which are provably secure.
2005
EPRINT
Generic On-Line/Off-Line Threshold Signatures
We propose on-line/off-line threshold signature schemes, in which the bulk of signature computation can take place ``off-line" during lulls in service requests. Such precomputation can help systems using threshold signatures quickly respond to requests. For example, tests of the Pond distributed file system showed that computation of a threshold RSA signature consumes roughly 86% of the time required to service writes to small files. Because a large number of writes in file systems are for small files, threshold signatures form a performance bottleneck in Pond and similar systems. We apply the ``hash-sign-switch" paradigm of Shamir and Tauman and the distributed key generation protocol of Gennaro et al. to convert any existing secure threshold digital signature scheme into a threshold on-line/off-line signature scheme. Our construction is fully distributed and requires no trusted dealers. We show that the straightforward attempt at proving security of the resulting construction runs into a subtlety that does not arise for Shamir and Tauman's construction. We resolve the subtlety and prove our signature scheme secure against a static adversary in the partially synchronous communication model under the one-more-discrete-logarithm assumption. The on-line phase of our scheme is efficient: computing a signature takes one round of communication and a few modular multiplications in the common case.
2005
EPRINT
Geometric Cryptosystem
In this paper we propose a new class of cryptosystems that utilizes metric continuity. The geometric cryptosystem considered in this paper as the main example of metric cryptosystems has a number of interesting properties such as resistance to several basic cryptographic attacks, efficiency and detection of transmission errors.
2005
EPRINT
Group Signature where Group Manager, Members and Open Authority are Identity-Based
We present the first group signature scheme with provable security and signature size $O(\lambda)$ bits where the group manager, the group members, and the Open Authority (OA) are all identity-based. We use the security model of Bellare, Shi, and Zhang, except to add three identity managers for manager, members, and OA respectively, and we discard the Open Oracle. Our construction uses identity-based signatures summarized in Bellare, Namprempre, and Neven for manager, Boneh and Franklin's IBE for OA, and we extend Bellare et al.'s group signature construction by verifiably encrypt an image of the member public key, instead of the public key itself. The last innovation is crucial in our efficiency; otherwise, Camenisch and Damgard's verifiable encryption would have to be used resulting in lower efficiency.
2005
EPRINT
Group Signatures with Efficient Concurrent Join
A group signature is a basic privacy mechanism. The group joining operation is a critical component of such a scheme. To date all secure group signature schemes either employed a trusted-party aided join operation or a complex joining protocol requiring many interactions between the prospective user and the Group Manager (GM). In addition no efficient scheme employed a join protocol proven secure against adversaries that have the capability to dynamically initiate multiple concurrent join sessions during an attack. This work presents the first efficient group signature scheme with a simple Joining protocol that is based on a ``single message and signature response'' interaction between the prospective user and the GM. This single-message and signature-response registration paradigm where no other actions are taken, is the most efficient possible join interaction and was originally alluded to in 1997 by Camenisch and Stadler, but its efficient instantiation remained open till now. The fact that joining has two short communication flows and does not require secure channels is highly advantageous: for example, it allows users to easily join by a proxy (i.e., a security officer of a company can send a file with all registration requests in his company and get back their certificates for distribution back to members of the company). It further allows an easy and non-interactive global system re-keying operation as well as straightforward treatment of multi-group signatures. We present a strong security model for group signatures (the first explicitly taking into account concurrent join attacks) and an efficient scheme with a single-message and signature-response join protocol. The present manuscript is a full version containing proofs, minor corrections as well as a more flexible and efficient protocol construction compared to the proceedings version.
2005
EPRINT
Handling Expected Polynomial-Time Strategies in Simulation-Based Security Proofs
The standard class of adversaries considered in cryptography is that of {\em strict} polynomial-time probabilistic machines. However, {\em expected} polynomial-time machines are often also considered. For example, there are many zero-knowledge protocols for which the only known simulation techniques run in expected (and not strict) polynomial time. In addition, it has been shown that expected polynomial-time simulation is {\em essential} for achieving constant-round black-box zero-knowledge protocols. This reliance on expected polynomial-time simulation introduces a number of conceptual and technical difficulties. In this paper, we develop techniques for dealing with expected polynomial-time adversaries in simulation-based security proofs.
2005
EPRINT
HB++: a Lightweight Authentication Protocol Secure against Some Attacks
At Crypto'05, Juels and Weis introduce HB+, an enhancement of the Hopper and Blum (HB) authentication protocol. This protocol HB+ is proven secure against active attacks, though preserving HB's advantages: mainly, requiring so few resources to run that it can be implemented on an RFID tag. However, in a wider adversarial model, Gilbert, Robshaw and Sibert exhibit a very effective attack against HB+. We here show how a modification of the HB+ protocol thwarts Gilbert et al's attack. The resulting protocol, HB++, remains a good candidate for RFID tags authentication.
2005
EPRINT
Herding Hash Functions and the Nostradamus Attack
In this paper, we develop a new attack on Damg{\aa}rd-Merkle hash functions, called the \emph{herding attack}, in which an attacker who can find many collisions on the hash function by brute force can first provide the hash of a message, and later ``herd'' any given starting part of a message to that hash value by the choice of an appropriate suffix. We introduce a new property which hash functions should have--Chosen Target Forced Prefix (CTFP) preimage resistance--and show the distinction between Damg{\aa}rd-Merkle construction hashes and random oracles with respect to this property. We describe a number of ways that violation of this property can be used in arguably practical attacks on real-world applications of hash functions. An important lesson from these results is that hash functions susceptible to collision-finding attacks, especially brute-force collision-finding attacks, cannot in general be used to prove knowledge of a secret value
2005
EPRINT
Hidden Exponent RSA and Efficient Key Distribution
In this paper we propose a variant of RSA public key scheme, called ``Hidden Exponent RSA''. Based on this new scheme, we devised an efficient key distribution/management scheme for secure communication among devices in the context of pervasive computing, with emphasis on the simplicity and efficiency of the protocol. We show the new scheme is secure under the strong RSA assumption.
2005
EPRINT
Hierarchical Identity Based Encryption with Constant Size Ciphertext
We present a Hierarchical Identity Based Encryption (HIBE) system where the ciphertext consists of just three group elements and decryption requires only two bilinear map computations, independent of the hierarchy depth. Encryption is as efficient as in other HIBE systems. We prove that the scheme is selective-ID secure in the standard model and fully secure in the random oracle model. Our system has a number of applications: it gives very efficient forward secure public key and identity based cryptosystems (where ciph ertexts are short), it converts the NNL broadcast encryption system into an efficient public key broadcast system, and it provides an efficient mechanism for encrypting to the future. The system also supports limited delegation where users can be given restricted private keys that only allow delegation to certain descendants. Sublinear size private keys can also be achieved at the expense of some ciphertext expansion.
2005
EPRINT
HMQV: A High-Performance Secure Diffie-Hellman Protocol
The MQV protocol of Law, Menezes, Qu, Solinas and Vanstone is possibly the most efficient of all known authenticated Diffie-Hellman protocols that use public-key authentication. In addition to great performance, the protocol has been designed to achieve a remarkable list of security properties. As a result MQV has been widely standardized, and has recently been chosen by the NSA as the key exchange mechanism underlying ``the next generation cryptography to protect US government information." One question that has not been settled so far is whether the protocol can be proven secure in a rigorous model of key-exchange security. In order to provide an answer to this question we analyze the MQV protocol in the Canetti-Krawczyk model of key exchange. Unfortunately, we show that MQV fails to a variety of attacks in this model that invalidate its basic security as well as many of its stated security goals. On the basis of these findings, we present HMQV, a carefully designed variant of MQV, that provides the same superb performance and functionality of the original protocol but for which all the MQV's security goals can be formally proved to hold in the random oracle model under the computational Diffie-Hellman assumption. We base the design and proof of HMQV on a new form of ``challenge-response signatures", derived from the Schnorr identification scheme, that have the property that both the challenger and signer can compute the {\em same} signature; the former by having chosen the challenge and the latter by knowing the private signature key. REVISION: In http://eprint.iacr.org/2005/205, Menezes [32] describes some shortcomings in our analysis that lead to the need for a prime-order verification of public DH values in the protocol. Some of Menezes's claims are correct and some other are not. We keep the originally posted paper here but add a {\em Preface} section (preceding the introduction) that briefly explains these findings and their implications to our results. In essence, the provability of HMQV and its security superiority relative to MQV remain valid; even computation-wise, after adding the verification steps where needed, HMQV is as efficient as (and in some cases even more efficient than) MQV
2005
EPRINT
How To Exchange Secrets with Oblivious Transfer
The original paper does not have an abstract. This is a scanned version of the original hand written manuscript of this paper. It appeared in print as a Harvard University Technical Report, but at some point the university ran out of copies. At that time copies of the hand written version started to circulate, and were the only ones available. As access to these copies has become difficult I have scanned my copy of the paper and I'm posting it on the web for others to read. *Note that the manuscript has a different title, but the paper is most commonly (if not only) cited with this title. Thus, I assume that it should continue to be cited in this manner with reference to the original technical report.
2005
EPRINT
How to Generate Universally Verifiable Signatures in Ad-Hoc Networks
This paper addresses the problem of making signatures of one domain (an ad-hoc network) available in another domain (the Internet). Universal verifiability is a highly desirable property when signed documents need to be permanently non-repudiable so as to prevent dishonest signers from disavowing signatures they have produced. As a practical solution, we construct a new signature scheme where a valid signature should be generated by a couple of distinct signing keys. In the random oracle model, the signature scheme is provably secure in the sense of existential unforgeability under adaptive chosen message attacks assuming the hardness of the computational Diffie-Hellman problem in the Gap Diffie-Hellman groups.
2005
EPRINT
How To Play Almost Any Mental Game Over The Net --- Concurrent Composition via Super-Polynomial Simulation
We construct a secure protocol for any multi-party functionality that remains secure (under a relaxed definition of security) when executed concurrently with multiple copies of itself and other protocols. We stress that we do *not* use any assumptions on existence of trusted parties, common reference string, honest majority or synchronicity of the network. The relaxation of security, introduced by Prabhakaran and Sahai (STOC '04), is obtained by allowing the ideal-model simulator to run in *quai-polynomial* (as opposed to polynomial) time. Quasi-polynomial simulation suffices to ensure security for most applications of multi-party computation. Furthermore, Lindell (FOCS '03, TCC' 04) recently showed that such a protocol is *impossible* to obtain under the more standard definition of *polynomial-time* simulation by an ideal adversary. Our construction is the first such protocol under reasonably standard cryptographic assumptions. That is, existence of a hash function collection that is collision resistent with respect to circuits of subexponential size, and existence of trapdoor permutations that are secure with respect to circuits of quasi-polynomial size. We introduce a new technique: ``protocol condensing''. That is, taking a protocol that has strong security properties but requires *super-polynomial* communication and computation, and then transforming it into a protocol with *polynomial* communication and computation, that still inherits the strong security properties of the original protocol. Our result is obtained by combining this technique with previous techniques of Canetti, Lindell, Ostrovsky, and Sahai (STOC '02) and Pass (STOC '04).
2005
EPRINT
How to Shuffle in Public
We show how to public-key obfuscate two commonly used shuffles: decryption shuffles which permute and decrypt ciphertexts, and re-encryption shuffles which permute and re-encrypt ciphertexts. Given a trusted party that samples and obfuscates a shuffle \emph{before} any ciphertexts are received, this reduces the problem of constructing a mix-net to verifiable joint decryption. We construct a decryption shuffle from any additively homomorphic cryptosystem and show how it can be public-key obfuscated. This construction does not allow efficient distributed verifiable decryption. Then we show how to public-key obfuscate: a decryption shuffle based on the Boneh-Goh-Nissim (BGN) cryptosystem, and a re-encryption shuffle based on the Paillier cryptosystem. Both constructions allow \emph{efficient} distributed verifiable decryption. In the Paillier case we identify and exploit a previously overlooked ``homomorphic'' property of the cryptosystem. Finally, we give a distributed protocol for sampling and obfuscating each of the above shuffles and show how it can be used in a trivial way to construct a universally composable mix-net. Our constructions are practical when the number of senders $N$ is reasonably small, e.g. $N=350$ in the BGN case and $N=2000$ in the Paillier case.
2005
EPRINT
How to Split a Shared Secret into Shared Bits in Constant-Round
We show that if a set of players hold shares of a value $a\in Z_p$ for some prime $p$ (where the set of shares is written $[a]_p$), it is possible to compute, in constant round and with unconditional security, sharings of the bits of $a$, i.e.~compute sharings $[a_0]_p, \ldots, [a_{l-1}]_p$ such that $l = \lceil \log_2(p) \rceil$, $a_0, \ldots, a_{l-1} \in \{0,1\}$ and $a = \sum_{i=0}^{l-1} a_i 2^i$. Our protocol is secure against active adversaries and works for any linear secret sharing scheme with a multiplication protocol. This result immediately implies solutions to other long-standing open problems, such as constant-round and unconditionally secure protocols for comparing shared numbers and deciding whether a shared number is zero. The complexity of our protocol is $O(l \log(l))$ invocations of the multiplication protocol for the underlying secret sharing scheme, carried out in $O(1)$.
2005
EPRINT
I-HARPS: An Efficient Key Pre-distribution Scheme
We introduce an efficient random key pre-distribution scheme (RKPS) whose performance is 2 to 3 \textit{orders of magnitude} better than schemes of comparable complexity in the literature. This dramatic improvement is achieved by increasing \textit{insecure} storage complexity (for example using external flash memory). The proposed scheme is a combination of the Kerberos-like key distribution scheme (KDS) proposed by Leighton and Micali, and random key pre-distribution schemes based on subset intersections. We also investigate a simple security policy, DOWN (decrypt only when necessary) (which along with very reasonable assurances of tamper resistance / read-proofness could ensures that no more than \textit{one} secret an be exposed by tampering with a node), and its effect on the security of key pre-distribution schemes. The proposed scheme lends itself well for efficient implementation of the DOWN policy, and therefore in practice could be a secure and efficient alternative to more complex conventional key distribution schemes.
2005
EPRINT
ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks
ID-based encryption allows for a sender to encrypt a message to an identity without access to a public key certificate. Based on the bilinear pairing, Boneh and Franklin proposed the first practical ID-based encryption scheme and used the padding technique of Fujisaki-Okamto to extend it to be a chosen ciphertext secure version. In this letter, we would like to use another padding technique to propose a new ID-based encryption scheme secure against chosen ciphertext attacks. The security of our scheme is based on the Gap bilinear Diffie-Hellman assumption in the random oracle model.
2005
EPRINT
ID-based Restrictive Partially Blind Signatures and Applications
Restrictive blind signatures allow a recipient to receive a blind signature on a message not known to the signer but the choice of message is restricted and must conform to certain rules. Partially blind signatures allow a signer to explicitly include necessary information (expiration date, collateral conditions, or whatever) in the resulting signatures under some agreement with receiver. Restrictive partially blind signatures incorporate the advantages of these two blind signatures. The existing restrictive partially blind signature scheme was constructed under certificate-based (CA-based) public key systems. In this paper we follow Brand's construction to propose the first identity-based (ID-based) restrictive blind signature scheme from bilinear pairings. Furthermore, we first propose an ID-based restrictive partially blind signature scheme, which is provably secure in the random oracle model. As an application, we use the proposed signature scheme to build an untraceable off-line electronic cash system followed Brand's construction.
2005
EPRINT
ID-based signature and Key-insulated threshold signature
Identity-based (simply ID-based) cryptosystem was proposed in order to simplify key management procedures of certificate-based public key infrastructures. In 2003 Sakai and Kasahara proposed a new ID-based encryption scheme (SK-IBE). In our paper, it is intended to build a new ID-based signature (IBS) scheme which shares the same system parameters with SK-IBE. SK-IBE and our signature scheme yield a new complete ID-based public key cryptosystem. The proposed signature scheme is provably secure against existential forgery for adaptive chosen message and identity attack in the random oracle model based on a reasonably well-explored hardness assumption. Another contribution of this paper is that we first propose the notion of key-insulated threshold signature and present a generic method for constructing key-insulated threshold signature scheme.
2005
EPRINT
Identity-Based Key Agreement with Unilateral Identity Privacy Using Pairings
In most of the existing identity-based key agreement schemes, it is usually assumed that either the communicated parties know each other's identifier before the protocol starts or their identifiers are transferred along with the protocol messages. However, these schemes are not suitable for use in many real-world applications aimed to achieve unilateral identity privacy, which means that one communicating party does not want to expose his identifier to an outsider while his partner cannot know his identifier in advance. In this paper, we propose an efficient identity-based two-party key agreement scheme with unilateral identity privacy using pairing, and formally analyze its security in a modified Bellare-Rogaway key agreement security model.
2005
EPRINT
Improve the Behavior of XL Family by Reducing the Excrescent Multiply Monomials
The XL (EXTENDED LINEARIZATION) is an equation-solving algorithm ,which is used as direct attacks against multivariate Public-Key Cryptosystems and as final stages for many algebraic cryptanalysis used today. XL produces lots excrescent multiply monomials in the solving process. The original equations multiplied by excrescent monomials are worthless for solving equations, what's more they increase the complexity of computation. In this paper the behavior of XL is analyzed, and a new version of XL called RXL to handle this problem is presented. In RXL, part of XL's excrescent multiply monomials are removed before Gaussian Elimination, so, RXL is more efficient than XL. The experimental results show that RXL need only about 75\% computation of XL. It is easy to extend our method to the existing XL's variants, and all algorithms of XL family are improved.
2005
EPRINT
Improved Collision Attack on Hash Function MD5
In this paper, we present a fast attack algorithm to find two-block collision of hash function MD5. The algorithm is based on the two-block collision differential path of MD5 that was presented by Wang et al. in EUROCRYPT 2005[6]. We found that the derived conditions for the desired differential path in [6] were not sufficient to guarantee the differential path to hold and that some conditions could be relaxed to enlarge the collision set. By using technique of small range searching and omitting the computing steps to check the characteristics in algorithm, we can speed up the attack of MD5 efficiently. Compared with the Advanced Message Modification technique [5,6], the small range searching technique can correct 4 more conditions for the first iteration differential and 3 more conditions for the second iteration differential, thus improving the probability and the complexity to find collisions. The whole attack on the MD5 can be accomplished within 5 hours using a PC with Pen-tium4 1.70GHZ CPU.
2005
EPRINT
Improved Collision Attack on MD4
In this paper, we propose an attack method to find collisions of MD4 hash function. This attack is the improved version of the attack which was invented by Xiaoyun Wang et al [1]. We were able to find collisions with probability almost 1, and the average complexity to find a collision is upper bounded by three times of MD4 hash operations. This result is improved compared to the original result of [1] where the probability were from $2^{-6}$ to $2^{-2}$, and the average complexity to find a collision was upper bounded by $2^8$ MD4 hash operations. We also point out the lack of sufficient conditions and imprecise modifications for the original attack in [1].
2005
EPRINT
Improved Collision Attack on MD5
In EUROCRYPT2005, a collision attack on MD5 was proposed by Wang et al. In this attack, conditions which are sufficient to generate collisions (called ``sufficient condition") are introduced. This attack raises the success probability by modifing messages to satisfy these conditions. In this attack, 37 conditions cannot be satisfied even messages are modified. Therefore, the complexity is $2^{37}$. After that, Klima improved this result. Since 33 conditions cannot be satisfied in his method, the complexity is $2^{33}$. In this paper, we propose new message modification techniques which are more efficient than attacks proposed so far. In this method, 29 conditions cannot be satisfied. However, this method is probabilistic, and the probability that this method work correctly is roughly 1/2. Therefore, the complexity of this attack is $2^{30}$. Furthermore, we propose a more efficient collision search algorithm than that of Wang et al. By using this algorithm, the total complexity is reduced into roughly 5/8.
2005
EPRINT
Improved Integral Cryptanalysis of FOX Block Cipher
FOX is a new family of block ciphers presented recently, which is based upon some results on proven security and has high performances on various platforms. In this paper, we construct some distinguishers between 3-round FOX and a random permutation of the blocks space. By using integral attack and collision-searching techniques, the distinguishers are used to attack on 4, 5, 6 and 7-round of FOX64, 4 and 5-round FOX128. The attack is more efficient than previous integral attack on FOX. The complexity of improved integral attack is $2^{77.6}$ on 4-round FOX128, $2^{205.6}$ against 5-round FOX128 respectively. For FOX64, the complexity of improved integral attack is $2^{45.4}$ on 4-round FOX64, $2^{109.4}$ against 5-round FOX64, $2^{173.4}$ against 6-round FOX64, $2^{237.4}$ against 7-round FOX64 respectively. Therefore, 4-round FOX64/64, 5-round FOX64/128, 6-round FOX64/192, 7-round FOX64/256 and 5-round FOX128/256 are not immune to the attack in this paper.
2005
EPRINT
Improved Proxy Re-Encryption Schemes with Applications to Secure Distributed Storage
In 1998, Blaze, Bleumer, and Strauss (BBS) proposed an application called atomic proxy re-encryption, in which a semi-trusted proxy converts a ciphertext for Alice into a ciphertext for Bob without seeing the underlying plaintext. We predict that fast and secure re-encryption will become increasingly popular as a method for managing encrypted file systems. Although efficiently computable, the wide-spread adoption of BBS re-encryption has been hindered by considerable security risks. Following recent work of Ivan and Dodis, we present new re-encryption schemes that realize a stronger notion of security and we demonstrate the usefulness of proxy re-encryption as a method of adding access control to the SFS read-only file system. Performance measurements of our experimental file system demonstrate that proxy re-encryption can work effectively in practice.
2005
EPRINT
Improvement of Manik et al.??s remote user authentication scheme
In 2005, Manik et al. propose a novel remote user authentication scheme using bilinear pairings which allows a valid user to login to the remote system but prohibits too many users to login with the same login-ID. It also provides a flexible password change function. In this paper, we will show that this remote user authentication scheme is not secure, an adversary can always pass the authentication.
2005
EPRINT
Index Calculus in Class Groups of Plane Curves of Small Degree
We present a novel index calculus algorithm for the discrete logarithm problem (DLP) in degree 0 class groups of curves over finite fields. A heuristic analysis of our algorithm indicates that asymptotically for varying q, ``essentially all'' instances of the DLP in degree 0 class groups of curves represented by plane models of a fixed degree d over $\mathbb{F}_q$ can be solved in an expected time of $\tilde{O}(q^{2 -2/(d-2)})$. A particular application is that heuristically, ``essentially all'' instances of the DLP in degree 0 class groups of non-hyperelliptic curves of genus 3 (represented by plane curves of degree 4) can be solved in an expected time of $\tilde{O}(q)$. We also provide a method to represent ``sufficiently general'' (non-hyperelliptic) curves of genus $g \geq 3$ by plane models of degree $g+1$. We conclude that on heuristic grounds the DLP in degree 0 class groups of ``sufficiently general'' curves of genus $g \geq 3$ (represented initially by plane models of bounded degree) can be solved in an expected time of $\tilde{O}(q^{2 -2/(g-1)})$.
2005
EPRINT
Inoculating Multivariate Schemes Against Differential Attacks
We demonstrate how to prevent differential attacks on multivariate public key cryptosystems using the Plus (+) method of external perturbation. In particular, we prescribe adding as few as 10 Plus polynomials to the Perturbed Matsumoto-Imai (PMI) cryptosystem when $g=1$ and $r=6$, where $\theta$ is the Matsumoto-Imai exponent, $n$ is the message length, $g=\gcd{(\theta,n)}$, and $r$ is the internal perturbation dimension; or as few as $g+10$ when $g \neq 1$. The external perturbation does not significantly decrease the efficiency of the system, and in fact has the additional benefit of resolving the problem of finding the true plaintext among several preimages of a given ciphertext. We call this new scheme the Perturbed Matsumoto-Imai-Plus (PMI+) cryptosystem.
2005
EPRINT
Intrusion-Resilience via the Bounded-Storage Model
We introduce a new method of achieving intrusion-resilience in the cryptographic protocols. More precisely we show how to preserve security of such protocols, even if a malicious program (e.g. a virus) was installed on a computer of an honest user (and it was later removed). The security of our protocols relies on the assumption that the amount of data that the adversary can transfer from the infected machine is limited (however, we allow the adversary to perform any efficient computation on user's private data, before deciding on what to transfer). We focus on two cryptographic tasks, namely: authenticated key exchange and entity authentication. Our method is based on the results from the Bounded-Storage Model.
2005
EPRINT
Intrusion-Resilient Authentication in the Limited Communication Model
We describe a general technique for building authentication systems that resist compromises at the client side. We derive this resistance by storing key information on hardware fast enough for valid use but too slow for an intruder (e.g., a virus) to capture much of the key before being detected and removed. We give formal models for two types of protocols: user authentication and authenticated session-key generation. The first can be used for physical authentication tokens, e.g., used for gaining access to a building. The second can be used for conducting secure remote sessions on laptops that are occasionally infected by viruses. We present and analyze protocols for each of these tasks and describe how they can be implemented. With one example setting of parameters, in the case of user authentication, we are able to guarantee security for 6 months using a device storing 384MB, and in the key generation protocol, a 128GB drive guarantees that an adversary would need 700 days to compromise the key information. The model for intrusion resilience considered in this paper was first introduced by Dagon et al. \cite{DLL05} and motivated by the bounded storage model for cryptography \cite{Mau92}. Recently Dziembowski \cite{Dzi05} independently developed this model, and studied the same problems as the ones addressed in this paper. Our user authentication protocol is essentially the same as that of \cite{Dzi05}, while our authenticated session-key generation protocol builds on that of \cite{Dzi05}.
2005
EPRINT
Intrusion-Resilient Secure Channels
We propose a new secure communication primitive called an \emph{Intrusion-Resilient Channel (IRC)} that limits the damage resulting from key exposures and facilitates recovery. We define security against passive but mobile and highly adaptive adversaries capable of exposing even expired past secrets. We describe an intuitive channel construction using (as a black box) existing public key cryptosystems. The simplicity of the construction belies the technical challenges in its security proof. Additionally, we outline a general strategy for proving enhanced security for two-party protocols when an IRC is employed to secure all communication. Specifically, given a protocol proved secure against adversaries with restricted access to protocol messages, we show how the use of an IRC allows some of these adversary restrictions to be lifted. Once again, proving the efficacy of our intuitive approach turns out to be non-trivial. We demonstrate the strategy by showing that the intrusion-resilient signature scheme of [IR02] can be made secure against adversaries that expose even expired secrets.
2005
EPRINT
Is it possible to have CBE from CL-PKE?
Recently, Al-Riyami and Paterson proposed a generic conversion from CL-PKE (Certificateless Public Key Encryption) to CBE (Certificate Based Encryption) and claimed that the derived CBE scheme is secure and even more efficient than the original scheme of Gentry. In this paper, we show that their conversion is wrong due to the flaw of the security proof. It leads the new concrete CBE scheme by Al-Riyami and Paterson to be invalidated. In addition, our result supports the impossibility to relate both notions in any directions.
2005
EPRINT
Is SHA-1 conceptually sound?
We argue that if the message expansion code of SHA-1 is replaced by a linear code with a better minimum distance, then the resulting hash function is collision resistant. To support this argument, we characterize the disturbance vectors which are used to build local collision attacks as a linear code. This linear code is the xor-sum of two codes, the message expansion code and a linear code representing the underlying block cipher in SHA-1. We also show that the following constraint satisfaction problem is $\np$-hard. The constraints are restricted to being XOR constraints, or Majority constraints on at most three variables each. The instances are further restricted by requiring that the constraints can be listed in a sequence C_1, C_2,...,C_m, such that for every constraint C_i, two of the variables in it occur only in constraints C_j, with |j-i|< 48. This problem is similar to the problem modeling the one-way function property of SHA-1.
2005
EPRINT
Kaweichel, an Extension of Blowfish for 64-Bit Architectures
In this paper, the block cipher Kaweichel is presented. It is an extension of Blowfish for 64-bit architectures. The aim is to use the commonplace instructions of modern microprocessors. A main objective was to harden against known attacks on Blowfish. The author does not claim intellectual property on Kaweichel and the cipher will remain unpatented. A C reference implementation is available on the web.
2005
EPRINT
Keeping Denial-of-Service Attackers in the Dark
We consider the problem of overcoming (Distributed) Denial of Service (DoS) attacks by realistic adversaries that have knowledge of their attack's successfulness, e.g., by observing service performance degradation, or by eavesdropping on messages or parts thereof. A solution for this problem in a high-speed network environment necessitates lightweight mechanisms for differentiating between valid traffic and the attacker's packets. The main challenge in presenting such a solution is to exploit existing packet filtering mechanisms in a way that allows fast processing of packets, but is complex enough so that the attacker cannot efficiently craft packets that pass the filters. We show a protocol that mitigates DoS attacks by adversaries that can eavesdrop and (with some delay) adapt their attacks accordingly. The protocol uses only available, efficient packet filtering mechanisms based mainly on (addresses and) port numbers. Our protocol avoids the use of fixed ports, and instead performs `pseudo-random port hopping'. We model the underlying packet-filtering services and define measures for the capabilities of the adversary and for the success rate of the protocol. Using these, we provide a novel rigorous analysis of the impact of DoS on an end-to-end protocol, and show that our protocol provides effective DoS prevention for realistic attack and deployment scenarios.
2005
EPRINT
Key Derivation and Randomness Extraction
Key derivation refers to the process by which an agreed upon large random number, often named master secret, is used to derive keys to encrypt and authenticate data. Practitioners and standardization bodies have usually used the random oracle model to get key material from a Diffie-Hellman key exchange. However, proofs in the standard model require randomness extractors to formally extract the entropy of the random master secret into a seed prior to derive other keys. This paper first deals with the protocol $\Sigma_0$, in which the key derivation phase is (deliberately) omitted, and security inaccuracies in the analysis and design of the Internet Key Exchange (IKE version 1) protocol, corrected in IKEv2. They do not endanger the practical use of IKEv1, since the security could be proved, at least, in the random oracle model. However, in the standard model, there is not yet any formal global security proof, but just separated analyses which do not fit together well. The first simplification is common in the theoretical security analysis of several key exchange protocols, whereas the key derivation phase is a crucial step for theoretical reasons, but also practical purpose, and requires careful analysis. The second problem is a gap between the recent theoretical analysis of HMAC as a good randomness extractor (functions keyed with public but random elements) and its practical use in IKEv1 (the key may not be totally random, because of the lack of clear authentication of the nonces). Since the latter problem comes from the probabilistic property of this extractor, we thereafter review some \textit{deterministic} randomness extractors and suggest the \emph{'Twist-AUgmented'} technique, a new extraction method quite well-suited for Diffie-Hellman-like scenarios.
2005
EPRINT
Key Mixing in Block Ciphers through Addition modulo $2^n$
The classical technique to perform key mixing in block ciphers is through exclusive-or (exor). In this paper we show that when the $n$-bit key is mixed in a block cipher of size $n$ bits via addition modulo $2^n$, the bias of the linear approximations falls exponentially fast. Experimental results have been provided to show that such a scheme cannot be cryptanalyzed using Linear Cryptanalysis.
2005
EPRINT
Key Regression: Enabling Efficient Key Distribution for Secure Distributed Storage
The Plutus file system introduced the notion of key rotation as a means to derive a sequence of temporally-related keys from the most recent key. In this paper we show that, despite natural intuition to the contrary, key rotation schemes cannot generically be used to key other cryptographic objects; in fact, keying an encryption scheme with the output of a key rotation scheme can yield a composite system that is insecure. To address these shortcomings, we introduce a new cryptographic object called a key regression scheme, and we propose three constructions that are provably secure under standard cryptographic assumptions. We implement key regression in a secure file system and empirically show that key regression can significantly reduce the bandwidth requirements of a content publisher under realistic workloads using lazy revocation. Our experiments also serve as the first empirical evaluation of either a key rotation or key regression scheme.
2005
EPRINT
Key-dependent Message Security under Active Attacks -- BRSIM/UC-Soundness of Symbolic Encryption with Key Cycles
Key-dependent message security, short KDM security, was introduced by Black, Rogaway and Shrimpton to address the case where key cycles occur among encryptions, e.g., a key is encrypted with itself. It was mainly motivated by key cycles in Dolev-Yao models, i.e., symbolic abstractions of cryptography by term algebras, and a corresponding soundness result was later shown by Ad\~{a}o et al. However, both the KDM definition and this soundness result do not allow the general active attacks typical for Dolev-Yao models and for security protocols in general. We extend these definitions so that we can obtain a soundness result under active attacks. We first present a definition AKDM as a KDM equivalent of authenticated symmetric encryption, i.e., it provides chosen-ciphertext security and integrity of ciphertexts even for key cycles. However, this is not yet sufficient for the desired soundness, and thus we give a definition DKDM that additionally allows limited dynamic revelation of keys. We show that this is sufficient for soundness, even in the strong sense of blackbox reactive simulatability (BRSIM)/UC and including joint terms with other operators. We also present constructions of schemes secure under the new definitions, based on current KDM-secure schemes. Moreover, we explore the relations between the new definitions and existing ones for symmetric encryption in detail, in the sense of implications or separating examples for almost all cases.
2005
EPRINT
Knapsack Diffie-Hellman: A New Family of Diffie-Hellman
Diffie-Hellman problems have been widely involved in the design of various cryptographic protocols. Its general family is based on the discrete logarithm over a finite field. Since 2000, its another family which is based on elliptic curve discrete logarithm as well as bilinear pairing, e.g. Weil or Tate pairing, has been attracted significant studies. Thereafter, various cryptographic protocols have been proposed using Diffie-Hellman problem associated with bilinear pairings. This paper we will present a new family of Diffie-Hellman problem by utilizing subset sum problem. It is named as Knapsack Diffie-Hellman Problems with bilinear pairings. We will propose a number of definitions on the family and then analyze their relationships.
2005
EPRINT
Lightweight Key Exchange and Stream Cipher based solely on Tree Parity Machines
Alternative security solutions are considered in science and industry, motivated by the strong restrictions as they are often present in embedded security scenarios -- especially in a RFID setting. We investigate a low hardware-complexity cryptosystem for lightweight symmetric key exchange and stream cipher based on Tree Parity Machines. The speed of a key exchange is basically only limited by the channel capacity as is the stream cipher throughput. This work significantly improves and extends previously published results on TPMRAs. Again, characteristics of standard-cell ASIC design realizations as IP-core in 0.18-micrometer-CMOS technology are evaluated.
2005
EPRINT
LILI-II is not Broken
In this note we point out that a recently published attack on the LILI-II stream cipher does not do better than generic time-memory tradeoff techniques (which generalise exhaustive search and apply to any 128-bit key cipher). Thus we assert that LILI-II remains unbroken.
2005
EPRINT
Limits of the Cryptographic Realization of Dolev-Yao-style XOR
The abstraction of cryptographic operations by term algebras, called Dolev-Yao models, is essential in almost all tool-supported methods for proving security protocols. Recently significant progress was made in proving that such abstractions can be sound with respect to actual cryptographic realizations and security definitions. The strongest results show this in the sense of reactive simulatability/UC, a notion that essentially means retention of arbitrary security properties under arbitrary active attacks and in arbitrary protocol environments, with only small changes to both abstractions and natural implementations. However, these results are so far restricted to cryptographic systems like encryption and signatures which essentially only have constructors and destructors, but no further algebraic properties. Typical modern tools and complexity results around Dolev-Yao models also allow more algebraic operations. The first such operation considered is typically XOR because of its clear structure and cryptographic usefulness. We show that it is impossible to extend the strong soundness results to XOR, at least not with remotely the same generality and naturalness as for the core cryptographic systems. On the positive side, we show the soundness of an XOR model and realization under passive attacks.
2005
EPRINT
Linkability of Several Blind Signature Schemes
The unlinkability is an important security property that blind signature schemes should satisfy. But we find that the several blind signature schemes [1,2,3] are linkable. The Signer can derive a link between a protocol view and a valid blind signature. They are not secure.
2005
EPRINT
Logcrypt: Forward Security and Public Verification for Secure Audit Logs
Logcrypt provides strong cryptographic assurances that data stored by a logging facility before a system compromise cannot be modified after the compromise without detection. We build on prior work by showing how log creation can be separated from log verification, and describing several additional performance and convenience features not previously considered.
2005
EPRINT
Loud and Clear: Human-Verifiable Authentication Based on Audio
Secure pairing of electronic devices that lack any previous association is a challenging problem which has been considered in many contexts and in various flavors. In this paper, we investigate an alternative and complementary approach--the use of the audio channel for human-assisted authentication of previously un-associated devices. We develop and evaluate a system we call Loud-and-Clear (L&C) which places very little demand on the human user. L&C involves the use of a text-to-speech (TTS) engine for vocalizing a robust-sounding and syntactically-correct (English-like) sentence derived from the hash of a device's public key. By coupling vocalization on one device with the display of the same information on another device, we demonstrate that L&C is suitable for secure device pairing (e.g., key exchange) and similar tasks. We also describe several common use cases, provide some performance data for our prototype implementation and discuss the security properties of L&C.
2005
EPRINT
Meta Ring Signature
In this paper, we propose a new concept ``Meta Ring Signature''. Suppose that a signature text work as a public key, we may achive a new digital signature ``Meta Signature'' such that, the signer of a signature text, in this paper we call basic signature, can sign on to another message by using the basic signature text as the public key of Meta signature scheme. First, we present a concept of Meta Ring Signature such that both basic signature and meta signature are Ring Signature.
2005
EPRINT
Minimal Assumptions for Efficient Mercurial Commitments
Mercurial commitments were introduced by Chase et al. (Eurocrypt 2005) and form a key building block for constructing zero-knowledge sets (introduced by Micali, Rabin and Kilian (FOCS'03)}). Unlike regular commitments, which are strictly binding, mercurial commitments allow for certain amount of (limited) freedom. The notion of Chase et al. also required that mercurial commitments should be equivocable given a certain trapdoor, although the notion is interesting even without this condition. While trivially implying regular (trapdoor) commitments, it was not clear from the prior work if the converse was true: Chase et al. gave several constructions of mercurial commitments from various incompatible assumptions, leaving open if they can be built from any (trapdoor) commitment scheme, and, in particular, from any one-way function. We give an affirmative answer to this question, by giving two simple constructions of mercurial commitments from any trapdoor bit commitment scheme. By plugging in various (trapdoor) bit commitment schemes, we get *all* the efficient constructions from Chase et al. and Micali et al., as well as several immediate new constructions. Our results imply that (a) ** mercurial commitments can be viewed as surprisingly simple variations of regular (trapdoor) commitments ** (and, thus, can be built from one-way functions and, more efficiently, from a variety of other assumptions); and (b) ** the existence of zero-knowledge sets is equivalent to the existence of collision-resistant hash functions ** (moreover, the former can be efficiently built from the latter and trapdoor commitments). Of independent interest, we also give a stronger and yet much simpler definition of mercurial commitments than that of Chase et al. (which is also met by our constructions). Overall, we believe that our results eludicate the notion of mercurial commitments, and better explain the rational following the previous constructions of mercurial commitments.
2005
EPRINT
Minimality of the Hamming Weight of the \tau-NAF for Koblitz Curves and Improved Combination with Point Halving
In order to efficiently perform scalar multiplications on elliptic Koblitz curves, expansions of the scalar to a complex base associated with the Frobenius endomorphism are commonly used. One such expansion is the $\tau$-adic NAF, introduced by Solinas. Some properties of this expansion, such as the average weight, are well known, but in the literature there is no proof of its {\em optimality}, i.e.~that it always has minimal weight. In this paper we provide the first proof of this fact. Point halving, being faster than doubling, is also used to perform fast scalar multiplications on generic elliptic curves over binary fields. Since its computation is more expensive than that of the Frobenius, halving was thought to be uninteresting for Koblitz curves. At PKC 2004, Avanzi, Ciet, and Sica combined Frobenius operations with one point halving to compute scalar multiplications on Koblitz curves using on average 14\% less group additions than with the usual $\tau$-and-add method without increasing memory usage. The second result of this paper is an improvement over their expansion, that is simpler to compute, and optimal in a suitable sense, i.e.\ it has minimal Hamming weight among all $\tau$-adic expansions with digits $\{0,\pm1\}$ that allow one halving to be inserted in the corresponding scalar multiplication algorithm. The resulting scalar multiplication requires on average 25\% less group operations than the Frobenius method, and is thus 12.5\% faster than the previous known combination.
2005
EPRINT
Mixing properties of triangular feedback shift registers
The purpose of this note is to show that Markov chains induced by non-singular triangular feedback shift registers and non-degenerate sources are rapidly mixing. The results may directly be applied to the post-processing of random generators and to stream ciphers in CFB mode.
2005
EPRINT
Modeling Insider Attacks on Group Key-Exchange Protocols
Protocols for authenticated key exchange (AKE) allow parties within an insecure network to establish a common session key which can then be used to secure their future communication. It is fair to say that group AKE is currently less well understood than the case of two-party AKE; in particular, attacks by malicious insiders --- a concern specific to the group setting --- have so far been considered only in a relatively ``ad-hoc'' fashion. The main contribution of this work is to address this deficiency by providing a formal, comprehensive model and definition of security for group AKE which automatically encompasses insider attacks. We do so by defining an appropriate ideal functionality for group AKE within the universal composability (UC) framework. As a side benefit, any protocol secure with respect to our definition is secure even when run concurrently with other protocols, and the key generated by any such protocol may be used securely in any subsequent application. In addition to proposing this definition, we show that the resulting notion of security is strictly stronger than the one proposed by Bresson, et al. (termed ``AKE-security''), and that our definition implies all previously-suggested notions of security against insider attacks. We also show a simple technique for converting any AKE-secure protocol into one secure with respect to our definition.
2005
EPRINT
More Compact E-Cash with Efficient Coin Tracing
In 1982, Chaum \cite{Chaum82} pioneered the anonymous e-cash which finds many applications in e-commerce. In 1993, Brands \cite{Brands93apr,Brands93,Brands93tm} and Ferguson \cite Ferguson93c,Ferguson93} published on single-term offline anonymous e-cash which were the first practical e-cash. Their constructions used blind signatures and were inefficient to implement multi-spendable e-cash. In 1995, Camenisch, Hohenberger, and Lysyanskaya \cite{CaHoLy05} gave the first compact $2^\ell$-spendable e-cash, using zero-knowledge-proof techniques. They left an open problem of the simultaneous attainment of $O(1)$-unit wallet size and efficient coin tracing. The latter property is needed to revoke {\em bad} coins from over-spenders. In this paper, we solve \cite{CaHoLy05}'s open problem, and thus enable the first practical compact e-cash. We use a new technique whose security reduces to a new intractability Assumption: the {\em Decisional Harmonic-Relationed Diffie-Hellman (DHRDH) Assumption}.
2005
EPRINT
More short signatures without random oracles
We construct three new signatures and prove their securities without random oracles. They are motivated, respectively, by Boneh and Boyen's, Zhang, et al.'s, and Camenisch and Lysyanskaya's signatures without random oracles. The first two of our signatures are as short as Boneh and Boyen's (resp. Zhang, et al.'s} state-of-the-art short signatures. Our third signature is reducible to a modified LRSW Assumption but without their hypothesized external signing oracle. New and interesting variants of the q-SDH Assumption, the q-SR (Square Root) Assumption are also presented. New and independently interesting proof techniques extending the two-mode technique of Boneh and Boyen are used, including a combined three-mode simulation and rewinding in the standard model.
2005
EPRINT
Multiparty Computation Based on Connectivity of Graphs
In this paper, we contribute the construction of practical perfect multiparty computation protocols based on the connectivity of graphs.
2005
EPRINT
Multiple forgery attacks against Message Authentication Codes
Some message authentication codes (MACs) are vulnerable to multiple forgery attacks, in which an attacker can gain information that allows her to succeed in forging multiple message/tag pairs. This property was first noted in MACs based on universal hashing, such as the Galois/Counter Mode (GCM) of operation for block ciphers. However, we show that CBC-MAC and HMAC also have this property, and for some parameters are more vulnerable than GCM. We present multiple-forgery attacks against these algorithms, then analyze the security against these attacks by using the expected number of forgeries. We compare the different MACs using this measure. This document is a pre-publication draft manuscript.
2005
EPRINT
Multivariate Quadratic Polynomials in Public Key Cryptography
This thesis gives an overview of Multivariate Quadratic polynomial equations and their use in public key cryptography. In the first chapter, some general terms of cryptography are introduced. In particular, the need for public key cryptography and alternative schemes is motivated, i.e., systems which neither use factoring (like RSA, Rivest-Shamir-Adleman) nor the discrete logarithm (like ECC, elliptic curve cryptography). This is followed by a brief introduction of finite fields and a general discussion about Multivariate Quadratic systems of equations and ways of representing them. In this context, affine transformations and their representations are also discussed. After these tools are introduced, they are used to show how Multivariate Quadratic equations can be used for signature and encryption applications. In addition, the problem of Multivariate Quadratic polynomial equations is put into perspective and a link with the theory of NP-completeness is established. The second chapter concludes with the two related problems "isomorphism of polynomials" and "minimal rank" of the sum of matrices. Both prove useful in the cryptanalysis of Multivariate Quadratic systems. The main part of this thesis is about concrete trapdoors for the problem of Multivariate Quadratic public key systems. We can show that all such systems fall in one of the following four classes: unbalanced oil and vinegar systems (UOV), stepwise triangular systems (STS), Matsumoto-Imai Scheme A (MIA), and hidden field equations (HFE). Moreover, we demonstrate the use of several modifiers. In order to evaluate the security of these four basic trapdoors and their modifiers, we review some cryptanalytic results. In particular, we were able to develop our own contributions in this field by demonstrating an affine approximation attack and an attack using Gr"obner base computations against the UOV class. Moreover, we derived a key recovery and inversion attack against the STS class. Using our knowledge of the HFE class, we develop two secure versions of the signature scheme Quartz. Another important part of this thesis is the study of the key space of Multivariate Quadratic public key systems. Using special classes of affine transformations, denoted ``sustainers", we are able to show that all four basic classes have some redundancy in their key spaces and hence, have a smaller key space than previously expected. In particular for the UOV and the STS class, this reduction proves quite dramatic. For HFE and MIA, we only find some minor redundancies. Moreover, we are able to show that our results for MIA are the only ones possible, i.e., there are no other redundancies than the one we describe in this thesis. In addition, we extend our results to several important variations of HFE and MIA, namely HFE-, HFEv, HFEv-, and MIA-. They have been used in practice for the construction of signature schemes, namely Quartz and Sflash. In order to demonstrate the practical relevance of Multivariate Quadratic constructions and also of our taxonomy, we show some concrete examples. In particular, we consider the NESSIE submissions Flash, Sflash, and Quartz and discuss their advantages and disadvantages. Moreover, we describe some more recent developments, namely the STS-based schemes enhanced TTS, Tractable Rational Maps, and Rainbow. Then we move on to some application domains for Multivariate Quadratic public key systems. In particular, we see applications in the area of product activation keys, electronic stamps and fast one-way functions. Finally, we suggest some new schemes. In particular, we give a generalisation of MIA to odd characteristics and also investigate some other trapdoors like STS and UOV with the branching and the homogenisation modifiers. All in all, we believe that Multivariate Quadratic polynomial systems are a very practical solution to the problem of public key cryptography. At present, it is not possible to use them for encryption. However, we are confident that it will be possible to overcome this problem soon and use Multivariate Quadratic constructions both for encrypting and signing.
2005
EPRINT
Murakami-Kasahara ID-based Key Sharing Scheme Revisited ---In Comparison with Maurer-Yacobi Schemes---
In Sept.1990, the present authors firstly discussed DLP over composite number and presented an ID-based Key Sharing Scheme referred to as MK1. In 1991, Maurer and Yacobi presented a scheme, referred to as MY, which is similar to our scheme, MK1. Unfortunately the schemes MK1 and MY are not secure. In Dec.1990, the present authors presented a secure ID-based key sharing scheme referred to as MK2. With a rapid progress of computer power for the last 15 years, our proposed scheme would have more chance to be applied practically. Regrettably, it has not been widely known that (i) the schemes MY and MK1 are not secure, (ii) there exists a secure scheme, MK2. In this paper, we shall review MK2 and clarify the difference between MK2 and other schemes from the standpoint of security.
2005
EPRINT
N-adic Summation-Shrinking Generator. Basic properties and empirical evidences
The need of software-flexible stream ciphers has led to several alternative proposals in the last few years. One of them is a new Pseudo Random Number Generator (PRNG), named N-adic Summation-Shrinking (NSumSG), which architecture is described in this paper. It uses N-1 parallel working slave summation generators and one N-adic summation generator, controlling the nonlinearity in the generator. The implementation, some properties and statistical tests of NSumSG are given. The results from statistical analysis show that the sequence generated by NSumSG is uniform, scalable, uncompressible, whit large period; consistent and unpredictable. This gives the reason consider the NSumSG as suitable for a particular cryptographic application.
2005
EPRINT
Narrow T-functions
T-functions were introduced by Klimov and Shamir in a series of papers during the last few years. They are of great interest for cryptography as they may provide some new building blocks which can be used to construct efficient and secure schemes, for example block ciphers, stream ciphers or hash functions. In the present paper, we define the narrowness of a T-function and study how this property affects the strength of a T-function as a cryptographic primitive. We define a new data strucure, called a solution graph, that enables solving systems of equations given by T-functions. The efficiency of the algorithms which we propose for solution graphs depends significantly on the narrowness of the involved T-functions. Thus the subclass of T-functions with small narrowness appears to be weak and should be avoided in cryptographic schemes. Furthermore, we present some extensions to the methods of using solution graphs, which make it possible to apply these algorithms also to more general systems of equations, which may appear, for example, in the cryptanalysis of hash functions.
2005
EPRINT
Nonlinearity of the Round Function
In the paper we present the results which enable to calculate the nonlinearity of round functions with quite large dimensions e.g. 32x32 bits, which are used in some block ciphers. This can be applied to improve the resistance of these ciphers against linear cryptanalysis. The involved method of calculating the nonlinearity is rested on the notion of multi-dimensional Walsh transform. At the end we give the application to linear cryptanalysis of the TGR block cipher.
2005
EPRINT
Normal Basis Multiplication Algorithms for GF(2n) (Full Version)
In this paper, we propose a new normal basis multiplication algorithm for GF(2n). This algorithm can be used to design not only fast software algorithms but also low complexity bit-parallel multipliers in some GF(2n)s. Especially, for some values of n that no Gaussian normal basis exists in GF(2n), i.e., 8|n, this algorithm provides an alternative way to construct low complexity normal basis multipliers. Two improvements on a recently proposed software normal basis multiplication algorithm are also presented. Time and memory complexities of these normal basis multiplication algorithms are compared with respect to software performance. It is shown that they have some specific behavior in different applications. For example, GF(2571) is one of the five binary fields recommended by NIST for ECDSA (Elliptic Curve Digital Signature Algorithm) applications. In this field, our experiments show that the new algorithm is even faster than the polynomial basis Montgomery multiplication algorithm: 525 us v. 819 us.
2005
EPRINT
Oblivious Transfer and Linear Functions
We study unconditionally secure 1-out-of-2 Oblivious Transfer (1-2 OT). We first point out that a standard security requirement for 1-2 OT of bits, namely that the receiver only learns one of the bits sent, holds if and only if the receiver has no information on the XOR of the two bits. We then generalize this to 1-2 OT of strings and show that the security can be characterized in terms of binary linear functions. More precisely, we show that the receiver learns only one of the two strings sent if and only if he has no information on the result of applying any binary linear function (which non-trivially depends on both inputs) to the two strings. We then argue that this result not only gives new insight into the nature of 1-2 OT, but it in particular provides a very powerful tool for analyzing 1-2 OT protocols. We demonstrate this by showing that with our characterization at hand, the reduceability of 1-2 OT (of strings) to a wide range of weaker primitives follows by a very simple argument. This is in sharp contrast to previous literature, where reductions of 1-2 OT to weaker flavors have rather complicated and sometimes even incorrect proofs.
2005
EPRINT
On Boolean functions with maximum algebraic immunity
In this paper two important issues in theory of algebraic attacks are addressed. We first provide a theoretical framework for better understanding of design rationale in construction of Boolean functions with maximum algebraic immunity. Based on these results, an iterative design of functions with maximum possible algebraic immunity is proposed. In contrast to known constructions, our method generates balanced functions of maximum degree and high nonlinearity, that is functions satisfying all main cryptographic criteria. Additionally, functions in this class have a low implementation cost due to a small number of terms in the ANF. Secondly, for a given Boolean function, a novel algorithm for deciding the existence of annihilators of small degree is presented. The algorithm utilizes the known methods in a slightly different manner which results in a significantly reduced complexity of computation.
2005
EPRINT
On a (Flawed) Proposal to Build More Pairing-Friendly Curves
In a recent letter, Cui, Duan and Chan propose a generalisation of the Scott-Barreto method to build a larger family of MNT curves, and they claim that their proposal is also applicable to other curve construction methods. Here we show that the Cui-Duan-Chan technique is irrecoverably flawed.
2005
EPRINT
On a Traitor Tracing Scheme from ACISP 2003
At ACISP 2003 conference, Narayanan, Rangan and Kim proposed a secret-key traitor tracing scheme used for pay TV system. In this note, we point out a flaw in their scheme.
2005
EPRINT
On affine rank of spectrum support for plateaued function
The plateaued functions have a big interest for the studying of bent functions and by the reason that many cryptographically important functions are plateaued. In this paper we study the possible values of the affine rank of spectrum support for plateaued functions. We consider for any positive integer $h$ plateaued functions with a spectrum support of cardinality $4^h$ (the cardinality must have such form), give the bounds on the affine rank for such functions and construct functions where the affine rank takes all integer values from $2h$ till $2^{h+1}-2$. We solve completely the problem for $h=2$, namely, we prove that the affine rank of any plateaued function with a spectrum support of cardinality $16$ is $4$, $5$ or $6$.
2005
EPRINT
On an authentication scheme based on the Root Problem in the braid group
Lal and Chaturvedi proposed two authentication schemes based on the difficulty of the Root Problem in the braid group. We point out that the first scheme is not really as secure as the Root Problem, and describe an efficient way to crack it. The attack works for any group.
2005
EPRINT
On Anonymity of Group Signatures
A secure group signature is required to be anonymous, that is, given two group signatures generated by two different members on the same message or two group signatures generated by the same member on two different messages, they are indistinguishable except for the group manager. In this paper we prove the equivalence of a group signature's anonymity and its indistinguishability against chosen ciphertext attacks if we view a group signature as an encryption of member identity. Particularly, we prove ACJT's group signature is IND-CCA2 secure, so ACJT's scheme is anonymous in the strong sense. The result is an answer to an open question in literature.
2005
EPRINT
On Computable Isomorphisms in Efficient Asymmetric Pairing Based Systems
In this paper we examine the hard problems underlying asymmetric pairings, their precise relationships and how they affect a number of existing protocols. Furthermore, we present a new model for the elliptic curve groups used in asymmetric pairings, which allows both an efficient pairing and an efficiently computable isomorphism.
2005
EPRINT
On Constructing Parallel Pseudorandom Generators from One-Way Functions
We study pseudorandom generator (PRG) constructions G^f : {0,1}^l -> {0,1}^{l+s} from one-way functions f : {0,1}^n \to {0,1}^m. We consider PRG constructions of the form G^f(x) = C(f(q_{1}) ... f(q_{poly(n)})) where C is a polynomial-size constant depth circuit (i.e. AC^0) and C and the q's are generated from x arbitrarily. We show that every black-box PRG construction of this form must have stretch s bounded as s < l ( log^{O(1)} n)/ m + O(1) = o(l). This holds even if the PRG construction starts from a one-to-one function f : {0,1}^n \to {0,1}^m where m < 5n. This shows that either adaptive queries or sequential computation are necessary for black-box PRG constructions with constant factor stretch (i.e. s = \Omega(l)) from one-way functions, even if the functions are one-to-one. On the positive side we show that if there is a one-way function f : {0,1}^n \to {0,1}^m that is regular (i.e. the number of preimages of f(x) depends on |x| but not on x) and computable by polynomial-size constant depth circuits then there is a PRG : {0,1}^l \to {0,1}^{l+1} computable by polynomial-size constant depth circuits. This complements our negative result above because one-to-one functions are regular. We also study constructions of average-case hard functions starting from worst-case hard ones, i.e. hardness amplifications. We show that if there is an oracle procedure Amp^f in the polynomial time hierarchy (PH) such that Amp^f is average-case hard for every worst-case hard f, then there is an average-case hard function in PH \emph{unconditionally}. Bogdanov and Trevisan (FOCS '03) and Viola (CCC'03) show related but incomparable negative results.
2005
EPRINT
On Constructing Universal One-Way Hash Functions from Arbitrary One-Way Functions
A fundamental result in cryptography is that a digital signature scheme can be constructed from an arbitrary one-way function. A proof of this somewhat surprising statement follows from two results: first, Naor and Yung defined the notion of universal one-way hash functions and showed that the existence of such hash functions implies the existence of secure digital signature schemes. Subsequently, Rompel showed that universal one-way hash functions could be constructed from arbitrary one-way functions. Unfortunately, despite the importance of the result, a complete proof of the latter claim has never been published. In fact, a careful reading of Rompel's original conference publication reveals a number of errors in many of his arguments which have (seemingly) never been addressed. We provide here what is --- as far as we know --- the first complete write-up of Rompel's proof that universal one-way hash functions can be constructed from arbitrary one-way functions.
2005
EPRINT
On Designatedly Verified (Non-interactive) Watermarking Schemes
Although many watermarking schemes consider the case of universal verifiability, it is undesirable in some applications. Designated verification is a possible solution for this problem. Watermarking scheme with (non-interactive) designated verification through non-invertible schemes was proposed by Lee et al in 2003, to resolve multiple watermarking problem. Yoo et al [14] proposed a very similar watermarking scheme. In this paper, we propose a cryptanalytic attack on both of these schemes that allows a dishonest watermarker to send illegal watermarked images and to convince the designated verifier or customer that received watermarked images are valid. We modify the above schemes to overcome the attack. Further, we also propose a new robust watermarking scheme with (non-interactive) designated verification through non-invertible watermarks. Interestingly, our scheme can be extended for joint copyright protection (security of ownership rights for images to be owned by more than one entity).
2005
EPRINT
On Efficient Key Agreement Protocols
A class of efficient key agreement protocols proposed by Boyd is examined. An attack is demonstrated on a round-optimal example protocol of this class, and a simple countermeasure is suggested. The whole class is known to be vulnerable to an attack proposed by Bauer, Berson and Feiertag. A new class of key agreement protocols without this vulnerability but having the same advantages in efficiency is identified, and a number of concrete protocols are suggested.
2005
EPRINT
On Error Correction in the Exponent
Given a corrupted word $\w = (w_1, \ldots, w_n)$ from a Reed-Solomon code of distance $d$, there are many ways to efficiently find and correct its errors. But what if we are instead given $(g^{w_1}, \ldots, g^{w_n})$ where $g$ generates some large cyclic group --- can the errors still be corrected efficiently? This problem is called \emph{error correction in the exponent}, and though it arises naturally in many areas of cryptography, it has received little attention. We first show that \emph{unique decoding} and \emph{list decoding} in the exponent are no harder than the computational Diffie-Hellman (CDH) problem in the same group. The remainder of our results are negative: * Under mild assumptions on the parameters, we show that \emph{bounded-distance decoding} in the exponent, under $e=d-k^{1-\epsilon}$ errors for any $\epsilon > 0$, is as hard as the discrete logarithm problem in the same group. * For \emph{generic} algorithms (as defined by Shoup, Eurocrypt 1997) that treat the group as a ``black-box,'' we show lower bounds for decoding that exactly match known algorithms. Our generic lower bounds also extend to decisional variants of the decoding problem, and to groups in which the decisional Diffie-Hellman (DDH) problem is easy. This suggests that hardness of decoding in the exponent is a qualitatively new assumption that lies ``between'' the DDH and CDH assumptions.
2005
EPRINT
On estimating the lattice security of NTRU
This report explicitly refutes the analysis behind a recent claim that NTRUEncrypt has a bit security of at most 74 bits. We also sum up some existing literature on NTRU and lattices, in order to help explain what should and what should not be classed as an improved attack against the hard problem underlying NTRUEncrypt. We also show a connection between Schnorr's RSR technique and exhaustively searching the NTRU lattice.
2005
EPRINT
On Exact Algebraic [Non-]Immunity of S-boxes Based on Power Functions
In this paper we are interested in algebraic immunity of several well known highly-nonlinear vectorial Boolean functions (or S-boxes), designed for block and stream ciphers. Unfortunately, ciphers that use such S-boxes may still be vulnerable to so called "algebraic attacks" proposed recently by Courtois, Pieprzyk, Meier, Armknecht, et al. These attacks are not always feasible in practice but are in general very powerful. They become possible, if we regard the S-boxes, no longer as highly-nonlinear functions of their inputs, but rather exhibit (and exploit) much simpler algebraic equations, that involve both input and the output bits. Instead of complex and "explicit" Boolean FUNCTIONS we have then simple and "implicit" algebraic RELATIONS that can be combined to fully describe the secret key of the system. In this paper we look at the number and the type of relations that do exist for several well known components. We wish to correct or/and complete several inexact results on this topic that were presented at FSE 2004. We also wish to bring a theoretical contribution. One of the main problems in the area of algebraic attacks is to prove that some systems of equations (derived from some more fundamental equations), are still linearly independent. We give a complete proof that the number of linearly independent equations for the Rijndael S-box (derived from the basic equation XY=1) is indeed as reported by Courtois and Pieprzyk. It seems that nobody has so far proven this fundamental statement.
2005
EPRINT
On Fairness in Simulatability-based Cryptographic Systems
Simulatability constitutes the cryptographic notion of a secure refinement and has asserted its position as one of the fundamental concepts of modern cryptography. Although simulatability carefully captures that a distributed protocol does not behave any worse than an ideal specification, it however does not capture any form of liveness guarantees, i.e., that something good eventually happens in the protocol. We show how one can extend the notion of simulatability to comprise liveness guarantees by imposing specific fairness constraints on the adversary. As the common notion of fairness based on infinite runs and eventual message delivery is not suited for reasoning about polynomial-time, cryptographic systems, we propose a new definition of fairness that enforces the delivery of messages after a polynomial number of steps. We provide strengthened variants of this definition by granting the protocol parties explicit guarantees on the maximum delay of messages. The variants thus capture fairness with explicit timeout signals, and we further distinguish between fairness with local timeouts and fairness with global timeouts. We compare the resulting notions of fair simulatability, and provide separating examples that help to classify the strengths of the definitions and that show that the different definitions of fairness imply different variants of simulatability.
2005
EPRINT
On Finding Roots Without Factoring and A Special Purpose Factoring Algorithm
For any integer $n$, some side information exists that allows roots of certain polynomials modulo $n$ to be found efficiently (in polynomial time). The quartics $q_{u,a,b}(x) = x^4 - 4ux^3 - 2ax^2 -(8b + 4ua)x + a^2 - 4ub$, where $a$ and $b$ are some fixed integers, can be solved with probability approximately $\frac{1}{4}$ over integers $u$ chosen randomly from in $\{0,1,\dots,n-1\}$. The side information depends on $a$ and $b$, and is derivable from the factorization of $n$. The side information does not necessarily seem to reveal the factorization of $n$. For certain other polynomials, such as $p_u(x) = x^3 - u$, it is an important unsolved problem of theoretical cryptology whether there exists an algorithm for finding roots that does not also reveal the factorization of $n$. Cheng's special-purpose factoring algorithm is also reviewed and some extensions suggested.
2005
EPRINT
On High-Rate Cryptographic Compression Functions
The security of iterated hash functions relies on the properties of underlying compression functions. We study highly efficient compression functions based on block ciphers. We propose a model for high-rate compression functions, and give an upper bound for the rate of any collision resistant compression function in our model. In addition, we show that natural generalizations of constructions by Preneel, Govaerts, and Vandewalle to the case of rate-$2$ compression functions are not collision resistant.
2005
EPRINT
On highly nonlinear S-boxes and their inability to thwart DPA attacks (completed version)
Prouff has introduced recently, at FSE 2005, the notion of transparency order of S-boxes. This new characteristic is related to the ability of an S-box, used in a cryptosystem in which the round keys are introduced by addition, to thwart single-bit or multi-bit DPA attacks on the system. If this parameter has sufficiently small value, then the S-box is able to withstand DPA attacks without that ad-hoc modifications in the implementation be necessary (these modifications make the encryption about twice slower). We prove lower bounds on the transparency order of highly nonlinear S-boxes. We show that some highly nonlinear functions (in odd or even numbers of variables) have very bad transparency orders: the inverse functions (used as S-box in the AES), the Gold functions and the Kasami functions (at least under some assumption).
2005
EPRINT
On Obfuscating Point Functions
We study the problem of obfuscation in the context of point functions (also known as delta functions). A point function is a Boolean function that assumes the value 1 at exactly one point. Our main results are as follows: - We provide a simple construction of efficient obfuscators for point functions for a slightly relaxed notion of obfuscation - wherein the size of the simulator has an inverse polynomial dependency on the distinguishing probability - which is nonetheless impossible for general circuits. This is the first known construction of obfuscators for a non-trivial family of functions under general computational assumptions. Our obfuscator is based on a probabilistic hash function constructed from a very strong one-way permutation, and does not require any set-up assumptions. Our construction also yields an obfuscator for point functions with multi-bit output. - We show that such a strong one-way permutation - wherein any polynomial-sized circuit inverts the permutation on at most a polynomial number of inputs - can be realized using a random permutation oracle. We prove the result by improving on the counting argument used in [GT00]; this result may be of independent interest. It follows that our construction yields obfuscators for point functions in the non-programmable random permutation oracle model (in the sense of [N02]). Furthermore, we prove that an assumption like the one we used is necessary for our obfuscator construction. - Finally, we establish two impossibility results on obfuscating point functions which indicate that the limitations on our construction (in simulating only adversaries with single-bit output and in using non-uniform advice in our simulator) are in some sense inherent. The first of the two results is a consequence of a simple characterization of functions that can be obfuscated against general adversaries with multi-bit output as the class of functions that are efficiently and exactly learnable using membership queries. We stress that prior to this work, what is known about obfuscation are negative results for the general class of circuits [BGI01] and positive results in the random oracle model [LPS04] or under non-standard number-theoretic assumptions [C97]. This work represents the first effort to bridge the gap between the two for a natural class of functionalities.
2005
EPRINT
On Proofs of Security for Certificateless Cryptosystems
Certificateless public-key encryption has recently been proposed as an attractive alternative to certificate-based and identity-based encryption schemes. The attraction of certificateless PKE is that it combines the implicit public key authentication of an identity-based scheme with the escrow-free property of a certificate-based scheme. However, all the certificateless schemes that have been thusfar presented have either had the security proved in a reduced security model, or have relied on the random oracle model. Indeed, some authors have gone as far as suggesting that it is impossible to prove the full security of a certificateless scheme in the standard model. This paper examines this claim and comes to the conclusion that, while some provable security techniques may be denied to us, there is no reason why the security of a certificateless scheme cannot be proven in the standard model.
2005
EPRINT
On public-key cryptosystems based on combinatorial group theory
We analyze and critique the public-key cryptosystem, based on combinatorial group theory, that was proposed by Wagner and Magyarik in 1984. This idea is actually not based on the word problem but on another, generally easier, premise problem. Moreover, the idea of the Wagner-Magyarik system is vague, and it is difficult to find a secure realization of this idea. We describe a public-key cryptosystem inspired in part by the Wagner-Magyarik idea, but we also use group actions on words.
2005
EPRINT
On Resistance of DES to Related-Key Differential Cryptanalysis
The key schedule of the Data Encryption Standard is analyzed, and it is shown that the properties of the permuted choice PC-2 transformation and the number of bits that are left shifted during the key generation are critical for the security of the algorithm. More precisely, we were able to mount a low complexity related-key attack on DES with slightly modified key schedule although no related-key attack is known for the original algorithm.
2005
EPRINT
On Security of Koyama Schemes
Attack is possible upon all three RSA analogue PKCs based on singular cubic curves given by Koyama. While saying so, Seng et al observed that the scheme become insecure if a linear relation is known between two plaintexts. In this case, attacker has to compute greatest common divisor of two polynomials corresponding to those two plaintexts. However, the computation of greatest common divisor of two polynomials is not efficient. For the reason, the degree e of both polynomials, an encryption exponent, is quite large. In this paper, we propose an algorithm, which makes the attack considerably efficient. Subsequently we identify isomorphic attack on the Koyama schemes by using the isomorphism between two singular cubic curves.
2005
EPRINT
On Security Proof of McCullagh-Barreto's Key Agreement Protocol and its Variants
McCullagh and Barreto presented an identity-based authenticated key agreement protocol in CT-RSA 2005. Their protocol was found to be vulnerable to a key-compromise impersonation attack. In order to recover the weakness, McCullagh and Barreto, and Xie proposed two variants of the protocol respectively. In each of these works, a security proof of the proposed protocol was presented. In this paper, we revisit these three security proofs and show that all the reductions in these proofs are invalid, because the property of indistinguishability between their simulation and the real world was not held. As a replacement, we slightly modify the McCullagh and Barreto's second protocol and then formally analyse the security of the modified scheme in the Bellare-Rogaway key agreement model.
2005
EPRINT
On the (In)security of Stream Ciphers Based on Arrays and Modular Addition (Full Version)
Stream ciphers play an important role in symmetric cryptology because of their suitability in high speed applications where block ciphers fall short. A large number of fast stream ciphers or pseudorandom bit generators (PRBG's) can be found in the literature that are based on arrays and simple operations such as modular additions, rotations and memory accesses (e.g. RC4, RC4A, Py, Py6, ISAAC etc.). This paper investigates the security of array-based stream ciphers (or PRBG's) against certain types of distinguishing attacks in a unified way. We argue, counter-intuitively, that the most useful characteristic of an array, namely, the association of array-elements with unique indices, may turn out to be the origins of distinguishing attacks if adequate caution is not maintained. In short, an adversary may attack a cipher simply exploiting the dependence of array-elements on the corresponding indices. Most importantly, the weaknesses are not eliminated even if the indices and the array-elements are made to follow uniform distributions separately. Exploiting these weaknesses we build distinguishing attacks with reasonable advantage on five recent stream ciphers (or PRBG's), namely, Py6 (2005, Biham \emph{et al.}), IA, ISAAC (1996, Jenkins Jr.), NGG, GGHN (2005, Gong \emph{et al.}) with data complexities $2^{68.61}$, $2^{32.89}$, $2^{16.89}$, $2^{32.89}$ and $2^{32.89}$ respectively. In all the cases we worked under the assumption that the key-setup algorithms of the ciphers produced uniformly distributed internal states. We only investigated the mixing of bits in the keystream generation algorithms. In hindsight, we also observe that the previous attacks on the other array-based stream ciphers (e.g. Py, etc.), can also be explained in the general framework developed in this paper. We hope that our analyses will be useful in the evaluation of the security of stream ciphers based on arrays and modular addition.
2005
EPRINT
On the affine classification of cubic bent functions
We consider cubic boolean bent functions, each cubic monomial of which contains the same variable. We investigate canonical forms of these functions under affine transformations of variables. In particular, we refine the affine classification of cubic bent functions of 8 variables.
2005
EPRINT
On the Algebraic Immunity of Symmetric Boolean Functions
In this paper, we analyse the algebraic immunity of symmetric Boolean functions. We identify a set of lowest degree annihilators for symmetric functions and propose an efficient algorithm for computing the algebraic immunity of a symmetric function. The existence of several symmetric functions with maximum algebraic immunity is proven. In this way, a new class of function which have good implementation properties and maximum algebraic immunity is found. We also investigate the existence of symmetric functions with high nonlinearity and reasonable order of algebraic immunity. Finally, we give suggestions how to use symmetric functions in a stream cipher.
2005
EPRINT
On the Automatic Construction of Indistinguishable Operations
An increasingly important design constraint for software running on ubiquitous computing devices is security, particularly against physical methods such as side-channel attack. One well studied methodology for defending against such attacks is the concept of indistinguishable functions which leak no information about program control flow since all execution paths are computationally identical. However, the constructing such functions by hand is laborious and error prone as their complexity increases. We investigate techniques for automating this process and find that effective solutions can be constructed with only minor amounts of computational effort.
2005
EPRINT
On the binary sequences with high $GF(2)$ linear complexities and low $GF(p)$ linear complexities
Klapper [1] showed that there are binary sequences of period $q^n-1$ ($q$ is a prime power $p^m$, $p$ is an odd prime) with the maximal possible linear complexity $q^n-1$ when considered as sequences over $GF(2)$, while the sequences have very low linear complexities when considered as sequences over $GF(p)$. This suggests that the binary sequences with high $GF(2)$ linear complexities and low $GF(p)$ linear complexities are note secure in cryptography. In this note we give some simple constructions of the binary sequences with high $GF(2)$ linear complexities and low $GF(p)$ linear complexities. We also prove some lower bounds on the $GF(p)$ linear complexities of binary sequences and a lower bound on the number of the binary sequences with high $GF(2)$ linear complexities and low $GF(p)$ linear complexities .
2005
EPRINT
On the Boolean functions With Maximum Possible Algebraic Immunity : Construction and A Lower Bound of the Count
This paper gives a construction method which can get a large class of Boolean functions with maximum algebraic immunity(AI) from one such giving function. Our constructions get more functions than any previous construction. The cryptographic properties, such as balance, algebraic degree etc, of those functions are studied. It shows that we can construct Boolean functions with better cryptographic properties, which gives the guidance for the design of Boolean functions to resist algebraic attack, and helps to design good cryptographic primitives of cryptosystems. From these constructions, we show that the count of the Boolean functions with maximum AI is bigger than ${2^{2^{n-1}}}$ for $n$ odd, bigger than ${2^{2^{n-1}+\frac{1}{2}\binom{n}{\frac{n}{2}} }}$ for $n$ even, which confirms the computer simulation result that such boolean functions are numerous. As far as we know, this is the first bound about this count.
2005
EPRINT
On the Entropy of Arcfour Keys
This paper is a copy of IBM Research Report RZ 3019 published in 1998, which was a study of some issues related to keys of Arcfour. At the time of writing Arcfour was the common pseudonym used for RC4. Quite of a few of the results in the paper have now been superseded. We have submitted this paper to the IACR eprint archive mainly for reference purposes, since IBM research reports are not indexed in general by Google and other search engines.
2005
EPRINT
On the Hardware Implementation of the MICKEY-128 Stream Cipher
Encryption algorithms are becoming more necessary to ensure the securely transmitted data over insecure communication channels. MICKEY-128 is a recently developed stream cipher with two major advantages: (i) the low hardware complexity, which results in small area and (ii) the high level of security. FPGA device was used for the performance demonstration. Some of the first results of implementing the stream cipher on an FPGA are reported. A maximum throughput equal to 170 Mbps can be achieved, with a clock frequency of 170 MHz.
2005
EPRINT
On The Indistinguishability-Based Security Model of Key Agreement Protocols-Simple Cases
Since Bellare and Rogway's work [15], the indistinguishability-based security models of authenticated key agreement protocols in simple cases have been evolving for ten years. In this report, we review and organize the models under a unified framework with some new extensions. By providing a new ability (the Coin query) to adversaries and redefining two key security notions, the framework fully exploits an adversary's capability and can be used to prove all the commonly required security attributes of key agreement protocols with key confirmation. At the same time, the Coin query is also used to define a model which can be used to heuristically evaluate the security of a large category of authenticated protocols without key confirmation. We use the models to analyze a few pairing-based authenticated key agreement protocols.
2005
EPRINT
On the Key Schedule of Blowfish
In this article the author shows that for the block cipher Blowfish, the subkeys for the third and fourth round do not depend on the first 64 bits of the userkey
2005
EPRINT
On the Notion of Statistical Security in Simulatability Definitions
We investigate the definition of statistical security (i.e., security against unbounded adversaries) in the framework of reactive simulatability. This framework allows to formulate and analyze multi-party protocols modularly by providing a composition theorem for protocols. However, we show that the notion of statistical security, as defined by Backes, Pfitzmann and Waidner for the reactive simulatability framework, does not allow for secure composition of protocols. This in particular invalidates the proof of the composition theorem. We give evidence that the reason for the non-composability of statistical security is no artifact of the framework itself, but of the particular formulation of statistical security. Therefore, we give a modified notion of statistical security in the reactive simulatability framework. We prove that this notion allows for secure composition of protocols. As to the best of our knowledge, no formal definition of statistical security has been fixed for Canetti's universal composability framework, we believe that our observations and results can also help to avoid potential pitfalls there.
2005
EPRINT
On the relationship between squared pairings and plain pairings
In this paper, we investigate the relationship between the squared Weil/Tate pairing and the plain Weil/Tate pairing. Along these lines, we first show that the squared pairing for arbitrary chosen point can be transformed into a plain pairing for the trace zero point which has a special form to compute them more efficiently. This transformation requires only a cost of some Frobenius actions. Additionally, we show that the squared Weil pairing can be computed more efficiently for trace zero point and derive an explicit formula for the 4th powered Weil pairing as an optimized version of the Weil pairing.
2005
EPRINT
On the security and the efficiency of the Merkle signature scheme
This paper builds on the multi-time signature scheme proposed by Merkle. We prove that the original scheme is existentially unforgeable under adaptive chosen message attack. Moreover, we present an improved version which has three advantages: It is provably forward secure. The number of signatures that can be made with one private key is --- in a practical sense --- unlimited. Finally, the cost for key generation is kept low. The theoretical exposition is complemented by experimental data about the efficiency of the improved Merkle signature scheme.
2005
EPRINT
On the Security of a Certificateless Public-Key Encryption
Certificateless public-key cryptosystem is a recently proposed attractive paradigm using public key cryptosystem, which avoids the key escrow inherent in identity-based public-key cryptosystems, and does not need certificates to generate trust in public keys. In 2005, Al-Riyami and Paterson proposed a new certificateless public-key encryption scheme and proved its security in the random oracle model. This paper shows that their scheme is vulnerable to adaptive chosen ciphertext attacks, and presents a countermeasure to overcome such a security flaw.
2005
EPRINT
On the Security of A Group Signature Scheme
As a special digital signature, a group signature scheme al- lows a group member to sign message on behalf of the group in an anony-mous and unlinkability way, In case of a dispute, the group manager can reveal the actual identity of signer. Anonymity and unlinkability are basic properties of group signature, which distinguish other signature scheme. Recently, based on the work of Camenisch and Lysyanskaya, which is known to be the most e?cient scheme so far, E.Y.Choi et.al propose an e?cient group signature scheme with member revocation at TrustBus 2005. Unfortunately, in this work we show that the scheme has linkability, Namely, any one can distinguish whether two di?erent group signatures are produced by the same signer, and that the revo- cation manager cannot trace the actual identity of a signer by a group signature. Finally, we give the corresponding attack to the scheme.
2005
EPRINT
On the Security of a Group Signature Scheme with Strong Separability
A group signature scheme allows a group member of a given group to sign messages on behalf of the group in an anonymous and unlinkable fashion. In case of a dispute, however, a designated group manager can reveal the signer of a valid group signature. Many applications of group signatures require that the group manager can be split into a membership manager and a revocation manager. Such a group signature scheme with strong separability was proposed in paper [1]. Unfortunately, the scheme is insecure which has been shown in [2][3][4]. In this paper we show that the scheme is untraceable by a simple and direct attack. Besides, we show its universal forgeability by a general attack which only needs to choose five random numbers. We minutely explain the technique to shun the challenge in the scheme.
2005
EPRINT
On the Security of Encryption Modes of MD4, MD5 and HAVAL
MD4 is a cryptographic hash function introduced in 1990 by Rivest. After MD4 was proposed, several hash functions such as MD5, HAVAL, RIPEMD, RIPEMD-160, SHA-1 and SHA-256 were designed based on the MD4 structure. In this paper, we cryptanalyze the compression functions of MD4, MD5 and 4-, 5-pass HAVAL in encryption modes. We exploit the recently proposed related-key rectangle and boomerang techniques to show non-randomness of MD4, MD5 and 4-, 5-pass HAVAL and to distinguish them from a randomly chosen cipher. The attacks are highly practical and have been confirmed by our experiments.
2005
EPRINT
On the Security of Kaweichel
In this report the block cipher Kaweichel is examined with regard to linear and differential cryptanalysis. As a result of this investigation new versions with a reduced number of rounds are proposed.
2005
EPRINT
On the security of some password-based key agreement schemes
In this paper we show that two potential security vulnerabilities exist in the strong password-only authenticated key exchange scheme due to Jablon. Two standardised schemes based on Jablon's scheme, namely the first password-based key agreement mechanism in ISO/IEC FCD 11770-4 and the scheme BPKAS-SPEKE in IEEE P1363.2 also suffer from one or both of these security vulnerabilities. We further show that other password-based key agreement mechanisms, including those in ISO/IEC FCD 11770-4 and IEEE P1363.2, also suffer from these two security vulnerabilities. Finally, we propose means to remove these security vulnerabilities.
2005
EPRINT
On the Statistically Optimal Divide and Conquer Correlation Attack on the Shrinking Generator
The shrinking generator is a well-known key stream generator composed of two LFSR?s, LFSRx and LFSRc, where LFSRx is clock-controlled according to the regularly clocked LFSRc. In this paper we investigate the minimum required length of the output sequence for successful reconstruction of the LFSRx initial state in an optimal probabilistic divide and conquer correlation attack. We extract an exact expression for the joint probability of the prefix of length m of the output sequence of LFSRx and prefix of length n of the output sequence of the generator. Then we use computer simulation to compare our probability measure and two other probability measures, previousely proposed in [5] and [3], in the sense of minimum required output length. Our simulation results show that our measure reduces the required output length.
2005
EPRINT
On Universal Composable Security of Time-Stamping Protocols
Time-stamping protocols, which assure that a document was existed at a certain time, are applied to some useful and practical applications such as electronic patent applications and so on. There are two major time-stamping protocols, the simple protocol and the linking protocol. In the former, a time-stamp authority issues a time-stamp token that is the digital signature of the concatenated value of a hashed message and the present time. In the latter, the time-stamp authority issues a time-stamp token that is the hash value of the concatenated value of a hashed message and the previous hash value. Although security requirements and analysis for above time-stamping protocols has been discussed, there are no strict cryptographic security notions for them. In this paper, we reconsider the security requirements for time-stamping protocols and define security notions for them, in a universally composable security sense, which was proposed by Canetti. We also show that these notions can be achieved using combinations of a secure key exchange protocol, a secure symmetric encryption scheme, and a secure digital signature scheme.
2005
EPRINT
One-Time HNP or Attacks on a Flawed El Gamal Revisited
We present a modification of the well-known hidden number problem (HNP) which we refer to as a one-time HNP (OT-HNP). We also present an algorithm for solving such a problem together with its formal analysis. We show then that carefully designed instances of OT-HNP can be used to break certain flawed implementations of public key schemes efficiently. We work, for instance, with Nguyen?s attack on El Gamal?s signature scheme in the GNU Privacy Guard of version 1.2.3. The technique employed there was not based on HNP, since it was supposed that more than one signature would be necessary, which seemed to be a wastage. We will see, however, that by using OT-HNP one signature is still far enough, while retaining certain elegance of the HNP approach. We also present an experimental confirmation of this result.
2005
EPRINT
One-Time Signatures Revisited: Have They Become Practical?
One-time signatures have been known for more than two decades, and have been studied mainly due to their theoretical value. Recent works motivated us to examine the practical use of one-time signatures in high-performance applications. In this paper we describe FMTseq - a signature scheme that merges recent improvements in hash tree traversal into Merkle's one-time signature scheme. Implementation results show that the scheme provides a signature speed of up to 35 times faster than a 2048-bit RSA signature scheme, for about one million signatures, and a signature size of only a few kilobytes. We provide an analysis of practical parameter selection for the scheme, and improvements that can be applied in more specific scenarios.
2005
EPRINT
One-Way Signature Chaining - A New Paradigm For Group Cryptosystems
In this paper, we describe a new cryptographic primitive called \emph{(One-Way) Signature Chaining}. Signature chaining is essentially a method of generating a chain of signatures on the same message by different users. Each signature acts as a ``link'' of the chain. The \emph{one-way}-ness implies that the chaining process is one-way in the sense that more links can be easily added to the chain. However, it is computationally infeasible to remove any intermediate links without removing all the links. The signatures so created are called chain signatures. We give precise definitions of chain signatures and discuss some applications in trust transfer. We also present a practical construction of a CS scheme that is secure under the Computational Diffie-Hellman (CDH) assumption in bilinear maps.
2005
EPRINT
One-Wayness Equivalent to General Factoring
This paper shows the first practical semantically secure public-key encryption scheme such that its one-wayness is equivalent to {\it general} factoring in the {\it standard} model (in the sense of IND-CPA). Next our proof technique is applied to Rabin-Paillier encryption scheme and a variant of RSA-Paillier encryption scheme to prove their exactly tight one-wayness.
2005
EPRINT
Overview of Key Agreement Protocols
The emphasis of this paper is to focus on key agreement. To this aim, we address a self-contained, up-to-date presentation of key agreement protocols at high level. We have attempted to provide a brief but fairly complete survey of all these schemes.
2005
EPRINT
Pairing-Based Cryptography at High Security Levels
In recent years cryptographic protocols based on the Weil and Tate pairings on elliptic curves have attracted much attention. A notable success in this area was the elegant solution by Boneh and Franklin of the problem of efficient identity-based encryption. At the same time, the security standards for public key cryptosystems are expected to increase, so that in the future they will be capable of providing security equivalent to 128-, 192-, or 256-bit AES keys. In this paper we examine the implications of heightened security needs for pairing-based cryptosystems. We first describe three different reasons why high-security users might have concerns about the long-term viability of these systems. However, in our view none of the risks inherent in pairing-based systems are sufficiently serious to warrant pulling them from the shelves. We next discuss two families of elliptic curves E for use in pairing-based cryptosystems. The first has the property that the pairing takes values in the prime field F_p over which the curve is defined; the second family consists of supersingular curves with embedding degree k=2. Finally, we examine the efficiency of the Weil pairing as opposed to the Tate pairing and compare a range of choices of embedding degree k, including k=1 and k=24.
2005
EPRINT
Pairing-based identification schemes
We propose four different public-key identification schemes that make use of bilinear pairings, and prove their security under certain computational assumptions. Each of the schemes is more efficient and/or more secure than any known pairing-based identification scheme.
2005
EPRINT
Pairing-Based Two-Party Authenticated Key Agreement Protocol
To achieve secure data communications, two parties should be authenticated by each other and agree on a secret session key by exchanging messages over an insecure channel. In this paper, based on the bilinear pairing, we present a new two-party authenticated key agreement protocol, and use the techniques from provable security to examine the security of our protocol within Bellare-Rogaway model.
2005
EPRINT
Pairing-Friendly Elliptic Curves of Prime Order
Previously known techniques to construct pairing-friendly curves of prime or near-prime order are restricted to embedding degree $k \leqslant 6$. More general methods produce curves over $\F_p$ where the bit length of $p$ is often twice as large as that of the order $r$ of the subgroup with embedding degree $k$; the best published results achieve $\rho \equiv \log(p)/\log(r) \sim 5/4$. In this paper we make the first step towards surpassing these limitations by describing a method to construct elliptic curves of prime order and embedding degree $k = 12$. The new curves lead to very efficient implementation: non-pairing cryptosystem operations only need $\F_p$ and $\F_{p^2}$ arithmetic, and pairing values can be compressed to one \emph{sixth} of their length in a way compatible with point reduction techniques. We also discuss the role of large CM discriminants $D$ to minimize $\rho$; in particular, for embedding degree $k = 2q$ where $q$ is prime we show that the ability to handle $\log(D)/\log(r) \sim (q-3)/(q-1)$ enables building curves with $\rho \sim q/(q-1)$.
2005
EPRINT
Parallel and Concurrent Security of the HB and HB+ Protocols
At Crypto 2005, Juels and Weis (building on work of Hopper and Blum) proposed and analyzed two shared-key authentication protocols --- HB and HB+ --- whose extremely low computational cost makes them attractive for low-cost devices such as radio-frequency identification (RFID) tags. Security of these protocols is based on the conjectured hardness of the ``learning parity with noise'' (LPN) problem: the HB protocol is proven secure against a passive (eavesdropping) adversary, while the HB+ protocol is proven secure against active attacks. Juels and Weis prove security of these protocols only for the case of sequential executions, and explicitly leave open the question of whether security holds also in the case of parallel or concurrent executions. In addition to guaranteeing security against a stronger class of adversaries, a positive answer to this question would allow the HB+ protocol to be parallelized, thereby reducing its round complexity from super-logarithmic (in the security parameter) to 3. Using a recent result by Regev (STOC 2005) regarding the LPN problem, we answer the aforementioned question in the affirmative and prove security of the HB and HB+ protocols under parallel/concurrent executions. Applying Regev's result also yields what we find to be substantially simpler security proofs for these protocols which are also more complete in that they explicitly address the dependence of the soundness error on the number of iterations.
2005
EPRINT
Partial Hiding in Public-Key Cryptography
This paper explores the idea of partially exposing sections of the private key in public-key cryptosystems whose security is based on the intractability of factorising large integers. It is proposed to allow significant portions of the private key to be publicly available, reducing the amount of data which must be securely hidden. The ``secret'' data could be XORed with an individual's biometric reading in order to maintain a high level of security, and we suggest using iris templates for this purpose. Finally, we propose an implementation of this system for RSA, and consider the potential risks and advantages associated with such a scheme.
2005
EPRINT
Partially Fixed Point Multiplication
A new technique is proposed in which bandwidth and memory are together used to reduce both the number of point additions and doublings required in computing random point multiplication. Using the proposed technique, we show that a significant speed-up can be obtained at the cost of slightly increased bandwidth. In addition, we show that the proposed technique is well-suited for parallel processing.
2005
EPRINT
Partitioned Cache Architecture as a Side-Channel Defence Mechanism
Recent research has produced a number of viable side-channel attack methods based on the data-dependant behaviour of microprocessor cache memory. Most proposed defence mechanisms are software based and mainly act to increase the attackers workload rather than obviate the attack entirely. In this paper we investigate the use of a configurable cache architecture to provide hardware assisted defence. By exposing the cache to the processor and allowing it to be dynamically configured to match the needs of a given application, we provide opportunity for higher performance as well as security.
2005
EPRINT
Pass-thoughts: Authenticating With Our Minds
We present a novel idea for user authentication that we call pass-thoughts. Recent advances in Brain-Computer Interface (BCI) technology indicate that there is potential for a new type of human-computer interaction: a user transmitting thoughts directly to a computer. The goal of a pass-thought system would be to extract as much entropy as possible from a user?s brain signals upon ?transmitting? a thought. Provided that these brain signals can be recorded and processed in an accurate and repeatable way, a pass-thought system might provide a quasi two-factor, changeable, authentication method resilient to shoulder-surfing. The potential size of the space of a pass-thought system would seem to be unbounded in theory, due to the lack of bounds on what composes a thought, although in practice it will be finite due to system constraints. In this paper, we discuss the motivation and potential of pass-thought authentication, the status quo of BCI technology, and outline the design of what we believe to be a currently feasible pass-thought system. We also briefly mention the need for general exploration and open debate regarding ethical considerations for such technologies.
2005
EPRINT
PEKE, Probabilistic Encryption Key Exchange, 10 Years Later, Including the PEKEv1.25 Specifications
This document revisits the PEKE (Probabilistic Encryption Key Exchange) cryptosystem and proposes the enhanced PEKEv1.25 that performs a hash computation on the original PEKE output in order to improve the security assurance and to broaden the field of use. For a key establishment application where only the server side publishes a long-term public key and can adequately protect the private key counterpart from implementation attacks, we claim that PEKE is unsurpassed in security and efficiency, among the finite field arithmetic cryptosystems (e.g. RSA and finite field Diffie-Hellman). We use an original definition for the type of key encapsulation service provided by PEKE, hoping that this abstract definition captures the characteristics of the protocol and usage context. However, we only suggest that related security proofs are encouraging for the security of PEKE.
2005
EPRINT
Perfect Non-Interactive Zero Knowledge for NP
Non-interactive zero-knowledge (NIZK) systems are fundamental cryptographic primitives used in many constructions, including CCA2-secure cryptosystems, digital signatures, and various cryptographic protocols. What makes them especially attractive, is that they work equally well in a concurrent setting, which is notoriously hard for interactive zero-knowledge protocols. However, while for interactive zero-knowledge we know how to construct statistical zero-knowledge argument systems for all NP languages, for non-interactive zero-knowledge, this problem remained open since the inception of NIZK in the late 1980's. Here we resolve two problems regarding NIZK: - we construct the first perfect NIZK argument system for any NP language. - we construct the first UC-secure NIZK protocols for any NP language in the presence of a dynamic/adaptive adversary. While it was already known how to construct efficient prover computational NIZK proofs for any NP language, the known techniques yield large common reference strings and large NIZK proofs. As an additional implication of our techniques, we considerably reduce both the size of the common reference string and the size of the proofs.
2005
EPRINT
Performance Improvements and a Baseline Parameter Generation Algorithm for NTRUSign
The original presentation of the NTRUSign signature scheme gave a set of parameters that were claimed to give 80 bits of security, but did not give a general recipe for generating parameter sets to a specific level of security. In line with recent research on NTRUEncrypt, this paper presents an outline of such a recipe for NTRUSign. We also present certain technical advances upon which we intend to build in subsequent papers.
2005
EPRINT
Picking Virtual Pockets using Relay Attacks on Contactless Smartcard Systems
A contactless smartcard is a smartcard that can communicate with other devices without any physical connection, using Radio-Frequency Identifier (RFID) technology. Contactless smartcards are becoming increasingly popular, with applications like credit-cards, national-ID, passports, physical access. The security of such applications is clearly critical. A key feature of RFID-based systems is their very short range: typical systems are designed to operate at a range of ~10cm. In this study we show that contactless smartcard technology is vulnerable to relay attacks: An attacker can trick the reader into communicating with a victim smartcard that is very far away. A ``low-tech'' attacker can build a pick-pocket system that can remotely use a victim contactless smartcard, without the victim's knowledge. The attack system consists of two devices, which we call the ``ghost'' and the ``leech''. We discuss basic designs for the attacker's equipment, and explore their possible operating ranges. We show that the ghost can be up to 50m away from the card reader---3 orders of magnitude higher than the nominal range. We also show that the leech can be up to 50cm away from the the victim card. The main characteristics of the attack are: orthogonality to any security protocol, unlimited distance between the attacker and the victim, and low cost of the attack system.
2005
EPRINT
Polyhedrons over Finite Abelian Groups and Their Cryptographic Applications
We are using the group-theory methods for justification of algebraic method in cryptanalysis. The obtained results are using for investigation of Boolean functions cryptographic properties.
2005
EPRINT
Powered Tate Pairing Computation
In this paper, we introduce a powered Tate pairing on a supersingular elliptic curve that has the same shortened loop as the modified Tate pairing using the eta pairing approach by Barreto et al. The main significance of our approach is to remove the condition which the latter should rely on. It implies that our method is simpler and potentially general than the eta pairing approach, although they are equivalent in most practical cases.
2005
EPRINT
Practical Group Signatures without Random Oracles
We provide a construction for a group signature scheme that is provably secure in a universally composable framework, within the standard model with trusted parameters. Our proposed scheme is fairly simple and its efficiency falls within small factors of the most efficient group signature schemes with provable security in any model (including random oracles). Security of our constructions require new cryptographic assumptions, namely the Strong LRSW, EDH, and Strong SXDH assumptions. Evidence for any assumption we introduce is provided by proving hardness in the generic group model. Our second contribution is the first definition of security for group signatures based on the simulatability of real protocol executions in an ideal setting that captures the basic properties of unforgeability, anonymity, unlinkability, and exculpability for group signature schemes.
2005
EPRINT
Practical Lattice Basis Sampling Reduction
We propose a practical sampling reduction algorithm for lattice bases based on work by Schnorr as well as two even more effective generalizations. We report the empirical behaviour of these algorithms. We describe how Sampling Reduction allows to stage lattice attacks against the NTRU cryptosystem with smaller BKZ parameters than before and conclude that therefore the recommeded NTRU security parameters offer $\leq 74$ Bit security.
2005
EPRINT
Preliminary Analysis of DHA-256
DHA-256 was presented at the Cryptographic Hash Workshop hosted by NIST in November 2005. DHA-256 (Double Hash Algorithm) was proposed to enhance the security of SHA-256. We present a preliminary analysis of the message expansion and give an alternative 9-step local collision for DHA-256.
2005
EPRINT
Preventing Attacks on Machine Readable Travel Documents (MRTDs)
After the terror attacks of 9/11, the U.S. Congress passed legislation that requires in the US Visa Waiver Program to begin issuing issuing machine readable passports that are tamper resistant and incorporate biometric and document authentication identifiers. The International Civil Aviation Organization (ICAO) has issued specifications for Machine Readable Travel Documents (MRTD) that are equipped with a smart card processor to perform biometric identification of the holder. Some countries, such as the United States, will issue machine readable passports that serve only as passports. Other countries, such as the United Kingdom, intend to issue more sophisticated, multi-application passports that can also serve as national identity cards. We have conducted a detailed security analysis of these specificationsm, and we illustrate possible scenarios that could cause a compromise in the security and privacy of holders of such travel documents. Finally, we suggest improved cryptographic protocols and high-assurance smart card operating systems to prevent these compromises and to support electronic visas as well as passports.
2005
EPRINT
PRF Domain Extension Using DAGs
We prove a general domain extension theorem for pseudo-random functions (PRFs). Given a PRF $F$ from $n$ bits to $n$ bits, it is well known that employing $F$ in a chaining mode (CBC-MAC) yields a PRF on the bigger domain. Viewing each application of $F$ in this chaining mode to be a node in a graph, and the chaining as the edges between the nodes, the resulting graph is just a line graph. In this paper, we show that the underlying graph can be an arbitrary directed acyclic graph (DAG), and the resulting function on the larger domain is still a PRF. The only requirement on the graph is that it have unique source and sink nodes, and no two nodes have the same set of incident nodes. A new highly parallelizable MAC construction follows which has a critical path of only $3+\log ^{*} n $ applications of $F$.\\ \hspace*{0.1in} If we allow Galois field arithmetic, we can consider edge colored DAGs, where the colors represent multiplication in the field by the color number. We prove an even more general theorem, where the only restriction on the colored DAGs is that if two nodes ($u$ and $v$) have the same set of incident nodes $W$, then at least one $w$ in $W$ is incident on $u$ and $v$ with a different colored edge. PMAC (parallelizable message authentication \cite{black}) is a simple example of such graphs. The general thoerem allows one to have further optimizations over PMAC, and many modes which deal with variable lengths.
2005
EPRINT
Primal-Dual Distance Bounds of Linear Codes with Application to Cryptography
Let $N(d,d^\perp)$ denote the minimum length $n$ of a linear code $C$ with $d$ and $d^{\bot}$, where $d$ is the minimum Hamming distance of $C$ and $d^{\bot}$ is the minimum Hamming distance of $C^{\bot}$. In this paper, we show a lower bound and an upper bound on $N(d,d^\perp)$. Further, for small values of $d$ and $d^\perp$, we determine $N(d,d^\perp)$ and give a generator matrix of the optimum linear code. This problem is directly related to the design method of cryptographic Boolean functions suggested by Kurosawa et al.
2005
EPRINT
Privacy-Preserving Polling using Playing Cards
Visualizing protocols is not only useful as a step towards understanding and ensuring security properties, but is also a beneficial tool to communicate notions of security to decision makers and technical people outside the field of cryptography. We present a simple card game that is a visualization for a secure protocol for private polling where it is simple to see that individual responses cannot be traced back to a respondent, and cheating is irrational. We use visualization tricks to illustrate a somewhat complex protocol, namely the Cryptographic Randomized Response Technique protocol of Lipmaa et al. While our tools --- commitments and cut-and-choose --- are well known, our construction for oblivious transfer using playing cards is new. As part of visualizing the protocol, we have been able to show that, while cut-and-choose protocols normally get more secure with an increasing number of choices, the protocol we consider --- surprisingly --- does not. This is true for our visualization of the protocol and for the real protocol.
2005
EPRINT
Probabilistic Opacity for a Passive Adversary and its Application to Chaum's Voting Scheme
A predicate is opaque for a given system, if an adversary will never be able to establish truth or falsehood of the predicate for any observed computation. This notion has been essentially introduced and studied in the context of transition systems whether describing the semantics of programs, security protocols or other systems. In this paper, we are interested in studying opacity in the probabilistic computational world. Indeed, in other settings, as in the Dolev-Yao model for instance, even if an adversary is $99\%$ sure of the truth of the predicate, it remains opaque as the adversary cannot conclude for sure. In this paper, we introduce a computational version of opacity in the case of passive adversaries called cryptographic opacity. Our main result is a composition theorem: if a system is secure in an abstract formalism and the cryptographic primitives used to implement it are secure, then this system is secure in a computational formalism. Security of the abstract system is the usual opacity and security of the cryptographic primitives is IND-CPA security. To illustrate our result, we give two applications: a short and elegant proof of the classical Abadi-Rogaway result and the first computational proof of Chaum's visual electronic voting scheme.
2005
EPRINT
Probability distributions of Correlation and Differentials in Block Ciphers
In this paper, we derive the probability distributions of difference propagation probabilities and input-output correlations for random functions and block ciphers, for several of them for the first time. We show that these parameters have distributions that are well-studied in the field of probability such as the normal, Poisson, Gamma and extreme value distributions. For Markov ciphers there exists a solid theory that expresses bounds on the complexity of differential and linear cryptanalysis in terms of average difference propagation probabilities and average correlations, where the average is taken over the keys. The propagation probabilities and correlations exploited in differential and linear cryptanalysis actually depend on the key and hence so does the attack complexity. The theory of Markov ciphers does not make statements on the distributions of these fixed-key properties but rather makes the assumption that their values will be close to the average for the vast majority of keys. This assumption is made explicit in the form of the hypothesis of stochastic equivalence. In this paper, we study the distributions of propagation properties that are relevant in the resistance of {\em key-alternating ciphers} against differential and linear cryptanalysis. Key-alternating ciphers are basically iterative ciphers where round keys are applied by an XOR operation in between unkeyed rounds and are a sub-class of Markov ciphers. We give the distributions of fixed-key difference propagation probability and fixed-key correlation of iterative ciphers. We show that for key-alternating ciphers, the hypothesis of stochastic equivalence can be discarded. In its place comes the explicit formulation of the distribution of fixed-key \emph{differential probability (DP)} of a differential in terms of its \emph{expected differential probability (EDP)} and the distribution of the fixed-key \emph{linear probability} (or rather \emph{potential}) (\emph{LP}) of a linear approximation (or hull) in terms of its \emph{expected linear probability (ELP)}. Here the ELP and EDP are defined by disregarding the key schedule of the block cipher and taking the average over independently selected round keys, instead of over all cipher keys. Proving these distributions requires no assumptions standardly made in Markov cipher theory as perfectly uniform behavior, independently acting rounds or the technique of averaging over keys. For key-alternating ciphers, we show that if the EDP is equal to $2^{-n}$ with $n$ the block length, the fixed-key DP has a distribution that is very close to that in a random $n$-bit cipher. The same holds for the ELP and the corresponding fixed-key LP. Finally we present a technique for computing bounds on the EDP based on the distribution of probabilities of differential characteristics and of the ELP based on the distribution of LP of linear characteristics.
2005
EPRINT
Prompted User Retrieval of Secret Entropy: The Passmaze Protocol
A prompting protocol permits users to securely retrieve secrets with greater entropy than passwords. The retrieved user secrets can have enough entropy to be used to derive cryptographic keys.
2005
EPRINT
Provable Efficient Certificateless Public Key Encryption
Certificateless public key cryptography was introduced to overcome the key escrow limitation of the identity-based cryptography. It combines the advantages of the identity-based cryptography and the traditional PKI. Recently, Dae Hyun Yum1 and Pil Joong Lee have proposed a generic series construction model of certificateless public key encryption (CL-PKE) which is built from generic primitives: identity-based encryption and public key encryption. However, this model pays much attention on the generic construction and neglects the nice properties of the bilinear pairings. In this paper, we propose an efficient CL-PKE scheme which is based on the nice algebraic properties of Weil pairing. The scheme works in a kind of parallel model and it is more efficient on computation or published public key information than the existing schemes.
2005
EPRINT
Proxy Re-Signatures: New Definitions, Algorithms, and Applications
In 1998, Blaze, Bleumer, and Strauss (BBS) proposed proxy re-signatures, in which a semi-trusted proxy acts as a translator between Alice and Bob. To translate, the proxy converts a signature from Alice into a signature from Bob on the same message. The proxy, however, does not learn any signing key and cannot sign arbitrary messages on behalf of either Alice or Bob. Since the BBS proposal, the proxy re-signature primitive has been largely ignored, but we show that it is a very useful tool for sharing web certificates, forming weak group signatures, and authenticating a network path. We begin our results by formalizing the definition of security for a proxy re-signature. We next substantiate the need for improved schemes by pointing out certain weaknesses of the original BBS proxy re-signature scheme which make it unfit for most practical applications. We then present two secure proxy re-signature schemes based on bilinear maps. Our first scheme relies on the Computational Diffie-Hellman (CDH) assumption; here the proxy can translate from Alice to Bob and vice-versa. Our second scheme relies on the CDH and 2-Discrete Logarithm (2-DL) assumptions and achieves a stronger security guarantee -- the proxy is only able to translate in one direction. Constructing such a scheme has been an open problem since proposed by BBS in 1998. Furthermore in this second scheme, even if the delegator and the proxy collude, they cannot sign on behalf of the delegatee. Both schemes are efficient and secure in the random oracle model.
2005
EPRINT
Public Key Encryption with Keyword Search Revisited
The public key encryption with keyword search (PEKS) scheme recently proposed by Boneh, Di Crescenzo, Ostrovsky, and Persiano enables one to search encrypted keywords without compromising the security of the original data. In this paper, we address three important issues of a PEKS scheme, ``refreshing keywords'', ``removing secure channel'', and ``processing multiple keywords'', which have not been considered in Boneh et. al.'s paper. We argue that care must be taken when keywords are used frequently in the PEKS scheme as this situation might contradict the security of PEKS. We then point out the inefficiency of the original PEKS scheme due to the use of the secure channel. We resolve this problem by constructing an efficient PEKS scheme that removes secure channel. Finally, we propose a PEKS scheme that encrypts multiple keywords efficiently.
2005
EPRINT
Py (Roo): A Fast and Secure Stream Cipher using Rolling Arrays
Py (pronounced Roo, a shorthand for Kangaroo) is a new stream cipher designed especially for the Ecrypt stream cipher contest. It is based on a new kind of primitive, which we call Rolling Arrays. It also uses various other ideas from many types of ciphers, including variable rotations and permutations. In some sense, this design is a kind of a new type of rotor machine, which is specially designed with operations that are very efficient in software. The allowed stream size is $2^{64}$ bytes in each stream (or $2^{40}$ in the smaller version Py6). The security claims of the cipher are that no key recovery attacks can be performed with complexity smaller than that of exhaustive search, and distinguishing attacks are also impractical with a similar complexity. The speed of the cipher is impressively fast, as it is more than 2.5 times faster than RC4 on a Pentium III (with less than 2.9 cycles/byte when implemented with the API of NESSIE and tested with the NESSIE software).
2005
EPRINT
Reconciling CA-Oblivious Encryption, Hidden Credentials, OSBE and Secret Handshakes
We compare four recent systems which have often been cited together, yet which have significant, subtle differences. We argue that the systems are not as interchangeable as several authors have suggested, attempt to correct common misconceptions about the systems, and suggest several potentially rich avenues of future work.
2005
EPRINT
Recursive Constructions of Secure Codes and Hash Families Using Difference Function Families
To protect copyrighted digital data against piracy, codes with different secure properties such as frameproof codes, secure frameproof codes, codes with identifiable parent property (IPP codes), traceability codes (TA codes) are introduced. In this paper, we study these codes together with related combinatorial objects called separating and perfect hash families. We introduce for the first time the notion of difference function families and use these difference function families to give generalized recursive techniques that can be used for any kind of secure codes and hash families. We show that some previous recursive techniques are special cases of these new techniques.
2005
EPRINT
Rediscovery of Time Memory Tradeoffs
Some of the existing time memory tradeoff attacks (TMTO) on specific systems can be reinterpreted as methods for inverting general oneway functions. We apply these methods back to specific systems in ways not considered before. This provides the following startling results. No streamcipher can provide security equal to its key length; some important blockcipher modes of operations are vulnerable to TMTO; and no hash function can provide preimage resistance equal to its digest length.
2005
EPRINT
Relations Among Notions of Security for Identity Based Encryption Schemes
Identity based encryption (IBE) schemes have been flourishing since the very beginning of this century. In IBE it is widely believed that proving the security of a scheme in the sense of IND-ID-CCA2 is sufficient to claim the scheme is also secure in the senses of both SS-ID-CCA2 and NM-ID-CCA2. The justification for this belief is the relations among indistinguishability (IND), semantic security (SS) and non-malleability (NM). But these relations are proved only for conventional public key encryption (PKE) schemes in historical works. The fact is that between IBE and PKE, there exists a difference of special importance, i.e. only in IBE the adversaries can perform a particular attack, namely the chosen identity attack. This paper shows that security proved in the sense of IND-ID-CCA2 is validly sufficient for implying security in any other sense in IBE. This is to say the security notion, IND-ID-CCA2, captures the essence of security for all IBE schemes. To achieve this intention, we first describe formal definitions of the notions of security for IBE, and then present the relations among IND, SS and NM in IBE, along with rigorous proofs. All of these results are proposed with the consideration of the chosen identity attack.
2005
EPRINT
Relations amount Statistical Security Notions - or - Why Exponential Adversaries are Unlimited
In the context of Universal Composability, we introduce the concept of universal environments and simulators. Then, Universal Composability is equivalent to Universal Composability wrt. universal environments and simulators. We prove the existence of universal environments and simulators and investigate their computational complexity. From this, we get a number of consequences: First, we see that for polynomial-time protocols, exponential adversarial entities are as powerful as unlimited ones. Further, for a large class of protocols (those with bounded communication-complexity) we can show that UC and specialised-simulator UC coincide in the case of statistical security, i.e., that it is does not matter whether the simulator is chosen in dependence of the environment or not. This also implies that for the Universal Composition Theorem for polynomial-time protocols specialised-simulator UC is sufficient. This result is the last piece needed to find all implications and non-implications between the notions of UC, specialised-simulator UC, O(1)-bounded and polynomially-bounded general composability for polynomial-time protocols in the cases of perfect, statistical and polynomial security. Finally, we introduce the notion of bounded-risk UC, which allows to give explicit security guarantees for concrete security parameters and show that in the above case also this variant coincides with UC.
2005
EPRINT
Representing small identically self-dual matroids by self-dual codes
The matroid associated to a linear code is the representable matroid that is defined by the columns of any generator matrix. The matroid associated to a self-dual code is identically self-dual, but it is not known whether every identically self-dual representable matroid can be represented by a self-dual code. This open problem was proposed by Cramer et al ("On Codes, Matroids and Secure Multi-Party Computation from Linear Secret Sharing Schemes", Crypto 2005), who proved it to be equivalent to an open problem on the complexity of multiplicative linear secret sharing schemes. Some contributions to its solution are given in this paper. A new family of identically self-dual matroids that can be represented by self-dual codes is presented. Besides, we prove that every identically self-dual matroid on at most eight points is representable by a self-dual code.
2005
EPRINT
Resource Fairness and Composability of Cryptographic Protocols
We introduce the notion of {\em resource-fair} protocols. Informally, this property states that if one party learns the output of the protocol, then so can all other parties, as long as they expend roughly the same amount of resources. As opposed to similar previously proposed definitions, our definition follows the standard simulation paradigm and enjoys strong composability properties. In particular, our definition is similar to the security definition in the universal composability (UC) framework, but works in a model that allows any party to request additional resources from the environment to deal with dishonest parties that may prematurely abort. In this model we specify the ideally fair functionality as allowing parties to ``invest resources'' in return for outputs, but in such an event offering all other parties a fair deal. (The formulation of fair dealings is kept independent of any particular functionality, by defining it using a ``wrapper.'') Thus, by relaxing the notion of fairness, we avoid a well-known impossibility result for fair multi-party computation with corrupted majority; in particular, our definition admits constructions that tolerate arbitrary number of corruptions. We also show that, as in the UC framework, protocols in our framework may be arbitrarily and concurrently composed. Turning to constructions, we define a ``commit-prove-fair-open'' functionality and design an efficient resource-fair protocol that securely realizes it, using a new variant of a cryptographic primitive known as ``time-lines.'' With (the fairly wrapped version of) this functionality we show that some of the existing secure multi-party computation protocols can be easily transformed into resource-fair protocols while preserving their security.
2005
EPRINT
Results on Rotation Symmetric Bent Functions
In this paper we analyze the combinatorial properties related to the Walsh spectra of rotation symmetric Boolean functions on even number of variables. These results are then applied in studying rotation symmetric bent functions.
2005
EPRINT
Results on Rotation Symmetric Boolean Functions on Even Number Variable
Construction of Boolean functions with cryptographic properties is an important and difficult work. In this paper, we concentrate on rotation symmetric Boolean functions(RSBFs), which are invariant under circular translation of indices. Recent research show that this class of Boolean function is rich in functions of cryptographic signifinance. In this paper, we consider the RSBFs on even number variable. We show that the matrix $_n\mathcal{A}$ may result in a better form after rearrange the representative elements. This allows us to improved the search strategy. At last, some combinaatorial results about ${\mathcal P}_n^{1}$ , which only apear in the case $n$ even, are presented in the case $n=2p$, $p$ be odd prime.
2005
EPRINT
Revised: Block Cipher Based Hash Function Construction From PGV
Preneel, Govaerts, and Vandewalle[12] considered the 64 most basic ways to construct a hash function from a block cipher, and regarded 12 of these 64 schemes as secure. Black, Pogaway and Shrimpton[3] proved that, in black-box model, the 12 schemes that PGV singled out as secure really are secure and given tight upper and lower bounds on their collision resistance. And also they pointed out, by stepping outside of the Merkle-Damgard[5] approach to analysis, an additional 8 of the 64 schemes are just as collision resistant as the first group of schemes. In this paper we point out that the 12 compression functions that PGV singled out are free start collision resistant and others are not, the additional 8 compression functions are only fix start collision resistant as singled out by BRS, the hash functions based on those 20 schemes are fix start collision resistant, the upper bound of collision resistance and preimage resistant are given based on conditional probability of compression function, not based on assumption of random oracle model, the bounds have more practical value than the bounds given by BRS. In view point of collision resistant, the best 4 schemes are not among the 12 schemes singled by PGV, and among the 8 schemes point out by BRS, and block cipher E itself is the best compression to build a collision resistant hash function. At the end of the paper, two recommend structure of block cipher based hash function are given, and a prove of their securities are also given.
2005
EPRINT
Revisiting Oblivious Signature-Based Envelopes
Secure, anonymous and unobservable communication is becoming increasingly important due to the gradual erosion of privacy in many aspects of everyday life. This prompts the need for various anonymity- and privacy-enhancing techniques, e.g., group signatures, anonymous e-cash and secret handshakes. In this paper, we investigate an interesting and practical cryptographic construct Oblivious Signature-Based Envelopes (OS-BEs) recently introduced in [15]. OSBEs are very useful in anonymous communication since they allow a sender to communicate information to a receiver such that the receiver s rights (or roles) are unknown to the sender. At the same time, a receiver can obtain the information only if it is authorized to access it. This makes OSBEs a natural fit for anonymity-oriented and privacy-preserving applications, such as Automated Trust Negotiation and Oblivious Subscriptions. Previous results yielded three OSBE constructs: one based on RSA and two based on Identity-Based Encryption (IBE). Our work focuses on the ElGamal signature family: we succeed in constructing practical and secure OSBE schemes for several well-known signature schemes, including: Schnorr, Nyberg-Rueppel, ElGamal and DSA. As experiments with the prototype implementation il-lustrate, our schemes are more efficient than previous techniques. Furthermore, we show that some OSBE schemes, despite offering affiliation privacy for the receiver, introduce no additional cost over schemes that do not offer this feature.
2005
EPRINT
Ring Signatures without Random Oracles
Since the formalization of ring signature by Rivest, Shamir and Tauman in 2001, there are lots of variations appeared in the literature. Almost all of the variations rely on the random oracle model for security proof. In this paper, we propose a ring signature scheme based on bilinear pairings, which is proven to be secure against chosen message attack without using the random oracle model. It is one of the first in the literature to achieve this security level.
2005
EPRINT
Ring Signatures: Stronger Definitions, and Constructions without Random Oracles
Ring signatures, first introduced by Rivest, Shamir, and Tauman, enable a user to sign a message so that a ring of possible signers (of which the user is a member) is identified, without revealing exactly which member of that ring actually generated the signature. In contrast to group signatures, ring signatures are completely ``ad-hoc'' and do not require any central authority or coordination among the various users (indeed, users do not even need to be aware of each other); furthermore, ring signature schemes grant users fine-grained control over the level of anonymity associated with any particular signature. This paper has two main areas of focus. First, we examine previous definitions of security for ring signature schemes and suggest that most of these prior definitions are too weak, in the sense that they do not take into account certain realistic attacks. We propose new definitions of anonymity and unforgeability which address these threats, and give separation results proving that our new notions are strictly stronger than previous ones. Second, we show the first constructions of ring signature schemes in the standard model. One scheme is based on generic assumptions and satisfies our strongest definitions of security. Two additional schemes are more efficient, but achieve weaker security guarantees and more limited functionality.
2005
EPRINT
Scaling security in pairing-based protocols
In number theoretic cryptography there is always the problem of scaling-up security to a higher level. This usually means increasing the size of the modulus, from, say 1024 bits to 2048 bits. In pairing-based cryptography however another option is available, keeping the modulus constant and increasing instead the embedding degree. This has a big potential advantage in smart-card and embedded applications -- security can be scaled up while continuing to use the same sized calculations. For example a cryptographic co-processor which does 512-bit modular multiplications can be directly re-used in the higher security setting. Here we investigate the scaling-up issue in the context of prime characteristic non-supersingular elliptic curves. We also confirm the observation that at higher levels of security a slightly modified Weil pairing becomes more efficient than the Tate pairing.
2005
EPRINT
Scholten Forms and Elliptic/Hyperelliptic Curves with Weak Weil Restrictions
In this paper, we show explicitly the classes of elliptic and hyperelliptic curves of low genera defined over extension fields, which have weak coverings, i.e. their Weil restrictions can be attacked by either index calculus attacks to hyperelliptic curves or Diem's recent attack to non-hyperelliptic curves. In particular, we show how to construct such coverings from these curves and analyze density of the curves for them such construction is possible.
2005
EPRINT
Searchable Encryption Revisited: Consistency Properties, Relation to Anonymous IBE, and Extensions
We identify and fill some gaps with regard to consistency (the extent to which false positives are produced) for public-key encryption with keyword search (PEKS). We define computational and statistical relaxations of the existing notion of perfect consistency, show that the scheme of Boneh et al. in Eurocrypt 2004 is computationally consistent, and provide a new scheme that is statistically consistent. We also provide a transform of an anonymous IBE scheme to a secure PEKS scheme that, unlike the previous one, guarantees consistency. Finally, we suggest three extensions of the basic notions considered here, namely anonymous HIBE, public-key encryption with temporary keyword search, and identity-based encryption with keyword search.
2005
EPRINT
Searchable Keyword-Based Encryption
To solve the problem of searching on encrypted data, many keyword search schemes have been proposed in recent years. The goal of such schemes is to enable a user to give an untrusted storage server the ability only to test whether an encrypted document contains a few keywords without learning anything else about the document. In this paper, we are concerned with decrypting the searched results as well as searching for desired documents. In the previously proposed schemes, except for the work by Waters et al.[WBDS04], a user decrypts searched documents using his private key, $A_{priv}$, or a symmetric key. Our another goal is to enable a user to give a proxy the ability to decrypt only the ciphertexts containing desired keywords, but not other ciphertexts. We propose a new mechanism, Searchable Keyword-Based Encryption (SKBE) which satisfies both the above goals. As a result of adding the delegation of decryption ability, our mechanism works more securely and efficiently in several applications, such as email gateways, secure audit logs, and decryption key delegation systems, than any of the previously proposed schemes. We formalize this mechanism, define its security model and propose an efficient construction whose security is proved in a random oracle model under the Bilinear Diffie-Hellman Inversion assumption. The scheme is constructed based on the Public Key Encryption with Conjunctive Field Keyword Search scheme in [PKL04] by using a hybrid encryption technique.
2005
EPRINT
Secret color images sharing schemes based on XOR operation
This paper presents two new constructions for the secret color images sharing schemes .One is a (n, n) threshold scheme, which can be constructed based on XOR operation. The other is a (2, n) threshold scheme, which can be constructed by using AND and XOR operations. The two schemes have no pixel expansion, and the time complexity for constructing shared images is O(k1n), excluding the time needed for generating n distinct random matrices (here k1 is the size of the shared image). The reconstructed images can be obtained in the two schemes by using the XOR operation alone. The relative differences of the two schemes are 1 and 1/2, respectively. The time complexity of the recovered images is O(k1n) and O(2k1), respectively. The two schemes also provide perfect secrecy.
2005
EPRINT
Secret sharing on the $d$-dimensional cube
We prove that for $d>1$ the information rate of the perfect secret sharing scheme based on the edge set of the $d$-dimensional cube is exactly $2/d$. Using the technique developed, we also prove that the information rate of the infinite $d$-dimensional lattice is $1/d$.
2005
EPRINT
Secret sharing schemes on graphs
Given a graph $G$, a perfect secret sharing scheme based on $G$ is a method to distribute a secret data among the vertices of $G$, the participants, so that a subset of participants can recover the secret if they contain an edge of $G$, otherwise they can obtain no information regarding the secret. The average information rate is the ratio of the size of the secret and the average size of the share a participant must remember. The information rate of $G$ is the supremum of the information rates realizable by perfect secret sharing schemes. We construct a graph on $n$ vertices with average information rate below $4/\log n$. We obtain this result by determining, up to a constant factor, the average information rate of the $d$/dimensional cube.
2005
EPRINT
Secure and {\sl Practical} Identity-Based Encryption
In this paper, we present a variant of Waters' Identity-Based Encryption scheme with a much smaller public-key size (only a few kilobytes). We show that this variant is semantically secure against passive adversaries in the standard model.\smallskip In essence, the new scheme divides Waters' public key size by a factor $\ell$ at the cost of (negligibly) reducing security by $\ell$ bits. Therefore, our construction settles an open question asked by Waters and constitutes the first fully secure {\sl practical} Identity-Based Encryption scheme.
2005
EPRINT
Secure Delegation of Elliptic-Curve Pairing
In this paper we describe a simple protocol for securely delegating elliptic-curve pairings. A computationally limited device (typically a smart-card) will delegate the computation of the pairing e(A,B) to a more powerful device (for example a PC), in such a way that: 1. the powerful device learns nothing about the points being paired (A and B), nor about the pairing?s result e(A,B), 2. and the limited device is able to detect when the powerful device is cheating. We also describe more efficient variants of our protocol when one of the points or both are already known, and further efficiency gains when constant points are used.
2005
EPRINT
Secure Group Key Establishment Revisited
We examine the popular proof models for group key establishment of Bresson et al. and point out missing security properties that are present in some models for two-party key establishment. These properties are actually of more importance in group key establishments due to the possibility of malicious insiders. We show that established group key establishment schemes from CRYPTO 2003 and ASIACRYPT 2004 do not fully meet these new requirements. Next to giving a formal definition of these extended security properties, we prove a variant of the explored proposal from ASIACRYPT 2004 secure in this stricter sense.
2005
EPRINT
Secure Human-Computer Identification (Interface) Systems against Peeping Attacks: SecHCI
This paper focuses on human-computer identification systems against peeping attacks, in which adversaries can observe (and even control) interactions between humans (provers) and computers (verifiers). Real cases on peeping attacks were reported by Ross J. Anderson ten years before. Fixed passwords are insecure to peeping attacks since adversaries can simply replay the observed passwords. Some identification techniques can be used to defeat peeping attacks, but auxiliary devices must be used and such devices are also insecure against peeping attacks if they are lost or stolen. Although more and more people get to know risks from peeping attacks, a practical solution has not been found. This paper first gives a comprehensive review on peeping attacks and related issues, and then points out some basic design principles. Two general structures of secure human-computer identification systems are proposed against peeping attacks. A concrete SecHCI protocol and its various implementations are given, and a real Web service is developed for demonstration. The security and usability of the proposed protocol are investigated in detail. Although the usability of the proposed protocol is not yet sufficiently good, we believe that some design skills of the proposed protocol are useful for future work on SecHCI.
2005
EPRINT
Secure Key-Updating for Lazy Revocation
We consider the problem of efficient key management and user revocation in cryptographic file systems that allow shared access to files. A performance-efficient solution to user revocation in such systems is lazy revocation, a method that delays the re-encryption of a file until the next write to that file. We formalize the notion of key-updating schemes for lazy revocation, an abstraction to manage cryptographic keys in file systems with lazy revocation, and give a security definition for such schemes. We give two composition methods that combine two secure key-updating schemes into a new secure scheme that permits a larger number of user revocations. We prove the security of two slightly modified existing constructions and propose a novel binary tree construction that is also provable secure in our model. Finally, we give a systematic analysis of the computational and communication complexity of the three constructions and show that the novel construction improves the previously known constructions.
2005
EPRINT
Secure Stochastic Multi-party Computation for Combinatorial Problems and a Privacy Concept that Explicitely Factors out Knowledge about the Protocol
High levels of security often imply that the computation time should be independent of the value of involved secrets. When the expected answer of the solver is either a solution or unsatisfiable, then the previous assumption leads to algorithms that take always the computation time of the worst case. This is particularly disturbing for NP-hard combinatorial problems. In this work we start from the observation that sometimes (specially for hard problems) users find it acceptable to receive as answer either a solution, the answer unsatisfiable or a failure with meaning don't know. More exactly users accept incomplete solvers. As argued in [Silaghi,Flairs 05], for certain problems privacy reasons lead users to prefer having an answer meaning don't know even when the secure multi-party computation could have proven unsatisfiable (to avoid revealing that all alternatives are infeasible). While the solution proposed there is slower than complete algorithms, here we show secure stochastic solutions that are faster than complete solvers, allowing to address larger problem instances. Two new refined concepts of privacy are introduced, namely 'requested t-privacy' that factors out treatment of knowledge of the protocol in t-privacy, and a slightly weaker version called 'non-uniform requested t-privacy'. In the last section we discuss arithmetic circuits for complete and stochastic solutions to constraint optimization problems.
2005
EPRINT
Security Analysis of KEA Authenticated Key Exchange Protocol
KEA is a Diffie-Hellman based key-exchange protocol developed by NSA which provides mutual authentication for the parties. It became publicly available in 1998 and since then it was neither attacked nor proved to be secure. We analyze the security of KEA and find that the original protocol is susceptible to a class of attacks. On the positive side, we present a simple modification of the protocol which makes KEA secure. We prove that the modified protocol, called KEA+, satisfies the strongest security requirements for authenticated key-exchange and that it retains some security even if a secret key of a party is leaked. Our security proof is in the random oracle model and uses the Gap Diffie-Hellman assumption. Finally, we show how to add a key confirmation feature to KEA+ (we call the version with key confirmation KEA+C) and discuss the security properties of KEA+C.
2005
EPRINT
Security and Privacy Issues in E-passports
Within the next year, travelers from dozens of nations may be carrying a new form of passport in response to a mandate by the United States government. The e-passport, as it is sometimes called, represents a bold initiative in the deployment of two new technologies: Radio-Frequency Identification (RFID) and biometrics. Important in their own right, e-passports are also the harbinger of a wave of next-generation ID cards: several national governments plan to deploy identity cards integrating RFID and biometrics for domestic use. We explore the privacy and security implications of this impending worldwide experiment in next-generation authentication technology. We describe privacy and security issues that apply to e-passports, then analyze these issues in the context of the International Civil Aviation Organization (ICAO) standard for e-passports.
2005
EPRINT
Security notions for disk encryption
We define security goals and attack models for disk encryption, and prove several relationships between the resulting security notions, and some general results about disk encryption. We give concrete constructions for every security notion along with security proofs. Finally, we briefly discuss the security of some implementations and standards for disk encryption.
2005
EPRINT
Security Notions for Identity Based Encryption
Identity Based Encryption (IBE) has attracted a lot of attention since the publication of the scheme by Boneh and Franklin. So far, only indistinguishability based security notions have been considered in the literature, and it has not been investigated whether these definitions are appropriate. For this purpose, we define the goals of semantic security and non-malleability for IBE. We then compare the security notions resulting from combining those goals with the attacks previously considered in the literature (full and selective-identity attacks), providing either an implication or a separation. Remarkably, we show that the strongest security levels with respect to selective-identity attacks (i.e. chosen-ciphertext security) do not imply the weakest full-identity security level (i.e. one-wayness). With the aim of comprehensiveness, notions of security for IBE in the context of encryption of multiple messages and/or to multiple receivers are finally presented, as well as their relationship with the standard IBE security notion. The results obtained substantiate indistinguishability against full-identity chosen ciphertext attacks as the appropriate security notion for IBE.
2005
EPRINT
Security Proof of "Efficient and Leakage-Resilient Authenticated Key Transport Protocol Based on RSA"
In this paper, we prove the security of the {\sf RSA-AKE} protocol \cite{SKI05} in the random oracle model. The proof states that the {\sf RSA-AKE} protocol is secure against an adversary who gets the client's stored secret \emph{or} the server's RSA private key.\footnote{The protocol is the same as \cite{SKI05}, but we corrected the security proof partially. The attacks appeared in \cite{TM05} are no longer available in the proof since the adversary has access to either the client's stored secret or the server's private key, not both of them.} To our best knowledge, the {\sf RSA-AKE} protocol is the most efficient among their kinds (i.e., RSA and password based AKE protocols). The other security properties and efficiency measurements of the {\sf RSA-AKE} protocol remain the same as in \cite{SKI05}.
2005
EPRINT
Security Proof of Sakai-Kasahara's Identity-Based Encryption Scheme
Identity-based encryption (IBE) is a special asymmetric encryption method where a public encryption key can be an arbitrary identifier and the corresponding private decryption key is created by binding the identifier with a system's master secret. In 2003 Sakai and Kasahara proposed a new IBE scheme, which has the potential to improve performance. However, to our best knowledge, the security of their scheme has not been properly investigated. This work is intended to build confidence in the security of the Sakai-Kasahara IBE scheme. In this paper, we first present an efficient IBE scheme that employs a simple version of the Sakai-Kasahara scheme and the Fujisaki-Okamoto transformation, which we refer to as SK-IBE. We then prove that SK-IBE has chosen ciphertext security in the random oracle model based on a reasonably well-explored hardness assumption.
2005
EPRINT
Security properties of two provably secure conference key agreement protocols
In this paper we analyse the security of two authenticated group key agreement schemes based on the group key agreement protocol of Burmester and Desmedt. One scheme was proposed by Burmester and Desmedt, and uses a separate authentication scheme to achieve authentication among the participants. We show that this scheme suffers from a number of security vulnerabilities. The other scheme was generated using the general protocol compiler of Katz and Yung. We show that in some circumstances, even if key confirmation is implemented, this scheme still suffers from insider attacks (which are not covered by the security model used by Katz and Yung).
2005
EPRINT
Security Weakness in a Three-Party Password-Based Key Exchange Protocol Using Weil Pairing
Recently, Wen, Lee, and Hwang proposed a three-party password-authenticated key exchange protocol making use of the Weil pairing. The protocol was claimed to be provably secure. But despite the claim of provable security, the protocol is in fact insecure in the presence of an active adversary. We demonstrate this by presenting an attack that completely compromises the authentication mechanism of the protocol. Consequently, the proof of security for the protocol is invalidated.
2005
EPRINT
Seifert's RSA Fault Attack: Simplified Analysis and Generalizations
Seifert recently described a new fault attack against an implementation of RSA signature verification. Here we give a simplified analysis of Seifert's attack and gauge its practicality against RSA moduli of practical sizes. We suggest an improvement to Seifert's attack which has the following consequences: if an adversary is able to cause random faults in only 4 bits of a 1024-bit RSA modulus stored in a device, then there is a greater than 50% chance that they will be able to make that device accept a signature on a message of their choice. For 2048-bit RSA, 6 bits suffice.
2005
EPRINT
Short (resp. Fast) CCA2-Fully-Anonymous Group Signatures using IND-CPA-Encrypted Escrows
In the newest and strongest security models for group signatures \cite{BMW03,BellareShZh05,KiayiasYu04}, attackers are given the capability to query an Open Oracle, $\oo$, in order to obtain the signer identity of the queried signature. This oracle mirrors the Decryption Oracle in security experiments involving encryption schemes, and the security notion of CCA2-full-anonymity for group signatures mirrors the security notion of IND-CCA2-security for encryption schemes. Most group signatures escrows the signer identity to a TTP called the {\em Open Authority (OA)} by encrypting the signer identity to OA. Methods to efficiently instantiate $O(1)$-sized CCA2-fully-anonymous group signatures using IND-CCA2-secure encryptions, such as the Cramer-Shoup scheme or the twin encryption scheme, exist \cite{BMW03,BellareShZh05,KiayiasYu04,NguyenSN04}. However, it has long been suspected that IND-CCA2-secure encryption to OA is an overkill, and that CCA2-fully-anonymous group signature can be constructed using only IND-CPA-secure encryptions. Here, we settle this issue in the positive by constructing CCA2-fully-anonymous group signatures from IND-CPA-secure encryptions for the OA, without ever using IND-CCA2-secure encryptions. Our technique uses a single ElGamal or similar encryption plus Dodis and Yampolskiy \cite{DodisYa05}'s VRF (Verifiable Random Function). The VRF provides a sound signature with zero-knowledge in both the signer secret and the signer identity, while it simultaneously defends active $\oo$-query attacks. The benefits of our theoretical advance is improved efficiency. Instantiations in pairings result in the shortest CCA2-fully-anonymous group signature at 11 rational points or $\approx 1870$ bits for 170-bit curves. It is 27\% shorter (and slightly faster) than the previous fastest \cite{BBS04,KiayiasYu04} at 15 rational points. Instantiations in the strong RSA framework result in the fastest CCA2-fully-anonymous group signature at 4 multi-base exponentiations for 1024-bit RSA. It is 25\% faster than the previous fastest at 5 multi-base exponentiations \cite{ACJT00,CL02,KiayiasYu04}.
2005
EPRINT
Side Channel Attacks on Implementations of Curve-Based Cryptographic Primitives
The present survey deals with the recent research in side channel analysis and related attacks on implementations of cryptographic primitives. The focus is on software contermeasures for primitives built around algebraic groups. Many countermeasures are described, together with their extent of applicability, and their weaknesses. Some suggestions are made, conclusion are drawn, some directions for future research are given. An extensive bibliography on recent developments concludes the survey.
2005
EPRINT
Side-Channel Attacks: Ten Years After Its Publication and the Impacts on Cryptographic Module Security Testing
Side-channel attacks are easy-to-implement whilst powerful attacks against cryptographic implementations, and their targets range from primitives, protocols, modules, and devices to even systems. These attacks pose a serious threat to the security of cryptographic modules. In consequence, cryptographic implementations have to be evaluated for their resistivity against such attacks and the incorporation of different countermeasures has to be considered. This paper surveys the methods and techniques employed in these attacks, the destructive effects of such attacks, the countermeasures against such attacks and evaluation of their feasibility and applicability. Finally, the necessity and feasibility of adopting this kind of physical security testing and evaluation in the development of FIPS 140-3 standard are explored. This paper is not only a survey paper, but also more a position paper.
2005
EPRINT
Signature from a New Subgroup Assumption
We present a new signature whose security is reducible to a new assumptions about subgroups, the {\em Computational Conjugate Subgroup Members (CCSM) Assumption}, in the random oracle model.
2005
EPRINT
Simple and Provable Secure Strong Designated Verifier Signature Schemes
In this paper, we introduce a simple strong-designated verifier signature (SDVS) scheme which is much more efficient than previously proposed SDVS schemes. In addition, with only one more parameter published by the signer, this scheme can provide signer's forward security. That is, the consistency of a signature cannot be verified by any third party even if he/she knows a signer's private key. Thus the privacy of a signer's identity is protected independently in each signature, if the designated verifier's private key has not been disclosed. In addition, this scheme can be easily modified to a designated verifier signcryption scheme with virtually no additional cost. We will also show that the proposed scheme is provably secure in the random oracle model.
2005
EPRINT
Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)
A new cryptographic pseudorandom number generator Cilia is presented. It hashes real random data using an iterative hash function to update its secret state, and it generates pseudorandom numbers using a block cipher. Cilia is a simple algorithm that uses an improved variant of double encryption with additional security to generate pseudorandom numbers, and its performance is similar to double encryption. Futhermore, cryptanalytic attacks are presented.
2005
EPRINT
Skipping, Cascade, and Combined Chain Schemes for Broadcast Encryption
We develop a couple of new methods to reduce transmission overheads in broadcast encryption. The methods are based on the idea of assigning {\it one key per each partition using one-way key chains} after partitioning the users. One method adopts {\it skipping chains} on partitions containing up to $p$ revoked users and the other adopts {\it cascade chains} on partitions with layer structure. The scheme using the former reduces the transmission overhead down to $\frac r{p+1}$ asymptotically as $r$ grows, and the scheme using the latter keeps the transmission overhead very small when $r$ approaches 0, where $r$ is the number of revoked users. Combining the two schemes, we propose a new broadcast encryption scheme with least transmission overhead. Our schemes also possess a remarkable feature that any number of new users can join at any time without key update, which is not available for most of known practical schemes.
2005
EPRINT
Small Secure Sketch for Point-Set Difference
A secure sketch is a set of published data that can help to recover the original biometric data after they are corrupted by permissible noises, and by itself does not reveal much information about the original. Several constructions have been proposed for different metrics, and in particular, set difference. We observe that in many promising applications, set difference alone is insufficient to model the noises. We propose to look into point-set difference, which measures noises that not only remove/introduce new feature points in the biometric objects, but may also perturb the points. In this paper, we first give an improvement for set difference construction that can be extended to multi-sets, where the sketch is small and there is an efficient decoding algorithm. We next give a sketch for point-set difference in both one and two-dimensional spaces. By using results in almost k-wise independence, the size of the sketch is reduced to near-optimal.
2005
EPRINT
Smashing SMASH
We present a collision attack on the recently proposed hash function SMASH. The attack uses negligible resources and we conjecture that it works for all hash functions built following the design method of SMASH.
2005
EPRINT
Solutions to Key Exposure Problem in Ring Signature
In this paper, we suggest solutions to the key exposure problem in ring signature. In particular, we propose the first forward secure ring signature scheme and the first key-insulated ring signature schemes. Both constructions allow a $(t,n)$-threshold setting. That is, even $t$ secret keys are compromised, the validity of all forward secure ring signatures generated in the past is still preserved. In the other way, the compromise of up to all secret keys does not allow any adversary to generate a valid key-insulated ring signature for the remaining time periods.
2005
EPRINT
Some Analysis of Radix-r Representations
We deal with the radix-r representation used for the scalar multiplication of pairing-based cryptosystems with characteristic r. Our goal of this paper is to present some invariant properties about the signed radix-r representation; (1) approximation formulae for the average significant length and the average hamming weight of gNAF and wrNAF representation, (2) some classification formulae of equivalent classes called as Cutting Lemma, Collision Lemma, and Search Space Theorem. We also analyze the security of signed radix-r representations in the sense of side channel attacks, and to this end we propose a secure countermeasure.
2005
EPRINT
Some Explicit Formulae of NAF and its Left-to-Right Analogue
Non-Adjacent Form (NAF) is a canonical form of signed binary representation of integers. We present some explicit formulae of NAF and its left-to-right analogue (FAN) for randomly chosen n-bit integers. Interestingly, we prove that the zero-run length appeared in FAN is asymptotically 16/7, which is longer than that of the standard NAF. We also apply the proposed formulae to the speed estimation of elliptic curve cryptosystems.
2005
EPRINT
Some properties of an FSE 2005 Hash Proposal
We consider the hash function proposals by Mridul et al.\ presented at FSE 2005. For the proposed $2n$-bit compression functions it is proved that collision attacks require $\Omega(2^{2n/3})$ queries of the functions in question. In this note it is shown that with ${\cal O}(2^{n/3})$ queries one can distinguish the proposed compression functions from a randomly chosen $2n$-bit function with very good probability. Finally we note that our results do not seem to contradict any statements made the designers of the compression functions.
2005
EPRINT
Some thoughts on Collision Attacks in the Hash Functions MD5, SHA-0 and SHA-1
The design principle of Merkle-Damg{\aa}rd construction is collision resistance of the compression function implies collision resistance of the hash function. Recently multi-block collisions have been found on the hash functions MD5, SHA-0 and SHA-1 using differential cryptanalysis. These multi-block collisions raise several questions on some definitions and properties used in the hash function literature. In this report, we take a closer look at some of the literature in cryptographic hash functions and give our insights on them. We bring out some important differences between the 1989's Damg{\aa}rd's hash function and the hash functions that followed it. We conclude that these hash functions did not consider the pseudo-collision attack in their design criteria. We also doubt whether these hash functions achieve the design principle of Merkle-Damg{\aa}rd's construction. We formalise some definitions on the properties of hash functions in the literature.
2005
EPRINT
Some Thoughts on Time-Memory-Data Tradeoffs
In this paper we show that Time-Memory tradeoff by Hellman may be extended to Time-Memory-Key tradeoff thus allowing attacks much faster than exhaustive search for ciphers for which typically it is stated that no such attack exists. For example, as a result AES with 128-bit key has only 85-bit security if $2^{43}$ encryptions of an arbitrary fixed text under different keys are available to the attacker. Such attacks are generic and are more practical than some recent high complexity chosen related-key attacks on round-reduced versions of AES. They constitute a practical threat for any cipher with 80-bit or shorter keys and are marginally practical for 128-bit key ciphers. We also show that UNIX password scheme even with carefully generated passwords is vulnerable to practical tradeoff attacks. Finally we also demonstrate a combination of rainbow tables with the time-memory-data tradeoff which results in a new tradeoff curve.
2005
EPRINT
Soundness and Completeness of Formal Logics of Symmetric Encryption
We consider expansions of the Abadi-Rogaway logic of indistinguishability of formal cryptographic expressions. The formal language of this logic uses a box as notation for indecipherable strings, through which formal equivalence is defined. We expand the logic by considering different kinds of boxes corresponding to equivalence classes of formal ciphers. We consider not only computational, but also purely probabilistic, information-theoretic interpretations. We present a general, systematic treatment of the expansions of the logic for symmetric encryption. We establish general soundness and completeness theorems for the interpretations. We also present applications to specific settings not covered in earlier works: a purely probabilistic one that interprets formal expressions in One-Time Pad, and computational settings of the so-called type 2 (which-key revealing) cryptosystems based on computational complexity.
2005
EPRINT
SPA Resistant Left-to-Right Integer Recodings
We introduce two new left-to-right integer recodings which can be used to perform scalar multiplication with a fixed sequence of operations. These recodings make it possible to have a simple power analysis resistant implementation of a group-based cryptosystem without using unified formulas or introducing dummy operations. This approach is very useful for groups in which the doubling step are less expensive than the addition step, for example with hyperelliptic curves over binary fields or elliptic curves with mixed coordinates.
2005
EPRINT
Special Polynomial Families for Generating More Suitable Elliptic Curves for Pairing-Based Cryptosystems
Constructing non-supersingular elliptic curves for pairing-based cryptosystems have attracted much attention in recent years. The best previous technique builds curves with p = lg(q)/lg(r) = 1 (k = 12) and p = lg(q)/lg(r) = 1.25 (k = 24). When k > 12, most of the previous works address the question by representing r(x) as a cyclotomic polynomial. In this paper, we propose a new method to find more pairing-friendly elliptic curves with arbitrary embedding degree k by certain special polynomial families. The new method generates curves with lg(q)/lg(r) = 1 (k > 48) by random forms of r(x). Different representations of r(x) allow us to obtain many new families of pairing-friendly elliptic curves. In addition, we propose a equation to illustrate how to obtain small values of p by choosing appropriate forms of discriminant D and trace t. Numerous parameters of certain pairing-friendly elliptic curves are presented with support for the theoretical conclusions.
2005
EPRINT
Speeding Up Pairing Computation
In this note, we describe how to achieve a simple yet substantial speed up of Miller's algorithm, when not using denominator elimination, and working over quadratic extension fields.
2005
EPRINT
Spreading Alerts Quietly and the Subgroup Escape Problem
We introduce a new cryptographic primitive called the blind coupon mechanism (BCM). In effect, the BCM is an authenticated bit-commitment, which is AND-homomorphic. It has not been known how to construct such commitments before. We show that the BCM has natural and important applications. In particular, we use it to construct a mechanism for transmitting alerts undetectably in a message-passing system of n nodes. Our algorithms allow an alert to quickly propagate to all nodes without its source or existence being detected by an adversary, who controls all message traffic. Our proofs of security are based on a new subgroup escape problem, which seems hard on certain groups with bilinear pairings and on elliptic curves over the ring Zn.
2005
EPRINT
Statistical Multiparty Computation Based on Random Walks on Graphs
With respect to a special class of access structures based on connectivity of graphs, we start from a linear secret sharing scheme and turn it into a secret sharing scheme with perfect security and exponentially small error probability by randomizing the reconstruction algorithm through random walks on graphs. It reduces the polynomial work space to logarithmic. Then we build the corresponding statistical multiparty computation protocol by using the secret sharing scheme. The results of this paper also imply the inherent connections and influences among secret sharing, randomized algorithms, and secure multi-party computation.
2005
EPRINT
Steganography with Imperfect Samplers
The goal of steganography is to pass secret messages by disguising them as innocent-looking covertexts. Real world stegosystems are often broken because they make invalid assumptions about the system's ability to sample covertexts. We examine whether it is possible to weaken this assumption. By modeling the covertext distribution as a stateful Markov process, we create a sliding scale between real world and provably secure stegosystems. We also show that insufficient knowledge of past states can have catastrophic results.
2005
EPRINT
Stream Cipher Design based on Jumping Finite State Machines
This paper presents a new way of constructing binary cascade clock-controlled LFSR sequence generators as building blocks for stream ciphers. In these constructions the bottleneck of multiple clocking shift registers is removed, resulting in so called jump-controlled sequence generators, that operate in a single clock pulse and are most efficient to implement. The constructions make use of special properties of irreducible polynomials over finite fields. This paper also aims at giving insight into the mathematical theory behind the constructions. To this end, theory is developed and many of the rich set of properties of irreducible polynomials over GF(2), such as periods, jump indices and the number and cardinalities of various classes of polynomials are presented.
2005
EPRINT
Strict Avalanche Criterion Over Finite Fields
Boolean functions on $GF(2)$ which satisfy the Strict Avalanche Criterion ($SAC$) play an important role in the art of information security. In this paper, we extend the conception $SAC$ to finite fields $GF(p)$. A necessary and sufficient condition is given by using spectral analysis. Also, based on an interesting permutation polynomial theorem, we prove various facts about ($n-1$)-th order $SAC$ functions on $GF(p)$. We also construct many such functions.
2005
EPRINT
Tag-KEM/DEM: A New Framework for Hybrid Encryption
This paper presents a novel framework for the generic construction of hybrid encryption schemes which produces more efficient schemes than the ones known before. A previous framework introduced by Shoup combines a key encapsulation mechanism (KEM) and a data encryption mechanism (DEM). While it is sufficient to require both components to be secure against chosen ciphertext attacks (CCA-secure), Kurosawa and Desmedt showed a particular example of KEM that is not CCA-secure but can be securely combined with a specific type of CCA-secure DEM to obtain a more efficient, CCA-secure hybrid encryption scheme. There are also many other efficient hybrid encryption schemes in the literature that do not fit Shoup's framework. These facts serve as motivation to seek another framework. The framework we propose yields more efficient hybrid scheme, and in addition provides insightful explanation about existing schemes that do not fit into the previous framework. Moreover, it allows immediate conversion from a class of threshold public-key encryption to a hybrid one without considerable overhead, which may not be possible in the previous approach.
2005
EPRINT
Tamper-Evident Digital Signatures: Protecting Certification Authorities Against Malware
We introduce the notion of tamper-evidence for digital signature generation in order to defend against attacks aimed at covertly leaking secret information held by corrupted network nodes. This is achieved by letting observers (which need not be trusted) verify the absence of covert channels by means of techniques we introduce herein. We call our signature schemes tamper-evident since any deviation from the protocol is immediately detectable. We demonstrate our technique for RSA-PSS and DSA signature schemes and how the same technique can be applied to Feige-Fiat-Shamir (FFS) and Schnorr signature schemes. Our technique does not modify the distribution of the generated signature transcripts, and has only a minimal overhead in terms of computation, communication, and storage. Keywords. covert channel, malware, observer, subliminal channel, tamper-evident, undercover
2005
EPRINT
Tate pairing computation on the divisors of hyperelliptic curves for cryptosystems
In recent papers \cite{Bar05} and \cite{CKL}, Barreto et al and Choie et al worked on hyperelliptic curves $H_b$ defined by $y^2+y = x^5 + x^3 + b$ over a finite field $\Ftn$ with $b=0$ or $1$ for a secure and efficient pairing-based cryptosystems. We find a completely general method for computing the Tate-pairing over divisor class groups of the curves $H_b$ in a very explicit way. In fact, the Tate-pairing is defined over the entire divisor class group of a curve, not only over the points on a curve. So far only pointwise approach has been made in ~\cite{Bar05} and ~\cite{CKL} for the Tate-pairing computation on the hyperelliptic curves $H_b$ over $\Ftn$. Furthermore, we obtain a very efficient algorithm for the Tate pairing computation over divisors by reducing the cost of computing. We also find a crucial condition for divisor class group of hyperelliptic curve to have a significant reduction of the loop cost in the Tate pairing computation.
2005
EPRINT
Taxonomy of Public Key Schemes based on the problem of Multivariate Quadratic equations
Multivariate quadratic systems can be used to construct both secure and efficient public key schemes. In this article, we introduce the necessary mathematical tools to deal with multivariate quadratic systems, present an overview of important schemes known so far and outline how they fit into a taxonomy of only four basic schemes and some generic modifiers. Moreover, we suggest new constructions not previously considered. In this context, we propose some open problems and new research directions in the field of multivariate quadratic schemes.
2005
EPRINT
Techniques for random maskin in hardware
A new technique for Boolean random masking of the logic AND operation in terms of NAND logic gates is presented and its potential for masking arbitrary cryptographic functions is pointed out. The new technique is much more efficient than a previously known technique, recently applied to AES. It is also applied for masking the integer addition. In addition, new techniques for the conversions from Boolean to arithmetic random masking and vice versa are developed. They are hardware oriented and do not require additional random bits. Unlike the previous, software-oriented techniques showing a substantial difference in the complexity of the two conversions, they have a comparable complexity being about the same as that of one integer addition only. All the techniques proposed are in theory secure against the first-order differential power analysis on the logic gate level. They can be applied in hardware implementations of various cryptographic functions, including AES, (keyed) SHA-1, IDEA, and RC6.
2005
EPRINT
The Best Differential Characteristics and Subtleties of the Biham-Shamir Attacks on DES
In about every book about cryptography, we learn that the plaintext complexity of differential cryptanalysis on DES is 2^47, as reported by Biham and Shamir. Yet few people realise that in a typical setting this estimation is not exact and too optimistic. In this note we show that the two "best" differentials for DES used by Biham and Shamir are NOT the best differentials that exist in DES. For approximations over many rounds such as used in the Biham-Shamir attack from the best characteristic is in fact a third, different differential already given by Knudsen. A more detailed analysis shows that on average the best differential attack on DES remains the Biham-Shamir attack, because it can exploit two differentials at the same time and their propagation probabilities are related. However for a typical fixed DES key, the attack requires on average about 2^48.34 chosen plaintexts and not 2^47 as initially claimed. In addition, if the key is changing frequently during the attack, then in fact Biham and Shamir initial figure of 2^47 is correct. We were surprised to find out that (with differential cryptanalysis) it is easier to break DES with a changing key, than for one fixed key.
2005
EPRINT
The conjugacy problem and related problems in lattice-ordered groups
We study, from a constructive computational point of view, the techniques used to solve the conjugacy problem in the "generic" lattice-ordered group Aut(R) of order automorphisms of the real line. We use these techniques in order to show that for each choice of parameters f,g in Aut(R), the equation xfx=g is effectively solvable in Aut(R).
2005
EPRINT
The Cramer-Shoup Encryption Scheme is Plaintext Aware in the Standard Model
In this paper we examine the security criteria for a KEM and a DEM that are su?cient for the overall hybrid encryption scheme to be plaintext-aware in the standard model. We apply this theory to the Cramer-Shoup hybrid scheme acting on ?xed length messages and deduce that the Cramer-Shoup scheme is plaintext-aware in the standard model. This answers a previously open conjecture of Bellare and Palacio on the existence of plaintext-aware encryption schemes.
2005
EPRINT
The Equivalence Between the DHP and DLP for Elliptic Curves Used in Practical Applications, Revisited
The theoretical equivalence between the DLP and DHP problems was shown by Maurer in 1994. His work was then reexamined by Muzereau et al. for the special case of elliptic curves used in practical cryptographic applications. This paper improves on the latter and tries to get the tightest possible reduction in terms of computational equivalence, using Maurer's method.
2005
EPRINT
The Full Abstraction of the UC Framework
We prove that security in the Universal Composability framework (UC) is equivalent to security in the probabilistic polynomial time calculus ppc. Security is defined under active and adaptive adversaries with synchronous and authenticated communication. In detail, we define an encoding from machines in UC to processes in ppc and show it is fully abstract with respect to UC-security and ppc-security, i.e., we show a protocol is UC-secure iff its encoding is ppc-secure. However, we restrict security in ppc to be quantified not over all possible contexts, but over those induced by UC-environments under encoding. This result is not overly-simplifying security in ppc, since the threat and communication models we assume are meaningful in both practice and theory.
2005
EPRINT
The Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher-Based Hash Function
The Ideal-Cipher Model of a blockcipher is a well-known and widely-used model dating back to Shannon and has seen frequent use in proving the security of various cryptographic objects and protocols. But very little discussion has transpired regarding the meaning of proofs conducted in this model or regarding the model's validity. In this paper, we briefly discuss the implications of proofs done in the ideal-cipher model, then show some limitations of the model analogous to recent work regarding the Random-Oracle Model. In particular, we extend work by Canetti, Goldreich and Halevi, and a recent simplification by Maurer, Renner, and Holenstein, to exhibit a blockcipher-based hash function that is provably-secure in the ideal-cipher model but trivially insecure when instantiated by any blockcipher.
2005
EPRINT
The Misuse of RC4 in Microsoft Word and Excel
In this report, we point out a serious security flaw in Microsoft Word and Excel. The stream cipher RC4 with key length up to 128 bits is used in Microsoft Word and Excel to protect the documents. But when an encrypted document gets modified and saved, the initialization vector remains the same and thus the same keystream generated from RC4 is applied to encrypt the different versions of that document. The consequence is disastrous since a lot of information of the document could be recovered easily.
2005
EPRINT
The Pelican MAC Function
At FSE 2005 we presented a new MAC Construction called Alred and a Specific Instance Alpha-MAC. In the presentation we announced a variant of Alpha-MAC under the (working) name Beta-MAC, that can be seen as an optimized version of Alpha-MAC. We have renamed Beta-MAC to Pelican and present its design in this paper. Pelican is based on Rijndael and a factor 2.5 more efficient than CBC-MAC with Rijndael, while providing a comparable claimed security level.
2005
EPRINT
The Program Counter Security Model: Automatic Detection and Removal of Control-Flow Side Channel Attacks
We introduce new methods for detecting control-flow side channel attacks, transforming C source code to eliminate such attacks, and checking that the transformed code is free of control-flow side channels. We model control-flow side channels with a program counter transcript, in which the value of the program counter at each step is leaked to an adversary. The program counter transcript model captures a class of side channel attacks that includes timing attacks and error disclosure attacks. We further show that the model formalizes previous ad hoc approaches to preventing side channel attacks. We then give a dynamic testing procedure for finding code fragments that may reveal sensitive information by key-dependent behavior, and we show our method finds side channel vulnerabilities in real implementations of IDEA and RC5, in binary modular exponentiation, and in the lsh implementation of the ssh protocol. Further, we propose a generic source-to-source transformation that produces programs provably secure against control-flow side channel attacks. We implemented this transform for C together with a static checker that conservatively checks x86 assembly for violations of program counter security; our checker allows us to compile with optimizations while retaining assurance the resulting code is secure. We then measured our technique's effect on the performance of binary modular exponentiation and real-world implementations in C of RC5 and IDEA: we found it has a performance overhead of at most 5X and a stack space overhead of at most 2X. Our approach to side channel security is practical, generally applicable, and provably secure against an interesting class of side channel attacks.
2005
EPRINT
The topology of covert conflict
Often an attacker tries to disconnect a network by destroying nodes or edges, while the defender counters using various resilience mechanisms. Examples include a music industry body attempting to close down a peer-to-peer file-sharing network; medics attempting to halt the spread of an infectious disease by selective vaccination; and a police agency trying to decapitate a terrorist organisation. Albert, Jeong and Barabasi famously analysed the static case, and showed that vertex-order attacks are effective against scale-free networks. We extend this work to the dynamic case by developing a framework based on evolutionary game theory to explore the interaction of attack and defence strategies. We show, first, that naive defences don't work against vertex-order attack; second, that defences based on simple redundancy don't work much better, but that defences based on cliques work well; third, that attacks based on centrality work better against clique defences than vertex-order attacks do; and fourth, that defences based on complex strategies such as delegation plus clique resist centrality attacks better than simple clique defences. Our models thus build a bridge between network analysis and evolutionary game theory, and provide a framework for analysing defence and attack in networks where topology matters. They suggest definitions of efficiency of attack and defence, and may even explain the evolution of insurgent organisations from networks of cells to a more virtual leadership that facilitates operations rather than directing them. Finally, we draw some conclusions and present possible directions for future research.
2005
EPRINT
The Vector Decomposition Problem for Elliptic and Hyperelliptic Curves
The group of m-torsion points on an elliptic curve, for a prime number m, forms a two-dimensional vector space. It was suggested and proven by Yoshida that under certain conditions the vector decomposition problem (VDP) on a two-dimensional vector space is at least as hard as the computational Diffie-Hellman problem (CDHP) on a one-dimensional subspace. In this work we show that even though this assessment is true, it applies to the VDP for m-torsion points on an elliptic curve only if the curve is supersingular. But in that case the CDHP on the one-dimensional subspace has a known sub-exponential solution. Furthermore, we present a family of hyperelliptic curves of genus two that are suitable for the VDP.
2005
EPRINT
The Weil pairing on elliptic curves over C
To help motivate the Weil pairing, we discuss it in the context of elliptic curves over the field of complex numbers.
2005
EPRINT
Theoretical cryptanalysis of the Klimov-Shamir number generator TF-1
The internal state of the Klimov-Shamir number generator TF-1 consists of four words of size w bits each, whereas its intended strength is 2^{2w}. We exploit an asymmetry in its output function to show that the internal state can be recovered after having 2^w outputs, using 2^{1.5w} operations. For w=32 the attack is practical, but for their recommended w=64 it is only of theoretical interest.
2005
EPRINT
Threshold Ring Signatures Efficient for Large Sets of Signers
The anonymity provided by the threshold ring signature scheme proposed by Bresson et al (Crypto'02) is perfect. However, its complexity is prohibitively large even for relatively small sets of signers. We propose use of threshold schemes based on covering designs that are efficient for large groups of signers. The cost we pay is non-perfect anonymity.
2005
EPRINT
Tight bound between nonlinearity and algebraic immunity
We obtain tight bound between nonlinearity and algebraic immunity of a Boolean function and construct balanced functions that achive this bound for all possible values of parameters.
2005
EPRINT
Tight Reductions among Strong Die-Hellman Assumptions
We derive some tight equivalence reductions between several Strong Die-Hellman (SDH) assumptions.
2005
EPRINT
Time-Data-Memory Trade-Off Based Cryptanalysis of Certain Broadcast Encryption Schemes
This paper points out to a generic vulnerability of certain broadcast encryption schemes. This vulnerability can be effectively explored assuming chosen plaintext attacks, and in some cases even under ciphertext only attack. The developed methods for cryptanalysis are based on an attacking approach not taken into account in the security evaluations of the reported broadcast encryption schemes. The proposed attacks are based on employment of a dedicated time-data-memory trade-off approach for cryptanalysis. Two algorithms for cryptanalysis are proposed and their main characteristics regarding the complexity and required sample are pointed out. The algorithms are applied for cryptanalysis of particular recently reported broadcast encryption schemes implying that their security is far below the claimed ones.
2005
EPRINT
TMD-Tradeoff and State Entropy Loss Considerations of Streamcipher MICKEY
We give three weaknesses of a recently proposed streamcipher MICKEY. A small class of weak keys is found and we show time-memory-data tradeoff is applicable. We also show that the state update function reduces entropy of the internal state as it is iterated, resulting in keystreams that start out differently but become merged together towards the end.
2005
EPRINT
TMTO With Multiple Data: Analysis and New Single Table Trade-offs
Time/memory trade-off (TMTO) was introduced by Hellman and later studied by many other authors. The effect of multiple data in Hellman TMTO was studied by Biryukov and Shamir (BS). We continue the analysis of the general multiple data TMTO started in BS. The trade-offs of Babbage and Golic (BG) and Biryukov-Shamir are obtained as special cases. Further, the general analysis is carried out under different conditions including that of Hellman optimality (online time equal to memory). Our main contribution is to identify a new class of single table multiple data trade-offs which cannot be obtained either as BG or BS trade-off. In certain cases, these new trade-offs can provide more desirable parameters than the BG or the BS methods. We consider the analysis of the rainbow method of Oechslin and show that for multiple data, the TMTO curve of the rainbow method is inferior to the TMTO curve of the Hellman method. The costs of the rainbow method and the Hellman+DP method can be comparable if the size of the search space is small and the cost of one table look-up is relatively high.
2005
EPRINT
Towards computationally sound symbolic analysis of key exchange protocols
We present a cryptographically sound formal method for proving correctness of key exchange protocols. Our main tool is a fragment of a symbolic protocol logic. We demonstrate that proofs of key agreement and key secrecy in this logic imply simulatability in Shoup's secure multi-party framework for key exchange. As part of the logic, we present cryptographically sound abstractions of CMA-secure digital signatures and a restricted form of Diffie-Hellman exponentiation, which is a technical result of independent interest. We illustrate our method by constructing a proof of security for a simple authenticated Diffie-Hellman protocol.
2005
EPRINT
Towards Security Two-part Authenticated Key Agreement Protocols
We first present a new security 2-AK protocol, which is more secure and more efficient than previously proposed ones. Meanwhile, we point that Xie's ID-2-AK protocol modified from McCullagh-Barreto in CT-RSA 2005 doesn't provide protection against KCI attack likewise, and finally utilize the modular arithmetic, first proposed in MQV and also used in Kim, to get a modified new ID-2-AK protocol. On second thoughts, we give another ID-2-AK protocol utilizing the operation of addition in finite field like our forenamed 2-AK protocol. The two ID-2-AK protocols are in possession of all the desired security attributes. We also compare our new protocols with others in terms of computational cost and security properties.
2005
EPRINT
Tree Parity Machine Rekeying Architectures for Embedded Security
Nonclassical cryptographic technologies are considered in science and industry to provide alternative security solutions. They are motivated by the strong restrictions as they are often present in embedded security scenarios and in applications of pervasive computing. We investigate a low hardware-complexity cryptosystem for lightweight symmetric key exchange, based on two new Tree Parity Machine Rekeying Architectures (TPMRAs). The speed of a key exchange is basically only limited by the channel capacity. This work significantly improves and extends previously published results on TPMRAs. We evaluate characteristics of standard-cell ASIC design realizations as IP-core in 0.18-micrometer-CMOS technology.
2005
EPRINT
Truncated differential cryptanalysis of five rounds of Salsa20
We present an attack on Salsa20 reduced to five of its twenty rounds. This attack uses many clusters of truncated differentials and requires 2^{165} work and 2^{6} plaintexts.
2005
EPRINT
Twin RSA
We introduce {\em Twin RSA}, pairs of RSA moduli $(n,n+2)$, and formulate several questions related to it. Our main questions are: is Twin RSA secure, and what is it good for?
2005
EPRINT
Unclonable Group Identification
We introduce and motivate the concept of unclonable group identification, that provides maximal protection against sharing of identities while still protecting the anonymity of users. We prove that the notion can be realized from any one-way function and suggest a more efficient implementation based on specific assumptions.
2005
EPRINT
Unconditionally Secure Constant Round Multi-Party Computation for Equality, Comparison, Bits and Exponentiation
In this paper we are interested in efficient and secure constant round multi-party protocols which provide unconditional security against so called honest-but-curious adversaries. In particular, we design a novel constant round protocol that converts from shares over Z_q to shares over the integers working for all shared inputs from Z_q. Furthermore, we present a constant round protocol to securely evaluate a shared input on a public polynomial whose running time is linear in the degree of the polynomial. The proposed solution makes use of Chebyshev Polynomials. We show that the latter two protocols can be used to design efficient constant round protocols for the following natural problems: (i) Equality: Computing shares of the bit indicating if a shared input value equals zero or not. This provides the missing building blocks for many constant round linear algebra protocols from the work of Cramer and Damgaard [CrDa01]. (ii) Comparison: Computing shares of a bit indicating which of two shared inputs is greater. (iii) Bits: Computing shares of the binary representation of a shared input value. (iv) Exponentiation: Computing shares of x^a mod q given shares of x, a and q. Prior to this paper, for all the above mentioned problems, there were in general no efficient constant round protocols known providing unconditional security.
2005
EPRINT
Unfairness of a protocol for certified delivery
Recently, Nenadi\'c \emph{et al.} (2004) proposed the RSA-CEGD protocol for certified delivery of e-goods. This is a relatively complex scheme based on verifiable and recoverable encrypted signatures (VRES) to guarantee properties such as strong fairness and non-repudiation, among others. In this paper, we demonstrate how this protocol cannot achieve fairness by presenting a severe attack and also pointing out some other weaknesses.
2005
EPRINT
Unified Point Addition Formul{\ae} and Side-Channel Attacks
The successful application to elliptic curve cryptography of side-channel attacks, in which information about the secret key can be recovered from the observation of side channels like power consumption or timing, has motivated the recent development of unified formul{\ae} for elliptic curve point operations. In this paper, we give a version of a previously-developed family of unified point addition formul{\ae} that uses projective coordinates for improved efficiency. We discuss the applicability of a recent attack by Walter on this family of projective formul{\ae} and describe how the field arithmetic can be implemented to obtain fully unified formul{\ae} and avoid this type of attack.
2005
EPRINT
Universally Composable Disk Encryption Schemes
We propose a formalization of the security of transparent harddisk-encryption using the universal composability framework. We point out that several commercially available schemes for transparent hard disk encryption are built on principles that limit security, and we propose schemes for disk encryption with passive and active security, respectively. As for the efficiency of the schemes, security against active attacks can be obtained with a constant factor overhead in space and a logarithmic overhead in time. Finally, we also also sketch an actively secure scheme that provides some amount of security, even if the adversary is given temporary access to the internal state of the encryption device used.
2005
EPRINT
Universally Composable Password-Based Key Exchange
We propose and realize a definition of security for password-based key exchange within the framework of universal composability (UC), thus providing security guarantees under arbitrary composition with other protocols. In addition, our definition captures some aspects of the problem that were not adequately addressed by most prior notions. For instance, our definition does not assume any underlying probability distribution on passwords, nor does it assume independence between passwords chosen by different parties. We also formulate a definition of password-based secure channels, and show how to realize such channels given any password-based key exchange protocol. The password-based key exchange protocol shown here is in the common reference string model and relies on standard number-theoretic assumptions. The components of our protocol can be instantiated to give a relatively efficient solution which is conceivably usable in practice. We also show that it is impossible to satisfy our definition in the "plain" model (e.g., without a common reference string).
2005
EPRINT
Universally Composable Time-Stamping Schemes with Audit
We present a universally composable time-stamping scheme based on universal one-way hash functions. The model we use contains an ideal auditing functionality (implementable in the Common Reference String model), the task of which is to check that the rounds' digests are correctly computed. Our scheme uses hash-trees and is just a slight modification of the known schemes of Haber-Stornetta and Benaloh-de Mare, but both the modifications and the audit functionality are crucial for provable security. The scheme turns out to be nearly optimal -- we prove that in every universally composable auditable time-stamping scheme, almost all time stamp requests must be communicated to the auditor.
2005
EPRINT
Untraceability of Two Group Signature Schemes
A group signature scheme allows a group member of a given group to sign messages on behalf of the group in an anonymous fashion. In case of a dispute, however, a designated group manager can reveal the signer of a valid group signature. In the paper, we show the untraceability of two group signatures in [1, 5] by new and very simple attacks. Although those flaws, such as, forgeability, untraceability and linkability have been shown in [2, 7, 8, 9], we should point out that our attacks are more simple.
2005
EPRINT
Update on SHA-1
We report on the experiments we performed in order to assess the security of SHA-1 against the attack by Chabaud and Joux. We present some ideas for optimizations of the attack and some properties of the message expansion routine. Finally, we show that for a reduced version of SHA-1, with 53 rounds instead of 80, it is possible to find collisions in less than $2^{80}$ operations.
2005
EPRINT
Use of Sparse and/or Complex Exponents in Batch Verification of Exponentiations
Modular exponentiation in an abelian group is one of the most frequently used mathematical primitives in modern cryptography. {\em Batch verification} is to verify many exponentiations simultaneously. We propose two fast batch verification algorithms. The first one makes use of exponents with small weight, called {\em sparse exponents}, which is asymptotically 10 times faster than the individual verification and twice faster than the previous works without security loss. The second one is applied only to elliptic curves defined over small finite fields. Using sparse Frobenius expansion with small integer coefficients, we propose a complex exponent test which is four times faster than the previous works. For example, each exponentiation in one batch requires asymptotically 9 elliptic curve additions in some elliptic curves for $2^{80}$ security.
2005
EPRINT
Using Probabilistic I/O Automata to Analyze an Oblivious Transfer Protocol
The Probabilistic I/O Automata framework of Lynch, Segala and Vaandrager provides tools for precisely specifying protocols and reasoning about their correctness using multiple levels of abstraction, based on implementation relationships between these levels. We enhance this framework to allow analyzing protocols that use cryptographic primitives. This requires resolving and reconciling issues such as nondeterministic behavior and scheduling, randomness, resource-bounded computation, and computational hardness assumptions. The enhanced framework allows for more rigorous and systematic analysis of cryptographic protocols. To demonstrate the use of this framework, we present an example analysis that we have done for an Oblivious Transfer protocol.
2005
EPRINT
Verifiable Shuffles: A Formal Model and a Paillier-based 3-Round Construction with Provable Security
We propose a formal model for security of verifiable shuffles and a new verifiable shuffle system based on the Paillier encryption scheme, and prove its security in the proposed model. The model is general, so it can be extended to verifiable shuffle decryption and provides a direction for provable security of mix-nets.
2005
EPRINT
VEST Hardware-Dedicated Stream Ciphers
VEST ciphers are based on bijective non-linear parallel feedback shift registers assisted by non-linear Residue Number System (RNS) based counters. Four VEST cipher family trees are introduced: 80-bit secure VEST-4, 128-bit secure VEST-8, 160-bit secure VEST-16 and 256-bit secure VEST-32. VEST ciphers return 4 to 32 bits of output per clock cycle while occupying ~5K to ~22K ASIC gates including the finite state machine logic overhead. All VEST ciphers support family keying, variable key sizes and instant re-keying. VEST ciphers are designed exploiting all the advantages of ASIC and FPGA hardware offering high-speed encryption with very low latency and substantial performance improvements comparing with general-purpose or software ciphers implemented in the same area.
2005
EPRINT
VSH, an Efficient and Provable Collision Resistant Hash Function
We introduce VSH, {\em very smooth hash}, a new $S$-bit hash function that is provably collision-resistant assuming the hardness of finding nontrivial modular square roots of very smooth numbers modulo an $S$-bit composite. By very smooth, we mean that the smoothness bound is some fixed polynomial function of~$S$. We argue that finding collisions for VSH has the same asymptotic complexity as factoring using the Number Field Sieve factoring algorithm, i.e., subexponential in~$S$. %We show how our asymptotic argument can be turned into a practical method to %select parameters so that VSH meets a desired security level. VSH is theoretically pleasing because it requires just a single multiplication modulo the~$S$-bit composite per $\Omega(S)$ message-bits (as opposed to $O(\log S)$ message-bits for previous provably secure hashes). It is relatively practical. A preliminary implementation on a 1GHz Pentium III processor that achieves collision resistance at least equivalent to the difficulty of factoring a 1024-bit RSA modulus, runs at 1.1 MegaByte per second, with a moderate slowdown to 0.7MB/s for 2048-bit RSA security. VSH can be used to build a fast, provably secure randomised trapdoor hash function, which can be applied to speed up provably secure signature schemes (such as Cramer-Shoup) and designated-verifier signatures.
2005
EPRINT
Wang's sufficient conditions of MD5 are not sufficient
In this paper, we report that the "sufficient conditions" of MD5 of the modification technique for the collision search algorithm described by Wang are not sufficient. In our analysis, we show at least 4 extra-conditions for the message modification in the first block and corrections of the several conditions which are correspond to the highest (32nd) bit of the sufficient conditions in the second block should be needed. And we show the new collision message which is completely different from the message pairs showed by Wang by using our extended sufficient conditions.
2005
EPRINT
Weak Composite Diffie-Hellman is not Weaker than Factoring
In1985, Shmuley proposed a theorem about intractability of Composite Diffie-Hellman [Sh85]. The Theorem of Shmuley may be paraphrased as saying that if there exist a probabilistic poly-time oracle machine which solves the Diffie-Hellman modulo an RSA-number with odd-order base then there exist a probabilistic algorithm which factors the modulo. In the other hand factorization of the module obtained only if we can solve the Diffie-Hellman with odd-order base. In this paper we show that even if there exist a probabilistic poly-time oracle machine which solves the problem only for even-order base and abstain answering the problem for odd-order bases still a probabilistic algorithm can be constructed which factors the modulo in poly-time for more than 98% of RSA-numbers.
2005
EPRINT
Weak keys of the Diffe Hellman key exchange I
This paper investigates the Diffie-Hellman key exchange scheme over the group $\fpm^*$ of nonzero elements of finite fields and shows that there exist exponents $k$, $l$ satisfying certain conditions called the \emph{modulus conditions}, for which the Diffie Hellman Problem (DHP) can be solved in polynomial number of operations in $m$ without solving the discrete logarithm problem (DLP). These special private keys of the scheme are termed \emph{weak} and depend also on the generator $a$ of the cyclic group. More generally the triples $(a,k,l)$ with generator $a$ and one of private keys $k,l$ weak, are called \emph{weak triples}. A sample of weak keys is computed and it is observed that their number may not be insignificant to be ignored in general. Next, an extension of the analysis and weak triples is carried out for the Diffie Hellman scheme over the matrix group $\gln$ and it is shown that for an analogous class of session triples, the DHP can be solved without solving the DLP in polynomial number of operations in the matrix size $n$. A revised Diffie Hellman assumption is stated, taking into account the above exceptions.
2005
EPRINT
Weak keys of the Diffie Hellman key exchange II : Pairing based schemes on elliptic curves
This paper develops a cryptanalysis of the pairing based Diffie Hellman (DH) key exchange schemes which have found important applications as in the tripartite exchange scheme proposed in \cite{joux}. The analysis of \emph{weak keys} of the standard DH scheme proposed in \cite{kas1} is applied to show existence of weak sessions for tripartite schemes over super-singular curves. It is shown that for such sessions the associated Bilinear Diffie Hellman Problem (BDHP) is solvable in polynomial time, without computing the private keys i.e. without solving the discrete logarithms. Similar applications of the analysis to Decisional Diffie Hellman Problem (DDHP)and the Identity Based DH scheme (IBS) are also developed. The tripartite key exchange scheme is analyzed in detail and it is shown that the number of weak keys increases in this scheme as compared to the standard two party DH scheme. It is shown that the random choice of private keys by the users independent of each other's knowledge is insecure in these schemes. Algorithms are suggested for checking weakness of private keys based on an order of selection. A modified tripartite key exchange scheme is presented in which detection of weak keys is incorporated.
2005
EPRINT
Weakness of shim??s New ID-based tripartite multiple-key agreement protocol
In this article we show that Shim??s new ID-based tripartite multiple-key agreement protocol still suffers from the impersonation attack, a malicious user can launch an impersonation attack on their protocol.
2005
EPRINT
Weaknesses in a leakage-resilient authenticated key transport protocol
In this paper we demonstrate the existence of a number of weaknesses in a leakage-resilient authenticated key transport (RSA-AKE) protocol due to Shin, Kobara and Imai.
2005
EPRINT
Weaknesses in two group Diffie-Hellman key exchange protocols
In this paper we show that the password-based Diffie-Hellman key exchange protocols due to Byun and Lee suffer from dictionary attacks.
2005
EPRINT
Weaknesses of the Boyd-Mao Deniable Authenticated key Establishment for Internet Protocols
In 2003, Boyd and Mao proposed two deniable authenticated key establishment protocols using elliptic curve pairings for Internet protocols, one is based on Diffie-Hellman key exchange and the other is based on Public-Key Encryption approach. For the use of elliptic curve pairings, they declared that their schemes could be more efficient than the existing Internet Key Exchange (IKE), nowadays. However in this paper, we will show that both of Boyd-Mao??s protocols suffer from the key-Compromise Impersonation attack.
2005
EPRINT
What do S-boxes Say in Differential Side Channel Attacks?
Cryptographic devices are vulnerable against the now well-known side channel leakage analysis. Secret data, such as keys, can be revealed by attacks like DPA, DEMA, CPA. However, this kind of attacks also exhibits wrong keys, this phenomenon being known as the "ghost peaks" problem and has been brie?y explained in CPA. We give here a comprehension and analysis of the ghost peak problem that occurs in differential analysis regarding to different power consumption model and various weighting techniques.
2005
EPRINT
Yet Another Short Signatures Without Random Oracles from Bilinear Pairings
In recent years, cryptographic protocols based on the bilinear pairings have attracted much attention. One of the most distinguished achievements in this area was the solution to design short signatures. Up to now, there exist two short signature schemes with random oracles and one without random oracles from bilinear pairings. In this paper, we describe another short signature scheme which is existentially unforgeable under a chosen message attack without using random oracles. The security of our scheme depends on a new complexity assumption we call the $k$+1 square roots assumption. We discuss the relationship between the $k$+1 square roots assumption and some related problems and give some conjectures. Further more, the $k$+1 square roots assumption gives even shorter signatures under the random oracles.
2005
EPRINT
Zero-Knowledge Blind Identification For Smart Cards Using Bilinear Pairings
Identification protocols based on the Computational Diffie Hellman Problem (CDHP) generally assume the intractability of the underlying Decisional Diffie Hellman Problem (DDHP). Due to this, the security of all such schemes in a pairing based scenario is doubtful. In this paper, we propose a two-round zero-knowledge identification protocol using bilinear pairings. Our proposed protocol has two contrasting features to traditional identification schemes: (1) The scheme requires the verifier to toss his coins before the prover. (2) The coin tosses of the verifier are secret while the coin tosses of the prover are not. As a consequence, we obtain a \emph{blind} identification scheme with complete zero knowledge. Traditionally in an identification scheme, a passive adversary watching the communication gains information intended only for the verifier. For instance, from watching the transcript in the Fiat-Shamir zero knowledge identification scheme, an adversary also learns the outcome of the protocol (i.e. whether the identification succeeds or not). The blinding property of our scheme eliminates this disadvantage while still ensuring zero knowledge. Finally, as a natural extension of our scheme, we present the concept of `all or none' group identification protocol that can be used to authenticate together an arbitrary number of users in a batch such that if the identification fails, it is impossible for the users to know which one cheated. We also prove the security of our scheme and give some interesting applications including anonymous seller credit card payments. The cryptographic primitives can be efficiently encapsulated in smart cards designed for Elliptic Curve Cryptography (ECC). The private key must be included in a tamperproof device inside the smart card.
2005
EPRINT
Zero-Knowledge Proofs for Mix-nets of Secret Shares and a Version of ElGamal with Modular Homomorphism
Mix-nets can be used to shuffle vectors of shared secrets. This operation can be an important building block for solving combinatorial problems where constraints depend on secrets of different participants. A main contribution of this paper is to show how participants in the mix-net can provide Zero-Knowledge proofs to convince each other that they do not tamper with the shuffled secrets, and that inverse permutations are correctly applied at unshuffling. The approach is related to the proof of knowing an isomorphism between large graphs. We also make a detailed review and comparison with rationales and analysis of Chaum's and Merritt's mix-nets. Another contribution is a (+ mod q, X)-homomorphic encryption scheme that can be parametrized by a public prime value q and that is obtained from (+,X)-homomorphic ElGamal. This cryptosystem allows for guarantees of security in the aforementioned mix-net. A generalization shows how to obtain modular arithmetic homomorphic schemes from other cryptosystems. Mix-nets offer only computational security since participants get encrypted versions of all the shares. Information theoretically secure algorithms can be obtained using secure arithmetic circuit evaluation. The arithmetic circuit previously proposed for shuffling a vector of size k was particularly slow. Here we also propose a new arithmetic circuit for performing the operation in O(k^2) multiplications and requiring k-1 shared random numbers with different domains. Another contribution is to provide more efficient arithmetic circuits for combinatorial optimization problems, exploiting recent secure primitives. Examples are shown of how these techniques can be used in the Secure Multi-party Computation (SMC) language. SMC's procedures for generating uniformly distributed random permutations are also detailed.